the impact of privacy regulation and technology incentives ...acquisti/papers/adjerid... · patient...

This article was downloaded by: [128.237.116.93] On: 16 March 2018, At: 08:44Publisher: Institute for Operations Research and the Management Sciences (INFORMS)INFORMS is located in Maryland, USA

Management Science

Publication details, including instructions for authors and subscription information:http://pubsonline.informs.org

The Impact of Privacy Regulation and TechnologyIncentives: The Case of Health Information ExchangesIdris Adjerid, Alessandro Acquisti, Rahul Telang, Rema Padman, Julia Adler-Milstein

To cite this article:Idris Adjerid, Alessandro Acquisti, Rahul Telang, Rema Padman, Julia Adler-Milstein (2016) The Impact of Privacy Regulationand Technology Incentives: The Case of Health Information Exchanges. Management Science 62(4):1042-1063. https://doi.org/10.1287/mnsc.2015.2194

Full terms and conditions of use: http://pubsonline.informs.org/page/terms-and-conditions

This article may be used only for the purposes of research, teaching, and/or private study. Commercial useor systematic downloading (by robots or other automatic processes) is prohibited without explicit Publisherapproval, unless otherwise noted. For more information, contact [email protected].

The Publisher does not warrant or guarantee the article’s accuracy, completeness, merchantability, fitnessfor a particular purpose, or non-infringement. Descriptions of, or references to, products or publications, orinclusion of an advertisement in this article, neither constitutes nor implies a guarantee, endorsement, orsupport of claims made of that product, publication, or service.

Copyright © 2015, INFORMS

Please scroll down for article—it is on subsequent pages

INFORMS is the largest professional society in the world for professionals in the fields of operations research, managementscience, and analytics.For more information on INFORMS, its publications, membership, or meetings visit http://www.informs.org

http://pubsonline.informs.org

https://doi.org/10.1287/mnsc.2015.2194

https://doi.org/10.1287/mnsc.2015.2194

http://pubsonline.informs.org/page/terms-and-conditions

http://www.informs.org

MANAGEMENT SCIENCEVol. 62, No. 4, April 2016, pp. 1042–1063ISSN 0025-1909 (print) ISSN 1526-5501 (online) http://dx.doi.org/10.1287/mnsc.2015.2194

© 2016 INFORMS

The Impact of Privacy Regulation and TechnologyIncentives: The Case of Health Information Exchanges

Idris AdjeridMendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556, [email protected]

Alessandro Acquisti, Rahul Telang, Rema PadmanH. John Heinz III Heinz College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213

[email protected], [email protected], [email protected]

Julia Adler-MilsteinSchool of Information, University of Michigan, Ann Arbor, Michigan 48109 [email protected]

Health information exchanges (HIEs) are healthcare information technology efforts designed to foster coordi-nation of patient care across the fragmented U.S. healthcare system. Their purpose is to improve efficiency

and quality of care through enhanced sharing of patient data. Across the United States, numerous states haveenacted laws that provide various forms of incentives for HIEs and address growing privacy concerns associ-ated with the sharing of patient data. We investigate the impact on the emergence of HIEs of state laws thatincentivize HIE efforts and state laws that include different types of privacy requirements for sharing healthcaredata, focusing on the impact of laws that include requirements for patient consent. Although we observe thatprivacy regulation alone can result in a decrease in planning and operational HIEs, we also find that, whencoupled with incentives, privacy regulation with requirements for patient consent can actually positively impactthe development of HIE efforts. Among all states with laws creating HIE incentives, only states that combinedincentives with consent requirements saw a net increase in operational HIEs; HIEs in those states also reporteddecreased levels of privacy concern relative to HIEs in states with other legislative approaches. Our resultscontribute to the burgeoning literature on health information technology and the debate on the impact of pri-vacy regulation on technology innovation. In particular, they show that the impact of privacy regulation on thesuccess of information technology efforts is heterogeneous: both positive and negative effects can arise fromregulation, depending on the specific attributes of privacy laws.

Keywords : privacy; information systems; IT policy and management; economics of information systems;healthcare

History : Received April 19, 2012; accepted December 16, 2014, by Anandhi Bharadwaj, information systems.Published online in Articles in Advance November 13, 2015.

1. IntroductionThe U.S. healthcare system is in the midst of an infor-mation technology revolution. Adoption of electronicmedical record (EMR) systems is quickly rising (Officeof the National Coordinator for Health InformationTechnology 2012). In parallel, health informationexchanges (HIEs) have emerged. HIEs provide infor-mation technology solutions that allow electronicinformation sharing between otherwise disconnectedhealthcare organizations. They are intended to facil-itate the exchange of patient health informationbetween hospitals belonging to different health sys-tems or distinct physician practices. In turn, thisenables patients’ health records to electronically fol-low them between care settings. HIEs are viewedas a particularly critical investment because muchof the anticipated efficiency and quality gains fromEMRs come from the ability to support the electronicexchange of patient data across healthcare providers

(Walker et al. 2005). Without HIEs, data are trappedin individual institutions, thereby inhibiting coordina-tion of care, resulting in avoidable medical errors, anddriving up costs from duplicative utilization. This hasresulted in substantial legislative activity1 aimed atrealizing the vision of nationwide adoption of EMRscoupled with the ability to exchange data betweenthem (Blumenthal 2010).

Legislative efforts have focused on creating a favor-able environment in which HIEs can flourish. Therationale for government involvement is that HIEshave experienced both slow growth rates and highfailure rates across the United States (Adler-Milsteinet al. 2009, 2011). Research on the underlying causesof these failures revealed an array of barriers to the

1 See, e.g., the Health Information Technology for Economic andClinical Health (HITECH) Act of 2009, Pub. L. No. 111-5, 123 Stat.226 (2009); and the Patient Protection and Affordable Care Act of2010, Pub. L. No. 111-148, 124 Stat. 119 (2010).

1042

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.

mailto:[email protected]





Adjerid et al.: The Impact of Privacy Regulation and Technology IncentivesManagement Science 62(4), pp. 1042–1063, © 2016 INFORMS 1043

development of HIE efforts. Central among them arechallenges related to financial sustainability (NationaleHealth Collaborative 2011, Vest and Gamm 2010,eHealth Initiative 2005–2010) and issues related topatient privacy (Simon et al. 2009, McDonald 2009,McGraw et al. 2009). These challenges have spurred25 states (as well as the District of Columbia) toenact legislation to incentivize HIE efforts (e.g., byproviding funding for HIE efforts), address privacyconcerns, or, most often, both. However, the bestapproach to ameliorating the issues associated withHIE efforts remains unclear. In particular, HIEs havespurred significant debate over the appropriate bal-ance of patient privacy and the potential gains tohealthcare providers and their patients. The sensitiv-ity of the digital health information that is exchangedby HIEs has made the role of patient consent espe-cially contentious.

One side of the debate is that consent require-ments add administrative costs and restrict theavailability of patient information (National eHealthCollaborative 2011, Pritts et al. 2009). By contrast,Simon et al. (2009) find that patients felt that theirconsent should be obtained for the exchange ofhealth information (i.e., an opt-in system); a systemthat assumed their willingness to participate with-out obtaining explicit consent (i.e., an opt-out system)would not be acceptable. Thus, policy makers seekingto foster the growth of HIE efforts face the same chal-lenge that emerges in other industries: how to addressprivacy concerns without overregulating the disclo-sure of personal information and stifling the growthand emergence of valuable information technologyefforts reliant on it.

Careful empirical literature related to that chal-lenge has been recently emerging. Work by Miller andTucker (2009) finds that the presence of privacy reg-ulation inhibits technology adoption by hospitals. Insubsequent work, Miller and Tucker (2011) accountfor some of the variation in the statutory require-ments of privacy regulation and hospital character-istics, and they identify some heterogeneous effectsof privacy regulation.2 Adopting a similarly granularapproach to measuring privacy regulation, we explorewhether different forms of privacy regulation enableor impede HIE efforts. Extending prior work, we dif-ferentiate between states that coupled privacy regula-tion with HIE incentives and those that did not. Weposit that incentives could offset the significant costsassociated with HIE efforts, including those that arise

2 For instance, they find that, although privacy regulation mostoften negatively impacted hospital technology adoption, it also hada positive effect on adoption in some cases (e.g., when laws hadlimits on redisclosure).

from varying degrees of privacy regulation. We eval-uate the impact of these laws compared to states withno laws pertaining to HIE efforts.

Our empirical strategy takes advantage of thefact that across different states policy makers haveapproached HIE challenges in different ways, enact-ing legislation that varied both in terms of the incen-tives they create for HIEs, and in terms of the typesof privacy protections they afford to patient dataexchanged through HIEs. Specifically, some statesenacted legislation with HIE incentives alongsiderequirements for patient consent while other statesenacted legislation with HIE incentives but with pri-vacy regulation that did not require consent. Yet otherstates enacted legislation with HIE incentives but noprivacy regulation or only privacy regulation, or theydid not enact relevant legislation at all. Our workleverages this variation to evaluate the impact of thislegislation—in particular, the variation in privacy pro-tection afforded by these laws—on the propensity ofregional healthcare markets to have an HIE workingtoward exchange capabilities (planning HIE) or anHIE that is actively exchanging patient health infor-mation between healthcare entities (operational HIE).We use semiannual data from a six-year period (2004–2009) to compare the probability of a hospital refer-ral region (HRR)3 having an HIE in the planning oroperational stage across states with variation in theextent to which legislation provided patients the rightto consent to the exchange of their data by the HIE.We disentangle the impact of consent requirementsfrom HIE incentives using between-state and across-time variation in consent requirements and regula-tions providing HIE incentives. We include HRR andtime fixed effects and control for relevant observables(e.g., other elements of the laws, differences in HRRwealth, populations, health information technology(IT) adoption).

Although we show that privacy regulation withoutincentives had a negative effect on HIE efforts, wealso find that privacy regulation, particularly regula-tion that includes consent requirements, was a nec-essary condition for incentives to positively impactHIE efforts. Incentives coupled with privacy regula-tion that included requirements for patient consentresulted in a 47% increase in the propensity of anHRR having a planning HIE and a 23% increase inthe propensity of an HRR having an operational HIE.By contrast, incentives without any privacy regula-tion resulted in no measurable gain in the propensityof HRRs having planning or operational HIEs, and

3 HRRs are areas defined by the Dartmouth Atlas for Healthcare asregional healthcare markets for tertiary medical care that contain atleast one hospital that performs major cardiovascular proceduresand neurosurgery (Wennberg and Cooper 1996, p. 201).

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.

Adjerid et al.: The Impact of Privacy Regulation and Technology Incentives1044 Management Science 62(4), pp. 1042–1063, © 2016 INFORMS

incentives coupled with privacy regulation that didnot include consent requirements resulted in either nogains (e.g., for planning HIEs) or comparably mod-est gains (a 9% increase in the propensity of an HRRhaving an operational HIE) that only offset but didnot overcome the baseline negative effects of privacyregulation. As a result, of all attempts to incentivizeHIE efforts, only those coupled with privacy regula-tion including consent requirements resulted in a netgain in HIE efforts. Specifically, HRRs in these statessaw an 11% net increase in the propensity of havingan operational HIE.

Our findings are bolstered by the fact that we donot find evidence that HIE laws are passed as aresult of increased HIE activity (i.e., reverse causa-tion). We find consistent results when we considerthe impact of unobservable state characteristics thatmay be correlated with the passage of HIE incentives(such as changes in political attitudes or public opin-ion toward the importance of health IT). Moreover,we find no correlation between consent requirementsand the availability of funding or the number ofpatients covered by an HIE. We theorize that this sur-prising interplay between HIE incentives and consentrequirements may be due to an association betweenincentives and privacy concerns. Specifically, we positthat incentives may be associated with an increasedattention to and salience of HIE privacy concerns,which inhibits their effectiveness when they are notcoupled with comprehensive privacy regulation (e.g.,regulation with consent requirements). We find evi-dence in support of this interpretation: HIEs in stateswith incentives but no consent requirements were sig-nificantly more likely to report that privacy was amajor challenge in their development relative to HIEsin states with other legislative approaches (includ-ing no law). By contrast, HIEs in states with con-sent requirements reported the lowest level of privacyconcerns.

