1 Comm. on Redesigning Health Ins. Performance Measures, Payment, and Performance Improvement Programs, Bd. on Healthcare Serv., Inst. of Med., Rewarding Provider Performance: Aligning Incentives in Medicare 3 (2007)Google Scholar [hereinafter “Rewarding Provider Performance”]; Cook, Stacy L., Will Pay for Performance Be Worth the Price to Medical Providers? A Look at Pay for Performance and Its Legal Implications for Providers, 16 Annals Health L. 163, 165 (2007)Google Scholar.

3 See Comm. on Quality of Healthcare in Am., Inst. of Med., Crossing the Quality Chasm: A New Health System for the 21st Century 214 (2001)Google Scholar.

3 See Stark Law, 42 U.S.C. § 1395nn (2006).

4 See Anti-Kickback Statute, 42 U.S.C. § 1320a-7b (2006).

5 The Medicare and Medicaid Patient and Program Protection Act of 1987, Section 14 of Public Law 100-93, specifically required the development and promulgation of “safe harbor” provisions “to limit the reach of the statute somewhat by permitting certain non-abusive arrangements, while encouraging beneficial and innocuous arrangements.” See Medicare and State Health Care Programs: Fraud and Abuse; OIG Anti-Kickback Provisions, 56 Fed. Reg. 35,952, 35,952 (July 29, 1991) (codified at 42 C.F.R. pt. 1001); Pub. L. No. 100-93, 101 Stat. 680, 697-98 (1987). The safe harbor regulations themselves are found at 42 C.F.R. § 1001.952.

6 Section 1128A(a)(5) of the Social Security Act. Civil Monetary Penalties Statute, 42 U.S.C. § 1320a-7a(b) (2006).

7 D. McCarty Thornton & Kevin McAnaney, Recent Commentary Distorts [HHS OIG’s] Gainsharing Bulletin, http://oig.hhs.gov/fraud/docs/alertsandbulletins/bnagain.htm (issued in response to an article by Luce, Gregory and Witten, Jesse, HHS IG's Gainsharing Prohibition Lacks Legal Support, Health L. Rep. (BNA) No. 8, at 1387 (Aug. 19, 1999)Google Scholar) [both articles hereinafter “Recent Commentary”].

8 Special Advisory Bulletin: Gainsharing Arrangements and CMPs for Hospital Payments to Physicians to Reduce or Limit Services to Beneficiaries, 64 Fed. Reg. 37,985, 37,985-86 (July 14, 1999) [hereinafter “Special Advisory Bulletin”]; OIG Advisory Op., No. 01-1 (Jan. 11, 2001) [hereinafter “OIG Advisory Opinion 01-1”].

9 The Privacy Rule only applies to certain “covered entities,” which include health plans, healthcare clearinghouses, and healthcare providers who transmit data in electronic form. 45 C.F.R. § 164.104 (2008).

10 PHI is “individually identifiable health information [that is] transmitted by electronic media … or maintained in electronic media or [t]ransmitted or maintained any other form or medium.” 45 C.F.R. § 160.103 (internal numbering omitted). Individually identifiable information is the subset of health information that is created or received by a covered entity; relates to either (i) the past, present or future physical or mental health, or condition of an individual; (ii) the provision of healthcare to an individual; or (iii) the payment for the provision of healthcare to an individual; and either (a) identifies that individual; or (b) there is a reasonable basis to believe that the individual can be identified from the information. See id.

11 45 C.F.R. § 164.502.

12 45 C.F.R. § 160.103.

13 45 C.F.R. § 164.306.

14 An entity that performs services on behalf of a covered entity involving the use or disclosure of individually identifiable health information, but that is not a member of the covered entity's workforce constitutes a business associate of the covered entity. See 45 C.F.R. § 160.103.

15 45 C.F.R. § 164.502(e)(2) (2008).

16 I.R.C. § 501(c).

17 Id. § 501(c)(3) (prohibiting the inurement of any net earnings “to the benefit of any private shareholder or individual”).

18 The IRS has informally defined “private shareholder or individual” as “a person having a personal and private interest in the activities of an organization.” Internal Revenue Service Resources, Inurement/Private Benefit – Charitable Organizations, http://www.irs.gov/charities/charitable/article/0,,id=123297,00.html (last visited Sept. 22, 2009).

19 I.R.C. § 4958 (2006).

20 15 U.S.C. §§ 1–7 (2006).

21 Id. §§ 12–27; 29 U.S.C. §§ 52–53 (2006).

22 15 U.S.C. §§ 41-58 (2006).

23 See, e.g., id. § 2.

24 See, e.g., id. § 1.

25 See Arizona v. Maricopa County Med. Soc’y, 457 U.S. 332, 342–52 (1982); United States v. Socony-Vacuum Oil Co., 310 U.S. 150, 223-28 (1940).

26 NCAA v. Bd. of Regents of Univ. of Okla., 468 U.S. 85, 134-35 (1984).

27 Deficit Reduction Act of 2005, Pub. L. No. 109-71, 120 Stat. 4 (2006).

28 Exec. Order No. 13,410, 71 Fed. Reg. 51,089 (Aug. 28, 2006) [hereinafter Exec. Order No. 13,410]. See also U.S. Dep't of Health & Human Servs., Value-Driven Health Care: Four Cornerstones, http://www.hhs.gov/valuedriven/fourcornerstones/index.html (last visited Sept. 23, 2009).

29 See Press Release, Nat’l Quality Forum, National Quality Forum Endorses National Consensus Standards for Health Information Technology (Aug. 29, 2008), http://www.qualityforum.org/News_And_Resources/Press_Releases/2008/NATIONAL_QUALITY_FORUM_ENDORSES_NATIONAL_CONSENSUS_STANDARDS_FOR_HEALTH_INFORMATION_TECHNOLOGY.aspx.

30 U.S. Gov't Accountability Office, GAO-04-991R, HHS's Efforts to Promote Health Information Technology and Legal Barriers to Its Adoption 1 (2004), available at http://www.gao.gov/new.items/d04991r.pdf [hereinafter “GAO Report”].

31 Exec. Order No. 13,410, 71 Fed. Reg. 51089 (2006).

32 See id.; Consolidated Health Informatics (CHI) Initiative; Health Care and Vocabulary Standards for Use in Federal Health Information Technology Systems, 70 Fed. Reg. 76287 (Dec. 25, 2005).

33 Exec. Order No. 13,410. Pursuant to the Executive Order, HHS is currently developing interoperability standards.

34 See Pub. L. No. 111-5, 123 Stat. 115 (2009) [hereinafter “ARRA”].

35 See AHIC Successor, Inc., Newsletter, supra note 52.

36 U.S. Dep't of Health & Human Servs., News Release, New Web Site Helps Patients Shop for Hospital Care Based on Quality and Price (Mar. 28, 2008), http://www.hhs.gov/news/press/2008pres/03/20080328a.html; U.S. Dep't of Health & Human Servs., Hospital Compare – A Quality Tool Provided by Medicare, www.hospitalcompare.hhs.gov (last visited Sept. 25, 2009) [hereinafter “Hospital Compare Website”]; Agency for Healthcare Research and Quality, U.S. Dep't of Health & Human Servs., National Quality Measures Clearinghouse, http://www.qualitymeasures.ahrq.gov (last visited Sept. 25, 2009).

37 For example, see The Leapfrog Group's Hospital Quality and Safety Survey and public reporting of hospital quality rankings, available at http://www.leapfroggroup.org.

38 Exec. Order No. 13,410.

39 Hospital Compare Website, supra note 36.

40 See, e.g., Guy Boulton, Blue Cross to Disclose Prices: Costs of Some Procedures Will Be Posted on Web Site, Milwaukee J. Sentinel, July 7, 2008, at D1. For a detailed summary of efforts by states, provider associations, and private insurers to make healthcare pricing information publicly available, see the National Conference of State Legislatures website, available at http://www.ncsl.org/programs/health/transparency.htm.

41 Exec. Order No. 13,410.

42 Ctrs. for Medicare & Medicaid Servs., Report to Congress: Plan to Implement a Medicare Hospital Value-Based Purchasing Program 1-2 (2007), available at http://www.cms.hhs.gov/AcuteInpatientPPS/downloads/HospitalVBPPlanRTCFINALSUBMITTED2007.pdf.

43 See id.

44 Medicare Improvements for Patients and Providers Act of 2008, Pub. L. No. 110-275, §131(d), 122 Stat. 2494, 2527 (2008).

45 Ctrs. for Medicare & Medicaid Servs., Roadmap for Implementing Value-Driven Healthcare in the Traditional Medicare Fee-for-Service Program (2009), available at http://www.cms.hhs.gov/QualityInitiativesGenInfo/downloads/VBPRoadmap_OEA_1-16_508.pdf.

46 These include the Acute Care Episode Demonstration, the Medicare Hospital Gainsharing Demonstration, and the Physician Hospital Collaboration Demonstration. Information about the Medicare gainsharing demonstration projects is available at http://www.cms.hhs.gov/demoprojectsevalrpts/md/list.asp.

47 Rosenthal, Meredith B. et al., Pay for Performance in Commercial HMOs, 355 New Eng. J. Med. 1895, 1900 (2006)CrossRefGoogle ScholarPubMed (noting that of 242 health maintenance organizations surveyed, more than half use pay for performance strategies in their provider contracts). One recent example is Blue Cross of California's “Quality-in-Sights Hospital Incentive Program,” a program that rewards California hospitals for achieving quality goals in patient safety, outcome and patient satisfaction. Blue Cross of California Starts Pay-for-Performance Program for Hospitals, San Jose Bus. J., Mar. 20, 2008, available at http://www.bizjournals.com/sanjose/stories/2008/03/17/daily55.html.

48 The ONC was established in 2004, through Presidential Executive Order 13,335, to promote interoperable HIT at the national level. See Exec. Order No. 13,335, 69 Fed. Reg. 24,059 (Apr. 30, 2004).

49 U.S. Dep't of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., ONC-Coordinated Federal Health IT Strategic Plan: 2008–2012 (2008), http://www.hhs.gov/healthit/resources/HITStrategicPlan.pdf.

50 ARRA, supra note 34, at § 3001.

51 See U.S. Dep't of Health & Human Servs., Office of the Nat’l Coordinator for Health Information Technology, Federal Advisory Committees, American Health Information Community (AHIC) http://healthit.hhs.gov/portal/server.pt?open=512&objID=1199&parentname=CommunityPage&parentid=3&mode=2&in_hi_userid=10741&cached=true (last visited Sept. 23, 2009).

