5 U.S.C. 804(2) (as added by section 251 of Public Law 104-21), specifies that a "major rule" is any rule that the Office of Management and Budget finds is likely to result in:
Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is "significant" if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or more adversely affecting in a material way a sector of the economy, competition, or jobs, or if it raises novel legal or policy issues. The purpose of the regulatory impact analysis is to assist decision-makers in understanding the potential ramifications of a regulation as it is being developed. The analysis is also intended to assist the public in understanding the general economic ramifications of a regulation, both in the aggregate as well as the major policy areas of a regulation and how they are likely to affect the major industries or sectors of the economy covered by it.
In accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104-121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (OMB) has determined that this rule is a major rule for the purpose of congressional review.
The proposal for the privacy regulation included a preliminary regulatory impact analysis (RIA) which estimated the cost of the rule at $3.8 billion over five years. The preliminary analysis also noted that a number of significant areas were not included in the estimate due to inadequate information. The proposal solicited public comment on these and all other aspects of the analysis. In this preamble, the Department has summarized the public comments pertinent to the cost analysis and its response to them. However, because of the extensive policy changes incorporated in the final regulation, additional data collected from the public comments and the Department's fact-finding, and changes in the methodology underlying the estimates, the Department is setting forth in this section a more complete explanation of its revised estimates and how they were obtained. This will facilitate a better understanding by the public of how the estimates were developed and provide more insight into how the Department believes the regulation will ultimately affect the health care sector.
The impact analysis measures the effect of the regulation on current practices. In the case of privacy, as discussed in the preamble, there already exist considerable, though quite varied, efforts to protect the confidentiality of medical information. The RIA measures the change in these current practices and the cost of the new and additional responsibilities that are required to conform to the new regulation.
To achieve a reasonable level of privacy protection, the Department defined three objectives for the final rule: 1) to establish national baseline standards, implementation specifications, and requirements for health information privacy protection, 2) to protect the privacy of individually identifiable health information maintained or transmitted by covered entities, and 3) to protect the privacy of all individually identifiable health information within covered entities, regardless of its form.
Establishing minimum standards, implementation specifications, and requirements for health information privacy protection creates a level baseline of privacy protection for patients across states. The Health Privacy Project's report, The State of Health Privacy: An Uneven Terrain (33), makes it clear that under the current system of state laws, privacy protection is extremely variable. The Department's statutory authority under HIPAA allows the privacy regulation to preempt any state law that is contrary to, and not more stringent than, the privacy protection provided under this regulation. This sets a floor, but permits a state to create laws that are more protective of privacy. We discuss preemption in greater detail in other parts of the preamble.
The second objective is to establish a uniform base of privacy protection for individually identifiable health information maintained or transmitted by covered entities. HIPAA restricts the type of entities covered by the rule to three broad categories: health care providers that transmit health information in HIPAA standard transactions, health plans, and health care clearinghouses. However, there are similar public and private entities that are not within the Department's authority to regulate under HIPAA. For example, life insurance companies are not covered by this rule but may have access to a large amount of individually identifiable health information.
The third objective is to protect the privacy of all individually identifiable health information held by covered entities, including their business associates. Health information is currently stored and transmitted in multiple forms, including electronic, paper, and oral forms. To provide consistent protection to information, and to avoid requiring covered entities to distinguish between health information that has been transmitted or maintained electronically and that which has not, this rule covers all individually identifiable health information in any form maintained or transmitted by a covered entity.
For purposes of this cost analysis, the Department has assumed all health care providers will be affected by the rule. This results in an overestimation of costs because there are providers that do not engage in any HIPAA standard transactions, and therefore, are not affected. The Department could not obtain any reliable data on the number of such providers, but the available data suggest that there are very few such entities, and given the expected increase in all forms of electronic health care in the coming decade, the number of paper-only providers is likely to decrease.
Congress has recognized that privacy standards, implementation specifications and requirements must accompany the electronic data interchange standards, implementation specifications and requirements because the increased ease of transmitting and sharing individually identifiable health information will result in an increase in concern regarding privacy and confidentiality of such information. The bulk of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. The requirement for the issuance of concomitant privacy measures remained a part of the HIPAA bill passed by the House of Representatives in 1996, but the requirement for privacy measures was removed in conference. Instead, Congress added section 264 to Title II of HIPAA, which directs the Secretary to develop and submit to Congress recommendations addressing at least the following:
(1) The rights that an individual who is a subject of individually identifiable health information should have.