Our work contributes to two streams of literature.One stream relates to the adoption and the diffusionof IT in healthcare—in particular, the factors and bar-riers that impact their adoption (Angst and Agarwal2009, Angst et al. 2010, Anderson and Agarwal 2011).Specific to HIEs, numerous national surveys havesuggested that health privacy issues are some ofthe most significant barriers to HIE efforts (eHealthInitiative 2005–2010, Adler-Milstein et al. 2009, 2011).As a result, research has also focused on how toaddress privacy concerns associated with informa-tion technology in healthcare and HIE in particu-lar (Greenberg et al. 2009, McDonald 2009, McGrawet al. 2009). Within this stream of literature, which islargely nonempirical, experts disagree on the appro-priate solution for addressing privacy concerns. Toour knowledge, our work is the first to empirically

evaluate the impact on the emergence of planning andoperational HIEs of varying approaches to privacyregulation.

Another stream relates to the economic and policyliterature evaluating the impact of privacy protectionson technological progress. Numerous consumer ser-vices thrive today thanks to the exchange and useof personal—and sometimes sensitive—information.The risks associated with the potential misuse ofthat information, however, have fueled a debate overthe best approach to protecting consumers’ privacyand the role of regulation in that protection (Solove2004, Lenard and Rubin 2005). This has led to asmall but growing body of careful empirical analy-ses of that relationship (e.g., Miller and Tucker 2009,2011; Goldfarb and Tucker 2011). We extend thatwork in various ways. First, this literature has eitherfocused on contexts where technology incentives didnot exist or (as in the case of work in the contextof health IT) predated a paradigm shift in the pol-icy approach toward promoting health IT. Focusingon the interaction of various forms of privacy reg-ulation with previously unstudied attempts to pro-mote information technology efforts in healthcare, wedocument a surprising interplay between state initia-tives aimed at incentivizing HIE efforts and privacyregulation. We find that HIE incentives consistentlyoffset the negative baseline effects of privacy regu-lation on HIEs and, more surprisingly, that incen-tives were more effective in doing so when coupledwith privacy regulation that included consent require-ments. This suggests that the potential fixed coststhat arise from regulatory privacy protection may beproactively managed by accompanying incentives forinformation technology efforts. Interestingly, couplingmore comprehensive privacy protections (e.g., con-sent requirements, which seemingly impose highercosts on HIEs) with HIE incentives may sometimesbe preferred if those protections alleviate privacy con-cerns that dampen the propensity of incentives toenable HIE efforts. Furthermore, research is emerg-ing that points to heterogeneous effects of privacyregulation on information technology efforts (e.g., thenet effect of privacy regulation on hospital IT adop-tion may depend on the number of hospitals in acounty; see Miller and Tucker 2011). By documentingthe differential impacts on HIE efforts of privacy reg-ulation with and without incentives, we extend theunderstanding of the heterogeneous effects of privacyregulation on technology efforts. Thus, the findingspresented here suggest that regulators may have anopportunity to provide meaningful privacy protectionto patients while encouraging the growth and suc-cess of valuable information technology efforts. Forinstance, legislative efforts such as the HITECH Actof 2009, which couple significant incentives for health

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


IT with enhanced privacy protections for patients,may offer an effective approach toward providingimproved patient privacy protections while encourag-ing the growth of valuable health information tech-nology solutions.

2. BackgroundThe healthcare delivery system in the United Statesis highly fragmented. Most people, over their life-time, receive care from multiple medical providerswho practice in unaffiliated settings. As a result, dif-ferent pieces of a patient’s medical history residein the various places in which they received care,forcing medical providers to make clinical decisionswith incomplete information. This can contribute toa range of negative patient consequences, includ-ing missed diagnoses, duplicative testing, dangerouscombinations of medications, and poor care coordi-nation. Prompted by estimates of gains in quality4

and efficiency5 of patient care, enabling clinical datato electronically follow patients between care deliverysettings has gained substantial support. In particular,in recent years, there has been an increase in efforts tofacilitate electronic exchange of patient data via HIEs.

HIEs are information technology service organiza-tions that provide a governance framework and tech-nology solution for exchanging patient data. Entitieswith clinical data, such as hospitals, physician prac-tices, and laboratories (“healthcare entities”), are themost common participants in an HIE, and they mostoften send and receive test results as well as caresummaries.

HIE development typically occurs in two stages:planning and operational. In the planning stage, agroup of healthcare stakeholders in a given com-munity initially come together informally to discussthe problem of care fragmentation and how best toaddress it. This is typically initiated by a large stake-holder in the community, either a healthcare deliveryorganization (e.g., a large hospital) or a payer (e.g.,an insurer or large employer). If there is agreement to

4 Gains in quality of care may be realized from the increased avail-ability of comprehensive health information, which should allowclinicians to make better treatment decisions and fewer mistakes.This benefit would be especially salient in the emergency care con-text, in which the patient may not be able to report preexistingconditions or drug allergies (Vest and Gamm 2010).5 Health information exchanges have the potential to significantlydecrease the costs of providing healthcare. Walker et al. (2005) esti-mate that, when fully implemented, health information exchangescould yield approximately $78 billion in annual savings fromadministrative efficiencies and reducing redundant utilization. Jhaet al. (2009) estimate that, in the United States, eliminating avoid-able instances of injury to a patient resulting from a medicalintervention, such as administering the wrong medication, andredundant medical tests would save over $24 billion per year.

move forward into a more formal planning phase, thisoften proceeds in one of two ways: either a third-partyorganization is established or identified to serve as aformal HIE entity or one of the stakeholders agrees toserve as the lead entity. In our data set, two-thirds ofefforts operated as established, independent organi-zations and the remaining one-third operated directlyfrom within another organization (typically a hospi-tal or health system that spearheaded the effort). Theformal planning phase consists of an array of inter-related decisions that include conducting an envi-ronmental scan and needs assessment, establishinga mission and goals, setting up a governance struc-ture, establishing legal and information sharing agree-ments, deciding on an approach to protect patientprivacy (including patient consent), developing a sus-tainability plan and identifying revenue streams thatat least cover operating costs, marketing to a broadergroup of potential stakeholders, and developing atechnical infrastructure.6

The second stage begins when an HIE effort reachesoperational status with a functional technology andadministrative infrastructure and data start to beexchanged between healthcare entities. Although thisis considered a key milestone, HIEs in this stage con-tinue efforts to increase participation from healthcareentities: increasing the quantity and quality of patientdata available through an HIE makes the expectedbenefits of exchange more likely and also helps HIEsto achieve financial sustainability (only 33% of opera-tional exchanges in our data set reported covering thecost of operating an HIE with participant fees alone).

The last decade has seen significant growth inHIE activity, including the number of planned HIEsand an increasing number of HIEs that are opera-tional: in our data, we observe 15 total HIEs nation-wide in 2004, compared to 143 by the end of 2009.Despite substantial potential benefits, HIEs are notyet widespread, and many attempts to establish HIEshave failed (Adler-Milstein et al. 2009, 2011). This hasspurred a growing body of work evaluating barri-ers to HIEs, which suggests that they have been hin-dered by financial sustainability challenges stemmingfrom misaligned incentives from competing health-care entities and patient privacy concerns (eHealthInitiative 2005–2010, Adler-Milstein et al. 2009, 2011).

2.1. HIE IncentivesNumerous HIEs have struggled to develop a sustain-ability plan and identify revenue streams. In part,this is due to misaligned incentives for HIE partici-pants (who are the primary source of HIE revenue)and the significant cost attached to the administra-tive and technical infrastructure necessary to facili-tate exchange. Although healthcare entities can derive

6 See National Rural Health Resource Center (2015).

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


some value from participating in an HIE (e.g., bet-ter quality of patient care), under the predominanthealthcare reimbursement model of fee-for-service,redundant care translates into revenue, and physi-cians have little incentive to avoid care if they believeit is of even marginal value. Worse, HIE makes iteasier for patients to switch healthcare providers,potentially resulting in some hospitals and physicianslosing patients. Moreover, healthcare entities (e.g.,hospitals and physician practices) are expected to payfor HIE when those paying for care accrue much ofthe benefit. For example, if a physician avoids order-ing a redundant test because he or she has access tothe results of a diagnostic test performed in a differ-ent setting, the physician (or laboratory) loses revenuewhile the payer (and, downstream, the patient) accruethe savings. The challenges in sustaining HIE effortsthat stem from these misaligned incentives for health-care entities have been exacerbated by the high costsof HIE efforts, with considerable resources requiredto develop administrative and technical infrastructurethat meets regulatory requirements (e.g., privacy reg-ulation) while also addressing the concerns and needsof various HIE stakeholders. These challenges haveled some to argue that HIE should be treated as apublic good with support from the government (e.g.,Vest and Gamm 2010).

A number of states have heeded these calls,enacting legislation that attempts to alleviate theseconcerns by incentivizing HIE efforts. Specifically,various state legislations included general provisionsaimed at reducing the costs (financial, legal, man-agerial, coordination, or otherwise) associated withpursuing a health information exchange effort in thestate. These laws and their typical provisions aredescribed in more detail in §4.2.

2.2. HIEs and PrivacyIssues of privacy are among the most widely citedbarriers to HIE formation (Simon et al. 2009) andhave materialized as significant costs to HIEs. HIEsdiffer from other forms of health IT (e.g., EMRs) inways that have important implications for patientprivacy. First, HIEs facilitate the exchange of infor-mation between multiple, unaffiliated organizations;thus the risk to the privacy of health informationand associated concerns expressed by consumersmay be substantially greater than with other tech-nologies. Also, HIEs are predicated on the idea ofexchanging individual personal health information asopposed to aggregated population-level data, mak-ing privacy concerns salient and relevant. Theseunique challenges have spurred a stream of liter-ature evaluating how to best address privacy con-cerns while still encouraging HIE efforts (Greenberget al. 2009, McDonald 2009, McGraw et al. 2009).

Scholars have expressed differing opinions about theappropriate way to address privacy concerns asso-ciated with HIEs. For example, Greenberg et al.(2009) and McDonald (2009) agree that federal pro-tections need to be revisited in light of a poten-tial nationwide health information network, which isenvisioned to ultimately link regional and state-levelHIEs; however, they differ on the need to updatestate protections. McDonald (2009) suggests that newrestrictions beyond the protection afforded by theHealth Insurance Portability and Accountability Actof 1996 (HIPAA) would interfere with efficient andsafe care. Greenberg et al. (2009) advocate updates tostate legislation to better address privacy issues spe-cific to HIEs. The ramifications of this debate can beobserved in the significant heterogeneity in how stateshave tackled HIE privacy challenges. The variation inprivacy regulation is described in more detail in §4.2.

3. Theory: Privacy Regulation,Incentives, and HIE Efforts

Although the stakeholders initiating HIE efforts andthe specific model they pursue can vary, the mech-anism underlying the choice of stakeholders to startplanning for exchange and whether or not an HIEbecomes operational is the same: HIEs can only cre-ate value if healthcare entities (i.e., those with clinicaldata) participate in an HIE, which typically involvesadhering to the terms set forth by the HIE and usingits offered technology solutions to receive and sendpatient health information. The choice of healthcareentities to participate in an HIE is driven by anassessment of the costs and benefits that they willaccrue. For example, a hospital would incur tech-nical costs, participation fees, and potential loss ofpatients as a result of reduced switching costs, aswell as the increased legal risk from a data breachor misuse of patient data. This would be weighedagainst potential quality and efficiency gains fromelectronic access to more complete information abouttheir patients, as well as reputational benefits fromjoining a community-based effort to improve carecoordination. In addition, a broader group of stake-holders, which do not deliver care, may stand tobenefit from cost reductions as a result of HIE andcould also influence efforts to plan for an HIE andwhether it becomes operational. For instance, a largepayer may participate in an HIE effort and subsidizethe costs to healthcare entities in order to encouragebroader participation. This could be particularly likelyif the net benefit to healthcare entities (absent thesesubsidies) was not sufficiently compelling to promotewidespread participation (e.g., because of the mis-aligned incentives described earlier). In the remain-der of this section, we discuss how varying forms of

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


privacy regulation and incentives may have diverseeffects on the expected benefits and costs of HIE.

3.1. Privacy Regulation andConsent Requirements

In principle, regulation that protects patients’ privacymay have a range of effects on the benefits and costsof HIE efforts. Consistent with early analysis of pri-vacy economics by scholars such as Stigler (1980) andPosner (1981), regulating the use of patient data maydecrease availability of their information when it isneeded by healthcare providers to make decisions,making promised benefits less likely. Regulation mayalso increase the cost of establishing and maintainingan HIE (for instance, by imposing additional techno-logical controls or administrative procedures to pro-tect individuals’ data). On the other hand, privacyregulation may have a positive effect on the choiceto pursue an HIE. An established literature finds thatprivacy concerns can increase the cost of technol-ogy adoption and reduce its effectiveness (Angst andAgarwal 2009, Sheng et al. 2008). As a result, schol-ars have argued that assurances provided by regu-lation can assuage privacy concerns and positivelyimpact the success of information technology efforts(Bamberger and Mulligan 2011, McGraw et al. 2009).