52 See HHS Secretary Mike Leavitt Commends AHIC Successor, Predicts that the Public- Private Approach Will Lead to Success, AHIC Successor, Inc., Newsletter Special Issue, Nov. 14, 2008, available at www.nationalehealth.org/WorkArea/DownloadAsset.aspx?id=109.

52 See ARRA, supra note 34 at § 13101. ARRA, HITECH Act, § 13101.

54 See U.S. Dep't of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., Standards and Certification, HIT Certification: CCHIT, http://healthit.hhs.gov/portal/server.pt?open=512&objID=1196&&PageID=15507&mode=2&in_hi_userid=10741&cached=true (last visited Sept. 23, 2009).

55 See U.S. Dep't of Health & Human Servs., Office of the Nat’l Coordinator for Health Information Technology, Data & Technical Standards: Health Information Technology Standards Panel (HITSP), http://healthit.hhs.gov/portal/server.pt?open=512&objID=1195&&PageID=15501&mode=2&in_hi_userid=10741&cached=true (last visited Sept. 23, 2009).

56 See U.S. Gov't Accountability Office, Health Information Technology: HHS Has Taken Important Steps To Address Privacy Principles and Challenges, Although More Work Remains 9-14 (2008), available at http://www.gao.gov/new.items/d081138.pdf.

57 See, e.g., Ctrs. for Medicare & Medicaid Servs., Details for Electronic Health Records Demonstration, http://www.cms.hhs.gov/DemoProjectsEvalRpts/MD/itemdetail.asp?itemID=CMS1204776 (last visited Sept. 23, 2009).

58 See National Quality Forum, supra note 29. The NQF standards expressly link the use of interoperable HIT to improved quality of care and care management by promoting not only adoption of e-prescribing technologies and EHRs, but also mechanisms to increase care coordination and ultimately to deliver continuous, patient-centered care through the medical home model.

59 Ctrs. for Medicare & Medicaid Servs., Details for Electronic Health Records Demonstration, http://www.cms.hhs.gov/DemoProjectsEvalRpts/MD/itemdetail.asp?itemID=CMS1204776 (last visited Sept. 23, 2009).

60 Id.

61 Pittsburgh Regional Health Initiative, Electronic Health Record (EHR) Demonstration, http://www.prhi.org/ehrdemo/ (last visited Sept. 12, 2009).

62 Press Release, Ctrs. for Medicare & Medicaid Servs., Medicare Selects Four Companies Where Beneficiaries Can Maintain Their Own Personal Health Records (Nov. 12, 2008), http://www.cms.hhs.gov/apps/media/press/release.asp?Counter=3359&intNumPerPage=10&checkDate=&checkKey=&srchType=1&numDays=3500&srchOpt=0&srchData=&keywordType=All&chkNewsType=1,+2,+3,+4.

63 See ARRA, supra note 34, at §§ 4101-4102.

64 Hospitals that are not meaningful EHR users in 2015 will have three-quarters of their annual market basket update reduced by one-third; in 2016 the reduction will be two-thirds, and in 2017 and thereafter, the reduction will be the full three-quarters of the market basket update. Id. §4102. Physicians who are not meaningful EHR users in 2015 will face a 1 percent reduction to their Medicare Physician Fee Schedule payments (or 2 percent, if these physicians also were required, but failed, to e-prescribe). The payment penalty increases to 2 percent in 2016 and 3 percent in 2017. In 2018 and afterward, CMS will continue increasing the payment penalty by one percentage point up to 5 percent if less than 75 percent of physicians are meaningful EHR users. Id. §4101.

65 Id. §4201. Unlike the Medicare hospital payments, an eligible hospital can qualify for the first year of Medicaid payments by demonstrating that “it is engaged in efforts to adopt, implement, or upgrade certified EHR technology.” To be eligible for payments in subsequent years, however, the hospital must demonstrate “meaningful use” of EHR, as dictated by each state. Also unlike the Medicare payments, which specify 2011 as the starting point, Medicaid payments could be available as soon as CMS and the states get the program up and running. Hospitals can receive the payments over 6 years (subject to certain limitations), but will not be eligible for payments after 2016 if they have not previously qualified.

66 Id. § 4101.

67 See U.S. Dep't of Health & Human Servs., Meaningful Use Workgroup Update, Aug. 14, 2009, http://healthit.hhs.gov/portal/server.pt?open=512&objID=1325&parentname=CommunityPage&parentid=1&mode=2.

68 Editorial, Better Data for Better Health, Boston Globe, July 3, 2008, at A8.

69 Mass. Gen. Laws ch. 40J, § 6D (2008); 2008 Mass. Acts 302. In August of 2008, Massachusetts had appropriated $25 million to the e-Health Institute Fund, the source of funding for the Institute. This appropriation was reduced to $15 million by State budget cuts in October of 2008.

70 Minn. Stat. § 62J.495 (2008).

71 Chris Newmarker, Minnesota Awards Grants for E-Health Records, Minneapolis/St. Paul Bus. J. (Oct. 30, 2008), available at http://www.bizjournals.com/twincities/stories/2008/10/27/daily31.html?t=printable.

72 Id.

73 Greenberg, Michael D. & Ridgely, M. Susan, Patient Identifiers and the National Health Information Network: Debunking a False Front in the Privacy Wars, 4 J. Health & Biomed. L. 31, 35-36 (2008).Google Scholar

74 Adler-Milstein, Julia et al., The State of Regional Health Information Organizations: Current Activities and Financing, 27 Health Aff. 60, 60, 63-64 (2008).Google ScholarPubMed

75 See, e.g., Robert H. Miller & Bradley S. Miller, The Santa Barbara County Care Data Exchange: Lessons Learned, California HealthCare Foundation iHealth Reports (2007), available at http://www.chcf.org/documents/chronicdisease/SantaBarbaraLessonsLearned.pdf; see also William Bernstein & Robert Belfort, The New Health Care Frontier: Navigating Through the Land of Regional Health Information Organizations, Advance for Health Information Executives (2005), available at http://www.manatt.com/pdfs/RHIO.pdf.

76 42 C.F.R. § 411.357(u). See Medicare Program; Physicians Referrals to Health Care Entities With Which They Have Financial Relationships; Exceptions for Certain Electronic Prescribing and Electronic Health Records Arrangements, 69 Fed. Reg. 16,113 (Mar. 26, 2004).

77 GAO Report, supra note 30 at 47.

78 Medicare Program; Physicians Referrals to Health Care Entities With Which They Have Financial Relationships; Exceptions for Certain Electronic Prescribing and Electronic Health Records Arrangements , 71 Fed. Reg. 45,140 (Aug. 8, 2006).

79 42 C.F.R. § 411.357(v).

80 Id. § 411.357(w).

81 71 Fed. Reg. 45,140, 45,142, 45,162.

82 Id. at 45,146.

83 Id. at 45,143.

84 Joy M. Grossman & Genna Cohen, Issue Brief No. 123, Ctr. for Studying Health Sys. Change, Despite Regulatory Changes, Hospitals Cautious in Helping Physicians Purchase Electronic Medical Records 1 (2008), available at http://hschange.org/CONTENT/1015/1015.pdf. See also Joy M. Grossman, Kathryn L. Kushner & Elizabeth A. November, Ctr. for Studying Health Sys. Change, Report No. 2, Creating Sustainable Local Health Information Exchanges: Can Barriers to Stakeholder Participation Be Overcome? (2008), available at http://www.hschange.com/CONTENT/970/970.pdf, for a discussion of barriers to implementation and participation in local health information exchanges more generally.

85 Medicare and State Health Care Programs: Fraud and Abuse; Safe Harbors for Certain Electronic Prescribing and Electronic Health Records Arrangements Under the Anti-Kickback Statute, 71 Fed. Reg. 45,110, 45,110 (Aug. 6, 2006). The exceptions are codified at 42 C.F.R. § 1001.952(x) and 42 C.F.R. § 1001.952(y).

86 Id. at 45,114. See, e.g., Mass.Gen.Laws ch. 175H, § 3 (2008) (Massachusetts antikickback law); Ohio. Rev. Code Ann. § 3999.2 (2002) (Ohio anti-kickback law); N.Y. Educ. Law § 6530 (McKinney 2000) (giving or receiving kickbacks as professional misconduct); and N.Y. Comp. Codes R. & Regs. tit. 8, § 29.1 (2009) (New York anti-kickback law).

87 I.R.S. Memorandum, Hospitals Providing Financial Assistance to Staff Physicians Involving Electronic Health Records (May 11, 2007), available at http://www.irs.gov/pub/irstege/ehrdirective.pdf.

88 I.R.S. Question and Answer Document, Q&A on Hospitals’ Health IT Subsidy Arrangements with Medical Staff Physicians (June 21, 2007) available at http://www.irs.gov/pub/irs-tege/ehr_qa_062007.pdf.

89 Access may be denied if it would violate federal and state privacy laws or a physician's contractual obligation to patients, in which case the hospital and physician may enter into an agreement regarding reasonable access to information. For example, their agreement could allow the hospital to access a patient's medical records only when that patient becomes a patient of the hospital, and could deny the hospital access to nonmedical information such as billing, insurance eligibility, and referral information. Id. at Q5.

90 I.R.C. § 61 (2006).

91 I.R.C. § 132(a)(3) (2006).

92 I.R.C. § 162(a) (2006).

93 Treas. Reg. § 1.132-1(b)(2) (2009).

94 Fred Stokeld, Progress Being Made on Study on Donor-Advised Funds, Supporting Orgs, Officials Say, Tax Notes Today 197-7 (Oct. 11, 2007) (citing comments made by IRS official Geoffrey Campbell at the October 2007 meeting of the D.C. Bar Tax Section's Exempt Organizations Committee).

95 Joint purchasing initiatives could be structured to fall within the existing antitrust safety zone for joint purchasing arrangements, including the “purchase of computer or data processing services by hospitals or other groups of providers … .” Dep't of Justice & Fed. Trade Comm’n, Statements of Antitrust Enforcement Policy in Health Care 53 (1996), available at http://www.usdoj.gov/atr/public/guidelines/1791.pdf [hereinafter “Health Care Statements”]. “Such arrangements are unlikely to raise antitrust concerns unless an arrangement accounts for so large a portion of the purchases of an HIT product or service in the market that the joint purchasing arrangement can exercise market power, or it accounts for such a large proportion of the total cost of services being sold that the arrangement may facilitate price fixing or otherwise reduce competition.” Id. at 53-54 (internal numbering omitted).

