ABA Health eSource
 June 2006 Volume 2 Number 10

Electronic Health Information Exchange Initiatives: Health Improvement Possibilities and Legal Challenges
by Barbara J. Zabawa, J.D., M.P.H., LaFollette Godfrey & Kahn, Madison, WI

Barbara J. ZabawaThe ability to collect and exchange health information electronically is at the core of many current healthcare initiatives, such as public health monitoring, patient safety, quality improvement, provider performance comparisons and consumer decision-making. In theory, electronic health information exchange can integrate the concerns and goals of a diverse set of healthcare stakeholders, such as insurers, clinicians, researchers, purchasers and consumers, thereby improving health and healthcare delivery. 1 Several studies of institutions that have adopted decision support systems or electronic health records have shown that such health information technologies can improve the quality and efficiency of healthcare. 2

Recognizing the importance of electronic health information exchange, the government is taking steps to facilitate the effort. For example, the Medicare Modernization Act (MMA) of 2003 mandated the adoption of standards for electronic prescribing as part of the new Part D Medicare benefit. 3 In April 2004, President Bush called for the adoption of electronic medical records for most Americans within the next 10 years and created the Office of the National Coordinator for Health Information Technology (ONCHIT) within the Department of Health and Human Services (DHHS). 4

ONCHIT hopes to create a national health information network by 2015. 5 The national network will likely consist of smaller “Regional Health Information Organizations” (RHIOs), which are regional and local entities and groups of healthcare stakeholders such as physicians, hospitals, insurers, patients and community members that oversee and support the exchange of electronic information at the local level to support care. 6 For example, Wisconsin has created “WHIO,” which is a voluntary partnership among key Wisconsin healthcare stakeholders that will develop a statewide warehouse of healthcare information spanning providers and systems. 7 WHIO will serve as a data repository for provider-specific healthcare claims data that can be used to track, analyze and measure entire episodes of care. 8

Despite the effort to encourage health information exchange, clinicians face some legal challenges to its widespread adoption, particularly under the state and federal privacy laws, as well as the Stark and Anti-Kickback laws.

1. Privacy Laws

Because health information exchange is premised on the sharing of patient and provider information, a key concern will be protecting the privacy of that information. Depending on how electronic health information is shared between clinicians and other organizations, a variety of privacy issues may arise. For example, a RHIO could share information among participants through contractual arrangements, in which case clinicians should have HIPAA-compliant patient authorizations and business associate agreements for those purposes. Alternatively, the RHIO could be considered a covered entity or part of an organized healthcare arrangement (OHCA), in which case the purpose and extent of the disclosure of personal health information will differ. Another problem may exist in HIPAA’s “more stringent” requirement, which allows state laws that are more stringent (i.e., more patient friendly) to take precedence over HIPAA. 9 A lack of a uniform privacy law could inhibit implementation of a national electronic health information network. 10 Moreover, efforts to circumvent privacy hurdles may create other, unanticipated challenges. For example, Wisconsin recently passed legislation to help WHIO with its data collection efforts by designating WHIO as a “public health authority.” 11 Under HIPAA, covered entities do not need an authorization to disclose protected health information to public health authorities. 12 However, designating WHIO as a public health authority, an arguably governmental entity, may require disclosure of information held by WHIO under Wisconsin’s open records law. 13

Many clinicians are wary of using and accessing personal health information electronically because of potential unauthorized disclosures and subsequent penalties. DHHS recently published the final rules regarding HIPAA privacy enforcement and penalties. 14 Although the government is aiming to take a cooperative approach to privacy rule enforcement, many clinicians may fear being subject to public scrutiny or civil and criminal penalties, given that almost 20,000 complaints of HIPAA privacy violations have been filed with the federal Office of Civil Rights 15 and stories of penalties abound in other areas of the law, such as Stark and Anti-Kickback (see below). For instance, one hospital offered free laptops to doctors to help them connect to the hospital’s information system, yet hardly any of the physicians accepted the offer because of fear and uncertainty about HIPAA complaints and enforcement. 16 Educating clinicians about the various privacy laws may allay fears about participating in health information exchange initiatives.

2. Stark and Anti-Kickback

Hospitals that offer computer equipment, software or other incentives to physicians to help them with health information exchange initiatives may violate the federal Stark and Anti-Kickback laws. 17 These laws attempt to curb fraud and abuse in federal health insurance programs, such as Medicare, and to insure that healthcare is provided in the absence of financial incentives.

Physicians and hospitals may wish to pool their resources to gain economic and educational efficiencies in health information exchange initiatives. Physicians, in particular, require financial incentives and assistance to encourage widespread adoption and use of electronic health information systems. 18 However, according to a 2004 Government Accountability Office report, physicians may be reluctant to accept financial resources from a hospital or other provider because the resources may be viewed as remuneration in violation of the Anti-Kickback law. 19 In the past, the government has been very strict about the uses of free or discounted computer resources given to healthcare clinicians. 20 Therefore, sharing costs of implementing health information exchange initiatives may implicate federal fraud and abuse laws.