(2) The procedures that should be established for the exercise of such rights.
(3) The uses and disclosures of such information that should be authorized or required.
The Secretary's Recommendations were submitted to Congress on September 11, 1997, and are summarized below. Section 264(c)(1) of HIPAA provides that:
If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection [regarding recommendations].
Because the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, the Department has, in accordance with this statutory mandate, developed final rules setting forth standards to protect the privacy of such information.
Title II of the Health Insurance Portability and Accountability Act (HIPAA) also provides a statutory framework for the promulgation of other administrative simplification regulations. On August 17, 2000, the Transactions Rule was published. Proposals for health care provider identifier (May 1998), employer identifier (June 1998), and security and electronic signature standards (August 1998) have also been published. These regulations are expected to be made final in the foreseeable future.
HIPAA states that, "any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care." (Section 1172 (b)). This provision refers to the administrative simplification regulations in their totality, including this rule regarding privacy standards. The savings and costs generated by the various standards should result in a net savings to the health care system. The Transactions Rule shows a net savings of $29.9 billion over ten years (2002-2011), or a net present value savings of $19 billion. This estimate does not include the growth in "e-health" and "e-commerce" that may be spurred by the adoption of uniform codes and standards.
This final Privacy Rule is estimated to produce net costs of $18.0 billion, with net present value costs of $11.8 billion (2003 dollars) over ten years (2003-2012). This estimate is based on some costs already having been incurred due to the requirements of the Transactions Rule, which included an estimate of a net savings to the health care system of $29.9 billion over ten years (2002 dollars) and a net present value of $19.1 billion. The Department expects that the savings and costs generated by all administrative simplification standards should result in a net savings to the health care system.
Measuring both the economic costs and benefits of health information privacy is difficult. Traditionally, privacy has been addressed by state laws, contracts, and professional practices and guidelines. Moreover, these practices have been evolving as computers have dramatically increased the potential use of medical data; the scope and form of health information is likely to be very different ten years from now than it is today. This final regulation is both altering current health information privacy practice and shaping its evolution as electronic uses expand.
To estimate costs, the Department used information from published studies, trade groups and associations, public comments to the proposed regulation, and fact-finding by staff. The analysis focused on the major policy areas in the regulation that would result in significant costs. Given the vast array of institutions affected by this regulation and the considerable variation in practices, the Department sought to identify the "typical" current practice for each of the major policy areas and estimate the cost of change resulting from the regulation. Because of the paucity of data and incomplete information on current practices, the Department has consistently made conservative assumptions (that is, given uncertainty, we have made assumptions that, if incorrect, are more likely to overstate rather than understate the true cost).
Benefits are difficult to measure because people conceive of privacy primarily as a right, not as a commodity. Furthermore, a wide gap appears to exist between what people perceive to be the level of privacy afforded health information about them and what actually occurs with the use of such information today. Arguably, the "cost" of the privacy regulation is the amount necessary to bring health information privacy to these perceived levels.
The benefits of enhanced privacy protections for individually identifiable health information are significant, even though they are hard to quantify. The Department solicited comments on this issue, but no commenters offered a better alternative. Therefore, the Department is essentially reiterating the analysis it offered in the proposed Privacy Rule. The illustrative examples set forth below, using existing data on mental health, cancer screening, and HIV/AIDS patients, suggest the level of economic and health benefits that might accrue to individuals and society. Moreover, the benefits of improved privacy protection are likely to increase in the future as patients gain trust in health care practitioners' ability to maintain the confidentiality of their health information.
The estimated cost of compliance with the final rule is $17.6 billion over the ten-year period 2003-2012. (34) This includes the cost of all the major requirements of the rule, including costs to federal, state and local governments. The net present value of the final rule, applying an 11.2 percent discount rate, (35) is $11.8 billion. (36)
The first year estimate is $3.2 billion (this includes expenditures that may be incurred before the effective date in 2003). This represents about 0.23 percent of projected national health expenditures for 2003. (37) By 2008, seven years after the rule's effective date, the rule is estimated to cost 0.07 percent of projected national health expenditures.
The largest cost items are the requirement to have a privacy official, $5.9 billion over ten years, and the requirement that disclosures of protected health information only involve the minimum amount necessary, $5.8 billion over ten years (see Table 1). These costs reflect the change that affected organizations will have to undertake to implement and maintain compliance with the requirements of the rule and achieve enhanced privacy of protected health information.
