Opt-In Consent Policies: Potential Barriers to Hospital Health Information Exchange

Nate C. Apathy, BS; and A. Jay Holmgren, MHI

Policy makers continue to advance interoperable health information exchange (HIE) as an important goal for the US healthcare system.1,2 One of the anticipated benefits of HIE is reduced administrative burden of data sharing, which in turn can give providers more complete information at the point of care.3-5 Digitization of the US healthcare system has brought us closer to realizing this goal through the Health Information Technology for Economic and Clinical Health Act’s incentives for hospitals and physician practices to adopt increasingly sophisticated electronic health records (EHRs).5,6 These incentives included supplementary Medicare reimbursements for hospitals that successfully demonstrated “meaningful use” of EHR functionality.5 In the case of HIE, this consisted of sending electronic summaries of care during care transitions.4 Despite these incentives, HIE capabilities among hospitals have continued to lag behind EHR adoption.7,8 As patients struggle with a lack of infrastructure for exchange between providers,9 hospitals have their own administrative burdens to enabling HIE, including the complex regulatory environment governing HIE across states,10 which can create significant barriers for hospitals that already face uncertain incentives to share patient data.

Perhaps the biggest legal challenge to a robust national HIE infrastructure is the varied state policies regarding patient consent for data exchange.10 State variation in consent policies comes from different approaches to default patient consent assumptions. States generally have either “opt-in” or “opt-out” patient consent requirements, although some have ambiguous or undefined patient consent policies.11 Opt-in states like New York assume no patient consent and therefore require explicit consent from each patient to allow providers to share and access that patient’s information via HIE.12 Opt-out states like Kansas assume patient consent for exchange but allow patients the opportunity to decline exchange.13 Rates of participation in HIE have been found to vary by consent policy, with more than 95% of patients participating under opt-out scenarios and only 19% participating in opt-in settings,10 consistent with the behavioral economics literature.14-17 In the case that a patient chooses to not participate in HIE, that patient’s information is not permitted to be shared or sent outside of the organization collecting the information. Disallowing this sharing would in turn depress the overall volume of HIE observed at the organization. Therefore, one would expect organizations under opt-in policies to engage in less exchange because of lower patient participation rates.

Despite this potential impact of opt-in consent policies on HIE, we are aware of no national studies of the impact of these laws on hospitals’ barriers to and volume of HIE. Previous studies have examined patient decisions in the context of a single HIE and individual patient-level factors associated with opt-in to HIE data sharing.18,19 These studies’ findings provide important insight into the factors related to patients’ HIE consent decisions and imply that there is significant administrative cost to obtaining patient consent. Research at the organizational level has found that policies requiring explicit (ie, opt-in) consent correlate with lower volume of clinical document exchange.20 Finally, 2 nationwide studies found the presence of consent laws to be associated with increased participation in HIE efforts.21,22 Importantly, these studies compared the presence of explicit consent laws with the lack of consent laws, as unclear legal environments (ie, when no consent laws exist) often require organizations to behave as conservatively as possible. To advance this literature, it is important to also study the nature of these laws. However, we are aware of no studies directly comparing opt-in and opt-out consent policies at the state level to determine if opt-in approaches lead to perceived regulatory barriers to HIE for hospitals and, in turn, reduced HIE volume.

The purpose of our study was 2-fold. First, we aimed to estimate the relationship between state laws governing patient consent requirements and hospitals’ probability of reporting regulatory and compliance barriers to HIE. Our second aim was to examine the extent to which these laws correlated with the level of hospital engagement in HIE. We anticipate our findings to be of interest to both state and federal policy makers and regulators currently crafting regulations for the future of HIE in the 21st Century Cures Act.23 Understanding the impact of different regulatory approaches to HIE on creating barriers to hospital participation and volume of data sharing is critical to informing the construction of future HIE infrastructure.