Naturally, privacy regulation is not monolithic; theextent to which privacy regulation impacts the ben-efits and costs of HIEs likely depends on the degreeand type of reassurance it affords. In particular, oneof the key differentiating features between regulatoryapproaches in the context of HIE is whether theyinclude requirements for patient consent. Consent, orinformed consent, is a cornerstone of the Organisa-tion for Economic and Cooperative Development’sprivacy guidelines and the Federal Trade Commis-sion’s Fair Information Practice Principles. Generallyspeaking, consent in the context of HIE refers tothe notion that patients should be informed aboutthe risks and benefits associated with the electronicexchange of their health information and have theright to decide whether they would like to incur them.As in the case of privacy regulation in general, regu-lation specifically requiring consent can, in principle,produce an array of effects, both positive and nega-tive, on the emergence of planning and operationalHIEs. A central concern relative to patient consentin the context of HIE is that it may result in lim-ited or patchy patient agreement to have their dataincluded in the HIE (Lai and Hui 2006), in whichcase the potential benefits of HIE may be hindered.Healthcare entities may be less willing to participatein an HIE if they perceive a low likelihood of reapingefficiency and quality gains as a result of incompleteor low-quality patient data. Moreover, other stake-holders (e.g., payers) may be less willing to support

an HIE effort (i.e., subsidize the cost to healthcareentities) if they perceive the benefits to be unlikely.Furthermore, requirements for consent are also likelyto impact HIEs’ technology and administrative costs(i.e., in establishing more stringent legal agreements)and participation costs for healthcare entities (i.e.,costs for participants to adhere to them). For example,HIEs operating in states with consent requirementsmay need additional investment in technical andadministrative controls to meet regulatory require-ments (e.g., clerical time by staff or technical controlsto garner and track patient consent decisions). Hence,consent requirements may further reduce the propen-sity of a healthcare entity to participate in an HIE ifthey perceive participation to be too costly to justifytheir expected benefits.

On the other hand, regulations with consentrequirements can reduce costs stemming from patientprivacy concerns. Patients may demand the right toconsent to the use of their data in the context of anHIE. Simon et al. (2009) find that patients felt thatan HIE that assumed their willingness to participatewithout obtaining explicit consent (i.e., an opt-outsystem) would not be acceptable. As a consequence,healthcare entities may decide not to participate inHIEs if a lack of patient consent results in significantprivacy costs and pushback from patients and advo-cacy groups. McGraw et al. (2009) argue in support ofthis notion and propose that a comprehensive frame-work that implements core privacy principles such asconsent can bolster trust from patients and medicalproviders. In contrast to previously described effectsof privacy regulation, a reduction in costs stemmingfrom privacy concerns may encourage increased par-ticipation by healthcare entities, thus helping HIEs toreach the critical mass of participants to ensure thatanticipated benefits are realized.

The role of privacy regulation that does not includeconsent requirements is also of interest becausenumerous states have privacy legislation that doesnot require patient consent before the exchange ofhealth information between providers. For example,legislation in the state of Indiana does not includerequirements for patient consent but instead, requirescompliance “with the federal Health Insurance Porta-bility and Accountability Act (HIPAA)” and the pro-tection of “information privacy.”7 It is likely that therole of regulation that does not require consent issimilar to consent-based regulation except that theimpact on benefits and costs (and the propensity ofcommunity stakeholders to pursue HIE efforts) maybe less pronounced. For example, privacy regulationthat does not include consent requirements may stillrestrict (to some degree) the availability of patient

7 Ind. Code Ann. §5-31-6-1; Ind. Code Ann. §5-31-6-3 (West 2009).

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


information and also introduce additional costs toHIE efforts, but these effects may not be as pro-nounced when compared to regulation with consentrequirements. It may also be the case that regulationwithout consent is not as effective in reducing coststo HIE efforts stemming from patient privacy con-cerns. In fact, we argue that this is likely the case.Recent experimental work suggests that providingconsumers with choice relative to the use of their per-sonal information may be particularly vital in assuag-ing privacy concerns. Brandimarte et al. (2012) findthat individuals who were provided increased choiceperceived a lower privacy risk, even when the objec-tive risks were held constant, and were significantlymore likely to make personal disclosures; Stutzmanet al. (2013) find a strong positive correlation betweenthe granularity of control provided to users of onlinesocial networks and the amount of disclosure by users(albeit to a narrower set of users). These mecha-nisms are also likely to be present in the context ofHIEs, given the sensitivity of personal health infor-mation. Finally, policy makers have also recognizedthe unique role of providing choice by increasinglypromoting more control for consumers with respectto online uses of their personal information (FederalTrade Commission 2012, White House 2012).

3.2. Incentives and Privacy ConcernsThe impact of HIE incentives on the benefits andcosts of establishing an HIE seem, at first glance, com-paratively straightforward: all else equal, stakehold-ers with access to incentives that reduce the costsof pursuing an HIE effort should be more likely tostart planning for exchange, and these HIEs shouldbe more likely to become operational. For instance,stakeholders in communities with access to grant pro-grams associated with HIE incentives would haveless of a challenge generating the required capitalto initiate exchange efforts and be able to providehealthcare entities the opportunity to participate ata lower cost (thus increasing the likelihood of morewidespread participation and the propensity of reap-ing expected benefits from exchange). Additionally,given the potential of privacy requirements to imposefixed costs on information technology efforts (e.g.,Goldfarb and Tucker 2011, Miller and Tucker 2009)and the anecdotal evidence that privacy requirementshave been key hurdles for HIE efforts, incentives mayserve to offset some of these costs and attenuate someof the negative effects of privacy regulation on thepropensity of HIE efforts to emerge.

However, there may also be a more nuanced andless obvious interplay between incentives, privacyconcerns, and the impact of privacy regulation andincentives. Specifically, legislation intended to encour-age the pursuit of HIE efforts may also be associ-ated with elevated salience and awareness of privacy

concerns. We see examples of a similar phenomenonin other contexts: government subsidies for cleanenergy solutions have led to significant investmentin these technologies but have simultaneously high-lighted the limitations and potentially adverse effectsof these technologies (e.g., lack of cost effective-ness and efficacy); see Somaskanda (2013) and Cala(2013). With respect to HIE incentives, they may beseen to increase the probability that HIEs will be cre-ated and become operational and thereby increase thelikelihood of patient privacy concerns being realized.Moreover, it may simply be the case that HIE incen-tives increase the attention paid to these efforts (e.g.,by regulators, patient groups, and privacy advocates),including increased attention to associated privacyconcerns. There is some anecdotal evidence in sup-port of this notion. For example, the American CivilLiberties Union brought suit against the legislativelycreated Rhode Island HIE on the grounds that it wasnot adequately soliciting consent from patients, andprivacy advocates warned that states “will find them-selves embroiled in legal entanglements over privacyas they seek to implement HIEs” (Miliard 2010). Thislatter statement suggests that state-supported HIEs(such as those initiated or aided by state legislation)may receive disproportionate scrutiny from privacyadvocates. It is also possible that the direction ofcausality is reversed: states in which the attention tohealth information exchange, including attention toprivacy concerns, is high may be more likely to pro-vide HIE incentives.

3.3. Conceptual Model and PredictionsAlthough we cannot directly observe the granu-lar benefits and costs to various stakeholders fromHIE participation, we can observe variation in thepropensity of healthcare stakeholders to start plan-ning for exchange capabilities (PlanningHIE) andwhether these exchanges start actively exchangingpatient health information between healthcare enti-ties (OperationalHIE). We argue that these observedvariables are, in turn, a function of the unobservedexpected benefit and costs of an HIE effort to poten-tial HIE stakeholders, NetRegionalBenefit. Moreover,we model the choice to pursue an exchange at thelevel of a state subregion j since HIEs have emergedpredominately as regionally focused efforts.8 Schol-ars suggest that this regional focus is due to the sig-nificant variation between healthcare markets (evenwithin a given state) and the nuanced challengesthis variation can introduce for the pursuit of HIEefforts (Grossman et al. 2008). For example, the nec-essary collaborations, technology infrastructure, and

8 Of the 73 operational exchanges in our data set, 71 were exchang-ing data predominately in a single HRR.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


the priorities of participating providers are likely todiffer considerably between the healthcare marketin metropolitan and rural regions of a state (e.g.,Manhattan versus upstate New York). Moreover, anHIE’s goal is to enable clinical data to electronicallyfollow patients between the settings in which theyreceive care, which also are predominantly within adefined geographic region. Hence, we utilize HRRs asour unit of analysis because they represent regionalhealthcare markets.9 In effect, HRRs are defined pre-cisely to capture the geographic regions in whichpatients are likely to receive the bulk of their careand thus require the exchange of information. Finally,and consistent with the preceding arguments, wesuggest that various forms of privacy requirements(PrivConsent/PrivNoConsent) and legislative provisionsintended to encourage the pursuit of HIE efforts(Incentives) can affect the benefits and costs of HIEefforts to stakeholders within the various healthcaremarkets in a state, impacting the choice of stake-holders to start planning for exchange and whetherthese HIEs becomes operational. This is summarizedin the following conceptual model (based on Millerand Tucker 2009):

PlanningHIE∗

jst1OperationalHIE∗

jst

= f 4NetRegionalBenefitjst PrivConsentjst1

PrivNoConsentjst1 Incentivesjst50

This model assumes a latent variable construct wherestakeholders in HRR j in state s at time t startplanning for an HIE if the (unobserved) expectednet benefit (NetRegionalBenefit) is positive. Moreover,we assume that an HIE effort in the region reachesoperational status if the NetRegionalBenefit remainspositive such that they are able to complete keyplanning activities (e.g., create data sharing agree-ments, develop the underlying technical infrastruc-ture, and gather the critical mass of participationby healthcare entities to make exchange feasible).Conversely, healthcare stakeholders will not formexchanges if they perceive the net benefit to be neg-ative, and healthcare entities will cease pursuing HIEefforts (resulting in failed exchange) if they perceivethe net benefit from HIE to no longer be positive.

The arguments from this conceptual model andthe various dynamics described in this section aresummarized in Figure 1. This figure suggests thatthe net effect of privacy regulation on HIE effortsis a function of (1) the costs associated with pri-vacy regulation; (2) the extent to which privacy con-cerns are, in fact, barriers to the pursuit of HIE

9 Specifically, HRRs define healthcare markets determined by wheremost of the residents in a given area received treatment formajor cardiovascular surgical procedures and for neurosurgery(Wennberg and Cooper 1996).

efforts; and (3) the likelihood of available regulationto alleviate these concerns. With this in mind, wefirst consider the simplest case where privacy reg-ulation is enacted without accompanying incentives(i.e., the left-hand side of Figure 1), where we con-sider it more likely that privacy regulation will havea negative overall effect on NetRegionalBenefit, thusreducing the likelihood that HIEs form and becomeoperational (this is similar to what has been shownin the current empirical literature). This implies thatthe propensity of privacy regulation to reduce theNetRegionalBenefit from HIE as a result of increasedimplementation costs and the restrictions on the avail-ability of patient data (1125 are likely to outweighany gains from reduced patient privacy concerns(1125. Moreover, taking into account the propen-sity of consent requirements to have more substantialnegative effects on NetRegionalBenefit (1 > 2), thiseffect may be more pronounced for legislation includ-ing consent requirements.

The introduction of HIE incentives, however, intro-duces a more complex and interesting dynamic.Focusing only on the propensity of incentives toreduce HIE costs (35, incentives alone may positivelyimpact NetRegionalBenefit, and, if passed alongsideprivacy regulation, HIE incentives could offset someof the costs of privacy regulation. However, if we alsoconsider the potential of incentives to be associatedwith elevated privacy concerns (35 that then offsetthe positive effects of HIE incentives on NetRegional-Benefit (45, we may observe a more nuanced effect ofboth incentives and privacy regulation on HIE efforts.First, we may see a limited positive effect on Net-RegionalBenefit of incentives passed alone because ofthe dampening effect of the simultaneously elevatedprivacy concerns (35. Moreover, this suggests thatprivacy regulation, and in particular consent regula-tion that can better alleviate patient privacy concerns(1 > 25, may become a more prominent force inthis dynamic and could play a critical role in unlock-ing the propensity of HIE incentives to positivelyimpact the net benefits of exchange. The implicationof this is that coupling consent requirements with HIEincentives may have a stronger positive impact onNetRegionalBenefit (and thus differentially increase thepropensity of regional stakeholders to start planningfor exchange and these exchanges becoming opera-tional) relative to incentives with privacy regulationthat did not include consent requirements or with noaccompanying privacy regulation. Further, this sug-gests that privacy regulation may have considerablydifferent (and potentially opposite) effects on HIEsdepending on whether incentives are also in place.