96 See U.S. Dep't of Health & Human Servs., Office of the Nat’l Coordinator for Health Info. Tech., White Paper: American Health Information Community Successor 13 (2007).

97 See e.g., Fed. Trade Comm’n and the Dep't of Justice, Improving Health Care: A Dose of Competition ch. 2 at 37 (2004) (stating that indicia of clinical integration include “use of common information technology to ensure exchange of all relevant patient data”); Letter from Jeffrey W. Brennan, Assistant Director, Bureau of Competition, Fed. Trade Comm’n, to John J. Miles (February 19, 2002) (Fed. Trade Comm’n Staff Advisory Opinion to MedSouth, Inc. granting provisional approval to a clinical integration plan), available at http://www.ftc.gov/bc/adops/medsouth.htm; Letter from Markus H. Meier, Assistant Director, Bureau of Competition, Fed. Trade Comm’n, to John J. Miles (June 18, 2007) (follow-up to 2002 Fed. Trade Comm’n Staff Advisory Opinion to MedSouth, Inc. affirming prior advisory opinion), available at http://www.ftc.gov/bc/adops/070618medsouth.pdf.

98 Linda L. Dimitropoulos, RTI Int’l, Privacy and Security Solutions for Interoperable Health Information Exchange: Assessment of Variation and Analysis of Solutions 3-1 - 3-9 (2007), available at http://www.rti.org/pubs/avas.pdf [hereinafter “AHRQ Report”].

99 Id. at 3-6 - 3-7.

100 Gottlieb, Lawrence K. et al., Regulatory and Policy Barriers to Effective Clinical Data Exchange: Lessons Learned from MedsInfo-ED, 24 Health Aff. 1197, 1201 (2005)CrossRefGoogle ScholarPubMed [hereinafter “Lessons Learned from MedsInfo-ED”].

101 See AHRQ Report, supra note 98, at 3-1 – 3-9.

102 See U.S. Dep't of Health & Human Servs., Health Information Privacy, http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/index.html (last visited Sept. 29, 2009).

103 ARRA, supra note 34, § 13405(b).

104 Id. The HIPAA provisions of ARRA respond in part to an ongoing policy dialogue regarding application of HIPAA privacy and security rules in the context of development and adoption of HIT. In 2006, AHIC convened a Confidentiality, Privacy, and Security Workgroup (the “CPS Workgroup”). The CPS Workgroup consists of privacy, security, clinical, and technology experts and is intended to frame privacy and security policy issues relevant to AHIC initiatives. The “broad charge” of the CPS Workgroup is to make recommendations to AHIC regarding the protection of personal health information in order to secure trust and support appropriate electronic health information exchange. Beginning in 2007, AHIC considered and accepted a series of recommendations from the CPS Workgroup relating to, among other things, patient identity verification and potential expansions of the HIPAA Privacy or Security Rules. See Letter from CPS Workgroup to Michael O. Leavitt, Chairman, American Health Information Community (Sept. 23, 2008), available at http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10731_848349_0_0_18/Recommendations%20Presented%20at%20the%20September%202008%20AHIC%20Meeting.pdf [hereinafter “CPS Workgroup Final Recommendations”]. For example, the CPS Workgroup recommended that “all persons and entities, excluding consumers, that participate directly in, or comprise, an electronic health information exchange network, through which individually identifiable health information is stored, compiled, transmitted, modified, or accessed should be required to meet enforceable privacy and security criteria at least equivalent to … [HIPAA] requirements,” independent of those established by contract. Id. at Appendix A (describing June 2007 recommendation to AHIC). The CPS Workgroup also recommended that electronic health information exchange networks with direct relationships with consumers or patients should be required to meet all the requirements of the HIPAA Privacy Rule, and also should be required to make publicly available a document that reasonably and accurately describes how they use and disclose health information and their privacy policies and practices, as well as how they safeguard patient or consumer information. In its final recommendations letter, however, issued on September 23, 2008, the CPS Workgroup declined to issue any recommendations, other than the ones described above, that would further expand the HIPAA Privacy and Security Rules and instead recommended that HHS conduct further work with stakeholders to “create a set of guidelines for protecting the confidentiality, privacy and security of information that is collected by, or shared through, an electronic health information exchange network.” Id. at 5. The CPS Workgroup also failed to address ongoing concerns about the lack of clarity in application of the “minimum necessary” rule and instead recommended that HHS “address how ‘minimum necessary’ would apply to the access, use, and disclosure of personal health information in or through a network … [and as] there is sufficient confusion and concern about how the minimum necessary rule would apply in this exchange environment that, at a minimum, HHS should provide additional guidance on this issue.” Id. at 6. The CPS Workgroup cited the immaturity of current efforts to develop HIT and electronic health information exchanges to explain its caution in not “making overly restrictive policy recommendations based on speculation.” Id. at 2. However, by leaving these issues for HHS (or Congress) to address in the future, the CPS Workgroup failed to resolve some of the most pressing concerns about existing HIPAA privacy and security requirements that hamper widespread HIT adoption. These concerns also provided an illustration and an indicator of the ongoing difficulties encountered by Congress during consideration of ARRA, to balance privacy concerns with the acknowledged need for widespread adoption of HIT.

105 See 45 C.F.R. § 160.103 (2008) (“business associate means … a person who … [,] [o]n behalf of [a] covered entity … performs, or assists in the performance of: … [a] function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or … [p]rovides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation … , management, administrative, accreditation, or financial services to or for such covered entity … , where the provision of the service involves the disclosure of individually identifiable health information from [the] covered entity … .”); see also U.S. Dep't of Health & Human Servs., Health Information Privacy Frequently Asked Questions, Is A Software Vendor a Business Associate of a Covered Entity?, http://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/256.html (last visited Sep. 19, 2009) (“If the [software] vendor does need access to the protected health information of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity. For example, a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity. In these examples, a covered entity would be required to enter into a business associate agreement before allowing the software company access to protected health information.”).

106 ARRA, by its language, limits the application of privacy standards to business associates to those “additional requirements of [ARRA] that relate to privacy,” thus, suggesting that HIPAA privacy requirements in effect prior to passage of ARRA do not apply to business associates. ARRA, supra note 34, at § 13404(a). However, the Congressional Conference Report suggests that Congress intended to apply all of the HIPAA privacy protections to business associates, stating that the bills “would apply the HIPAA Privacy Rule, the additional privacy requirements, and the civil and criminal penalties for violating those standards to business associates in the same manner as they apply to the providers and health plans for whom they are working.” See H.R. Rep. No. 111-16, at 493 (2009) (Conf. Rep.). ARRA imposes HIPAA Security Rule provisions directly to HIPAA business associates “in the same manner that such sections apply to the covered entity” (including those related to Administrative Safeguards (45 C.F.R. § 164.308 (2008)), Physical Safeguards (45 C.F.R. § 164.310 (2008)), Technical Safeguards (45 C.F.R. § 164.312 (2008)) and Policies & Procedures and Documentation Requirements (45 C.F.R. § 164.316(2008)). ARRA, supra note 34, at § 13401(a). Civil and criminal penalties for improper disclosure of health information also apply to business associates, exposing them to the same liability as HIPAA covered entities. See id. § 13401(b).

107 See id. § 13408.

108 The ONC has commissioned a study to catalog the thousands of state privacy laws on the books; the study, which is to be named The State of Health Privacy, has not yet been released by the ONC. See Jeff Day, Quick Action by State Leaders on HIT Vital to Tapping Stimulus Funds, Panel Told, Health Care Daily Rep. (BNA) (Mar. 2, 2009).

109 45 C.F.R. § 164.506 (2008).

110 42 C.F.R. pt. 2 (2008).

111 Lessons Learned from MedsInfo-ED, supra note 100, at 1200-1201.

112 Id.

113 For example, to comply with federal and state condition-specific privacy laws, one Massachusetts electronic clinical data sharing program screened out over 150 “sensitive” medications from a shared electronic database. The resulting data limitations reportedly inhibited clinicians’ use of the database. See id. at 1203.

114 See GAO Report, supra note 30, at 50–52.

115 The authors would like to acknowledge the substantial contribution made by Rebecca Haffajee to this section of the paper.

116 The Leapfrog Group is a coalition of major companies and other large private and public healthcare purchasers. The Leapfrog Group has identified a range of hospital quality and safety practices and rate a hospital's achievement of these practices through the Leapfrog Hospital Quality and Safety Survey and has also implemented hospital recognition and reward programs. The Leapfrog Group's hospital and safety practices were developed using independent scientific evidence endorsed by NQF and focus on: computer physician order entry; evidence-based hospital referral; ICU staffing by physicians experienced in critical care medicine; and the Leapfrog Safe Practices Score (which is a measurement of a hospital's adherence to 27 NQF-endorsed hospital safety practices, in addition to the other three NQF criteria already mentioned above). The Leapfrog Group began collecting hospital data in 2001 and now surveys hospitals in 33 regions within the United States. The Leapfrog Group publishes its hospital rankings on its website as well as in academic journals. See Performance Measurement: Accelerating Improvement, infra note 131, at 141, 265; see also The Leapfrog Group Website, http://www.leapfroggroup.org.

117 Blum, John D., Leveraging Quality in Managed Care: Moving Advocates Back into the Box, 2002 Wis. L. Rev. 603, 606-607 (2002)Google Scholar.

118 Bodenheimer, Thomas, The Movement for Improved Quality in Health Care, 340 New Eng. J. Med. 488, 488 (1999)CrossRefGoogle ScholarPubMed.

119 Sage, William M. & Kalyan, Dev N., Horses or Unicorns: Can Paying for Performance Make Quality Competition Routine?, 31 J. Health Pol. Pol’y & L. 531, 535 (2006)CrossRefGoogle ScholarPubMed.

120 Id. Examples of this information infrastructure are electronic health records, computerized patient order entry systems and other hi-tech tools. See Sage, William N., Pay for Performance: Will it Work?, 3 Ind. Health L. Rev. 303, 314 (2006)Google Scholar.

121 “‘Participation’ [in quality reporting programs] involves collecting and submitting to the payor the data needed to construct performance measures, which in turn makes providers eligible to receive financial rewards if they have performed well.” Rewarding Provider Performance, supra note Error ! Bookmark not defined.., at 112.