Setting and Data Sources

We used the American Hospital Association (AHA) Annual Survey and AHA Annual Survey Information Technology (IT) Supplement for 2016, as well as hospital-level Meaningful Use stage 2 (MU2; renamed “Promoting Interoperability” in 2018) performance measures. The AHA Annual Survey is sent annually to the chief executive officer of every hospital in the United States, with a request to complete it or designate completion to the person most knowledgeable in the organization. Respondents receive multiple mailings and follow-up phone calls. The 2016 survey was fielded from November 2016 to April 2017, and the IT Supplement received a response rate of 58%. We limited our sample to nonfederal acute care hospitals to construct the largest sample of comparable hospitals in the data, especially those subject to similar market forces. This sample construction allows for comparison with the existing literature discussing hospital IT adoption and use.6,24,25 Our analytic sample included 2613 hospitals.

We merged these data with 2016 publicly reported MU2 HIE performance measures using each hospital’s National Provider Identifier to obtain the level of HIE usage for that particular hospital. MU2 performance measures are derived from the Medicare incentive program for hospitals and providers to adopt and use increasingly sophisticated health IT. Hospitals report performance measures annually, with successful attestation translating into increased reimbursements from Medicare. These data were available only for hospitals that had attested to MU2 in 2016, limiting our subsample for this analysis to 1135 hospitals.

Regulatory barriers to HIE. For our first aim, examining the relationship between consent policy and hospitals experiencing regulatory barriers to HIE, our dependent variable was hospital-reported regulatory barriers to HIE. In the AHA survey, hospitals describe “barriers when trying to electronically (not eFax) send, receive, or find (query) patient health information to/from other care settings or organizations.” We classified hospitals as experiencing regulatory barriers to HIE if they responded “yes” to the following barrier: “The complexity of state and federal privacy and security regulations makes it difficult for us to determine whether it is permissible to electronically exchange patient health information.”

Hospital HIE volume. For our second aim, evaluating the relationship between state laws and the amount of HIE in which a hospital engaged, our primary dependent variable was hospital level of HIE usage, measured via MU2 public use files for eligible hospitals in 2016. As a requirement of attestation to MU2, hospitals report the percentage of patient transfers sent with an electronic summary of care record (eSCR). To successfully attest, the hospital must send at least 10% of transfers with eSCRs. This measure is calculated by dividing the number of patient transitions or referrals in which an eSCR was transmitted using certified EHR technology or an HIE or health information organization (HIO) by the total number of transfers of care a hospital completed during the 90-day MU2 reporting period.26 This measure has been used in previous work investigating how hospital factors and payment reform efforts relate to the level of HIE among hospitals.7,25 It is worth noting that the nature of this measure introduces possible confounding via selection bias for this aim. We discuss the implications and empirical evaluations of this selection bias in the Limitations section. Additionally, it may be that hospitals already using HIE and attesting to MU2 may be insensitive to regulatory barriers, having already achieved HIE in their state’s regulatory environment. We investigate this specifically in aim 1 of our analysis.

State HIE consent laws. The independent variables of interest capture state laws governing patient consent policies for HIE that were in effect as of June 2016 and do not include the effective dates of each policy, thus precluding a longitudinal analysis. Schmit et al surveyed the HIE legal landscape as of 2016 and classified state laws that affected HIE organizations and participants.11 Our independent variable captures the state law regarding patient consent for HIE. These laws are classified as opt-in, opt-out, or other (Figure 1). The “other” group consists of state laws that are ambiguous or describe patient HIE participation as “voluntary” without specifying a consent approach. For example, in Texas, the relevant legislation stipulates that HIE organizations may “implement, promote, and facilitate the voluntary exchange of secure electronic health information.”27 Ambiguous state policies were those that could not be interpreted as strictly opt-in or opt-out. For example, Nevada stipulates that patient consent must be obtained upon retrieval of information from an HIE but does not explicitly dictate the nature of that consent, nor does it clarify rules for consent to patient participation in the HIE prior to information retrieval.28 We operationalized this variable with opt-out policies as the reference group to estimate the effect of opt-in consent policies compared with opt-out policies. Our hypothesis was that opt-in consent policies would be associated with greater likelihood of reporting regulatory barriers to exchange. We matched policies via the state that each hospital reported in the 2016 AHA survey.