4. DataOur analysis uses a combination of a six-year paneldata set and cross-sectional HIE survey data to assess

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


Figure 1 Effects of Legislation on HIE Formation

the impact of the different legislative approaches onplanning and operational HIEs. Consistent with theliterature, we define an HIE as any entity that facili-tates electronic health information exchange betweenindependent healthcare entities in a defined geo-graphic region to improve health (Adler-Milstein et al.2009). As a result, the HIEs in our data set predom-inately focused on the exchange of patient healthinformation between medical providers for patienttreatment purposes. Further, we consider facilitationto be providing a technical infrastructure to supportclinical data exchange. Together, these criteria excludeefforts whose entire scope is limited to administrativedata exchange as well as efforts working on issuesrelated to HIE but not directly enabling it to occur.

4.1. Panel HIE DataTo identify HIEs across regions and time, we usedpublicly available data from the eHealth Initiative’sannual compilation of state, regional, and local HIEefforts (eHealth Initiative 2005–2010). These data arebased on yearly surveys of HIEs completed by theeHealth Initiative (eHI) and provide longitudinalinformation about planning and operational HIEs inthe 2004–2009 period. We also used various onlineresources provided by health organizations and indi-vidual HIEs to determine their status as of the end of2009 and collect any additional information on char-acteristics of these exchanges (e.g., profit status). Asnoted earlier, at the beginning of 2004, there were

only a handful of established HIEs. As of the end of2009, we identified 220 HIEs that were in one of twostages.

• Planning: The HIE has been initiated but is in theplanning stages of development and is not activelysharing health information 4n= 1325.

• Operational: The HIE is actively enabling theexchange of health information between healthcareentities 4n= 885.

We also identified 92 HIEs that had been initiatedduring this time period but had subsequently ceasedoperations. We do not have longitudinal data on theseexchanges, and they are not included in our paneldata. However, using cross-sectional data on the totalnumber of failed HIEs in our time period of analysis,we find no significant differences in failed exchangesbetween legislative approaches.10 To identify the dateon which HIEs were initiated and became operationaland their geographic area of operation, we matchedHIEs in the eHealth Initiative survey data with anational survey of HIEs collected in 2010 that cap-tured detailed information on HIEs as of the end of2009 (Adler-Milstein et al. 2011). Our sample includesthe 73 planning and 75 operational exchanges com-mon to both data sets minus 5 exchanges that were

10 Normalizing by state population, we find that during our timeperiod, states with incentives and consent requirements had 2.5failed HIEs compared with 2.9 failed HIEs for states with incentivesbut no consent and 3.7 for states without any HIE incentives.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


dropped because they did not report detailed infor-mation on their geographic location, resulting in143 exchanges (70 planning and 73 operational) in ourpanel data set.

On average, HIEs in our data set had been in exis-tence for approximately four years, and the subsetof HIEs that were operational had been exchanginghealth information for three and a half years by theend of 2009. Most exchanges (86%) operated withina single state; nearly all exchanges (98%) were oper-ating in fewer than two states. HIE geographic cov-erage was measured at the more granular level of anHRR. HRRs are generally contained within a singlestate but can span multiple states and, in some cases,can also span legislative approaches (although thiswas not common).11 Of the operational exchanges,70% reported covering a single HRR, and 60% ofthe planning exchanges anticipated covering a singleHRR. The exchanges that were operational or plan-ning in multiple HRRs tended to have the major-ity of their coverage in a single HRR, and thus weconsidered only their primary HRR. For example, ofthe 22 exchanges that reported operating in multipleHRRs, 20 reported being primarily operational in asingle HRR with more than 70% of their overall cov-erage in a single HRR.12 We aggregated HRR cover-age across individual HIEs to generate two primarydependent variables.13

• PlanningHIEjst : A binary measure of whetherHRR j in state s at time t had one or more HIEs inthe planning phase. This measure only includes HIEsthat had not failed and were available to take the HIEsurvey in 2010.

• OperationalHIEjst : A binary measure of whetherHRR j in state s at time t had one or more operationalHIEs.

These variables are created semiannually over theperiod 2004–2009 to most accurately capture theimpact of legislation on HIEs, which commonly wentinto effect at the beginning or the middle of the year.

To construct measures of HRR demographics,including measures of HRR population, income, andunemployment rates, we used a range of secondarysources (e.g., U.S. Census Bureau, U.S. Bureau of Eco-nomic Analysis, and the U.S. Department of Health

11 In our analysis we find that only 9% of HRRs had significantportions (more than 25%) of the populations they encompass inother states with different legislative approaches. Our results arerobust to the exclusion of these HRRs.12 On average, HIEs were operational in 9.5 hospital service areas(HSAs)—a collection of ZIP codes whose residents receive most oftheir hospitalizations from the hospitals in that area (Wennberg andCooper 1996)—in their central HRRs compared with 1.5 HSAs intheir secondary HRRs.13 HRRs having multiple operational exchanges were uncommon,with only 4% of regions reporting multiple operational exchanges.

and Human Services’ Area Health Resources Files(AHRF)). Finally, we used the Health Information andManagement Systems Society (HIMSS) Analytics™

Database (HADB) to create measures that enabledus to control for hospital-level health IT adoption.In addition to our semiannual panel data set, we con-structed a cross-sectional data set using HIE surveydata. These data, which were only available for thefinal year of our data, offered a detailed snapshot ofHIE activities, including a range of self-reported mea-sures that captured qualitative differences betweenHIEs. We used this cross-sectional data to exam-ine other dimensions of HIE progress that were notcaptured in our panel measures of HIE efforts. Forexample, these data include measures of the num-ber of patients covered by an exchange, organiza-tional structure, sources of funding, and challengesfaced. We supplemented this with data from othersources to construct state-level measures of educationlevels, age structure, and political leaning. Table 1includes the full list of measures and associated sum-mary statistics.

4.2. LegislationProtection of patients’ personal health information, aswell as requirements for patient consent for the shar-ing of personal health information in the context ofexchanges, is governed by a combination of federaland state laws.

At the federal level, patient consent is governedprimarily by HIPAA14 and associated regulation.HIPAA was amended in 2009 by the HITECH Act,which added some privacy requirements, includingbreach notification requirements for entities coveredby HIPAA.15 Although HIPAA laws impact the dis-closure of health information by HIEs, HIPAA appliesto all states (our analysis relies on between-state vari-ation) and was passed before the time period of ouranalysis. HITECH was passed in our period of analy-sis, and its effect on HIE efforts is accounted for by thetime fixed effects in our models. At the state level, twotypes of privacy legislation may affect HIE outcomes:(1) general privacy health laws, not HIE specific, thatwere largely enacted before the significant emergenceof HIEs; and (2) HIE-specific laws aimed at promot-ing HIE activities and/or focusing on the disclosureof patient data and patient consent.

General health privacy laws (i.e., not HIE spe-cific) have historically been in place to deal withvarious aspects of health privacy, including disclo-sure of patient health information and consent. We

14 Health Insurance Portability and Accountability Act of 1996,42 U.S.C. §1320d-9 (2011).15 Health Information Technology for Economic and Clinical HealthAct of 2009, U.S.C. §3013 (2011).

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


Table 1 Data Overview and Summary Statistics

Panel Cross section

Variable Description Mean SD Mean SD Source

Dependent variablesPlanningHIEjst A binary measure of whether HRR j in state s at

time t is covered by one or more planning HIEs.0015 0035 0018 0038 HIE/eHi survey

OperationalHIEjst A binary measure of whether HRR j in state s attime t is covered by one or more operational HIEs.

0010 003 0020 004 HIE/eHi survey

PrivChallengeis Binary variable indicating whether HIE i in state sreported that privacy concerns were a majorchallenge to their progress.

— — 0012 0033 HIE survey

FundChallengeis Binary variable indicating whether an HIE i in state sreported the lack of funding as a major challengeto their progress.

— — 0043 0049 HIE survey

HighPatientHIEis Binary variable of whether HIE i in state s coveredmore than 50,000 patients.

— — 0062 0048 HIE survey

Independent variablesPrivConsentst Dummy variable indicating a state s at time t has

privacy legislation that requires consent for HIE.0009 0028 0017 0038 Goldstein and Rein (2010);

Pritts et al. (2009)PrivNoConsentst Dummy variable indicating a state s at time t has

privacy legislation that does not require patientconsent for HIE.

0039 0048 0047 005 Goldstein and Rein (2010);Pritts et al. (2009)

Incentivesst Dummy variable indicating whether a state s at time tenacted any law intended to encourage HIEs.

0016 0036 0045 005 Westlaw/LexisNexis

ControlsBroadbandAccesss The percentage of households in state s with

high-speed Internet access.— — 0051 0006 U.S. Census Bureau

PerCapGDPs ($1,000) The total GDP of state s divided by the population ofstate s.

— — 4301 1308 U.S. Bureau of EconomicAnalysis

Fundingst Dummy variable indicating whether HIE-specificlegislation at time t explicitly provides fundingopportunities for HIEs in state s.


StateDesignatedst Dummy variable indicating whether HIE-specificlegislation in state s at time t creates ordesignates a statewide HIE.


Populationjst (1,000s) Number of inhabitants in HRR j in state s at time t . 97604 1109609 1100205 1113201 AHRFMedianIncomejst ($1,000s) The median family income for HRR j in state s at

time t .4501 1005 4703 1008 AHRF

UnempRatejst The unemployment rate for HRR j in state s attime t .

601 2003 905 204 AHRF

CPOEADOPTIONjst Percentage of hospitals in HRR j in state s at time tadopting computerized provider order entrysystems (CPOEs) normalized by staffed beds.

0019 0022 0024 0024 HADB

MonthsPursuingis Months an HIE i in state s has been in existence. — — 48 38 HIE surveyFormalGovis Binary indicator of whether an HIE i in state s has a

formal governance structure.— — 0081 0039 HIE survey

Democratics Dummy variable indicating whether a democrat hascarried state s in the 2000, 2004, and 2008presidential elections.

— — 0047 005 National Archives

TopMeds Dummy variable if state s had a hospital in the U.S.News & World Report hospital honor roll in2009–2010.

— — 0031 0046 Comarow (2009)

AdvancedDegrees The percentage of individuals in state s with agraduate degree.

— — 001 0003 U.S. Census Bureau

Over65s The percentage of individuals in state s over 65. — — 0012 0002 AHRF

identified state health privacy laws using the recentcompilation by Pritts et al. (2009) and the earlier com-pilation of general state privacy laws by Pritts et al.(2002). However, we found that most state health pri-vacy laws, similar to HIPAA, were passed before ourperiod of analysis. Moreover, there has been consid-erable debate over the applicability of patient consentrequirements provided in general health privacy laws.Specifically, most HIEs in our data set focused on

the exchange of patient health information betweenproviders for treatment purposes. However, patientconsent requirements in the majority of state healthprivacy laws include exceptions to garnering patientconsent for data disclosures between providers fortreatment purposes, thus effectively precluding themajority of exchange activities. According to Prittset al. (2009), only two states (Minnesota and NewYork) appear to generally require patient permission

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


to disclose all types of health information and onlythree (New York, Minnesota, and Vermont) usuallyrequire medical providers to obtain patient permis-sion before disclosing health information to otherproviders. Because general health privacy laws thatare not HIE specific were passed before our periodof analysis, and their requirements for consent havelimited applicability to HIEs, we do not use them asfocal independent variables. The states with require-ments relevant to the exchange of health informationwere included in our analysis as interactions withtime-varying HIE-specific legislation. This accountsfor states that may not provide explicit requirementsfor consent in HIE-specific legislation because theirexisting legislation already has relevant requirements.

Our primary independent variables capture HIE-specific laws that, unlike general health privacy laws,were passed in the period of our analysis and havedirect applicability to exchange efforts. We identi-fied HIE-specific laws primarily through various legalsearch services (e.g., LexisNexis Academic and West-law) and supplemented these searches with recentreports on disclosure laws and HIEs (Goldstein andRein 2010). We find that, in the past decade, vari-ous states enacted legislation that (1) incentivized HIEefforts, (2) addressed patient privacy and consent, or,most commonly, (3) some combination of both.