122 See Sage & Kalyan, supra note 119, at 536.

123 See Sage, supra note 120, at 315.

124 Cook, supra note Error ! Bookmark not defined.., at 175-76.

125 Sage & Kalyan, supra note 119, at 536.

126 Cannon, Michael F., Pay-for-Performance: Is Medicare a Good Candidate?, 7 Yale J. Health Pol’y L. & Ethics 1, 5-6 (2007)Google ScholarPubMed.

127 In fact, the initial complaints over the release of Medicare mortality data were so numerous that Medicare stopped reporting on mortality outcomes until it could create more “unassailable” measures of outcomes, rather than finding a formulate for adjusting for the risk of the patient populations. See Sarah Klein, In Focus: Making Quality More Meaningful, Quality Matters (The Commonwealth Fund), Sept./Oct. 2007, available at http://www.commonwealthfund.org/Content/Newsletters/Quality-Matters/2007/September-October/In-Focus-Making-Mortality-Data-More-Meaningful.aspx.

128 Cannon, supra note 126, at 6.

129 Physicians, patients and MCOs may perceive quality in unique ways and place emphasis on differing quality measures of performance – in other words, “quality is in the eye of the beholder.” For example, patients may value how providers communicate information to them and the length of wait-times. Meanwhile, physicians may consider quality to be the application of evidence-based medical knowledge to a given case and clinical outcomes. MCOs may place a greater emphasis on patient satisfaction and the use of preventative services over clinical outcomes. In sum, defining quality and creating appropriate measures pose real challenges given the diversity and complexity of healthcare as a product. See McGlynn, Elizabeth A., Six Challenges in Measuring the Quality of Health Care, 16 Health Aff. 7, 9 (1997)CrossRefGoogle ScholarPubMed; Bodenheimer, supra note 119, at 488-89.

130 Comm. on Redesigning Health Ins. Performance Measures, Payment, & Performance Improvement Programs, Inst of Med., Medicare's Quality Improvement Organization Program: Maximizing Potential 83 (2006)Google Scholar [hereinafter “Maximizing Potential”].

131 Comm. on Redesigning Health Ins. Performance Measures, Payment, & Performance Improvement Programs, Inst. of Med, Performance Measurement: Accelerating Improvement 51, 84 (2006)Google Scholar [hereinafter “Performance Measurement: Accelerating Improvement”]. The IOM found many important conditions unrepresented in measures. Id. at 85.

132 Id. at 85.

133 Lohr, Kathleen N., How Do We Measure Quality?, 16 Health Aff. 22, 24 (1997)CrossRefGoogle ScholarPubMed; see also Berenson, Robert A., Paying for Quality and Doing it Right, 60 Wash. & Lee L. Rev. 1315, 1332-33 (2003)Google Scholar (noting that a lack of case-mix adjustment in quality measures may serve as a perverse incentive by rewarding already well-funded, elite providers at the expense of providers serving disadvantaged populations).

134 Maximizing Potential, supra note 130, at 83.

135 Bates, David W. & Gawande, Atul A., The Impact of the Internet on Quality Measurement, 19 Health Aff. 104, 106-07 (2000)CrossRefGoogle ScholarPubMed (noting that the internet has remedied some of the availability issues associated with quality data).

136 E.g., Stevenson, David G., Is a Public Reporting Approach Appropriate for Nursing Home Care?, 31 J. Health Pol. Pol’y & L. 773, 801 (2006)CrossRefGoogle Scholar (finding that quality measures and reporting could have a limited role in promoting quality improvement in the nursing home setting, given initial indicators of the HHS Nursing Home Quality Initiative instituted in 2001).

137 The medical community has also raised legal concerns challenging the reliability and accuracy of payor-initiated provider report cards, network tiering, and ranking systems. Concerns about payor quality ranking systems are briefly discussed in Section 0. Payor tiering or ranking systems that expressly include a cost-efficiency component are more fully addressed in Section VI.

138 Crossing the Quality Chasm, supra note 2, at 218.

139 See Healy, Jason M., Altman, William M. & Fox, Thomas C., Confidentiality of Health Care Provider Quality of Care Information, 40 Brandeis L.J. 595, 600 (2002)Google ScholarPubMed.

140 Id. at 616-617.

141 Cook, supra note Error ! Bookmark not defined.., at 178.

142 Id. at 177-78 (citing Darling v. Charleston Cmty. Mem’l Hosp., 211 N.E. 2d 253, 257- 58 (Ill. 1965)).

143 Id.

144 See id. (citing Johnson v. Misericordia Cmty. Hosp., 301 N.W.2d 156 (Wis. 1981); Thompson v. Nason Hosp., 591 A.2d 703 (Pa. 1991)).

145 Pastore v. Samson, 900 A.2d 1067, 1082 (R.I. 2006) (quoting Rodrigues v. Miriam Hosp., 623 A.2d 456, 463 (R.I. 1993)).

146 Cook, supra note Error ! Bookmark not defined.. at 178. See, e.g., Jones v. Chicago HMO Ltd. of Ill., 730 N.E.2d 1119 (Ill. 2000); Shannon v. McNulty, 718 A.2d 828 (Pa. Super. Ct. 1998); Herrera v. Lovelace Health Sys., Inc., 35 F. Supp. 2d 1327 (D.N.M. 1999); McClellan v. Health Maint. Org. of Pa., 604 A.2d 1053 (Pa. Super. Ct. 1992), aff’d, 686 A.2d 801 (Pa. 1996); see also Iheukwumere, Emmanuel O., Application of the Corporate Negligence Doctrine to Managed Care Organizations: Sound Public Policy or Judicial Overkill?, 17 J. Contemp. Health L. & Pol’y 585, 613 (2001)Google ScholarPubMed (stating that “[i]ndividuals normally enroll in an MCO with a reputation for qualified and reputable healthcare providers, reasonable premiums, and adequate and timely provision of care. In the case of staff model MCOs, which directly employ physicians and other healthcare providers to care for their enrollees, it is clearly reasonable to assume that the enrollees expect the MCOs to ensure their safety and well-being while receiving care from those retained by the MCOs. Accordingly, MCOs have the same obligations as hospitals to select and retain on their enrollment lists only competent healthcare providers. They also have the obligation to maintain safe and adequate facilities and equipment for enrollees when the MCOs decide to provide direct medical care. Further, the duty to oversee all who practice under their influence and control should fall on MCOs, as well as the obligation to formulate, adopt, enforce and insist on the enrolled providers’ formulation, adoption and enforcement of adequate rules to ensure quality care for enrollees.”).

147 Healy, supra note 139, at 600-601.

148 Kesselheim, Aaron S. et. al., Will Physician-Level Measures of Clinical Performance Be Used in Medical Malpractice Litigation?, 295 JAMA 1831, 1831 (2006)CrossRefGoogle ScholarPubMed; see also PSQIA Proposed Rule, infra note 162, at 8113 (reporting that providers are unwilling to provide quality data due to lack of privilege protection).

149 Comm. on Quality of Health Care in Am., Inst. of Med., To Err Is Human: Building a Safer Health System 110 (Linda T. Kohn et al. eds., 2000) [hereinafter “To Err Is Human”].

150 Scheutzow, Susan O., State Medical Peer Review: High Cost But No Benefit – Is It Time for a Change?, 25 Am. J.L. & Med. 7, 35 (1999)Google ScholarPubMed.

151 Cook, supra note Error ! Bookmark not defined., at 186; see also Fed. R. Civ. P. 26(b)(1).

152 Scheutzow, supra note 150, at 13.

153 Id. at 8.

154 Liang, Bryan A., Collaborating on Patient Safety: Legal Concerns and Policy Requirements, 12 Widener L. Rev. 83, 90-91 (2005)Google Scholar.

155 Cook, supra note Error ! Bookmark not defined.., at 188.

156 Id. But see Kan. Stat. Ann. § 65-4915(a) (2008) (which includes the following as entities engaged in peer review: an insurance company, a health maintenance organization or an administrator of a health benefits plan which engages in peer review functions).

157 Cook, supra note Error ! Bookmark not defined.., at 192.

158 Id. at 192. See, e.g., Cal. Evid. Code § 1157 (2006) (extending medical review privilege to peer review committees of various medical professions); Mass. Gen. Laws ch. 111, §§ 204(a), 205(b) (2008) (extending medical review privilege to institutional peer review committees and quality assurance programs established by the Board of Registration only).

159 Liang, supra note 154, at 90-92. Instead, the federal common law on privilege applies in federal court, which law does not protect peer review activities. See Cook, supra note Error ! Bookmark not defined.., at 193.

160 To Err Is Human, supra note 149, at 111-12.

161 Pub. L. No. 109-41, 119 Stat. 424 (2005).

162 Patient Safety and Quality Improvement; Proposed Rule, 73 Fed. Reg. 8112 (proposed Feb. 12, 2008) (to be codified at 42 C.F.R. pt. 3) [hereinafter “PSQIA Proposed Rule”]. Patient safety information is defined broadly in the proposed rule as follows:

See id. at 8113 .

163 Patient Safety and Quality Improvement; Final Rule, 73 Fed. Reg. 70732, 70745– 70770 (Nov. 21, 2008) (to be codified at 42 C.F.R. pt. 3) [hereinafter “PSQIA Final Rule”]. Most of the provisions of the PSQIA Proposed Rule were adopted without modification in the final rule; the final rule does, however, make several significant changes. See id. at 70,733. The AHRQ has already listed 15 PSOs under its interim guidance published on October 8, 2008, which PSOs are expected to be in compliance with the PSQIA Final Rule when it takes effect. Patient Safety Organization Rule Finalized; HHS Says Entities Will Encourage Reporting, Health Care Daily Rep. (BNA) No. 226 (Nov. 24, 2008)Google Scholar. See also U.S. Dep't of Health & Human Servs., Implementing the Patient Safety and Quality Improvement Act of 2005 Including How To Become a Patient Safety Organization: Interim Guidance, available at http://www.pso.ahrq.gov/regulations/intguid.htm (last visited Sept. 23, 2009); see also Agency for Healthcare Research and Quality, Listed Patient Safety Organizations, http://www.pso.ahrq.gov/listing/psolist.htm (last visited Sept. 23, 2009).