Hospital Characteristics

Control variables were constructed from the AHA IT Supplement to control for a variety of organizational, technological, and market factors that have been shown to be related to the adoption of IT and HIE in existing literature.8,29 We included the following control variables for organizational IT: hospital EHR adoption level (less than basic EHR, basic EHR, or comprehensive EHR)30 and primary EHR vendor (individual vendors for the top 90% of hospitals listed individually, with all others classified as “other”). We also included a measure of whether or not the hospital used the dominant EHR in the hospital referral region (HRR), which has been found to be related to HIE capabilities.31 For our second aim, we included hospital program year in the MU program as a proxy for experience with MU. We controlled for the following hospital factors: participation in a regional HIO (RHIO), ownership (for-profit, local government, or nonprofit), size (<100 beds, 100-400 beds, or >400 beds), health system membership, teaching hospital status, critical access hospital status, medical home status, participation in CMS’ bundled payments program, participation in an accountable care organization (ACO), percentage of total inpatient days for Medicare patients, and percentage of total inpatient days for Medicaid patients. Regional control variables included US Census region where the hospital is located and urbanicity, defined by core-based statistical area codes of rural, micro, and metro. Finally, we included a measure of HRR market concentration using the Herfindahl-Hirschman Index. We used the total number of hospital beds per hospital in the HRR as the measure of hospital market share.32 This was classified into Federal Trade Commission categories of unconcentrated, moderately concentrated, and highly concentrated.33

Analytic Approach: Design and Statistical Analyses

We examined differences in hospitals under different HIE consent policy regimes, using χ2 analyses to test for bivariate relationships. We used logistic regression adjusting for hospital technology adoption levels and HIE participation, as well as hospital and regional characteristics, with standard errors clustered at the state level to correct for correlation across hospitals in the same state. From these models, we computed marginal effects estimates and 95% CIs for ease of interpretation. We also conducted subgroup analyses to disaggregate the findings from aim 1 across hospitals differing in their levels of technological sophistication. We divided our sample into hospitals attesting to MU2 (ie, those with HIE volume performance data) and those not attesting to MU2, and we used the same logistic regression model. We compared these results with our main model including all hospitals to identify potential differences in the relationship between opt-in consent policies and reported regulatory barriers across these 2 groups of hospitals. This allowed us to investigate the hypothesis that less technologically advanced hospitals were more likely to report regulatory barriers than relatively more technologically advanced hospitals.

For our second aim, we used multiple linear regression, controlling for hospital technology adoption and experience in the MU program, organizational factors, and regional characteristics. We clustered standard errors at the state level. As a robustness check for both aims, we added controls for potential collider variables capturing hospital HIE capabilities that we excluded from our main regression models in separate regression models to validate that our primary estimates did not differ from those adjusting for these capabilities. All data preparation and analyses were performed in R (R Project; Vienna, Austria) using the RStudio development environment (RStudio; Boston, Massachusetts).

State Consent Laws

In the legal data collected by Schmit et al, 34 states had HIE consent policies defined as either opt-in, opt-out, or other.11 The remaining states and the District of Columbia are classified as missing in our data set. In 2016, 7 states had opt-in HIE consent policies, 15 had opt-out policies, and 12 were classified as having other approaches (Figure 1). In our primary regression model, there were 2023 hospitals with complete data from these 34 states. Of these hospitals, 478 were from opt-in states, 783 from opt-out states, and 762 from states classified as other.

Barriers to HIE

On average, 13% of hospitals reported regulatory barriers to HIE in 2016. In our bivariate analysis, 20% of hospitals in states with opt-in consent policies reported regulatory barriers to HIE compared with 13% of hospitals in states with opt-out, ambiguous, or voluntary policies (Figure 2), a statistically significant difference (P <.001). Hospitals also differed across consent policy types with respect to their RHIO participation, ownership, size, region, medical home status, critical access status, participation in ACOs and bundled payment programs, and location in urban or rural areas (Table 1). A complete table of descriptive statistics across all covariates can be found in eAppendix Table 1 (eAppendix available at

In our logistic regression, hospitals in states with opt-in consent policies had a 7.8 percentage point higher probability of reporting regulatory barriers to HIE compared with hospitals in states with opt-out policies (average marginal effect [AME], 0.087; P = .034) (Table 2). In a second model using other consent policies as the reference, neither opt-in nor opt-out policies illustrated a relationship with reporting regulatory barriers. Full regression results for our first aim, with both opt-out and other policies as the reference policy, are available in eAppendix Tables 2 and 3.

