Skip to main content
AMIA Annual Symposium Proceedings logoLink to AMIA Annual Symposium Proceedings
. 2011 Oct 22;2011:48–56.

Impact of Health Disclosure Laws on Health Information Exchanges

Idris Adjerid 1, Rema Padman 1
PMCID: PMC3243116  PMID: 22195054

Abstract

Health information exchanges (HIEs) are expected to facilitate data sharing between healthcare entities, thereby improving the efficiency and quality of care. Privacy concerns have been consistently cited as one of the primary challenges to HIE formation and success. Currently, it is unclear how privacy laws – in particular, legislation restricting the disclosure of health records – have shaped the development of HIEs. This preliminary study explores the landscape of state-level health privacy legislation and examines the impact of variations in such privacy and confidentiality laws on the progress of HIEs. We found that states with stronger privacy laws, limiting the disclosure of health information, had significantly more HIEs exchanging data and had fewer failed HIEs. We suggest that this counterintuitive finding may be explained by the more subtle benefits of such laws, such as increased confidence and trust of participants in an exchange.

Other key contributors to this work are Alessandro Acquisti, Rahul Telang, and Julia Adler-Milstein

1. Introduction

In an effort to curb rising healthcare costs, the Health Information Technology for Economic and Clinical Health Act (HITECH) includes provisions to promote the adoption of information technology in the healthcare sector. HITECH creates a variety of incentives for information technology adoption and health information sharing, including funding for states to build health information exchange capabilities. To-date, most health information exchange activity has taken place through local and regional collaborations that bring together disparate health entities for the purpose of exchanging data electronically. These HIE efforts (HIEs) are expected to improve efficiency and quality of care through enhanced information sharing capabilities.

However, the increased digitization and electronic accessibility of health records raise concerns about the privacy and confidentiality of sensitive health information. On June 29, 2010, the American Civil Liberties Union filed suit against the state-sponsored exchange in Rhode Island, on grounds that it had not implemented sufficient controls to protect sensitive patient health information. [1] Experts have also expressed concern that HIEs will be a major source of future health privacy risk, citing failures to keep up with best practices around advancing technology, resulting in antiquated data security, governance, and policy. [2] These concerns have also been echoed by HIEs in self-reported surveys in which they cite patient privacy concerns as significant challenges to progress. [38] Balancing protecting health information and utilizing technology to improve efficiency and quality of care is therefore a critical challenge facing HIEs and states as they develop their strategies to expand HIEs. Our study helps inform this area by assessing the effect of privacy regulation on the advancement of technology adoption and innovation in the healthcare industry.

The impact of privacy protections on HIE progress remains an open question with several plausible rationales for both positive and negative effects. Strong privacy laws may hinder exchange of information by increasing the cost and liability associated with sharing health information. Conversely, stronger privacy protections could mediate some of the privacy concerns voiced by experts and patient rights groups thus encouraging HIE growth and success. In this paper, we examine the impact of stronger privacy laws that limit the disclosure of health information on the pursuit and success of HIE efforts. Given the significant role HIEs are likely to play in improving the high-cost, variable quality U.S. healthcare system, insights into this question will be helpful in balancing patients’ right to privacy and facilitated sharing of patient health information.

To answer this question, we contrast the adoption and success of Health Information Exchanges in states with laws that limit the disclosure of patient health information to states that do not have these laws. Our current results suggest that states with stronger privacy laws, limiting the disclosure of health information had more HIEs exchanging data and had fewer failed HIEs. This is an interesting result as it suggests more subtle benefits of such laws, such as increased confidence and trust of participants in an exchange.

2. Related Work

A few recent studies have examined issues relating to privacy in the context of HIE and health IT. Miller and Tucker (2009) examine the role of health disclosure laws in the adoption of EMR and find that disclosure laws inhibited positive externalities from having other local hospitals adopt EMR, resulting in a 24% reduction in EMR adoption. [9] Specific to HIE, Goldstein and Rein (2010) explore consumer consent options in the context of health information exchange, detailing the evolution of various consent models and the how state and federal legislation influences the development of these models. [10] More broadly, Angst (2009) discusses some of the questions revolving around balancing of patient privacy and the substantial benefits promised by health information exchange. He argues that some of these trade offs can be partially mitigated through technological innovation (such as designing systems that allow granular consent), and also advocates increased education of the public on the benefits and risks of health information exchange. [11] McGraw et al (2009) echo this sentiment, arguing that a comprehensive framework that implements core privacy principles, adopts trusted network design characteristics, and establishes oversight and accountability mechanisms can bolster trust and promote adoption. [12]

3. Data

3.1. Health Disclosure Laws

The privacy and security concerns associated with HIE are exacerbated by the complexities of the U.S. legal system (particularly across states), which leaves HIEs without a clear and consistent guidance for mitigating privacy risks. According to a recent report on consumer consent models for health information exchange, “the lack of uniformity (in state laws) is often viewed as one of the most complex challenges of implementing electronic exchange”. [13] While this complexity presents challenges to HIEs, we exploit the rich variation across states to contrast the adoption and success of Health Information Exchanges.

