Yet, even with widespread digitization of health information and a $36 billion-dollar taxpayer investment to make that happen, that information seems to be flowing at a sluggish pace, and the exchange of digital health information among competitors is the exception, not the norm. This is distinct from some other industries where sharing data is more common and firms compete on the basis of using that data to create value.
In this article, we argue that the sluggish pace of information exchange results from firms’ incentives and abilities to maintain or enhance their competitive advantage. Health care organizations and their software vendors control the data collected or generated in the course of patients’ encounters with them. These organizations decide if, when, and how they will share that information with others, including other health care organizations, other software vendors, and, in some cases, even the patients themselves.
Not surprisingly, if retaining data is profitable while sharing it is not, there will not be a large amount of data sharing. In particular, if firms perceive that control of these data confer competitive advantage, they will be reluctant to share the data with rivals, even if sharing the data likely enables better care to be delivered to patients. Holding on to data may allow market participants to maintain, and in some cases enhance, their market position. We believe this “data blocking” is already a barrier to choice and competition and can make it difficult for new innovative organizations to successfully enter health care markets and compete. Furthermore, we anticipate that these issues will become even more pressing as data become an ever more important asset in health care, as it is in the rest of the economy.
The Executive and Legislative branches have recognized the apparent lack of data sharing by health care organizations may be attributable to data blocking (also called “information blocking”). In 2014, Congress requested that the U.S. Department of Health and Human Services Office of the National Coordinator for Health IT (ONC) publish a report on information blocking. Information blocking occurs when an entity that controls health data—such as a health care organization or an electronic health record (EHR) software vendor—refuses to share the data or engages in practices that impede efficient access and use of the data by competitors or other individuals or entities.
In April 2015, ONC published the report requested by Congress on the nature and extent of information blocking. In late 2016, Congress passed the 21st Century Cures Act (Cures). Cures defines information blocking, and requires ONC in conjunction with the HHS Office of the Inspector General (OIG) to define business practices that do not constitute information blocking. It also authorizes OIG to root out information blocking, including authorizing levying fines of up to $1 million per violation. On February 11, 2019, ONC released an “HHS approved” draft of its Notice of Proposed Rulemaking to Improve the Interoperability of Health Information, which will be published shortly in the Federal Register.
Whether these provisions will be sufficiently strong to overcome firms’ incentives to engage in information blocking remains an open question. In what follows, we trace the background and public policy behind the federal government’s drive to dramatically increase the availability of clinical digital health data and its expectation that those data would be exchanged widely and appropriately. We focus on how the sharing (and lack of sharing) of clinical digital health data affects competition. We analyze the problem from the perspectives of the health care providers and EHR vendors, the most important participants in the flow of patient medical data from an antitrust and policy perspective. We conclude with a look forward and suggestions of policy efforts that could shift firms’ incentives from not sharing data to sharing it.
I. Federal Policy to Digitize Health Information and Promote Information Sharing
In this Part, we first briefly describe the federal legal landscape that permits physicians and hospitals to exchange identifiable health information about patients they have in common. Next, we summarize how Congress built on that foundation in 2009 by enacting HITECH, creating significant financial incentives for physicians and hospitals to digitize their record keeping and to share the resulting digital data.
A. Health Insurance Portability and Accountability Act Supports Information Sharing
In 1996, Congress passed the Health Information Portability and Accountability Act (HIPAA). Although this act is now synonymous with the health information privacy regulation it spawned, HIPAA actually focused on two other features. “Portability” refers to insurance coverage portability, not data portability. (Twenty years ago policy makers believed insurance coverage portability would help alleviate the worse health effects of pre-existing condition exclusions to insurance coverage.) “Accountability” referred to the federal legal requirement that, in order to be paid by CMS (Centers for Medicare and Medicaid Services), providers would have to bill CMS digitally and therefore digitize claims information. Thus, through HIPAA, Congress made its first attempt to bring the power of computing to health care, specifically in the context of data transmissions. To avoid unintended consequences deriving from the electronic billing requirement, Congress delegated to HHS the development of regulations that specified how digital health data can be accessed, used and disclosed. As a result, we have the HIPAA Privacy, Security and Breach Notification federal regulations still in use today. In general, unless the context requires more specificity, we will simply refer to HIPAA for the totality of the Privacy, Security, and Breach Notification rules.
What HIPAA permits and requires by way of information sharing is important, because if HIPAA does not permit sharing, holders of data protected by HIPAA should not be accused of “information blocking.” But, where HIPAA permits or even requires data sharing, a failure to do so should be examined to make sure that HIPAA is not being employed as a pretext to justify data “hoarding,” as has been alleged by ONC, or to prevent patients from being “poached.” Therefore, we will briefly summarize what HIPAA permits and requires relative to information sharing.
The basic regulations governing when health information protected by HIPAA can be exchanged were written in 2000 and 2002, and are unchanged since then. HIPAA applies to the holders of identifiable health information, called “protected health information” or PHI, when those holders (called “covered entities”) are physicians, hospitals, health plans (including selffunded employer medical benefits plans), and certain businesses that process digital health information for billing. We are focused on health information in the custody of physicians and hospitals. HIPAA further recognizes that covered entities will need to hire various “business associates” to serve special purposes. The Privacy and Security Rules apply to both covered entities and business associates either by regulation or contract. For hospitals and physicians, EHR vendors are their business associates under HIPAA.
HIPAA requires that when requested to do so, covered entities provide an individual with copies of that individual’s PHI. The individual can then do whatever he or she wants with it, including giving it to another covered entity. In HITECH, Congress interpreted this regulation, and required that where a person sought his or her PHI from a health care organization that used a certified EHR, the person must be able to view, download, or transmit their PHI to a recipient of his or her’s own choosing, including a competing provider. HIPAA also permits two covered entities to share PHI, without the person’s written consent, about a person to whom they are both delivering care. In 2015, the HHS Office for Civil Rights clarified that this permission includes sharing health information using ONC certified EHRs. That guidance also specified that the disclosing covered entity was legally not responsible for the security conditions at the recipient covered entity. As a result, it is well documented that while other privacy rules may place additional restrictions on when and how sharing occurs, lack of health information sharing is not due to HIPAA specifically prohibiting it.
Continue reading the full text of this article in PDF format.