In our subgroup analyses stratifying hospitals by MU2 attestation for HIE level, we found no evidence of a relationship between opt-in consent policies and reported regulatory barriers for hospitals that reported MU2 attestation (AME, 0.08; P = .13) (Table 2). However, the finding that opt-in consent laws were associated with perceived legal barriers to HIE held among the subsample of hospitals not attesting to MU2 (AME, 0.077; P = .019) (Table 2), which may suggest that the burden of opt-in policies falls primarily on less technologically advanced hospitals. The full results of our subgroup analyses can be found in eAppendix Tables 4 and 5.

Finally, in our robustness check that included hospital HIE capabilities as potential collider variables, our primary aim 1 finding held in direction, magnitude, and significance (eAppendix Table 6). HIE capabilities of finding, sending, receiving, and using electronic patient health information were excluded from our main regression models examining consent policies and hospital-reported regulatory barriers to avoid collider bias, but these findings do not suggest that these variables constitute colliders in this analysis.

Volume of HIE

Among hospitals reporting to MU2, on average, hospitals reported that 43% of patient transfers were sent with an eSCR (Table 1). In bivariate analyses of our second research aim, hospital HIE volume differed across state HIE consent policies, with hospitals in opt-in states reporting an average of 42% of transfers sent with eSCR compared with 45% and 41% of transfers in opt-out and other policy states, respectively (P = .016). However, in multivariate linear regression adjusting for hospital EHR adoption, demographics, and regional characteristics, we found no evidence of a relationship between opt-in state HIE consent policies and volume of HIE usage compared with opt-out policies (β = 0.560; P = .763) (Table 2). Full regression results for the second aim can be found in eAppendix Table 7. Additionally, given the lower levels of HIE volume in opt-in states and the attenuation of that relationship in the adjusted model, we suspected that opt-in consent policies may be related to EHR adoption, which then would affect HIE volume. To test this, we conducted a multinomial logistic regression with consent policy type as the independent variable and EHR adoption level as the dependent variable. This test showed no significant relationship between these variables (eAppendix Figure).


Our study is the first to directly compare opt-in and opt-out HIE consent policies across states. We found that, on average, hospitals in states with opt-in consent policies for HIE were more likely to report regulatory barriers to HIE compared with hospitals in states with opt-out consent policies, even when adjusting for a variety of hospital IT, organizational, and market characteristics. This finding suggests that opt-in policies may uniquely contribute to hospital barriers to HIE compared with opt-out policies. Given the administrative burden that opt-in consent policies introduce,19 our findings are consistent with a larger body of work supporting the claim that opt-in policies are more burdensome to implement. However, policies requiring explicit consent such as these may serve an important protective role in the use of patient health information.

Our subgroup analyses found that the relationship between opt-in consent policies and reported regulatory barriers held only for hospitals not attesting to MU2 in 2016. Hospitals subject to opt-in consent but having some degree of interoperable HIE capabilities were not more likely to report regulatory barriers. This finding supports the interpretation that regulatory barriers may be borne primarily by hospitals that lag in technological sophistication and HIE capabilities in particular or that opt-in consent policies discourage HIE on the extensive margin only. Opt-in consent policies may in turn further delay these hospitals in achieving interoperable HIE.

Despite hospitals’ increased likelihood of reporting regulatory barriers to HIE in the presence of opt-in policies, we found no evidence of a relationship between opt-in consent policies and volume of HIE usage. This finding suggests that consent policy type does not directly influence the amount of HIE in which a hospital engages, although this analysis is limited only to the subgroup of hospitals attesting to MU2 and, as noted previously, no more likely to report regulatory barriers to HIE. Additionally, given the cross-sectional nature of our data, we are unable to observe hospitals’ reported regulatory barriers to HIE in prior years. Regulatory barriers to HIE, including opt-in consent policies, may have been more salient in previous years as hospitals were establishing HIE capabilities, and by 2016, these barriers may have been largely overcome.
Taken together, these findings illustrate that although opt-in consent regimes are related to barriers to HIE for hospitals, relatively technologically sophisticated hospitals use HIE at the same rate regardless of their state’s consent policy. That is to say that although opt-in consent policies may contribute to a variety of administrative or technical barriers, organizations are able to overcome these barriers if and when interoperable data exchange becomes an important institutional goal. Our findings fit with other work finding that both incentives and hospital technical capabilities relate to HIE volume.7,25