164 PSQIA Proposed Rule, supra note 162, at 8114, 8140-8146; see also PSQIA Final Rule, supra note 163, at 70,770–70,784.

165 See PSQIA Proposed Rule, supra note 162, at 8113, 8121 (“[T]o become patient safety work product … information must be reported by a provider to a PSO.”); see also PSQIA Final Rule, supra note 163, at 70741 (providing that “information documented as collected within a patient safety evaluation system by a provider shall be protected as patient safety work product”).

166 Cook, supra note Error ! Bookmark not defined.., at 193-94; see also PSQIA Proposed Rule, supra note 162, at 8165 (“While the Patient Safety Act does establish new Federal confidentiality and privilege protections for certain information, these protections only apply when health care providers work with PSOs and new processes, such as patient safety evaluation systems, that do not currently exist.”); PSQIA Final Rule, supra note 163, at 70,745–70.

167 Bredice v. Doctor's Hosp., 50 F.R.D. 249 (D.D.C. 1970).

168 Donohue, Sharon K., Healthcare Quality Information Liability & Privilege, 11 Annals Health L. 147, 156 (2002)Google Scholar.

169 Id. at 155-56; see, e.g., Dowling v. Am. Hawaii Cruises, Inc., 971 F.2d 423, 426 (9th Cir. 1992).

170 Healy, supra note 139, at 630.

171 Id.

172 See, e.g., Grimes v. DSC Commc’ns Corp., 724 A.2d 561, 570 (Del. Ch. 1998) (noting that Delaware courts have refused to recognize the privilege).

173 See, e.g., Tinman v. Blue Cross Blue Shield of Mich., 176 F. Supp. 2d 743, 746 (E.D. Mich. 2001) (noting that Michigan courts have recognized the self-analysis privilege in the hospital context); Sheppard v. Consol. Edison Co., 893 F. Supp. 6, 8 (E.D.N.Y. 2000) (holding that the privilege extends to study regarding an employer's equal employment opportunity); Reichhold Chems, Inc. v. Textron, 157 F.R.D. 522, 526 (N.D. Fla. 1994) (holding that privilege extends to a report concerning environmental regulations); Granger v. Nat’l R.R. Corp., 116 F.R.D. 507 (E.D. Pa. 1987) (holding that the privilege extends to accident reports).

174 See Bradley v. Melroe Co., 141 F.R.D. 1, 3 (D.D.C. 1992); Granger, 116 F.R.D. at 510.

175 45 C.F.R. § 164.506 (2008); id. § 164.514.

176 45 C.F.R. § 160.103; see, e.g., the “Compare” data sets archived at http://www.cms.hhs.gov/QualityInitiativesGenInfo/AMCD/list.asp.

177 See, e.g., Final Rule, Medicare Program; Changes to the Hospital Inpatient Prospective Payment Systems and Fiscal Year 2009 Rates, 73 Fed. Reg. 48,434, 48,598 (Aug. 19, 2008) (CMS notes that QualityNet, the website through which RHQDAPU data are submitted, “meets or exceeds all current [HIPAA] requirements for security of [PHI].”); Am. Med. Ass’n, Guidelines for Pay-for-Performance Programs 3 (2005), http://www.amaassn.org/ama1/pub/upload/mm/368/guidelines4pay62705.pdf (“Data collection must be administratively simple and consistent with [HIPAA]”).

178 Rosenbaum, Sara, et al., An Assessment of Legal Issues Raised in “High Performing” Health Plan Quality and Efficiency Tiering Arrangements: Can the Patient Be Saved?, Health Care Pol’y Rep. (BNA) No. 39, at 1325 (Oct. 8, 2007)Google Scholar.

179 See Mark Joffe & Kelli Black, Physician Tiering Programs: Holding Health Plans Responsible for Tiering Methodology and Disclosure to Their Insureds, HMOs and Health Plans (Am. Health Lawyers Ass’n), Feb. 2008, at 1.

180 Id; see also Chen, Jersey, et al., Performance of the ‘100 Top Hospitals’: What Does the Report Card Report?, 18 Health Aff. 53 (1999)CrossRefGoogle ScholarPubMed; Hofer, Timothy P., et al., The Unreliability of Individual Physician “Report Cards” for Assessing the Costs and Quality of Care of a Chronic Disease, 281 JAMA 2098 (1999)CrossRefGoogle ScholarPubMed; Reed Abelson, National Standards Used to Rank Physicians Planned, N. Y. Times, Apr. 2, 2008, at C3; Amy L. Sorrel, Mass. Doctors Due, Saying Ranking Program is Flawed, Am. Med. News, July 7, 2008, at 10 (discussing suit in which physicians claim that inaccurate records obtained from claims data and faulty computer tools were used to rank them arbitrarily into three tiers).

181 Rosenbaum, supra note 178, at 1327-28.

182 See Complaint at ¶¶ 2.2-2.1, Wash. State Med. Ass’n v. Regence BlueShield, No. 06-2- 30665-1 (King Co. Super. Ct. Sept. 20, 2007), dismissed with prejudice Aug. 10, 2007.

183 Id.; see also Washington Doctors, AMA Settle Lawsuit with Regence, Foresee New Quality System, Health L. Rep. (BNA) No. 16, at 1009 (Aug. 16, 2007); Rosenbaum, supra note 180, at 1326. In Connecticut, the Fairfield County Medical Association has sued United Healthcare, Oxford, and Cigna health plans on behalf of physicians who were not designated as “elite” in elite physician designation programs that those plans implemented. Similarly, in Massachusetts, the Massachusetts Medical Society and a group of physicians have filed suit against the Massachusetts Group Insurance Commission alleging the use of unreliable and invalid methodologies to measure the care provided by participating physicians, with the primary goal of achieving cost savings at the expense of patient care. See, e.g., Mass. Med. Soc’y v. Group Insurance Comm’n, No. 08-2124 (filed May 21, 2008), First Amended Complaint at 2-3 [hereinafter “First Amended Complaint”]. The plaintiffs claim that the measures are arbitrary and incapable of accurately measuring quality or cost-efficiency, because they are not risk-adjusted and fail to account for medical appropriateness of procedures, among other alleged defects. Furthermore, according to the complaint, due to lack of transparency in the ranking methodology, physicians excluded from the top tiers are unable to validate or challenge their ranking.

184 Rosenbaum, supra note 178, at 1328-29.

185 Performance Measurement: Accelerating Improvement, supra note 131, at 43.

186 Id.

187 Maximizing Potential, supra note 130, at 83-84.

188 Nat’l Quality Forum, Mission and Vision, http://www.qualityforum.org/About_NQF/Mission_and_Vision.aspx (last visited Sept. 18, 2009).

189 Heather W. Tesoriero, Uniform Doctor Ratings Sought, Wall St. J., Apr. 2, 2008, at D7.

190 In testimony before the Senate Finance Committee, industry representatives emphasized the need for development of consistent standards. Consistent Standards, Payment Incentives Would Improve Care Quality, Witnesses Say, Health Care Daily Rep. (BNA) No. 175 (Sept. 10, 2008).

191 Performance Measurement: Accelerating Improvement, supra note 131, at 6-7.

192 Id.

193 Id. at 8.

194 Id. at 10-13.

195 Sage, supra note 120, at 322.

196 Sage & Kalyan, supra note 119, at 550.

197 Jacobsen, Peter D., Regulating Healthcare: From Self-Regulation to Self Regulation?, 26 J. Health Pol’y & L. 1165, 1172 (2001)Google Scholar.

198 See Reinhardt, Uwe E., The Pricing of U.S. Hospital Services: Chaos Behind a Veil of Secrecy, 25 Health Aff. 57 (2006)CrossRefGoogle ScholarPubMed. The article describes how U.S. hospitals now price their services to the various third-party payors and self-paying patients, and how that system would have to be changed to accommodate the increasingly popular concept of “consumer-directed healthcare,” and argues that “ ‘consumer empowerment’ … can only occur … if prospective patients actually have easy access to user-friendly, reliable information on at least three dimensions of their care: the prices charged by competing providers of healthcare; the costliness of the practice styles adopted by these various providers – that is, the prices times the quantities of services and supplies they package into the treatments they render; and the quality of these providers’ services.” Id. at 65.

199 D. Andrew Austin & Jane G. Gravelle, Cong. Research Serv., CRS Report for Congress: Does Price Transparency Improve Market Efficiency? Implications of Empirical Evidence in Other Markets for the Health Sector 30 (2007), available at http://www.fas.org/sgp/crs/secrecy/RL34101.pdf.

200 Federal and state governments enjoy antitrust immunity that does not apply to private actors. See Jonathan Rubin, Regulation-Based Antitrust Quasi-Immunity, 2005 ABA Sec. Antitrust L. 1, available at http://www.antitrustinstitute.org/archives/files/401.pdf.

201 Health Care Statements, supra note 95, at § 6 (“Participation by competing providers in surveys of prices for healthcare services … does not necessarily raise antitrust concerns. In fact, such surveys can have significant benefits for healthcare consumers. Providers can use information derived from price and compensation surveys to price their services more competitively … Purchasers can use price survey information to make more informed decisions when buying healthcare services.”); United States v. U.S. Gypsum Co., 438 U.S. 422, 441 n.16 (1978) (“The exchange of price data and other information among competitors does not invariably have anticompetitive effects; indeed such practices can in certain circumstances increase economic efficiency and render markets more, rather than less, competitive.”).

202 See infra for discussion of the antitrust safe harbor applicable to information sharing initiatives.

203 U.S. Dep't of Justice & Fed. Trade Comm’n, supra note 95, at 63-65.

204 Id.

205 See, e.g., Letter from Robert F. Leibenluft, Assistant Director, Federal Trade Commission, Bureau of Competition, Health Care Division, to Ralph T. Smith, Business Health Companies, Inc. (October 18, 1996), http://www.ftc.gov/bc/adops/waco_fin.shtm.

206 Health Care Statements, supra note 95, at 83 n.27.

207 See Maple Flooring Mfrs. Ass'n v. United States, 268 U.S. 563, 585 (1925) (citing United States v. Am. Linseed Oil, 262 U.S. 371 (1923)).