On October 11, 2005, the Centers for Medicare and Medicaid Services (CMS) and the Office of the Inspector General (OIG) for DHHS published proposed rules to facilitate certain e-prescribing and electronic health records efforts under the federal Stark and Anti-kickback laws. 21 These rules create exceptions to those laws for efforts aimed at increasing use of e-prescribing and electronic health records. Unfortunately, the proposed exceptions and safe harbors contain several gaps that may undermine information exchange efforts. For example, the exceptions and safe harbors do not extend to hospitals providing resources to physician networks, IPAs and group practices. In addition, for electronic health record initiatives, the exception applies to donations of software and training services only. For electronic prescribing initiatives, donations of hardware are permissible but the hardware must be used solely for that purpose, limiting the ability of health information exchange initiatives to make a significant impact on improving healthcare costs and quality. Finally, because the rules prohibit electronic health record donations that are related to the “volume or value of referrals,” hospitals may be unable to donate to physicians on the basis of the number of shared patients, quality objectives, disease-specific initiatives or pay for performance/outcomes considerations. 22 Because of these limitations, clinicians interested in collaborating on health information exchange initiatives may have to avoid Stark and Anti-Kickback pitfalls through other exceptions, such as the Stark fair market value exception and the Anti-Kickback personal services and management contracts safe harbor.


Converging healthcare quality and cost improvement initiatives will soon compel all providers to exchange electronic health information in order to stay informed and competitive. Clinicians considering the various options for sharing cost and quality data must be cognizant of the legal hurdles that could stifle their efforts, including various privacy and fraud and abuse laws. However, with proper guidance, clinicians can lead health information exchange initiatives and thereby improve health and healthcare delivery in the United States.

1 Basit Chaudry, et al., Systematic Review: Impact of Health Information technology on Quality, Efficiency and Costs of Medical Care, Annals of Internal Medicine, 144:E-12, E-12 (2006).
2 Id.
3 Medicare Modernization Act of 2003, Pub. L. No. 108-173, § 1860D-4(e)(4), 117 Stat. 2066, 2089 (2003).
4 Kristen Rosati, The Quest for Interoperable Electronic Health Records, at 2 (July 2005) (available from author).
5 Id.
6 Hospitals and Health Networks, A Primer for Building RHIOs, Insert (Feb. 2006).
7 Press Release, Wisconsin Health Information Organization (Nov. 11, 2005).
8 Id.
9 45 CFR § 160.202 (2006).
10 Rosati, The Quest for Interoperable Electronic Health Records, at 20-21 (July 2005). It should be noted, however, that there is a national collaborative effort to address variations in state privacy and security laws. Press Release, RTI International, 22 States Join National Health Information Privacy and Security Collaboration (May 23, 2006) available at http://www.rti.org. In addition, Representative Johnson has introduced a bill that could create uniform health information laws and regulations. H.R. 4157, 109 th Cong. (2005).
11 2005 Wis. Act 228 § 15
12 45 CFR § 164.512(b) (2006).
13 Wis. Stat. § 19.35 (2003-2004).
14 45 CFR § 160.300 (2006).
15 Email from Alan S. Goldberg, HIPAA Summit Statistics (April 14, 2006).
16 Report on Patient Privacy, Remote Access Project Reveals Serious Flaws in Physician Privacy Compliance (Feb. 2006).
17 The Stark law, 42 U.S.C. § 1395nn, is a civil statute that prohibits physicians who have a financial relationship with a healthcare entity from making referrals for certain services to that entity, unless an exception applies. In addition, the Stark law prohibits the healthcare entity from billing Medicare for such referred services, unless an exception applies. The Anti-Kickback law, 42 U.S.C. § 1320a-7b(b), is a criminal statute that prohibits individuals and entities from knowingly and willfully offering, paying, soliciting or receiving any remuneration to induce federal program referrals.
18 Tyler Chin, American Medical News, Is IT Ready to Pay for Itself?, at 27 (March 13, 2006).
19 Rosati, The Quest for Interoperable Electronic Health Records, at 49 (July 2005).
20 For example, in 1991 the federal Office of the Inspector General (OIG) stated that if a physician who is provided a free computer is able to use the computer for purposes other than for medical services, “the computer has a definite value to the physician, and, depending on the circumstances may well constitute an illegal inducement.” 56 Fed. Reg. 35,978 (July 29, 1991).
21 70 Fed. Reg. 59,015 (Oct. 11, 2005); 70 Fed. Reg. 59,182 (Oct. 11, 2005). Final rules on the Stark and Anti-kickback exceptions are expected to be released within a few months. Resigning Health IT Chief: Efforts on Track, Interview with David Brailer, former National Health Information Technology Coordinator, in American Medical News (May 15, 2006).
22 Kathy Kenyon, A Policy Analysis of The Proposed Stark and Anti-Kickback Rules for Electronic Health Records and E-Prescribing, Health Lawyers News, at 5 (March 2006)
23 Geisin