Although we find that opt-in consent policies are related to higher reported rates of regulatory barriers to HIE among hospitals, opt-out policies may not be strictly superior. Opt-out policies raise concerns among patients of violating rights to informed choice.34 Although opt-out consent policies are generally less burdensome for clinicians and administrators and are fully within the law under the Health Insurance Portability and Accountability Act, some evidence shows that patients may prefer opt-in systems for HIE consent.35 Opt-in consent policies are often motivated by these twin forces that prioritize privacy and patient preference, despite the administrative burdens they may bring.34 Policy makers should carefully consider these trade-offs going forward in deciding how laws pertaining to HIE should be crafted.

Future studies should consider directly examining variation in consent laws across jurisdictions or hospitals in different jurisdictions that share substantial numbers of patients, as the regulatory differences specific to patient consent in these settings are likely to be highly salient to hospitals. Furthermore, studies should examine the extent to which the volume of HIE is associated with the ultimate goals of interoperable HIE­—namely, improving efficiency, quality of care, and eventually health outcomes.


Our study has several limitations. First, the analysis is cross-sectional in nature and representative only of hospitals and state policies in 2016. Furthermore, we can draw no causal conclusions given the cross-sectional data and lack of exogenous variation. Given that both the database of state HIE laws and MU2 performance reporting are as of 2016, we were limited in our ability to analyze the effects of laws over time. States passed HIE laws over a number of years, further limiting longitudinal analysis. For example, the effective dates of consent laws range from June 2008 to March 2016, with two-thirds going into effect after 2011. Second, some states in the legal database contained missing values for certain laws—in particular, consent policies. Despite the listwise deletion of hospital observations in states with missing values for HIE policies, our sample sizes remained relatively robust from the states that were included in the analysis. However, this limits the generalizability of our findings outside of states included in the analysis and prevents us from drawing conclusions at the national level. Third, in the analysis for our second research aim, it is possible that our estimates are affected by selection bias. We observe only hospitals that successfully attested to MU2, a sample that may exclude hospitals with systematically lower levels of health IT sophistication from those analyses. This may be especially pronounced in analyses of HIE volume due to the volume threshold required for MU2 attestation. However, previous work has found limited evidence of selection bias in this sample of hospitals.7 In this work, authors Lin et al used a Heckman selection model to identify if hospitals that did not attest to MU2 had lower predicted HIE volume compared with those that did. They found that the Heckman model estimates were essentially the same as multiple linear regression, indicating that using only MU2-attesting hospitals was unlikely to bias the findings. Furthermore, our measure of HIE usage—percentage of patient transfers sent with eSCRs—has limitations in that it may not be perfectly sensitive to state consent policies, given that eSCR transitions have low administrative costs once exchange capabilities are in place. Nevertheless, we do find variation in this variable across hospitals, suggesting that rates of eSCR are not uniformly distributed.


Any policies that states implement for HIE will have trade-offs. In the case of opt-in consent policies, states may choose to prioritize patient privacy, right to consent, and patient preferences at the cost of added administrative burden and regulatory hurdles for hospitals and providers. Policy makers should consider the existing legal structures related to HIE in their regions and the technical capabilities of hospitals in their states to anticipate the burden that opt-in consent policies are likely to bring. Furthermore, federal policy makers tasked with reducing administrative burdens related to the use of EHRs—a specific provision of the 21st Century Cures Act—should consider that hospitals at varying levels of technological sophistication may experience different administrative burdens.


We compared opt-in state HIE consent policies with opt-out policies in 2016 and found that hospitals in states with opt-in consent policies were 7.8 percentage points more likely to report experiencing regulatory barriers to HIE. However, hospitals attesting to MU2 in these states did not systematically engage in less HIE, suggesting that these barriers are not borne by more technologically advanced hospitals. Our results fit with previous literature emphasizing the added administrative burden of opt-in consent policies compared with opt-out policies, especially for less technologically advanced hospitals. Policy makers should consider the complexity of regional differences in consent policies and the incidence of regulatory burdens when crafting HIE consent policies or guidance to hospitals for policy compliance.
Print | AJMC Printing...