As we described earlier, we considered state leg-islation as providing HIE incentives if it included,at a minimum, general provisions aimed at reducingany of the costs (financial, legal, managerial, coor-dination, or otherwise) associated with pursuing ahealth information exchange effort in the state. Ourreview of state laws fitting this criterion yields anumber of state laws with provisions to incentivizeHIE efforts. For instance, the North Dakota statelaw directs its health information technology officeto “facilitate and expand electronic health informa-tion exchange in the state, directly or by awardinggrants”;16 West Virginia law requires the director ofthe Office of Health Enhancement and Lifestyle Plan-ning to work “through the West Virginia Health Infor-mation Network, the Bureau for Medical Servicesand other appropriate entities, to develop a collabora-tive approach for health information exchange”;17 andKentucky state law tasks the Kentucky eHealth net-work board with responsibility for “the operation ofan electronic health network in this Commonwealth”and, among other things, for making recommenda-tions related to “models for an electronic health net-work” and “financing the central interchange for thenetwork.”18 Moreover, we reviewed the specific provi-sions in state laws incentivizing HIE efforts to identify

16 N.D. Cent. Code, §54-59-26.17 W. Va. Code Ann. §16-29H-6.18 Ky. Rev. Stat. Ann. §216.267.

any trends in the nature of HIE incentives. This effortyielded two broad categories of HIE incentives. First,we found that 11 states have laws designating explicitfunds authorized for use in support of HIE efforts.For instance, Minnesota state law allocated fundingfor the commissioner of health to award grants for thepurpose of implementing “regional or community-based health information exchange organizations.”19

North Dakota state law included provisions to createan “electronic health information exchange fund” andalso instituted a “health information technology loanprogram.” We found seven states that had HIE incen-tives focused on creating or designating a specificstatewide HIE as opposed to focusing on dispersedregional efforts (such provisions do not exclude otherentities from creating additional exchanges in thatstate). For instance, Rhode Island state law estab-lished a “statewide HIE under state authority to allowfor the electronic mobilization of confidential healthcare information,”20 and Vermont state law taskedthe Vermont Information Technology Leaders (a non-profit organization within the state) with operatingthe “statewide health information exchange networkfor this state” that included “grant agreements” withthe organization.21 We account for this variation inthe specific provisions included as part of state lawsincentivizing HIE efforts in our empirical analysis.

Similar to general health privacy laws, HIE-specificlaws varied in the extent to which they providedpatients with privacy protections and, in partic-ular, the extent to which they instituted require-ments for consent. Given that most states’ generalhealth privacy laws22 do not include consent require-ments for disclosing health information23 to otherproviders (which are also the majority of HIE par-ticipants), requirements for consent in HIE-specificlaws are especially relevant to the disclosure ofhealth information by exchanges. As a result, wedifferentiate between legislation including provisionsrequiring consent, only general privacy requirementswithout consent, and no privacy requirements at all.Leveraging variation in HIE incentives and privacyrequirements between states, we categorize states that

19 Minn. Stat. Ann. §144.3345.20 RI Gen L §5-37.7-4.21 18 V.S.A. §9352.22 New York, Minnesota, and Vermont have some requirementsthat require consent for disclosure between providers. These stateswere treated as having consent requirements and are Incentives andPrivConsent states because they would all subsequently pass HIE-specific legislation.23 States have passed more stringent laws for some specific andsometimes sensitive health data (e.g., mental health or HIV data).Because this data type is generally not the focus of HIEs, we focusonly on laws restricting the exchange of general health information.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


Figure 2 Overview of HIE-Specific Legislation

Incentives and PrivConsent

Incentives and PrivNoConsent

Incentives only

passed HIE-specific legislation into one of three maincategories:24

• Incentives and PrivConsent: states with lawsintended to encourage the pursuit of HIEs and thathave requirements for patient consent (eight states).25

• Incentives and PrivNoConsent: states with lawsintended to encourage the pursuit of HIEs and thatmake some mention of privacy protections but donot include requirements for consent (i.e., they relyon the status quo of no consent requirements for theexchange of health information between healthcareentities) (11 states).

• Incentives: states with laws intended to encour-age the pursuit of HIEs but that make no men-tion of privacy protections; these states also did nothave any preexisting general health privacy laws thatwould require consent in the context of exchange(three states and the District of Columbia).

Figure 2 identifies the states that have enacted HIE-specific legislation. In addition, we identified threestates that passed or amended health privacy lawsthat instituted privacy requirements for HIEs withoutaccompanying incentives. During the time period ofour analysis, Nevada and New Mexico passed healthprivacy legislation that explicitly mentioned exchangebut did not institute consent requirements for theexchange of health information between healthcareentities for treatment purposes (similar to generalhealth disclosure laws discussed previously). Con-versely, Maine amended existing privacy legislation to

24 See EC.1 in the electronic companion (available as supplemen-tal material at http://dx.doi.org/10.1287/mnsc.2015.2194) for addi-tional example statutes and text.25 Specifically, under this category, we consider any law that man-dates that patients are provided with notice before the exchange oftheir personal health information in an HIE and, at a minimum,that patients are also provided with the choice to exclude theirinformation from such an exchange as having consent requirements.

require patient consent prior to the exchange of patienthealth information. This leaves 25 states that did notpass HIE-specific legislation during our time period.

5. MethodsOur empirical approach leverages time-series regres-sion using longitudinal data on planning and oper-ational HIEs across HRRs, as well ascross-sectionalanalysis using survey data on individual HIEs.

5.1. Model 1: Fixed Effects ModelThe first model we estimate is a panel linear prob-ability model that includes HRR and time fixedeffects with reported standard errors clustered at thestate level. This model evaluates the impact of HIE-specific legislation on HIE creation (PlanningHIEjst)and reaching operational status (OperationalHIEjst) inhealthcare market j , in state s, at time t.26 This modelidentifies the baseline effects on these variables of

26 In our context, nonlinear models with fixed effects (e.g., logit)are not desirable because they leverage only variation across time.In our analysis, this precludes a significant portion of our dataand would result in a specification with estimations using HRRfixed effects failing to converge. The central limitation to the lin-ear probability model is that the predicted probabilities are notconstrained between 0 and 1, thus requiring some caution wheninterpreting coefficient estimates. However, prior work has shownlittle qualitative difference between the logit and linear probabil-ity specification (Angrist and Pischke 2008), and prior empiricalwork in this field has leveraged identical approaches (Miller andTucker 2009, Goldfarb and Tucker 2011). In addition to the practicallimitations associated with nonlinear fixed effects models, scholars(e.g., Neyman and Scott 1948) have demonstrated that estimatesfrom nonlinear fixed effects models are inconsistent because theasymptotic variance of the main parameters is a function of a smalland assumed fixed group size; this is also known as the inciden-tal parameter problem. Greene (2002) finds this problem to be ofsignificant practical consequence with slope estimates from non-linear fixed effects models uniformly biased away from zero com-pounded by estimates of the standard errors biased toward zero.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.

http://dx.doi.org/10.1287/mnsc.2015.2194


privacy regulation with and without consent require-ments and the effects of HIE incentives while allowingfor the differential impact of HIE incentives if privacyrequirements are also in place (model 1):

PlanningHIEjst1OperationalHIEjst

= 0 +1 × PrivConsentst +2 × PrivNoConsentst

+3 × Incentivesst +4 × PrivConsentst × Incentivesst

+5 × PrivNoConsentst × Incentivesst

+B6 × StateDesignatedst +7 × Fundingst

+ ×Xjst + js +t +jst0

Here, PrivConsentst is a dummy variable indicat-ing whether a state s at time t had a privacy lawthat also required patient consent in the context ofexchange, and PrivNoConsentst is a dummy variableindicating whether a state had a privacy law inplace but did not require patient consent in the con-text of exchange. In this model, PrivConsentst andPrivNoConsentst capture the impact of privacy regu-lation that was passed without accompanying incen-tives. Moreover, Incentivesst is a dummy variableindicating whether a state s had legislation provid-ing HIE incentives at time t (where t representssemiannual intervals). We also include the interac-tions PrivConsentst × Incentivesst and PrivNoConsentst ×Incentivesst to identify any differential impact of incen-tives when varying degrees of privacy protections arepresent. These interactions take into account otherpotentially relevant privacy legislation. For example,if a state had passed legislation with HIE incentivesduring our time period of analysis without privacyprovisions but either during or prior to our periodof analysis also passed privacy requirements relevantto exchange in separate legislation, this interactionwould be positive.

We also created variables to differentiate betweenthe most common provisions in state laws incentiviz-ing HIE efforts. We found that states differed in termsof whether they provided explicit funding in legisla-tion incentivizing HIEs; some states provided fundsexplicitly authorized for use in support of HIE efforts,whereas other states directed responsible entities toidentify sources of financial support for exchangeefforts or were ambiguous regarding financial sup-port from the state. Thus, our first variable capturesHIE incentives with explicit funding opportunities(Fundingst5. In addition, we captured differences instates’ propensity to focus HIE incentives on creatingor designating a statewide exchange versus focusingHIE incentives on HIE efforts in disparate healthcaremarkets. Thus, our second variable captures stateswith laws that designate or create a state-sponsoredHIE (StateDesignatedst5. We include these variables in

our model to address the concern that the variation instate strategies toward HIE incentives may correlatewith a particular legislative approach. If this were thecase, the effect of a given legislative approach couldbe driven by the intensity or nature of HIE incentives.

Finally, we include a vector of control variables, Xjst ,which accounts for other factors relevant to the emer-gence of planning and operational HIEs. For exam-ple, HIE efforts may require that regional healthcareentities have some minimum level of patient recorddigitization and health IT infrastructure in order toengage in electronic exchange, which could be corre-lated with privacy regulation. As a result, we controlfor healthcare IT adoption in the HRR by includ-ing CPOEAdoptionjst to capture hospital adoption ofcomputerized provider order entry (CPOE).27 CPOEis often a proxy for advanced adoption of health-care IT and is highly correlated with the adoption ofother healthcare IT (e.g., electronic medical records).It is also a core component of the federal defini-tion of “meaningful use” of electronic health records(Blumenthal and Tavenner 2010). Other HRR-levelcontrols include those capturing population, medianincome, and unemployment rates. HRR and timefixed effects are represented by js and t , respec-tively; jst is the error term. We evaluate whethermulticollinearity is a concern in the estimation of thismodel by calculating correlation tables and the vari-ance inflation factor (VIF) for each independent vari-able in the model. We find that all variables have aVIF well below the recommended maximum of 10(Kennedy 1992), with a mean VIF of 1.9 for the vari-ables in our panel estimation (see EC.2 in the elec-tronic companion). Similar fixed effects models havebeen used in the literature to examine the effect of apolicy intervention (Bertrand et al. 2004). HRR fixedeffects allow us to control for time-invariant unob-served factors and time dummies allow us to controlfor time trends. Thus, the unbiased effect of variedregulatory approaches can be identified from varia-tion across HRRs and time. In an extended specifica-tion, we include one-year lagged variables to allowfor a delayed effect on HIE outcomes of legislationaimed at incentivizing HIE efforts with and withoutprivacy regulation. This accounts for the potential forresources provided by these laws to take time to reachentities interested in pursuing HIE.28

5.2. Model 2: Cross-Sectional ModelThe second model we estimate also uses a linearprobability model and standard errors clustered at

27 Based on data obtained from HADB.28 For clarity of exposition, we exclude the lagged terms for thebinary indicators of states having privacy regulation alone (Priv-Consent and PrivNoConsent) since the lagged effect of this legislativeapproach is not of central interest and was rare in our data set.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


the state level but uses cross-sectional survey data.Our survey data captured a detailed snapshot ofHIEs’ status and activities as of the end of 2009.This model evaluates the association between relevantHIE characteristics (described below) and the vary-ing approaches toward incentivizing HIE efforts (i.e.,those with and without consent-based regulation):

HIECharactersiticis = 0 +1 × Incentivess

+2 × Incentivess × PrivConsents

+ ×Xs + ×Zis +is0

Here, Incentivess is a binary indicator of whether anHIE is operating in a state s with HIE incentives. Theinteraction between Incentivess ∗ PrivConsents capturesany differential impact of having consent require-ments alongside HIE incentives. Because states withprivacy regulation without incentives had only twooperational and three planning exchanges, we donot attempt to estimate effects for these legislativeapproaches. However, to avoid biased interpretationof our estimates, we exclude these HIEs from ourestimation for model 2. This model does include avector of state-level controls, Xs , which accounts forstate political leaning, wealth, population, age struc-ture, and education levels, as well as a vector, Zis , ofHIE-level controls including measures of the length oftime an HIE has been pursuing exchange and whetherthey have a formal governance structure. Althoughwe do include a number of state- and HIE-level con-trols, we cannot include HIE or regional fixed effects.As a result, the estimates from model 2 should beinterpreted with some caution. However, we arguethat the most problematic endogeneity concerns areunlikely in the context of our analysis.

