There is a Time to Keep Silent and a Time to Speak, the Hard Part is Knowing Which is Which: Striking the Balance between Privacy Protection and the Flow of Health Care Information
76 Pages Posted: 10 Sep 2009 Last revised: 30 Sep 2019
Date Written: September 9, 2009
This paper explores fundamental policy trade-offs between health information technology (HIT) and regulatory protection of health information privacy and data security. The paper argues that barriers to HIT development and adoption have been complex, including not just misaligned payment incentives – addressed by the ARRA – but significant implementation issues, risk, “cultural” barriers to adoption, standard-setting issues, network externalities, and regulatory costs. We then focus on one species of regulatory costs that may be especially amenable to reform – those imposed by privacy and data security regulations. We investigate the expected tangible privacy harms related to HIT and find them to be less stark than some believe. We suggest that data security may be a more efficient substitute for many consent and breach notification requirements. We also examine the costs associated with state regulation of medical privacy and find them to be substantial. Although we do not advocate any particular legislative response to the costs of state regulation, we consider the express preemption of state law in the field as a potentially efficient response to those costs. Views expressed in this abstract and the accompanying paper are those of the authors alone, and do not represent the views of the Federal Trade Commission or any of its individual Commissioners.
Keywords: health information technology, HIT, telemedicine, privacy, identity theft, electronic health, preemption, network effects, regulatory barriers
Suggested Citation: Suggested Citation