To identify states with laws that limit disclosure of health information, we relied on both the recent compilation of state disclosure laws by Pritts et al (2009) [13] and the earlier compilation of general state privacy laws by Pritts et al (2002) [14]. Through these resources, we identified states with laws that require healthcare entities to garner authorization from patients prior to disclosing their health information. While there are other types of laws that relate to the protection of patient privacy (right to access, patient doctor privilege, etc.), we used this ‘consent prior to disclosure’ type of law in our analysis because of its direct relevance to HIE.

Because HIEs are likely to include a broad range of healthcare entities, we used a relatively stringent standard to designate a state as having a health disclosure law. States had to have laws that (at a minimum) limited disclosure by physicians, hospitals, Health Maintenance Organizations, and insurers. We did not differentiate states based on secondary details of the various laws (i.e. looking at exceptions to soliciting consent from patients or whether their protections go beyond HIPAA requirements). We also used the annual Privacy Journal’s Compilation of State Privacy Laws (updated to 2010) [15] and individual online legal references from each state to validate the continued existence of these laws, update any changes to these laws, and identify new laws that had been passed. We identified 21 states with laws that met our requirements for limiting disclosure of health information (see Figure 1 below). For the purposes of this paper, we will refer to this set of laws as health disclosure laws. For our time period of interest (2004–2009), general health disclosure laws were relatively unchanged and are used in our cross-sectional analysis.

Figure 1:

Figure 1:

States with Health Disclosure Law (2009)

Our use of state health disclosure laws does present some notable concerns. For instance, the majority of these laws were passed prior to the prominence of HIE efforts and are generally geared towards paper-based medical records. This may cast some doubt as to their direct applicability to HIE efforts. However, Pritt et al. (2009) suggests that state laws are indeed influence HIE activities finding that, “differences in state laws have resulted in a range of ‘consent cultures’ across the country that defines the context for electronic exchange”. [13]

Another legitimate concern is that these laws may not have restrictions beyond what HIPAA provides. This is supported by Pritt et al. (2009) in which they find that state-level legislation often implicitly or explicitly calls on the HIPAA privacy rule or provides similarly unrestrictive disclosure requirements. [13] For example, most states that had health disclosure laws allow physicians and hospitals to disclose general health information for treatment purposes without patient consent (similar to HIPAA). Although these laws do not always provide additional protections to patients, they do expand state rights and power with respect to health privacy. More specifically, passage of this legislation grants states enforcement capabilities for violations of these provisions (we have not evaluated the frequency with which states attempt to enforce these laws). Enforcement of health privacy protections is not trivial, given that the Centers for Medicare and Medicaid Services has been heavily criticized for failure to enforce HIPAA privacy and security provisions [16]. Lastly, it is likely that the laws we identify through our analysis are a proxy for general state health privacy sentiments and are positively correlated with other state health privacy laws that may actually provide protections above and beyond HIPAA (e.g. disclosure of mental health data or patient right to access).

3.2. Health Information Exchanges

For this study, we defined an HIE as any project or initiative focused around electronic health data exchange between two or more disparate organizations or stakeholders. To identify a comprehensive set of HIEs, we started from publicly available data from the eHealth Initiative’s (eHI) annual compilation of state, regional, and local HIE efforts (eHealth Initiative, 2005–2010). Additionally, we validated and condensed their list through online research and communications with HIE representatives. Lastly, we consolidated our data set with data from a national survey of Health Information Exchanges [17] to further validate our dataset and also to include more granular HIE characteristics (e.g. reliance on federal funding, number of patients covered, and type of data being shared). Through this process, we identified 313 HIE initiatives. At the end of 2009, 89 of these initiatives were operational and actively exchanging health information, 132 initiatives were still planning to become operational, and 92 had failed.1 A general overview of the distribution of operational HIEs across states is given in Figure 2 below:

Figure 2:

Figure 2:

Number of Operational HIEs by State

Figure 2 suggests that states with HIE activity seem to generally be the same states that have health disclosure laws (Figure 1). We present this only as an observation of correlation, acknowledging that the states identified in Figure 2 are likely correlated along other important dimensions as well (e.g. state population or resident wealth). Our data also demonstrates an uneven advancement of HIE efforts with nearly half of states having none to very little HIE activity. Also, we see some clustering of operational HIEs with 30% of operational HIEs contained within three states (New York, California, and Florida).