208 Todd. v. Exxon Corp., 275 F.3d 191, 207–08 (2d. Cir. 2001).

209 See id. at 211.

210 See supra Part V.B.4.

211 Agreement Concerning Physician Performance Measurement, Reporting and Tiering Programs, AG Andrew Cuomo-Empire HealthChoice, Nov. 2007 [hereinafter “Agreement”]; Agreement between Conn. Gen. Life Ins. Co. - CIGNA Healthcare N.Y., Inc. - Att’y Gen. Andrew Cuomo, Oct. 29, 2007; Agreement between Aetna Life Ins. Co. - Aetna Health Inc. - Att’y Gen. Andrew Cuomo, Nov. 13, 2007; Agreement between United Healthcare N.Y. - Att’y Gen. Andrew Cuomo, Nov. 20, 2007; Agreement between Health Ins. Plan of Greater N. Y. Group Health Inc. -Att’y Gen. Andrew Cuomo, Nov. 20, 2007; Agreement between Indep. Health - Att’y Gen. Andrew Cuomo, Dec. 2007. All agreements are available online from the New York Attorney General's office at http://www.oag.state.ny.us/bureaus/health_care/HIT/doctor_ranking.html.

212 See, e.g., Letter from Att’y Gen. Andrew Cuomo to Louis L. Benza, Esq., Assoc. Counsel, Empire Blue Cross Blue Shield (Oct. 18, 2007) at 3 (describing the Empire “Blue Precision” ranking program).

213 See, e.g., Agreement between Empire HealthChoice Assurance Inc. - Att’y Gen. Andrew Cuomo at 3, Nov. 2007; Agreement between Aetna Life Ins. Co. - Aetna Health Inc. - Att’y Gen. Andrew Cuomo at 3 Nov. 13, 2007.

214 Letter from Att’y Gen. Andrew Cuomo to Louis L. Benza, Esq., Assoc. Counsel, Empire Blue Cross Blue Shield (Oct. 18, 2007) at 4 (requesting information about the Empire's New York physician ranking program).

215 United, GHI/HIP Agree to New York AG Model Standards for Physician Rankings, Health Care Daily Rep. (BNA) No. 224 (Nov. 21, 2007); see also Joffe & Black, supra note 179, at 3 (describing New York settlement agreements). The core principles comprising this model program are laid out in the provisions of each settlement agreement. See supra note 211.

216 The selected Ratings Examiner, the National Committee for Quality Assurance (NCQA), recently issued its first report on the four health plans for which it has conducted a review: Aetna Health Inc., Aetna Life Insurance Company, CIGNA HealthCare of New York, Inc., and Connecticut General Life Insurance Company. Each met the 8 existing transparency and due process requirements of the New York model standards, and will be required to meet 4 additional requirements for their measurement methodologies within 6 months. See Nat’l Comm. for Quality Assurance, Ratings Examiner Report on New York Health Plan Methodologies (2008), http://nyrxreport.ncqa.org/Overview.aspx.

217 The insurers that have agreed to apply the model nationally include Aetna, CIGNA, UnitedHealthcare, and WellPoint (the parent company of Empire Blue Cross Blue Shield). Barr, Sarah, Speakers Cite Consumer Desires for Data, Need for Standards With Provider Rankings, 17 Health L. Rep (BNA) No. 106 (Jan. 17, 2008)Google Scholar.

218 Rosenbaum, supra note 178, at 1328.

219 Id.

220 See id.

221 The authors would like to acknowledge the substantial contribution made by Erin Fuse Brown to this section of the paper.

222 For the sake of simplicity, Medicare data sets generated in connection with these three categories of quality initiatives are all referred to herein as “Medicare quality data sets.”

223 Press Release, U.S. Dep't of Health & Human Servs., Medicare Trustees Report Shows Serious Financial Status of Medicare Program (Mar. 25, 2008), available at http://www.hhs.gov/news/press/2008pres/03/20080325a.html.

224 Rosenthal, Meredith et al., Paying for Quality: Providers’ Incentives for Quality Improvement, 23 Health Aff. 127, 131-132 (2004)CrossRefGoogle Scholar; Cannon, supra note 126, at 4.

225 Cannon, supra note 126, at 4.

226 Rewarding Provider Performance, supra note Error ! Bookmark not defined.., at 39-41.

227 Rosenthal et al., supra note 47, at 1901; Sage & Kalyan, supra note 121, at 534.

228 Cannon, supra note 126, at 4; see, e.g., First Amended Complaint, supra note 183, at 18-20 (discussing variable co-pays instituted according to physician tiering systems by Tufts Associated Health Plans, Inc. d/b/a Tufts Health Plan and UniCare Life & Health Insurance).

229 Rosenthal et al., supra note 47, at 1899-1901.

230 Mass. Special Comm’n on Health Care Payment Reform, Recommendations of the Special Commission on the Health Care Payment System 53 (2009), available at http://www.mass.gov/Eeohhs2/docs/dhcfp/pc/Final_Report/Final_Report.pdf.

231 See Warnke, Stephen, Roble, Daniel, & Willis, Jane, Is Massachusetts Poised to Leap Ahead of the Curve on Cost Containment?, 15 Health Plan & Provider Rep. (BNA) No. 1011 (Aug. 26, 2009)Google Scholar.

232 See Ketcham, Jonathan D. & Furukawa, Michael F., Hospital-Physician Gainsharing In Cardiology, 27 Health Aff. 803, 804 (2008)CrossRefGoogle ScholarPubMed; see also Special Advisory Bulletin, supra note 8, at 37986.

233 The OIG has issued a number of opinions in recent years where it evaluated gainsharing programs and decided not to impose sanctions because safeguards were put in place to protect against inappropriate reductions in services. See, e.g., OIG Advisory Op., No. 09-06 (June 30, 2009), available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2009/AdvOpn09-06.pdf (related to a hospital-physician gainsharing program involving a cardiology group, a vascular surgical group, and an interventional radiology group related to cardiac catheterization procedures); OIG Advisory Op., No. 08-21 (Dec. 8, 2008), available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-21.2.pdf (related to a hospital-physician gainsharing program involving cardiology groups and a radiology group related to cardiac catheterization procedures); OIG Advisory Op., No. 08-15 (Oct. 14, 2008), available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-15.pdf (involving a hospital-physician gainsharing program involving cardiologists); OIG Advisory Op., No. 08-09 (Aug. 7, 2008), available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-09B.pdf (related to a hospital-physician gainsharing program involving orthopedic surgeons and neurosurgeons related to spine fusion surgical procedures).

234 Deficit Reduction Act of 2005, Pub. L. No. 109-171, § 5007, 120 Stat. 4, 34-36 (2006).

235 Medicare Modernization Act, Pub. L. No. 108-173, § 646, 117 Stat. 2066, 2324-26 (2003).

236 In quality sharing programs, physicians are rewarded for implementing certain quality and efficiency enhancing measures only if they also achieve certain quality outcomes. There are additional types of gainsharing and quality improvement programs that hospitals and physicians could enter into that would not involve the sharing of cost savings from implementing certain clinical care “best practices.” Such programs would generally not implicate the CMP Statute and are less likely to be challenged. However, such programs would also not tie the incentives of physicians and hospitals as closely together.

237 See, e.g., Press Release, Ctrs. for Medicare & Medicaid Servs., Medicare Demonstrations Show Paying for Quality Health Care Pays Off (Aug. 17, 2009), available at http://www.cms.hhs.gov/apps/media/press/release.asp?Counter=3495&intNumPerPage=10&checkDate=&checkKaey=&srchType=1&numDays=3500&srchOpt=0&srchData=&keywordType=All&chkNewsType=1%2C+2%2C+3%2C+4%2C+5&intPage=&showAll=365&pYear=&year=0&desc=&cboOrder=date.

238 42 U.S.C. § 1320a-7a(b)(1)(2007) (emphasis added).

239 Thornton & McAnaney, supra note 7, at 1-2.

240 See Special Advisory Bulletin, supra note 8, at 37,985; OIG Advisory Op. No. 01-1, supra note 8, at 7.

241 In its 1999 Special Advisory Bulletin on gainsharing, OIG argued that the legislative history of the CMP Statute suggests that the breadth of the CMP Statute's prohibition was intentional because Congress simultaneously drafted a provision allowing Medicare managed care plans to implement physician incentive plans as long as the payment did not induce the reduction of medically necessary care to individual patients. See Special Advisory Bulletin, supra note 8, at 37,986. OIG concluded that the difference in the parallel language reflects a congressional decision to apply the CMP Statute prohibition broadly. Commenters have countered that OIG failed to reconcile its interpretation of the CMP Statute with the fact that Medicare only covers medically necessary services, and that there is evidence in the Budget Conference Report accompanying the Omnibus Budget Reconciliation Act of 1990 (in which Congress drafted the parallel provision for Medicare managed care plans) that Congress understood “services” to mean “medically necessary services.” See Recent Commentary, supra note 7, at 10 (citing H.R. Rep. 101-964 at 782); see also Donald H. Romano, A Fresh Look at the CMP Statute: It May Not be as Proscriptive for Gainsharing Arrangements as the OIG Believes, Health Law. Wkly., Mar. 6, 2009 (arguing that the text of the CMP does not necessarily prohibit paying physicians to use one medical supply or device rather than a clinically equivalent supply or device or to reduce medically unnecessary services).

242 The “set in advance” criteria are met if the formula for calculating compensation: (1) is established with specificity prospectively; (2) is objectively verifiable; and (3) may not be changed over the course of the agreement. Compensation may also be deemed “set in advance” if it is set in an agreement before the services for which payment is being made are rendered. 42 C.F.R. § 411.354(d)(1) (2008).

243 73 Fed. Reg. 38,502, 38,604–06 (July 7, 2008) (to be codified at 42 C.F.R. pt. 411).

244 Previous guidance from OIG has required measures to be clearly and separately identified and transparent. See, e.g., OIG Advisory Op. 07-22 (Dec. 28, 2007), available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2007/AdvOpn07-22A.pdf.

245 Previous guidance from OIG has required the financial incentives in gainsharing arrangements be reasonably limited in duration and amount.

246 73 Fed. Reg. 69,726, 69,793-98 (Nov. 19, 2008)(to be codified at 42 C.F.R. pt. 411).

247 73 Fed. Reg. at 69,798.

248 Hospital Industry Groups Urge CMS To Ease Use of Gainsharing Deals, Revisit Proposal, Health Care Fraud Rep. (BNA) No. 13 (Feb. 25, 2009)Google Scholar.