For instance, we use this model primarily to eval-uate the association among HIE incentives, consentrequirements, and HIE privacy challenges. Specifi-cally, we use a binary measure of whether an HIE iin state s reported that privacy concerns were amajor challenge or impediment to their development(PrivChallengeis5 to evaluate our previous conjecturethat incentives for HIEs may be associated with anincreased attention to and salience of privacy con-cerns, which could materialize as barriers to the emer-gence of HIEs. In the context of this analysis, oneconcern may be that heterogeneity in states’ tastes forprivacy would both impact their propensity to haveconsent requirements, as well as the pushback HIEsface from privacy concerns. However, our predictionswould actually be made less likely by this effect, sincewe conjecture that HIEs in states with consent require-ments will, in fact, report less pushback as a resultof patient privacy concerns. For a similar reason, weconsider reverse causality in which low initial privacy

concerns resulted in states being more likely to passconsent requirements as also being unlikely.

Additionally, we use this model to evaluatewhether relevant heterogeneity exists in key indi-vidual characteristics of HIEs across states with andwithout consent requirements. For example, becauseavailability of funding (beyond that from the gov-ernment) has been shown to significantly affect thechoice to pursue exchange (Adler-Milstein et al.2009), we evaluate the correlation between consentrequirements and the availability of funding to HIEs.Although our panel estimation controls for legisla-tion with explicit funding opportunities as part oftheir HIE incentives, this may not suffice, becauseHIEs may leverage a range of funding sources includ-ing those provided by the federal government andother private sources (e.g., large health systems orphysician groups). As a result, we include the vari-able FundChallengeis as a binary measure indicatingwhether HIE i in state s reported that the lack offunding was a major challenge to their development.Finally, we evaluate whether HIEs in states with con-sent requirements varied with respect to other char-acteristics that are also indicative of HIE progress andtheir ability to achieve desired goals. Specifically, weevaluate differences in the number of patients coveredby an exchange (HighPatientHIEis5 across states withand without consent requirements.

6. ResultsThe results for the fixed effects model (model 1) arepresented in Table 2. We find that privacy regulationwithout incentives had a negative effect on the pur-suit of HIE. However, this effect varied dependingon the stage of HIE development. For privacy regula-tion with consent requirements (PrivConsent), we finda large negative and significant coefficient for Plan-ningHIE (column (A)). However, a similarly negativecoefficient for OperationalHIE is not significant (p =

00171, column (B)). For privacy regulation withoutconsent requirements (PrivNoConsent), we find a sig-nificant negative coefficient for OperationalHIE but anear-zero and insignificant estimate for PlanningHIE.This suggests that, although privacy regulation with-out consent had a significant effect on HIEs reachingoperational status, it does not seem to dissuade enti-ties from initially pursuing HIE.

We find small and generally insignificant estimateson Incentives, suggesting that HRRs in states that pro-vided HIE incentives without accompanying privacyprovisions did not see increases in HIEs. However,we do find a significant and positive coefficient onthe interaction of PrivNoConsent and Incentives, butonly for OperationalHIE. This suggests that incentivespassed alongside regulation without consent require-ments resulted in a 9% increase in the probability

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


Table 2 Impact of Legislation on HIE Efforts

(A) (B) (C) (D)PlanningHIE OperationalHIE PlanningHIE OperationalHIE

PrivConsent −00360∗∗ −00116 −00342∗∗ −00077340007235 40008315 40007415 40008465

PrivNoConsent 000282 −00104∗∗ 000302 −00100∗∗

40005905 40002435 40005885 40002285Incentives 0000462 0000459 −0000598 −00000367

40005015 40002675 40003995 40002225Incentives×PrivConsent 00466∗∗ 00230∗∗ 00432∗∗ 00135∗

4001125 40006915 4001005 40006685Incentives×PrivNoConsent −000483 000908∗∗ −000410 000987∗∗

40009065 40003075 40007965 40003055IncentivesLag 000412 000319

4001075 40002735IncentivesLag×PrivConsentLag 000293 00117

4001195 40009885IncentivesLag×PrivNoConsentLag −000297 −000344

4001235 40002885StateDesignated −00162+ 00196∗∗ −00150 00218∗∗

40009015 40007205 40009065 40006965Funding 000497 −000556∗ 000447 −000641∗

4001065 40002315 4001075 40002565CPOEAdoption 0000659 000798 0000772 000815

40006665 40008055 40006585 40007985OperationalHIE −00520∗∗ −00525∗∗

40005695 40005575

Observations 3,672 3,672 3,672 3,672R-squared 00195 00113 00196 00120Control variables Yes Yes Yes YesTime fixed effects Yes Yes Yes YesHRR fixed effects Yes Yes Yes Yes

Note. Robust standard errors are shown in parentheses.+p < 001; ∗p < 0005; ∗∗p < 0001.

of an HRR having an operational exchange but nomeasurable effect on the propensity of initiating anexchange. Finally, we find consistent and significantgains from HIE incentives when they were coupledwith privacy regulation providing patient consentrequirements. Specifically, we find a large and signif-icant coefficient on the interaction of PrivConsent andIncentives for both PlanningHIE (p < 0001) and Opera-tionalHIE (p < 0001), suggesting that incentives passedalongside privacy regulation with consent require-ments resulted in a 47% increase in the probability ofHRRs having a planning exchange and a 23% increasein the probability of HRRs having an operationalexchange. Moreover, the difference in the effective-ness of incentives coupled with consent requirementswas statistically significant when compared with theincentives alone (Incentives) or incentives with reg-ulation without consent (Incentives × PrivNoConsent)for both PlanningHIE (p < 0001) and OperationalHIE(p < 0005).

Given that we find evidence of negative baselineeffects of privacy regulation, we also consider the net

effect for states with legislative approaches that com-bined incentives and privacy regulation. For instance,although HIE incentives coupled with privacy regu-lation without consent requirements resulted in a 9%increase in the probability of HRRs having an opera-tional exchange, this effect was offset by the negative(10%) baseline effect of the privacy regulation, result-ing in a zero net effect on the propensity of HRRs inthese states to have operational HIEs. By contrast, wefind evidence of a net gain in operational HIEs forHRRs in states with both HIE incentives and privacyregulation with consent requirements. Specifically, weidentify an 11% (p < 0005) net increase for Operational-HIE and also a 10% net increase (although insignifi-cant, p = 0022) for PlanningHIE. Within our data set,HIE incentives coupled with consent requirementswas the only legislative approach with evidence of anet gain in OperationalHIE.

Estimates of our main model with lagged variablesare presented in Table 2, columns (C) and (D). We findthat estimates on our baseline interaction of Incentivesand PrivConsent for PlanningHIE are of similar mag-nitude to our primary estimation and are significant

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


(p < 0005), whereas our lagged term has a small andinsignificant coefficient. This suggests that new HIEswere planned within a short period of the passage ofthese laws and may reflect the relatively low costs ofinitiating an exchange and that parties interested inpursuing HIE closely tracked the progression of theselaws. However, we may reasonably expect that theeffect of legislation on the propensity of an exchangeactually becoming operational may be less immediate,because the resources afforded by these laws may becritical in exchanges advancing their capabilities. Wefind some support for this notion, with the coefficienton our baseline interaction of Incentives and PrivCon-sent for OperationalHIE roughly half the magnitudeof our primary estimation (13.5% versus 23.0%). Ourlagged term, however, is larger (11.7%) but less pre-cisely estimated (p = 0024), suggesting some variabil-ity in the lagged effect of relevant legislation. Weshould note that we are not able to observe laggedeffects for states that passed laws within the last yearof our panel (Oregon and Alaska), which may also becontributing to higher standard errors for estimationof our lagged term.

The results from our cross-sectional model (seeTable 3) offer some explanation for the differen-tial HIE gains from incentives coupled with consentrequirements and also address alternative interpre-tations of our results. First, we evaluate the valid-ity of our earlier conjecture that the effectiveness ofincentives with consent requirements is driven by thepropensity of consent requirements to address ele-vated consumer privacy concerns associated with HIEincentives. We find evidence in support of this con-jecture with HIE incentives not coupled with consentrequirements positively associated with increasedscrutiny and privacy concerns. Specifically, we findthat HIEs in states with HIE incentives but withoutconsent requirements were 30% more likely to reportthat privacy was a major challenge compared withHIEs in states with incentives and consent require-ments (p < 0001) and 14% more likely to report thatprivacy was a major challenge in their develop-ment compared with states without any legislation(p < 0005). HIEs in states with incentives and consentrequirements were least likely to report major pri-vacy challenges compared with all other legislativeapproaches (p < 0001).

Results from our cross-sectional model also helpto rule out what we considered the most promi-nent confounding factors to the interpretations ofour results. First, we consider whether our resultsmerely reflect heterogeneity in the propensity ofincentives coupled with consent requirements to pro-vide funding opportunities for HIE efforts (the lackof sufficient financial support has been a prominentbarrier to HIE development). Although we account

Table 3 Consent Requirements and Key HIE Characteristics

(A) (B) (C)PrivChallenge FundChallenge HighPatientHIE

Incentives 00144∗ −00240∗ −001024000665 4001185 4001145

Incentives×PrivConsent −00302∗∗ −00102 001604000685 4001415 4001075

Population 00007∗ −00005 −000054000035 4000035 4000035

PerCapGDP −00007∗∗ −00007 00010+

4000025 4000055 4000065BroadbandAccess −00001 00006 00008

4000035 4000075 4000095Democratic −00015 −00019 00070

4000645 4001125 4001035TopMed 00135∗ 00218+ 00087

4000535 4001175 4001275AdvancedDegree 00030∗ 00019 −00078∗

4000145 4000295 4000345Over65 00032∗∗ −00011 −00030

4000115 4000225 4000205MonthsPursuing −00001+ −00002 00003∗∗

40000015 4000015 4000015FormalGov −00087 −00104 00437∗

4000735 4001555 4001595

Observations 133 136 70R-squared 0013 0011 0019

Notes. Robust standard errors are shown in parentheses. The number ofobservations varies because of some nonresponses in the survey; col-umn (C) only uses responses from operational exchanges.

+p < 001; ∗p < 0005; ∗∗p < 0001.

for this in our panel estimation by controlling for HIEincentives with funding opportunities (Funding), weaddress this concern further by evaluating any asso-ciation between HIE self-reported funding challengesand incentives that included consent requirements.We do not find support for the notion that HIEs instates with consent requirements significantly differedwith respect to their access to sources of funding: col-umn (B) in Table 3 shows that, although HIEs in stateswith HIE incentives were 24% less likely to report thatfunding was a major challenge (p < 0005), there is nosignificant correlation between consent requirementsand funding being a major challenge for HIEs withan insignificant estimate on Incentivess × PrivConsents .

In addition, we evaluate whether legislative ap-proaches coupling incentives with consent require-ments actually resulted in a positive effect onexchange capabilities in a healthcare market. Specif-ically, it may be the case that, although legislativeapproaches coupling incentives with consent resultin a higher likelihood of an exchange being opera-tional, these exchanges may have less extensive orcomprehensive exchange capabilities. We do not findevidence of this, however, with an insignificant esti-mate on Incentivess × PrivConsents for HighPatientHIE

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


(column (C)). In fact, the positive estimate on thiscoefficient suggests that HIEs in states with bothincentives and consent requirements trended towardcovering more patients, not fewer.

7. RobustnessWe evaluated the robustness of our primary results(model 1) by examining concerns regarding (1) theendogenous passing of legislation providing incen-tives and consent, (2) our assumption that HRRs aresubject to only one legislative approach, and (3) incen-tive heterogeneity and high-impact states.

7.1. Endogeneity of Incentives and ConsentThe results presented in §6 highlighted the uniquerole of consent requirements combined with HIEincentives in spurring the emergence of planning andoperational HIEs. The model we estimate was iden-tified using HRR and time fixed effects to isolatewithin-HRR variation over time and controls thatcould be correlated with the legislative initiatives ofinterest and the pursuit of HIE. However, a state’schoice of a particular legislative approach is certainlynot random, exposing our estimates to potential biasif there exists time-varying heterogeneity betweenstates with certain legislative approaches that alsocontributes to the success of HIEs. Although the direc-tion of this bias is ambiguous (i.e., it is possible thatthe potential bias in our results makes our resultsmore conservative), we focus on the potential bias,which could result in the overestimation of our cen-tral result.

