Privacy rules slow adoption of electronic medical records

Choice for policy makers may be between tough patient privacy rules and speedy EMR enactment

In a study that is unlikely to find favor among privacy advocates, researchers from two academic institutions warned that increased privacy protections around health data will hamper the adoption of electronic medical records systems.

The study (abstract), conducted by researchers at MIT and the University of Virginia, said adoption of EMR is often slowest in states with strong medical privacy protections.

On average, up to 30% fewer hospitals adopted EMR in states where they were forced to operate under strong privacy laws compared to hospitals in states with less stringent privacy requirements. That's because privacy protections often made it harder and more expensive for hospitals to exchange and transfer patient information, thereby reducing the value proposition of an EMR system, the study found.

"Despite EMR's effectiveness at reducing medical errors and improving baseline indicators of patient health, hospitals are deterred from adopting it by strong healthcare privacy laws," the study claimed.

The results of the research, which looked at EMR adoption in 19 states over a 10-year period, was originally presented at a Federal Trade Commission workshop in April 2008. It was publicly released only this week following its acceptance in the journal Management Science, an MIT spokesman said.

The research suggests that there's a tradeoff between achieving fast adoption of EMR and strong health-care privacy, said Catherine Tucker, an assistant professor of marketing at MIT's Sloan School of Management and one of the report's authors. In general, while medical privacy is a good thing, it doesn't always allow for quick adoption of EMR systems, Tucker said.

"What we found was that privacy laws are getting in the way of hospitals'" trying to exchange information with each other, she said. "Policy makers are going to have to choose how much EMR adoption they want and at what cost to patient privacy."

It's a viewpoint that is unlikely to sit well with privacy advocates, who are already nervous about the accelerated move to a nationwide EMR system under a health-care modernization program announced by President Obama earlier this year.

The Health Information Technology for Economic and Clinical Health Act was introduced by Obama as part of the economic stimulus package earlier this year. It provides US$20 billion for the creation of a national electronic health records system that would fundamentally improve the way in which health information is electronically accessed, stored and shared.

Health care security experts and privacy advocates cautiously lauded the bill for the many provisions it includes for protecting patient health care data. However, they claimed it doesn't go far enough in addressing all the privacy concerns raised by EMR systems, although they have acknowledged the bill is a step in the right direction.

Among the welcomed provisions are those that require health-care entities and professionals to implement better controls for who can access and share different categories of health-care information. Also seen as long overdue is a provision that prohibits health-care providers from selling protected health information in electronic medical records and imposes limitations on marketing such data.

Such requirements have been considered long delayed in the health-care sector. "However, if the end result of Obama's new privacy legislation is to add extra layers of complexity and necessitate hospital-specific customization of privacy filters then there is the potential for there to be a negative effect," Tucker said.

Hospitals and other health-care entities are often reluctant to implement an EMR system if it requires a lot of customization work upfront to accommodate privacy requirements, she said. For example, if a state law allows only specific groups of people within an organization to access specific kinds of medical information, a hospital might need to implement filters and access controls to comply with the requirement, she said. Such customization also can be costly, which is another factor that results in slower adoption of EMR in states with stringent privacy requirements, Tucker said.

Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, blasted the study's conclusions. She said the study was based on old data and did not consider all of the factors that a health-care entity would typically look at when deciding whether to adopt an EMR system.

The study simply looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions, McGraw said. What it doesn't appear to have done is to examine whether other important factors, such as funding and business value, might have also had an impact on EMR adoption. Often health-care entities point to these two issues as being the two most important considerations when making decisions on EMR systems, she said. As a result, the study is "not of much value," she said.

"We just had $19 billion put on the table by the federal government to spur adoption of electronic medical records," McGraw said. "There's been an acknowledgement by this Congress that you need privacy protections," for people to begin trusting their health-care data to EMR systems. Trying to suggest at this stage that policy makers might have to choose between privacy and speedy adoption of EMR is disingenuous, she said.