249 The OIG has recently issued three Advisory Opinions approving gainsharing arrangements between acute-care hospitals and cardiology and radiology groups. In Advisory Opinions 08-15 and 08-22, the OIG addressed a gainsharing arrangement where the hospital agreed to pay cardiology groups (Advis. Op. 08-15) and a radiology group (Advis. Op. 08-22) fifty percent of the yearly savings achieved from the physicians implementing thirty cost savings recommendations. OIG Advisory Opinion, 08-15, available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-15.pdf (Oct. 14, 2008); OIG Advisory Opinion, 08-22, available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-22.pdf (Dec. 15, 2008). The program was ongoing at the time the parties requested the Advisory Opinion, but the hospital would only release the funds to the physicians upon receipt of a favorable advisory opinion. In Advisory Opinion 08-16 (also issued on October 14, 2008), the OIG approved a pay-for-performance arrangement where the hospital intended to pay physicians up to fifty percent of the incentive payments that the hospital itself would receive from an insurance company for meeting certain quality standards. OIG Advisory Opinion, 08-16, available at http://oig.hhs.gov/fraud/docs/advisoryopinions/2008/AdvOpn08-16A.pdf (Oct. 14, 2008). While the OIG has approved 12 gainsharing programs in recent years, the pay-forperformance arrangement is the first the OIG has advised on or approved. Interestingly, the OIG decided not to impose CMP sanctions because the quality targets used in the P4P program had been endorsed by CMS and the Joint Commission through the Quality Measures Manual. The OIG explained: “[b]ecause the measures identified in the Quality Measures Manual are subject to regular update by CMS and the Joint Commission as the consensus regarding appropriate standard of care evolves, they carry a presumption of legitimacy, even where they might implicate the CMP by potentially inducing the reduction or limitation of items and services.” Id. at 8.

250 Marvin Friedlander, IRS, Information Letter 2002-021 (Jan. 9, 2002), available at http://www.irs.gov/pub/irs-wd/02-0021.pdf [hereinafter “IRS Information Letter 2002-0021”].

251 See, e.g., I.R.S. Priv. Ltr. Rul. 200926005 (Mar. 17, 2009).

252 “Clinical integration” has been defined as “an active and ongoing program to evaluate and modify practice patterns by the network's physician participants and create a high degree of interdependence and cooperation among the physicians to control costs and ensure quality.” Health Care Statements, supra note 95, § 8(B)(1), at 72-73.

253 See Warnke et al., supra note 231, at 8.

254 See id. at 7-8.

255 The Massachusetts initiative to implement ACOs statewide may be protected by the state action doctrine, though this analysis is also uncertain in the absence of draft legislation. Under the state action doctrine, activities that would otherwise violate the antitrust laws that are conducted pursuant to a state regime are not subject to antitrust enforcement or challenge by private parties. Federal case law has established the following two-part test: (1) the activity must be conducted pursuant to a clearly articulated and affirmatively expressed state policy; and (2) the state must be engaged in the “active supervision” of the conduct. See Cal. Retail Liquor Dealers Ass’n [EN- T.6] v. Midcal Aluminum, Inc., 445 U.S. 97, 106 (1980). To meet the first prong of this test, the state must have clearly intended to displace competition with the state-established program. See Patrick v. Burget, 486 U.S. 94, 102 (1988). The second prong of the test requires, at a minimum, substantial oversight by a state agency. The Commission's recommendations with regard to the Commonwealth's supervision of the formation and conduct of ACOs is unclear. Notably, the Commission has stated that it “recommends that the market determine global payment amounts consistent with the methodology established by the oversight entity.” Commission Report, supra note 232, at 14. Any proposed legislation and proposed agency structure to implement comprehensive payment reform should explicitly address what private activities will be authorized and supervised by the Commonwealth and therefore immune from antitrust challenge.

256 See also Rewarding Provider Performance, supra note Error ! Bookmark not defined.., at 129.

257 Klein, supra note 129, at 1-2. Criticism was levied against the outcome measures used in the initiative, notwithstanding the fact that statisticians had not finished their risk adjustments when the data were released in response to Freedom of Information Act requests.

258 Rewarding Provider Performance, supra note Error ! Bookmark not defined.., at 130; Cannon, supra note 126, at 22.

259 Ctrs. for Medicare and Medicaid Servs., Frequently Asked Questions, Implementation and Maintenance of CMS Mortality Measures for AMI & HF (June 19, 2007), http://www.cms.hhs.gov/HospitalQualityInits/downloads/HospitalMortalityAboutAMI_HF.pdf; QualityNet.org, Methodologies, http://www.qualitynet.org/dcs/ContentServer?cid=1163010421830&pagename=QnetPublic%2FPage%2FQnetTier4&c=Page (last visited Sept. 22, 2009).

260 The authors would like to acknowledge the substantial contribution made by Brett Friedman to this section of the paper.

261 Comm. on Assuring the Health of the Public in the 21st Century, The Future of the Public's Health in the 21st Century 28 (2002) [hereinafter “Future of Public Health”].

262 Gostin, Lawrence O. et al., The Future of the Public's Health: Vision, Values and Strategy, 23 Health Aff. 96, 97 (2004)CrossRefGoogle Scholar.

263 Id. at 104.

264 Id. at 100; see also Future of Public Health, supra note 261, at 17 (“Governmental public health agencies have the responsibility to facilitate and nurture the conditions conducive to good health. Without the active collaboration of other important institutions, however, they cannot produce the healthy people in healthy communities envisioned in Healthy People 2010.”). But see Rothstein, Mark A., Rethinking the Meaning of Public Health, 30 J.L. Med. & Ethics 144, 145 (2002)CrossRefGoogle ScholarPubMed (arguing that there is an even broader definition of public health, the “human rights” definition, and putting the IOM's definition in a middle category, “population as public health.”).

265 See Future of Public Health, supra note 261, at 17.

266 Id.

267 Id.

268 “‘Participation’ [in quality reporting programs] involves collecting and submitting to the payer the data needed to construct performance measures, which in turn makes providers eligible to receive financial rewards if they have performed well.” Rewarding Provider Performance, supra note Error ! Bookmark not defined.., at 112.

269 Sage & Kalyan, supra note 119, at 535.

270 Rewarding Provider Performance, supra note Error ! Bookmark not defined.., at 46. Examples of these process outcome measures include the twenty-six point National Committee for Quality Assurance's (“NCQA”) Healthcare Effectiveness Data and Information Set (“HEDIS”). Included in this information set are immunizations and vaccinations, cancer screening, measurement on tobacco use and prevention, diabetes testing and prevention, cholesterol testing and HIV screening during prenatal care. Nat’l Comm. Quality Assurance, HEDIS 2008: Summary Table of Measures, Product Lines & Changes (2008), http://www.ncqa.org/Portals/0/HEDISQM/HEDIS2008/2008_Measures.pdf.

271 Data “validity” refers to the accuracy of the measurements relative to what is being measured, while data “reliability” refers to the reproducibility of the same measurement over time. P4P and other programs that measure quality are forced to build in both these components to any data set. See Sachdeva, Ramesh C., Electronic Healthcare Data Collection and Pay-for-Performance: Translating Theory Into Practice, 16 Annals Health L. 291, 295-96 (2007)Google Scholar; see also Etheredge, Lynn M., A Rapid Learning Health System, 26 Health Aff. w107, w108 (2007)CrossRefGoogle ScholarPubMed.

272 Klein, supra note 127, at 3.

273 See Krent, Harold J. et al., Whose Business is Your Pancreas? Potential Privacy Problems in New York City's Mandatory Diabetes Registry, 17 Annals Health L. 1, 1-3 (2008)Google ScholarPubMed.

274 See, e.g., Eichner, June & Vladeck, Bruce C., Medicare as a Catalyst for Reducing Health Disparities, 24 Health Aff. 365, 368 (2005)CrossRefGoogle ScholarPubMed (crediting Medicare's administrative database with the ability to capture the broad picture of a beneficiary's health).

275 See, e.g., Torchiana, David F. & Meyer, Gregg S., Use of Administrative Data for Clinical Quality Measurement, 129 J. Thoracic & Cardiovascular Surgery 1223, 1224 (2005)CrossRefGoogle ScholarPubMed.

276 Shahian, David M. et al., Comparison of Clinical and Administrative Data Sources for Hospital Coronary Artery Bypass Graft Surgery Report Cards, 115 Circulation 1518, 1524-25 (2007)CrossRefGoogle ScholarPubMed. See supra Section 0 for a discussion of quality collection and reporting efforts for the Medicare programs.

277 See Madison, Kristin, Regulating Health Care Quality in an Information Age, 40 U.C. Davis L. Rev. 1577, 1642 (2007)Google Scholar; see also Eichner & Vladek, supra note 274, at 368.

278 See, e.g., John E. Wennberg et al., Use of Medicare Claims Data to Monitor Provider-Specific Performance Among Patients with Severe Chronic Illness, 2004 Health Aff. VAR-5 (2004) (using Medicare claims data to assess performance of hospitals in managing chronic disease); see also Torchiana & Meyer, supra note 275, at 1223 (despite administrative data being inaccurate and fallible, researchers still use these data because it is “accessible to everyone and relatively inexpensive to use.”).

279 Shahian, supra note 276, at 1524; see also Sachdeva, supra note 271, at 297 (“Although many comprehensive clinical databases are being rapidly developed, and such data is likely to be more readily available in the future, the current lack of databases does represent a significant limitation” to research).

280 See Stoto, Michael A., Public Health Surveillance in the 21st Century: Achieving Population Health Goals While Protecting Individuals’ Privacy and Confidentiality, 96 Geo. L.J. 703, 714-15 (2008)Google Scholar (discussing the need for individual information when performing disease surveillance functions).

281 Robert Pear, Employers Push White House to Disclose Medicare Data, N.Y. Times, Apr. 11, 2006, at A15.

282 See Florida Med. Ass’n, Inc. v. U.S. Dep't of Health, Educ. & Welfare, 479 F. Supp. 1291, 1305 (M.D. Fla. 1979).

283 See infra Section VIII.B.1.c for further discussion on data use agreements.

284 See, e.g., Health and Retirement Study, Medicare Claims and Summary Data, http://hrsonline.isr.umich.edu/index.php?p=medicare (last visited Nov. 20, 2008).

285 Klein, supra note 127, at 3. Certain states, such as Massachusetts and Pennsylvania, have periodically released outcomes measures of Coronary Artery Bypass Graft or CABG procedures. CABG procedures are easily measured as a result of the difficulty involved and frequency of their occurrence. Shahian, supra note 276, at 1527.