Building on this observational relationship, we examine the impact of the specific disclosure law of interest described earlier on the success and failure of HIEs using econometric models.

4. Modeling, Analysis, and Results

We present our modeling and results of a cross-sectional analysis using an aggregated dataset that summarizes all HIE activity during our time period of interest (2004–2009). This data set offers a robust picture of the degree of HIE activity in each state by the end of 2009. We also analyzed a set of additional variables that capture HIE progress and success. All of the measures we use in this analysis are reported in Table 1.

Table 1:

Measures of Interest with Respect to HIE Progress

Measure Description
Total HIEstate The total number of attempted HIEs
Operational HIEstate The total number of HIEs actively exchanging data
Failed HIEsstate The total number of failed HIEs
Operational Ratestate Total operational HIEs relative to the total attempted
Failure Ratestate Total failed HIEs relative to the total attempted
Time to OperationalHIE The time (months) it takes an exchange to reach operational status

For our analysis, we use general health disclosure laws as the independent variable of interest (summarized in Figure 1), because of their direct applicability to the sharing of health information, and because they have almost exclusively been passed prior to the substantial growth to HIE. We start by exploring the effect of health disclosure laws by looking at the number of Operational and Attempted HIEs in a state (Table 2a).

Table 2a:

Mean Total, Operational, and Failed HIEs by Health Disclosure Law

Measure Law No Law P-Val
Total HIE*** 9 4.1 0.0010
Operational HIE*** 3.095238 .8 0.0002
Failed HIE* 2.333333 1.43333 0.0638

We hypothesize that, as these are raw counts, there will also be strong state scale effects. It is not reasonable to compare counts of HIEs in Rhode Island and New York. Rhode Island may be sufficiently served by one HIE while New York, with its significantly larger population and geographic size, will likely pursue a greater number of HIE efforts. If these scale effects are correlated with health disclosure laws (Figure 1 suggests this may be the case) it may be driving some of the differences we initially see. Results normalized by population are presented in Table 2b.

Table 2b:

Mean Total, Operational, and Failed HIEs by Health Disclosure Law (Normalized by Population)

Measure Law No Law P-Val
Total HIE 14.05101 14.54214 0.4432
Operational HIE** 5.252693 2.494582 0.0199
Failed HIE** 2.414936 5.830914 0.0434

Table 2b confirms some of our suspicions: the difference between states in terms of the total number of HIEs fades away when scale effects are accounted for. However, states with health disclosure laws still exhibit more operational HIEs; this effect is robust to inclusions of scale effects. Most interestingly, we see that when we account for scale effects, we find the opposite effect on failed HIEs. That is, states with health disclosure laws had in effect less failed HIEs (p < .05). We then compare the operational and failure rates and time to operational status for states relative to health disclosure laws (Table 2c), and find that states with these laws have higher rates of operational HIEs, lower rates of failed HIEs, and take less time on average to reach operational status (although the difference for time to operation was not significant).

Table 2c:

Mean Time to Operation and Operational and Failure Rates by Health Disclosure Law

Measure Law No Law P-Val
Operational Rate*** .356678 .1721627 0.0075
Failure Rate* .2265268 .3590013 0.0557
Time to Operation 25.54386 29.68182 0.1748

An econometric model is used to further explore the relationship between HIEs activities and Health Disclosure Laws. This allows us to control for state population effects with Population and PopulationSquared, wealth effects with PerCapitaGDP, political orientation with DemocraticState, and technological sophistication measured by BroadbandAccess. The resulting model is presented below:

EconometricModel:DepVariables=β0+β1*HealthDisclosureLawstate+β2*Populationstate+β3*PopulationSquaredstate+β4*BroadbandAccessstate+β5*DemocraticStatestate+β6*PerCapitaGDPstate+μ

