Hospitals and other health-care entities are often reluctant to implement an EMR system if it requires a lot of customization work upfront to accommodate privacy requirements, she said. For example, if a state law allows only specific groups of people within an organization to access specific kinds of medical information, a hospital might need to implement filters and access controls to comply with the requirement, she said. Such customization also can be costly, which is another factor that results in slower adoption of EMR in states with stringent privacy requirements, Tucker said.

Deven McGraw, director of the health privacy project at the , blasted the study's conclusions. She said the study was based on old data and did not consider all of the factors that a health-care entity would typically look at when deciding whether to adopt an EMR system.

The study simply looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions, McGraw said. What it doesn't appear to have done is to examine whether other important factors, such as funding and business value, might have also had an impact on EMR adoption. Often health-care entities point to these two issues as being the two most important considerations when making decisions on EMR systems, she said. As a result, the study is "not of much value," she said.

"We just had $19 billion put on the table by the federal government to spur adoption of electronic medical records," McGraw said. "There's been an acknowledgement by this Congress that you need privacy protections," for people to begin trusting their health-care data to EMR systems. Trying to suggest at this stage that policy makers might have to choose between privacy and speedy adoption of EMR is disingenuous, she said.