Table 1. The Cost of Complying with the Proposed Privacy Regulation, in Dollars

| Provision | Initial or First Year Cost (2003, $Million) | Average Annual Cost ($Million, Years 2-10) | Ten Year Cost (2003-2012) ($Million) |
|---|---|---|---|
| Policy Development | $597.7 | $0 | $597.7 |
| Minimum Necessary | 926.2 | 536.7 | 5,756.7 |
| Privacy Officials | 723.2 | 575.8 | 5,905.8 |
| Disclosure Tracking/History | 261.5 | 95.9 | 1,125.1 |
| Business Associates | 299.7 | 55.6 | 800.3 |
| Notice Distribution | 50.8 | 37.8 | 391.0 |
| Consent | 166.1 | 6.8 | 227.5 |
| Inspection/Copying | 1.3 | 1.7 | 16.8 |
| Amendment | 5.0 | 8.2 | 78.8 |
| Requirements on Research | 40.2 | 60.5 | 584.8 |
| Training | 287.1 | 50.0 | 737.2 |
| De-Identification of Information | 124.2 | 117.0 | 1,177.4 |
| Employers with Insured Group Health Plans | 52.4 | 0 | 52.4 |
| Internal Complaints | 6.6 | 10.7 | 103.2 |
| Total* | 3,242.0 | 1,556.9 | 17,554.7 |
| Net Present Value | 3,242.0 | 917.8 | 11,801.8 |

*Note: Numbers may not add due to rounding.
The need for a national health information privacy framework is described in detail in Section I of the preamble above. In short, privacy is a necessary foundation for delivery of high quality health care -- the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers. At the same time, there is increasing public concern about loss of privacy generally, and health privacy in particular. The growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual's genetic make-up, and the increasing complexity of the health care system each bring the potential for tremendous benefits to individuals and society, but each also brings new potential for invasions of our privacy.
Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. Section I of the preamble, above, lists numerous examples of the kinds of deliberate or accidental privacy violations that call for a national legal framework of health privacy protections. Disclosure of health information about an individual can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. The answer to these concerns is not for consumers to withdraw from the health care system, but for society to establish a clear national legal framework for privacy.
This section adds to the discussion in Section I, above, a discussion of the market failures inherent in the current system which create additional and compelling reasons to establish national health information privacy standards. Market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had the ability to monitor and enforce contracts. The chief market failures with respect to privacy of health information concern information, negotiation, and enforcement costs between the entity and the individual. The information costs arise because of the information asymmetry between the company and the patient -- the company typically knows far more than the patient about how the protected health information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information may be generated, combined with other databases, or sold to third parties.
Absent this regulation, patients face at least two layers of cost in learning about how their information is used. First, as with many aspects of health care, patients face the challenge of trying to understand technical medical terminology and practices. A patient generally will have difficulty understanding medical records and the implications of transferring health information about them to a third party. Second, in the absence of consistent national rules, patients may face significant costs in trying to learn and understand the nature of a company's privacy policies.
The costs of learning about companies' policies are magnified by the difficulty patients face in detecting whether companies, in fact, are complying with those policies. Patients might try to adopt strategies for monitoring whether companies have complied with their announced policies. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. In addition, modern health care often requires protected health information to flow legitimately among multiple entities for purposes of treatment, payment, health care operations, and other necessary uses. Even if the patient could identify the provider whose data ultimately leaked, the patient could not easily tell which of those multiple entities had impermissibly transferred her information. Therefore, the cost and ineffectiveness of monitoring leads to less than optimal protection of individually identifiable health information.
The incentives facing a company that acquires individually identifiable health information also discourage privacy protection. A company gains the full benefit of using such information, including its own marketing efforts or its ability to sell the information to third parties. The company, however, does not suffer the losses from disclosure of protected health information; the patient does. Because of imperfect monitoring, customers often will not learn of, and thus not be able to take efficient action to prevent uses or disclosures of sensitive information. Because the company internalizes the gains from using the information, but does not bear a significant share, if any, of the cost to patients (in terms of lost privacy), it will have a systematic incentive to over-use individually identifiable health information. In market failure terms, companies will have an incentive to use individually identifiable health information where the patient would not have freely agreed to such use.