Note that this basic model does not provide an estimate of the causal effect of these laws. This is due to potential bias from both relevant omitted variables and unobservable variables that are correlated with both a state’s likelihood to pass these laws and also have successful HIE efforts. For example, general attitudes and motivations towards the advancement of the healthcare field are likely to vary across states. It is also possible that these attitudes are also correlated with health privacy sensitivities, driving the observed correlation between HIE success and health disclosure laws. In order to identify the casual effects of health disclosure laws, we perform additional analysis using instrumental variables (IV). We use instruments proposed by Miller and Tucker (2009), which are measures of state opposition to the federal Real ID2 initiative and the percent of households in a state that subscribe to the “Do Not Call” List3 (they also evaluate the validity of these instruments in a similar context to ours). We also introduce a new instrument for this analysis, which is whether a state has passed a law prohibiting employer discrimination based on sexual orientation. This instrument differs from our other instruments in that it does not have a direct privacy link. However, the passage of employee discrimination laws may be correlated with state health privacy protections due to underlying consumer protection sentiments in a state (employees and patients in this case). The underlying premise for this analysis is that these IVs are correlated with the privacy protections in a state but uncorrelated with potential confounders, such as state funding for HIEs, EMR adoption, or general attitudes towards the healthcare industry.

The claim that our IV’s are uncorrelated with potential confounds to our analysis is not trivial as we may be concerned that our IVs are correlated with state characteristics that also drive HIE outcomes. For example, it may be the case that both our health disclosure laws and IVs are correlated with educational levels in a state, which are the true driver of the positive HIE outcomes we observe. We investigate this argument and find that indeed our IVs are correlated with state educational levels. However, educational outcomes are also very highly correlated with our PerCapitaGDP control and other covariates and are thus captured in our model. In fact, inclusion of measures of advanced degrees in our model does not provide any additional predictive power with respect to HIE activities.

We may also be concerned that our IV’s could be correlated with the age structure in a state. This may be relevant as healthcare costs are skewed heavily towards the higher ages with a large portion of an individuals healthcare expenses coming later in life. This shift in healthcare costs may in turn drive motivations and incentives for HIE development. Using a measure of the percent of the population over 65, we actually do not find strong support for a correlation between the age structure and our IV’s. Additionally, when we include the measure of “individuals over 65” in our model it does not provide any additional predictive power.

Lastly, we may argue that our some of our IVs may be correlated with the technological sophistication of a state. This is somewhat supported as we find that state “Do Not Call List” participation is positively correlated with the measure of broadband access in a state (which is a control in our model). We also considered various measures of state computer services GDP to help capture state technological sophistication, but found that they did not provide any additional predictive power.

In Table 3a, we report estimates from Model 1, using standard Poisson estimates with our raw counts (columns 1,4,7), and normalized counts (columns 2,5,8), and using our IV Poisson approach (columns 3,6,9).

Table 3a:

Evaluation of Total HIEs, Operational HIEs, and Failed HIEs counts

Total HIE Operational HIE Failed HIE
(1) (2) (3) (4) (5) (6) (7) (8) (9)
Stnd. Normal IV Stnd. Normal. IV Stnd. Normal IV
Disclosure Law 0.133 (0.79) 0.323 (1.70)* 0.691 (1.49) 0.741 (2.51) ** 1.067 (2.94) *** 1.491 (1.91) * −0.417 (1.81)* −0.753 (2.51)** −0.047 (0.07)
Population 0.164 (8.17) *** −0.104 (3.07) *** 0.199 (6.37) *** 0.163 (4.29) *** −0.105 (1.79)* 0.179 (2.56)** 0.165 (6.32) *** −0.083 (1.36) 0.226 (3.31) ***
Population Squared −0.003 (6.50) *** 0.002 (2.31)** −0.004 (5.33) *** −0.003 (3.28) *** 0.002 (1.27) −0.004 (2.05)** −0.002 (4.00) *** 0.002 (1.46) −0.004 (2.62) ***
Per Capita GDP 0.005 (1.91)* 0.013 (7.02) *** 0.008 (3.07) *** 0.006 (0.96) 0.019 (3.79) *** 0.009 (1.49) 0.003 (0.86) 0.008 (2.39) ** 0.003 (0.69)
Observations 51 51 51 51 51 51 51 51 51
*

significant at 10%;

**

significant at 5%;

***

significant at 1% Standard error in brackets. Control variables not reported.

To further explore HIE progress we use a Probit regression to estimate the impact of health disclosure laws on HIE operational and failure rates (Table 3b).