First, rather than HIE laws driving HIE activity,these laws could instead be passed as a result ofincreased HIE activity. To assess this possibility, weplotted the total number of attempted HIEs (plan-ning plus operational) for the main HIE legislativeapproaches we identified. Figure 3 reveals that statesthat ultimately passed consent requirements did nothave elevated levels of HIE activity before the pas-sage of the law. In fact, they had the lowest levelof HIE activity when compared with other legisla-tive approaches. More generally, before the period inwhich most HIE laws were passed (pre-2007), therewere minor differences in the number of attemptedHIEs. However, as we move into 2007, states withno legislation or incentives without consent main-tain a roughly constant rate of growth, whereas statesthat coupled incentives with consent requirements seea significant increase in attempted HIEs. We furtherevaluate possible reverse causality by estimating ourmain model with one-time-period lead variables forthe legal requirements (see columns (A) and (B) inTable 4). This allows us to evaluate whether the trendsof increased planning and operational HIEs were, infact, in existence prior to the enactment of relevant

Figure 3 (Color online) Number of HIEs in States with Key LegislativeApproaches

0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

4.0

4.5

5.0

2004 2005 2006 2007 2008 2009 2010

Tot

al H

IEs

Attempted HIEs

Incentives and PrivConsent

Incentives and PrivNoConsent

No HIE law

HIE laws. We find that our initial result is robust tothe inclusion of lead variables and that the estimateson our lead variables, including the interaction ofincentives and consent requirements, are insignificant.

In addition, our main estimation evaluates theimpact on HIE efforts of legislation with HIE incen-tives compared with states without any such legisla-tion. However, HIE incentives may be correlated withtime-varying state unobservables that also impact HIEoutcomes. For example, HIE incentives may be cor-related with changes in political attitudes or publicopinion toward the importance of health IT, which islikely to also have an impact on the emergence of HIEefforts. As a result, we evaluate whether our resultsare being driven by differences between states withand without HIE incentives. Specifically, we estimateour model using only the subset of states that havelegislation with HIE incentives (columns (C) and (D)in Table 4). The results are consistent with those in ouroriginal estimation with a sizable and significant (p <0005) impact of Incentives × PrivConsent on both Plan-ningHIE and OperationalHIE. In addition, we arguethat the heterogeneous effects on HIE efforts of incen-tives (e.g., incentives without consent had a marginalor no effect on HIE efforts) make it less likely thatunobserved factors, correlated over time with HIEincentives, are systematically driving HIE efforts.

With respect to the endogeneity of privacy regu-lation, prior work (e.g., Miller and Tucker 2011) hasused privacy regulation limiting the disclosure ofhealth information as an instrumental variable in theestimation of the effect of EMR adoption on health-care outcomes, arguing and presenting evidence thatsuch regulations are likely exogenous to shifts instates’ focus on healthcare issues and political motiva-tions. Similar to such analysis, we find that states withconsent requirements varied considerably in terms ofgeographic location, size, and state political affiliation.Moreover, we propose, similar to the case against the

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


Table 4 Robustness Checks

Lead variable analysis Only states with incentives Excluding overlapping HRR

(A) (B) (C) (D) (E) (F)PlanningHIE OperationalHIE PlanningHIE OperationalHIE PlanningHIE OperationalHIE

PrivConsent −00354∗∗ −00123∗ −00372∗∗ −0010940006145 40005755 40008535 40008195

PrivNoConsent −000246 −000845∗∗ −00106∗∗ −00114∗∗

40004075 40002305 40003685 40003745Incentives −0000114 000266 000172 000150

40003945 40002825 40005855 40002765Incentives×PrivConsent 00389∗∗ 00164∗∗ 00248∗ 00160∗∗ 00445∗∗ 00221∗∗

4001045 40005695 40009235 40004915 4001225 40006735Incentives×PrivNoConsent 000430 000630+ 000779 000904∗

40007175 40003465 40008265 40004115IncentivesLead 000230 −000319

40003545 40003115IncentivesLead×PrivConsentLead 00116 000798

40007005 40004815IncentivesLead×PrivNoConsentLead −000601 000447

40004375 40003325StateDesignated −00161+ 00245∗∗ −00246+ 00152+ −00156+ 00187∗

40009545 40004825 4001255 40007965 40008945 40007115Funding 000433 −000662∗∗ 000568 −000656∗ 000503 −000590∗

4001195 40002105 40009635 40002905 4001175 40002395CPOEAdoption 000128 000894 −000408 −000393 000160 000924

40006825 40007935 40009925 40009735 40007245 40008805OperationalHIE −00530∗∗ −00526∗∗ −00523∗∗

40006385 40008855 40005775

Observations 3,366 3,366 1,584 1,584 3,384 3,384R-squared 00197 00114 00219 00143 00198 00119Control variables Yes Yes Yes Yes Yes YesTime fixed effects Yes Yes Yes Yes Yes YesHRR fixed effects Yes Yes Yes Yes Yes Yes

Note. Robust standard errors are shown in parentheses.+p < 001; ∗p < 0005; ∗∗p < 0001.

endogeneity of HIE incentives, that our results par-tially shield us from these concerns. If unobservedfactors are powerfully driving HIE efforts and thesefactors are correlated, over time, with privacy reg-ulation, the divergent effects of privacy regulation(e.g., privacy regulation without incentives actuallyinhibited HIE efforts) would be considerably moredifficult to identify. Since we focus on the interac-tion of privacy regulation with incentives, we are stillconcerned that specific legislative approaches, partic-ularly legislative approaches that couple incentiveswith consent requirements, could be differentially cor-related with other unobserved factors over time thatcould also drive the emergence of planning and oper-ational HIEs. For instance, it is possible that legisla-tive approaches coupling consent requirements withincentives are also associated with changes in atti-tudes toward health IT and the value of technol-ogy in healthcare settings. However, we consider thisunlikely, because HIEs have expressed significant con-cerns over consent-based regulation. For instance, in

a recent report (National eHealth Collaborative 2011),HIE administrators suggested that requiring patientsto opt in to an HIE was a barrier to achieving thecritical mass of patient records needed to generatetheorized benefits. As a result, we suggest that it ismore likely that states that adopt consent require-ments signal a shift toward a more tempered atti-tude toward the trade-offs associated with health ITrelative to states with HIE incentives alongside lessstringent regulation, likely making our results moreconservative.

Finally, the combination of incentives and con-sent requirements could reflect the sophistication ofstate legislative bodies in anticipating and proac-tively addressing the central concerns associated withincreased HIE activity in the state. This sophistica-tion could also be correlated with better administered,managed, and otherwise executed incentive programsthat yield improved HIE outcomes. To evaluate thisconcern, we leverage work by Squire (2007) that ranksstate legislatures based on their professionalism. We

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


first find that measures of state legislative profession-alism do not vary considerably over time: all but oneof the states ranking below the median in 1996 con-tinued to rank below the median in 2003 (the mostrecent ranking). Moreover, the states that passed con-sent requirements and incentives varied considerablyin their legislative professionalism, with four of theeight states ranking below the median in 2003.

Although we take a number of steps to con-sider and evaluate potential endogeneity of legislativeefforts, we acknowledge that these concerns may per-sist to some degree, as they often do with empiricalwork of this nature.

7.2. HRR BoundariesMeasuring HIE activity at the level of an HRR allowsus to identify the impact of legislation on the propen-sity of an HIE to be operational or in the plan-ning stage within relatively self-contained healthcaremarkets; it also allows for meaningful comparisonacross states with regions subject to varying legisla-tive approaches. This approach requires us to assumethat each HRR is contained within a single state andthus a single legislative approach. However, HRRboundaries can sometimes span multiple states thatmay have different legislative approaches. We findthat this is fairly uncommon, with 80% of HRRs eitherbeing fully contained in a single state or overlappingwith states that had the same legislative approach. Anadditional 11% of HRRs had minor overlap (less than25% of their population) in states with different leg-islative approaches. When we exclude the remaining9% of HRRs, which had significant overlap in stateswith different legislation approaches, and estimateour main model (see Table 4, columns (E) and (F)), wefind consistent results with our original estimation.29

7.3. Incentive Heterogeneity andHigh-Impact States

Although we control for the most prominent variationin the strategies that states take toward HIE incen-tives, there may also be other HIE incentives that areless common in our analysis but may still have animpact on the nature of HIE incentives and also onHIE outcomes. Specifically, we identified four otherfeatures of HIE incentives that were less frequentbut still of potential interest: whether HIE incentiveswere directed to an existing private organization asopposed to a government entity, whether HIE incen-tives instituted a pilot program, whether incentivesaddressed existing regulation viewed as an impedi-ment to HIE progress, and whether incentives had

29 Although not presented here for clarity, our results are also con-sistent when using a state-level ordinary least squares estimationapproach with aggregated count measures of HIE activity, state andtime fixed effects, and state-level controls.

an interstate dimension. To evaluate whether theseless common features of HIE incentives impact ourestimation, we estimate our main model with addi-tional controls capturing these less frequent featuresof HIE incentives and find consistent results with ourmain estimation (see EC.3 in the electronic compan-ion). Because our analysis relies on a limited num-ber of states, it is also possible that our results arenot due to a correlation between consent requirementsand incentives but by a single state with unique HIEincentives or with disproportionate HIE success as aresult of factors not captured in our model. To addressthis concern, we limit our analysis to states withHIE incentives and sequentially exclude all regionsin a given state that coupled incentives with consentrequirements from our estimation for PlanningHIEand OperationalHIE (see EC.3 in the electronic com-panion). We find that our results for PlanningHIEand OperationalHIE are robust to sequential exclusionof states with incentives and consent requirements.Excluding New York seems to have the largest impacton estimates of the effect of incentives coupled withconsent requirements, but these estimates are still sig-nificant for OperationalHIE and marginally significantfor PlanningHIE.

8. Discussion and ConclusionsWe evaluated the impact of legislation that variedin whether it included requirements for patient con-sent and provided HIE incentives over a span of sixyears. We document a surprising interplay betweenstate attempts to incentivize HIE efforts and pri-vacy regulation. Specifically, although privacy regula-tion alone—and, in particular, regulation with consentrequirements—resulted in a negative effect on HIEefforts, coupling HIE incentives with consent require-ments was the only legislative approach intended toencourage HIE efforts that actually resulted in anincrease in operational HIEs. We find that this resultis robust to considerations of reverse causality, endo-geneity of HIE incentives and consent requirements,considerations of HRR legislative boundaries, incen-tive heterogeneity, and a single state driving the effect.We also find that HIEs in states with both incen-tives and consent requirements reported lower lev-els of concern about patient privacy issues, whereasexchanges in states with HIE incentives but with-out consent requirements reported higher levels ofpatient privacy concerns. We propose that this ele-vated concern may be due to an association betweenHIE incentives and privacy concerns that inhibit theeffectiveness of such incentives when consent require-ments are not in place.

There are limitations to this research. The depen-dent variables presented in this work may not cover

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.


the full breadth of potential measures of success forHIEs. For instance, prior research on HIEs has notedthat sharing by HIEs has been limited in breadthand scope (Adler-Milstein et al. 2009). We evaluatethese measures using cross-sectional data, but futurework may evaluate the impact of various legislativeapproaches on these measures in more substantiveterms. Moreover, an increase in regional HIE effortsmay not necessarily be a positive outcome. For exam-ple, a better outcome might be to have only oneexchange that facilitates exchange for all providers inthe state. However, the current national strategy forthe exchange of health information involves spurringsmall regional efforts and then linking them as build-ing blocks of state and national exchange (Vest andGamm 2010). As is true in prior work, we can thusview a higher probability of HIEs in planning andoperational stages in HRRs as a positive indicator ofHIE progress. Moreover, our work focuses specificallyon the role of providing patients with the choice toconsent in the context of HIEs, but other key con-cerns with HIEs may also be relevant. For example,it may be prudent in future work to evaluate the roleof information security requirements on the develop-ment and progress of HIEs. Finally, this paper focuseson regional models of HIE and, although alternativeapproaches to HIE exist (e.g., national EMR vendorHIE networks), we use an inclusive and widely helddefinition of clinical data exchange between unaffil-iated entities (i.e., those with no shared ownershipor governance). Moreover, regional efforts are morelikely to capture the full benefits of HIE because theother approaches (e.g., vendor driven) restrict dataexchange in some way. It is therefore critical to under-stand the conditions under which the HIE effortsincluded in our study can succeed and, in particular,the policy conditions that foster their success.

