Privacy Protections May Slow Adoption of Electronic Medical Records, New Research Finds

June 2, 2009 — This February's federal stimulus bill included $20 billion to promote the computerization of the American health care system. The adoption of electronic medical records promises increased efficiency, lower costs and a reduction of preventable errors.

This summer, the secretary of Health and Human Services is defining standards for those records, including strong authentication and encryption requirements. But tougher privacy and security regulations may stunt the efficiency and adoption of electronic medical records, according to new research co-authored by Amalia Miller, University of Virginia economics assistant professor.

More than 30 years after the first software to digitize medical records appeared, the vast majority of the U.S. health care system is still paper-based. Digital progress has been highly piecemeal. While more than 75 percent of U.S. hospitals make use of computerized laboratory or radiology reports, only about 1.5 percent have comprehensive electronic medical records, and only 17 percent have even a hospital-wide capability to write prescriptions via computer, according to a recent study by the New England Journal of Medicine.

In states that require stronger privacy safeguards for medical records than is prescribed by the federal Health Insurance Portability and Accountability Act, the adoption of electronic medical records systems was 24 percent lower than in states without stronger privacy laws, according to the research by Miller and Catherine Tucker, an assistant professor at the Massachusetts Institute of Technology's Sloan School of Management.

When states removed extra regulations, they saw a 21 percent increase in hospital electronic medical record adoption, compared with only an 11 percent gain during the same years in states that kept them intact.

"Privacy advocates don't talk about the tradeoffs, and they don't necessarily welcome the discussion of tradeoffs, but we're hoping to change that with this paper," Miller said.

The study analyzed data from 1995 to 2005 from more than 4,000 hospitals, about 1,400 of which reported exactly when they adopted an electronic medical record system.

More stringent privacy regulations increase the cost of exchanging patient information, the study says, reducing the relative value of electronic medical records and undercutting their "network effects."

"Hospitals derive network benefits from EMR when they can electronically exchange information about patient histories with other health providers," explains the paper, published online in May by the journal Management Science. "Exchanging EMR is quicker and more reliable than exchanging paper records by fax, mail or patient delivery.

"It is especially useful for patients with chronic conditions who want to see a new specialist who requires access to previous tests. It is also useful for emergency room patients whose records (containing information about previous conditions and allergies) are stored elsewhere."

As more hospitals and providers adopt electronic medical records, the interoperability value to each new adopter presumably increases, Miller said. This "network effect" is indeed observed in states without additional privacy laws, where electronic medical record adoption by one hospital increases the probability of a neighboring hospital's adoption by 7 percent.

But in states with hospital privacy protections, the network effect disappears, she said, in accord with claims by hospital administrators and software designers that the regulations make it more difficult and costly for hospitals to exchange information electronically.

A tradeoff between technology diffusion and privacy protection has been demonstrated in several fields, the paper explains, but this research is the first attempt to show that such a tradeoff exists in the realm of electronic medical records.

The research does not attempt to quantify the costs of reduced adoption, or the possible value created by greater privacy protection (such as the value to consumers of increased information security). Nor does the study make any recommendations on the right balance between more privacy and better electronic medical record adoption. The research also raises the question of whether there are better ways to promote electronic medical record privacy that don't inhibit adoption.

But the lesson from states' medical privacy laws is clear, Miller noted: Ratcheting up the privacy and security of medical records means slower adoption of electronic medical records.

"Reducing adoption by more than 24 percent – that's a pretty big effect," Miller said. "It's important to know those costs and have that be part of the policy decision-making process. To decide how much privacy is optimal, we need to quantify the costs and benefits, and those haven't been well quantified."

— By Brevy Cannon