Policy Points: Historically, in addition to economic and technical hurdles, state and federal health information privacy laws have been cited as a significant obstacle to expanding electronic health information exchange (HIE) in the United States. Our review finds that over the past decade, several helpful developments have ameliorated the legal barriers to HIE, although variation in states' patient consent requirements remains a challenge. Today, health care providers' complaints about legal obstacles to HIE may be better understood as reflecting concerns about the economic and competitive risks of information sharing.
Context: Although the clinical benefits of exchanging patients' health information electronically across providers have long been recognized, participation in health information exchange (HIE) has lagged behind adoption of electronic health records. Barriers erected by federal and state health information privacy law have been cited as a leading reason for the slow progress. A comprehensive assessment of these issues has not been undertaken for nearly a decade, despite a number of salient legal developments.
Methods: Analysis of federal and state health information privacy statutes and regulations and secondary materials.
Findings: Although some legal barriers to HIE persist, many have been ameliorated, in some cases simply through improved understanding of what the law actually requires. It is now clear that the Health Insurance Portability and Accountability Act presents no obstacles to electronically sharing protected health information for treatment purposes and does not hold providers who properly disclose information liable for privacy breaches by recipients. The failure of federal efforts to establish a unique patient identifier number does slow HIE by inhibiting optimal matching of patient records, but other action to facilitate matching will be taken under the 21st Century Cures Act. The Cures Act also creates the legal architecture to begin to combat "information blocking." Varying patient consent requirements under federal and state law are the most important remaining legal barrier to HIE progress. However, federal rules relating to disclosure of substance-abuse treatment information were recently liberalized, and development of a technical standard, Data Segmentation for Privacy, or DS4P, now permits sensitive data requiring special handling to be segmented within a patient's record. Even with these developments, state-law requirements for patient consent remain daunting to navigate.
Conclusions: Although patient consent requirements make HIE challenging, providers' expressed worries about legal barriers to participating in HIE likely primarily reflect concerns that are economically motivated. Lowering the cost of HIE or increasing financial incentives may boost provider participation more than further reducing legal barriers.
Keywords: electronic health record; health information exchange; health information technology; legal.
© 2018 Milbank Memorial Fund.