Table 3b:

Evaluation of Operational and Failure Rate

Operational Rate Failure Rate
(1) (2) (3) (4)
Standard IV Standard IV
Disclosure Law 0.464 (2.39)** 0.513 (2.25)** −0.427 (2.48)** −0.421 (1.83)*
Population 0.001 (0.02) 0.006 (0.20) −0.000 (0.00) 0.001 (0.02)
Population Squared −0.000 (0.15) −0.000 (0.28) 0.001 (1.04) 0.000 (0.89)
Per Capita GDP 0.001 (0.34) −0.002 (0.25) −0.002 (0.56) −0.002 (0.22)
Observations 313 313 313 313
*

significant at 10%;

**

significant at 5%;

***

significant at 1% Standard error in brackets. Control variables not reported.

The results presented in Table 3a and 3b generally confirm what we find in our initial analyses. We see a positive and significant coefficient on Disclosure Law when looking at the number of operational HIEs and Operational Rates. We also see a significant and negative coefficient on Disclosure Law for both number of failed HIEs and Failure Rates. These results are generally robust to inclusion of our IVs.

Lastly, we estimate our model looking at the time it takes an HIE to become operational and present our results using standard Poisson regression in column 1 and IV Poisson regression 2 in Table 3c below. The negative coefficients on Disclosure law for both standard estimates in column 1 and IV estimates in column 2 is evidence 30–40% reduction in time reaching operational status for states with health disclosure laws. While IV analysis is useful for identifying casual effects, the method adds noise to our estimates resulting in lower significance for our coefficients of interest. Several of our estimates becomes weakly significant (P>.05) with the inclusion of our instruments but all are directionally consistent with the estimates using the basic analysis.

Table 3c:

Evaluation of HIE Time (Months) to Operation

Time to Operation (Months)
(1) (2)
Standard IV
Disclosure Law −0.284 (−1.96)** −0.436 (1.76)*
Population −0.047 (−3.17)*** −0.041 (2.27)**
Population Squared 0.002 (4.68)*** 0.002 (3.21)***
Per Capita GDP 0.031 (3.65)*** 0.022 (2.31)**
*

significant at 10%;

**

significant at 5%;

***

significant at 1% Standard error in brackets. Control variables not reported.

5. Discussion and Conclusions

This study evaluates the impact of health disclosure laws on HIE progress and success utilizing a commonly used econometric approach intended to isolate causal effects. We consistently find that adoption of laws intended to protect patient privacy results in an increase in operational HIEs and fewer failed HIEs. We also present evidence suggesting that states with strong patient privacy protections have better success and lower failure rates of HIE efforts and take less time to reach operational status.

The positive effect of privacy protection on the adoption and success of health information exchange initiatives may seem counter intuitive and surprising, particularly given the existing work demonstrating the negative effect of privacy legislation on the adoption of electronic medical records. However, these results do not necessarily contradict previous work: health information exchange progress can be quite different from the adoption of electronic medical records due to the inter-organizational relationships required, and as such may have dissimilar interactions with health disclosure laws. For example, privacy concerns associated with HIE may be substantially more obvious and salient to patients and regulators when compared to EMR adoption.

In addition to assuaging HIE participant concerns about the liability of sharing their data, strong privacy protections could encourage HIE progress for several other reasons. For instance, given that data privacy sensitivities exist even in states with weaker legislative protections, state with more prescriptive legislation dealing with privacy may result in a less ambiguous operating environment for HIEs. Also, restrictive legislative environments may in effect force the “privacy issue,” resulting in HIEs that tackle privacy concerns early on in their development, engaging the local community, and creating mitigating technological solutions and policies. Future work could further evaluate these hypotheses by collecting and contrasting privacy sentiments and policies adopted by exchanges across states with and without health disclosure legislation. Additionally, we may evaluate rates and breadth of patient and provider participation in exchanges with health disclosure laws vs. those without.

The results presented in this manuscript have implications for policy makers at both the state and federal level. Often, technological progress and privacy protection sit on opposite ends of the negotiating table. These concerns may be increasingly salient in the case of HIEs given their direct privacy implications, and the considerable attention that has been given to various privacy and security concerns. The results in this paper suggest that in the context of HIEs, stronger protections seem to promote the development and success of these efforts.

Footnotes

1

A small minority of exchanges (6%) reported sharing of health data across state lines as of 2009. Because it is a rare occurrence in our time-period of analysis (end of 2009), we only considered an HIE’s state of origin and did not include that dimension in the analysis for this manuscript. Exclusion of the exchanges with interstate activities did not impact our results.

2

We thank Hal Varian and Fredrik Wallenberg for sharing the data with us.

3

These data come from the ACLU website http://www.realnightmare.org.

References


Articles from AMIA Annual Symposium Proceedings are provided here courtesy of American Medical Informatics Association

RESOURCES