Our results help to inform the large national effortunderway to achieve the broad-based exchange ofhealth information. Given that HIEs offer innova-tive healthcare technology solutions with the poten-tial to alleviate two of the most pressing concernsof the current healthcare system—rising costs andinconsistent quality—this study proposes a comple-mentarity of technology incentives and substantiveconsumer privacy protections, highlighting the poten-tial for future efforts to incentivize HIE growth whilebalancing patient privacy concerns. Such results mayhelp to inform the broader debate on the role ofprivacy regulation in information technology efforts.First, the findings highlight the potential for the neg-ative effects of privacy regulation on informationtechnology efforts to be counteracted by technologyincentives. Additionally, the focus on both the impactof technology incentives and privacy requirementsextends the growing body of empirical work in this

space and bolsters the notion that privacy regulationcan have heterogeneous and complex effects on infor-mation technology efforts. Specifically, we suggestthat a symbiotic relationship may exist between tech-nology incentives and substantive privacy regulationwith simultaneous benefit to both consumers and pro-ponents of information technology efforts. This yieldsa possible lesson for regulators and policy makers:legislative approaches that both incentivize technol-ogy efforts and provide consumer privacy protectionsmay be one approach for enabling the growth of valu-able information technology efforts while addressingconsumer privacy concerns.

Supplemental MaterialSupplemental material to this paper is available at http://dx.doi.org/10.1287/mnsc.2015.2194.

AcknowledgmentsThe authors thank their reviewers for helpful commentsand suggestions and their associate editor for exceptionaleffort and guidance throughout the review process. Theythank HIMSS Analytics for providing some of the data usedin this study and multiple discussants and seminar par-ticipants for their insights. In particular, the authors aregrateful for the useful feedback from participants at the2013 National Bureau of Economic Research Workshop onthe Economics of IT and Digitization, with distinct grati-tude for the insightful feedback of Avi Goldfarb, CatherineTucker, and Amalia Miller. The authors also thank SashaRomanosky, Zia Hydari, and Corey Angst for their reviewof early drafts of the manuscript. In addition, the authorsthank their research assistants Megan McGovern, DanningChen, and Kara Cronin for their diligent work in supportof this manuscript. Finally, Alessandro Acquisti gratefullyacknowledges support from the Carnegie Corporation ofNew York via an Andrew Carnegie Fellowship. The state-ments made and views expressed in this paper are solely theresponsibility of the authors. All errors are the authors’ own.

ReferencesAdler-Milstein J, Bates DW, Jha AK (2009) U.S. regional health

information organizations: Progress but challenges remain.Health Affairs 28(2):483–492.

Adler-Milstein J, Bates DW, Jha AK (2011) A survey of health infor-mation exchange organizations in the United States: Impli-cations for meaningful use. Ann. Internal Medicine 154(10):666–671.

Anderson CL, Agarwal R (2011) The digitization of healthcare:Boundary risks, emotion, and consumer willingness to disclosepersonal health information. Inform. Systems Res. 22(3):469–490.

Angrist JD, Pischke JS (2008) Mostly Harmless Econometrics: AnEmpiricist’s Companion (Princeton University Press, Prince-ton, NJ).

Angst CM, Agarwal R (2009) Adoption of electronic health recordsin the presence of privacy concerns: The elaboration likelihoodmodel and individual persuasion. MIS Quart. 33(2):339–370.

Angst CM, Agarwal R, Sambamurthy V, Kelley K (2010) Social con-tagion and information technology diffusion: The adoption ofelectronic medical records in U.S. hospitals. Management Sci.56(8):1219–1241.

Bamberger K, Mulligan D (2011) Privacy on the books and on theground. Stanford Law Rev. 63(274):274–315.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.




Bertrand M, Duflo E, Mullainathan S (2004) How much shouldwe trust differences-in-differences estimates? Quart. J. Econom.119(1):249–275.

Blumenthal D (2010) Launching HITECH. New Engl. J. Med.362(5):382–385.

Blumenthal D, Tavenner M (2010) The “meaningful use” regulationfor electronic health records. New Engl. J. Med. 363(6):501–504.

Brandimarte L, Acquisti A, Loewenstein G (2012) Misplaced confi-dences: Privacy and the control paradox. Soc. Psych. PersonalitySci. 4(3):340–347.

Cala A (2013) Renewable energy in Spain is taking a beating.New York Times (October 8), http://www.nytimes.com/2013/10/09/business/energy-environment/renewable-energy-in-spain-is-taking-a-beating.html.

Comarow A America’s best hospitals: The 2009–2010 honor roll.U.S. News & World Report (July 15), http://health.usnews.com/health-news/best-hospitals/articles/2009/07/15/americas-best-hospitals-the-2009-2010-honor-roll.

eHealth Initiative (2005–2010) Annual survey of Health Informa-tion Exchange at the state and local levels. Report, eHealthInitiative, Washington, DC. https://www.ehidc.org/articles/reports.

Federal Trade Commission (2012) Protecting consumer privacyin an era of rapid change: Recommendations for businessesand policy makers. Report, Federal Trade Commission, Wash-ington, DC. https://www.ftc.go/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers.

Goldfarb A, Tucker CE (2011) Privacy regulation and online adver-tising. Management Sci. 57(1):57–71.

Goldstein M, Rein A (2010) Consumer consent options for elec-tronic health information exchange: Policy considerationsand analysis. Report, Office of the National Coordinator forHealth Information Technology, U.S. Department of Healthand Human Services, Washington, DC.

Greenberg MD, Ridgely MS, Hillestad RJ (2009) Crossed wires:How yesterday’s privacy rules might undercut tomorrow’snationwide health information network. Health Affairs 28(2):450–452.

Greene W (2002) The behavior of the fixed effects estimator in non-linear models. Working Paper EC-02-05, New York University,New York.

Grossman JM, Kushner KL, November EA (2008) Creating sus-tainable local health information exchanges: Can barriers tostakeholder participation be overcome? Res. Brief February(2):1–12.

Jha AK, Chan DC, Ridgway AB, Franz C, Bates DW (2009) Improv-ing safety and eliminating redundant tests: Cutting costs inU.S. hospitals. Health Affairs 28(5):1475–1484.

Kennedy P (1992) A Guide to Econometrics (Blackwell, Oxford, UK).Lai Y, Hui K (2006) Internet opt-in and opt-out: Investigating the

roles of frames, defaults and privacy concerns. Proc. 2006 ACMSIGMIS CPR, (ACM, New York), 253–263.

Lenard TM, Rubin PH (2005) Slow down on data secu-rity legislation. Progress Snapshot (Release 1.9), https://www.techpolicyinstitute.org/files/ps1.9.pdf.

McDonald C (2009) Protecting patients in health informationexchange: A defense of the HIPAA privacy rule. Health Affairs28(2):447–449.

McGraw D, Dempsey JX, Harris L, Goldman J (2009) Privacy as anenabler, not an impediment: Building trust into health infor-mation exchange. Health Affairs 28(2):416–427.

Miliard M (2010) ACLU brings suit against Rhode Island HIE.it Healthcare IT News (December 1), http://www.healthcareitnews.com/news/aclu-brings-suit-against-rhode-island-hie-0.

Miller AR, Tucker C (2009) Privacy protection and technology dif-fusion: The case of electronic medical records. Management Sci.55(7):1077–1093.

Miller AR, Tucker CE (2011) Can health care information technol-ogy save babies? J. Political Econom. 119(2):289–324.

National eHealth Collaborative (2011) Secrets of HIE successrevealed: Lessons from the leaders. Report, HIE Networks,Tallahassee, FL. http://www.nationalehealth.org/ckfinder/userfiles/files/REPORT%20-SecretsofHIESuccessRevealed.pdf.

National Rural Health Resource Center (2015) Health informa-tion exchange—First considerations. Report, National RuralHealth Resource Center, Duluth, MN. Accessed September 1,2015, https://www.ruralcenter.org/sites/default/files/rhitnd/HIE-First%20Considerations-National%20Rural%20Health%20Resource%20Center.pdf.

Neyman J, Scott EL (1948) Consistent estimates based on partiallyconsistent observations. Econometrica 16(1):1–32.

Office of the National Coordinator for Health Information Technol-ogy (2012) Electronic health record adoption and utilization:2012 highlights and accomplishments. Report, Office of theNational Coordinator for Health Information Technology, U.S.Department of Health and Human Services, Washington, DC.

Posner R (1981) The economics of privacy. Amer. Econom. Rev.71(2):405–409.

Pritts J, Choy A, Emmart L, Hustead J (2002) The State of HealthPrivacy: A Survey of State Health Privacy Statutes (GeorgetownUniversity, Washington, DC).

Pritts J, Lewis S, Jacobson R, Lucia K, Kayne K (2009) Privacyand security solutions for interoperable health informationexchange: Report on state law requirements for patient per-mission to disclose health information. Report, Office of theNational Coordinator for Health Information Technology, U.S.Department of Health and Human Services, Washington, DC.

Sheng H, Nah FH, Siau K (2008) An experimental study on ubiq-uitous commerce adoption: Impact of personalization and pri-vacy concerns. J. Assoc. Inform. Systems 9(6):Article 15.

Simon S, Evans JS, Benjamin A, Delano D, Bates DW (2009)Patients’ attitudes toward electronic health informationexchange: Qualitative study. J. Medical Internet Res. 11(3):e30.

Solove DJ (2004) The Digital Person: Technology and Privacy in theInformation Age (New York University Press, New York).

Somaskanda S (2013) Renewable energy losing its shine in Europe.USA Today (March 23), http://www.usatoday.com/story/money/business/2013/03/21/europe-renewable-energy/2006245/.

Squire P (2007) Measuring state legislative professionalism: TheSquire index revisited. State Politics Policy Quart. 7(2):211–227.

Stigler G (1980) An introduction to privacy in economics and poli-tics. J. Legal Stud. 9(4):628–633.

Stutzman F, Gross R, Acquisti A (2013) Silent listeners: The evolu-tion of privacy and disclosure on Facebook. J. Privacy Confiden-tiality 4(2):7–41.

Vest JR, Gamm LD (2010) Health information exchange: Persis-tent challenges and new strategies. J. Amer. Medical InformaticsAssoc. 17(3):288–294.

Walker J, Pan E, Johnston D, Adler-Milstein J, Bates DW, MiddletonB (2005) The value of health care information exchange andinteroperability. Health Affairs 24(2):10–18.

Wennberg JE, Cooper MM (1996) The diagnosis and surgical treat-ment of common medical conditions. The Dartmouth Atlas ofHealthcare (American Hospital Publishing, Chicago), 113–144.

White House (2012) Consumer data privacy in a networked world:A framework for protecting privacy and promoting innovationin the global digital economy. Report, U.S. Government Print-ing Office, Washington, DC.

Dow

nloa

ded

from

info

rms.

org

by [

128.

237.

116.

93]

on 1

6 M

arch

201

8, a

t 08:

44 .

For

pers

onal

use

onl

y, a

ll ri

ghts

res

erve

d.

http://www.nytimes.com/2013/10/09/business/energy-environment/renewable-energy-in-spain-taking-a-beating.html



http://health.usnews.com/health-news/best-hospitals/articles/2009/07/15/Americas-best-hospitals-the-2009-2010-honor-roll



https://www.ehidc.org/articles/reports

https://www.ehidc.org/articles/reports

https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers



https://www.techpolicyinstitute.org/files/ps1.9.pdf.

https://www.techpolicyinstitute.org/files/ps1.9.pdf.

http://www.healthcareitnews.com/news/aclu-brings-suit-against-rhode-island-hie-0

http://www.healthcareitnews.com/news/aclu-brings-suit-against-rhode-island-hie-0

http://www.nationalehealth.org/ckfinder/userfiles/files/REPORT%20SecretsofHIESuccessRevealed.pdf

http://www.nationalehealth.org/ckfinder/userfiles/files/REPORT%20SecretsofHIESuccessRevealed.pdf

https://www.ruralcenter.org/sites/default/files/rhitnd/HIE-First%20Considerations-National%20Rural%20Health%20Resource%20Center.pdf



http://www.usatoday.com/story/money/business/2013/03/21/europe-renewable-energy/2006245/



the impact of privacy regulation and technology incentives ...acquisti/papers/adjerid... · patient...

Documents