286 Sachdeva, supra note 271, at 299.

287 See id.

288 See Klein, supra note 272, at 3 (describing the difficulty in the release of Medicare mortality data and the attempts made by CMS to produce outcomes data that adjusted for the associated patient populations of providers). Most recently, the Hospital Quality Alliance (“HQA”), a partnership between CMS and private health care providers, began releasing riskadjusted mortality data on acute myocardial infarction, congestive heart failure, and pneumonia on its Hospital Compare website. Recent studies assessing the validity of the mortality data has shown that it is accurately risk adjusted and reflects the quality of care received at these hospitals. Jha, Ashish K. et al., The Inverse Relationship Between Mortality Rates and Performance in the Hospital Quality Alliance Measures, 26 Health Aff. 1104, 1106-09 (2007)CrossRefGoogle Scholar.

289 “Health Plan Employer Data and Information Set (“HEDIS”) data are collected by health plans for quality reporting purposes and therefore, not considered research information. Once used for conducting further research, however, authorization must be obtained from members whose HEDIS data are being used.” Durham, Mary L., How Research Will Adapt to HIPAA: A View from Within the Healthcare Delivery System, 28 Am. J.L. & Med. 491, 497 (2002)Google Scholar.

290 U.S. Dep't of Health & Human Servs., Research Repositories, Databases and the HIPAA Privacy Rule 2 (2004), available at http://privacyruleandresearch.nih.gov/pdf/research_repositories_final.pdf [hereinafter “Research Repositories”].

291 It is often seen as excessively burdensome for a researcher to get individual authorization from each individual whose PHI he or she is accessing. See U.S. Dep't of Health & Human Servs., Health Services Research and the HIPAA Privacy Rule 2, 5 (2005), available at http://privacyruleandresearch.nih.gov/pdf/HealthServicesResearchHIPAAPrivacyRule.pdf. In fact, articles have recognized that aggregate data used by public health officials and researchers can produce unintended consequences, such as stigmatization and economic discrimination for the populations being studied. See Krent, supra note 273, at 24 (discussing multiple deleterious effects from a public health researcher's use of identifiable information).

292 See Health Services Research at 2, 5.

293 See 45 C.F.R. § 164.514(a)-(c) (2008); see also Research Repositories, supra note 290, at 4.

294 See, e.g., Mariner, Wendy K., Mission Creep: Public Health Surveillance and Medical Privacy, 87 B.U. L. Rev. 347, 350 (2007)Google Scholar (discussing that a goal of public health is “to collect data about chronic diseases outside the context of a research study and without the need to obtain any individual patient's informed consent”).

295 See, e.g., Krent, supra note 273, at 21-22 (“Reports under New York's regulatory scheme create a treasure trove of information for public health officials and researchers alike. Researchers will be able to match A1C levels by neighborhood and evaluate trends as the A1C levels dip or rise.”).

296 A “public health authority” is broadly defined as including federal, state or local public health entities or individuals acting under the grant of authority from such agencies as part of an official mandate. 45 C.F.R. § 164.501 (2008).

297 Id. § 164.512(b).

298 Hodge, James G. Jr., Health Information Privacy and Public Health, 31 J.L. Med. & Ethics 663, 668 (2003)CrossRefGoogle Scholar.

299 Early Release: HIPAA Privacy Rule & Public Health: Guidance from CDC and the U.S. Department of Health and Human Services, Morbitity & Mortality Wkly. Rep., Apr. 11, 2003, at 8, available at http://www.cdc.gov/mmwr/pdf/other/m2e411.pdf.

300 See id.

301 45 C.F.R. § 164.528.

302 Id. § 164.514(e)(2)-(4); Research Repositories, supra note 290, at 3-4.

303 See 45 C.F.R. § 164.514(e)(2).

304 See Research Repositories, supra note 290, at 4, 6.

305 See id. at 7.

306 45 C.F.R. § 164.514(e)(4)(ii)(C)(1)-(4).

307 ARRA, supra note 34, at § 13405(d)(1), 123 Stat. 115, 266-267.

308 Id. at § 13405(d)(2)(A)-(B), 123 Stat. 115, 267.

309 Id. § 13405 (d)(3), 123 Stat. 115, 267.

310 See Echols, Heidi et al., HITECH Act: Analysis of Policy Implications, Requirements of Health IT Stimulus Provisions, 15 Health Plan & Pol’y Rep. (BNA) No. 8, at 6 (Feb. 25, 2009)Google Scholar.

311 See id.

312 See 45 C.F.R. § 164.514(e)(2)-(4); see also Research Repositories, supra note 290, at 4.

313 See U.S. Dep't of Health & Human Servs., Office of Human Research Protections [hereinafter “OHRP”], 45 C.F.R. Part 46 Frequently Asked Questions, http://www.hhs.gov/ohrp/45CFRpt46faq.html (last visited Sept. 21, 2009).

314 Nat’l Comm’n for the Protection of Human Subjects, Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects Research (1979), available at http://www.hhs.gov/ohrp/humansubjects/guidance/belmont.htm.

315 See OHRP, Human Subjects Regulation Decision Charts (Sept. 24, 2004), http://www.hhs.gov/ohrp/humansubjects/guidance/decisioncharts.htm. We have not considered the third question for determining Common Rule applicability, whether a federal department or agency is funding the research. Most public health research will fall under the Common Rule because most public health authorities receive federal funds, and much research will be conducted by institutions operating under a Federalwide Assurance (“FWA”). Even so, it is important to note that privately funded research is potentially outside the reach of the Common Rule.

316 See Burris, Scott et al., Applying the Common Rule to Public Health Agencies: Questions and Tentative Answers About a Separate Regulatory Regime, 31 J.L. Med. & Ethics 638, 639 (2003)CrossRefGoogle ScholarPubMed. The Common Rule defines research as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.” 45 C.F.R. § 46.102(d) (2008).

317 Burris et al., supra note 316, at 630.

318 The National Bioethics Advisory Commission has argued for a different definition of research to apply. See Hodge, James G. Jr., An Enhanced Approach to Distinguishing Public Health Practice and Human Subjects Research, 33 J.L. Med. & Ethics 125, 127 (2005)CrossRefGoogle ScholarPubMed. Other scholars have also argued for a categorical exemption for public health activities. See Burris, supra note 316, at 638-653 (arguing that public health agencies should not be subject to federal regulations of human subjects research).

319 A human subject is “a living individual about whom an investigator … conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.” 45 C.F.R. § 46.102(f).

320 See id. § 46.101(b)(4).

321 See id.

322 45 C.F.R. § 46.110; see also OHRP, May the IRB Continuing Review Be Done by Expedited Procedures Under 45 C.F.R. § 46.110? (Sept. 24, 2004), http://www.hhs.gov/ohrp/humansubjects/guidance/decisioncharts.htm#c8.

323 OHRP, Categories of Research that May Be Reviewed by the Institutional Review Board Through an Expedited Review Procedure (Nov. 9, 1998), http://www.hhs.gov/ohrp/humansubjects/guidance/expedited98.htm.

324 Id.

325 Id.

326 Deciding whether a research project qualifies for a waiver requires: (1) determining that the study poses minimal risk to the participants; (2) the research cannot practically be conducted without a waiver; (3) an analysis of the effects on the participants’ rights and welfare; and (4) the possibility of providing participants with additional pertinent information after the study. See 45 C.F.R. §§ 46.116(c)-(d); see also OHRP, Can Informed Consent Be Waived or Consent Elements Be Altered Under 45 CFR § 46.116(c) or (d)? (2004), http://www.hhs.gov/ohrp/humansubjects/guidance/decisioncharts.htm#c10.

327 Informed consent is supposed to be prospective and given by a subject who has decided to participate after learning about the details of the proposed study. See id.

328 HIPAA is not implicated if the data are stripped of their eighteen identifiers because it no longer qualifies as PHI. See 45 C.F.R. § 164.514(a) (2008). Similarly, informed consent is not required under the Common Rule because non-identifiable health information is not considered research. See 45 C.F.R. § 46.101(b)(4).

329 See Stoto, supra note 280, at 703-04 (defining surveillance as “ongoing, systematic collection, analysis, and interpretation of health data essential to the planning, implementation, evaluation of public health practice, closely integrated with the timely dissemination of these data to those who need to know” (citing Thacker, Stephen B. & Berkelman, Ruth L., Public Health Surveillance in the United States, 10 Epidemiologic Revs. 164, 164 (1988)CrossRefGoogle ScholarPubMed).

330 Weinick, Robin M. et al., Measuring Racial and Ethnic Disparities in Massachusetts: Lessons from Implementing a Publicly Mandated Data Collection Program, 26 Health Aff. 1293, 1299-1300 (2007)CrossRefGoogle Scholar.

331 Id.

332 See id. at 1294. Similar studies have been conducted on the federal level using Medicare quality data to inform researchers on racial disparities in healthcare. See Trivedi, Amal N. et al., Relationship Between Quality of Care and Racial Disparities in Medicare Health Plans, 296 JAMA 1998, 1999 (2006)CrossRefGoogle ScholarPubMed.

333 According to a recent Commonwealth Fund report, 85% of state Medicaid agencies have incorporated some sort of P4P program, with existing in planned programs in all but eight states. Kathryn Kuhmerker & Thomas Hartman, Pay-For-Performance in State Medicaid Programs: A Survey of State Medicaid Directors and Programs 4-5 (2007), available at http://www.commonwealthfund.org/usr_doc/Kuhmerker_P4PstateMedicaidprogs_1018.pdf?section=4039.

334 See 45 C.F.R. § 164.512(b)(1)(i).

335 Currently, public health authorities are permitted to request data from covered entities in accordance with their general public health mission and without a specific statutory mandate, see id., but a specific mandate will ensure that these authorities have a defensible position against which to respond to HIPAA arguments made by covered entities asked to supply their quality data.

336 Thacker, supra note 299, at 3. Additionally, laws in most states protect the privacy of information and limit the sharing of the data to non-health related areas. See Burris, Scott et al., The Role of State Law in Protecting Human Subjects of Public Health Research and Practice, 31 J.L. Med. & Ethics 654, 657 (2003)Google Scholar.

337 Although traditional public health practice functions are not considered research under the Common Rule, when public health entities are performing “research” in line with these activities, the Common Rule is applicable. Burris, supra note 316, at 638-41.

338 Id. at 650.

339 Id. at 646.