These difficulties are exacerbated by the third-party nature of many health insurance and payment systems. Even where individuals would wish to bargain for privacy, they may lack the legal standing to do so. For instance, employers often negotiate the terms of health plans with insurers. The employee may have no voice in the privacy or other terms of the plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The current system leads to significant market failures in bargaining privacy protection. Many privacy-protective agreements that patients would wish to make, absent barriers to bargaining, will not be reached.
The economic arguments become more compelling as the medical system shifts from predominantly paper to predominantly electronic records. Rapid changes in information technology should result in increased market failures in the markets for individually identifiable health information. Improvements in computers and networking mean that the costs of gathering, analyzing, and disseminating electronic data are plunging. Market forces are leading many health care providers and health plans to shift from paper to electronic records, due both to lower cost and the increased functionality provided by having information in electronic form. These market changes will be accelerated by the administrative simplification implemented by the other regulations promulgated under HIPAA. A chief goal of administrative simplification, in fact, is to create a more efficient flow of medical information, where appropriate. This privacy regulation is an integral part of the overall effort of administrative simplification; it creates a framework for more efficient flows for certain purposes, including treatment and payment, while restricting flows in other circumstances except where appropriate institutional safeguards exist.
If the medical system shifts predominantly to electronic records in the near future, accompanying privacy rules will become more critical to prevent unanticipated, inappropriate, or unnecessary uses or disclosures of individually identifiable health information without patient consent and without effective institutional controls against further dissemination. In terms of the market failure, it will become more difficult for patients to know how their health provider or health plan is using health information about them. It will become more difficult to monitor the subsequent flows of individually identifiable health information, as the number of electronic flows and possible points of leakage both increase. Similarly, the costs and difficulties of bargaining to get the patients' desired level of use will likely rise due to the greater number and types of entities that receive protected health information.
As the benefits section, below, discusses in more detail, the protection of privacy and the correction of the market failure also have practical implications. Where patients are concerned about a lack of privacy protections, they might fail to get medical treatment that they would otherwise seek. This failure to get treatment may be especially likely for certain conditions, including mental health conditions and HIV. Similarly, patients who are concerned about a lack of privacy protections may report health information inaccurately to their providers when they do seek treatment. For instance, they might decide not to mention that they are taking prescription drugs that indicate that they have an embarrassing condition. These inaccurate reports may lead to misdiagnosis and less-than-optimal treatment, including inappropriate additional medications. In short, the lack of privacy safeguards can lead to efficiency losses in the form of foregone or inappropriate treatment.
In summarizing the economic arguments supporting the need for this regulation, the discussion here has emphasized the market failures that will be addressed by this regulation. These arguments become considerably stronger with the shift from predominantly paper to predominantly electronic records. As discussed in the benefits section below, the proposed privacy protections may prevent or reduce the risk of unfair treatment or discrimination against vulnerable categories of persons, such as those who are HIV positive, and thereby, foster better health. The proposed regulation may also help educate providers, health plans, and the general public about how protected health information is used. This education, in turn, may lead to better information practices in the future.
An analysis of the costs and benefits of the regulation requires a baseline from which to measure the regulation's effects. For some regulations, the baseline is relatively straightforward. For instance, an industry might widely use a particular technology, but a new regulation may require a different technology, which would not otherwise have been adopted by the industry. In this example, the old and widely used technology provides the baseline for measuring the effects of the regulation. The costs and the benefits are the difference between keeping the old technology and implementing the new technology.
Where the underlying technology and industry practices are rapidly changing, however, it can be far more difficult to determine the baseline and thereby measure the costs and benefits of a regulation. There is no simple way to know what technology industry would have chosen to introduce if the regulation had never existed, nor how industry practices would have evolved.
Today, the entities covered by the HIPAA privacy regulation are in the midst of a shift from primarily paper records to electronic records. As covered entities spend significant resources on hardware, software, and other information technology costs, questions arise about which of these costs are fairly attributable to the privacy regulations as opposed to costs that would have been expended even in the absence of the regulations. Industry practices generally are rapidly evolving, as described in more detail in Part I of this preamble. New technological or other measures taken to protect privacy are in part attributable to the expected expense of shifting to electronic medical records, rather than being solely attributable to the new regulations. In addition, the existence of privacy rules in other sectors of the economy helps set a norm for what practices will be considered good practices for health information. The level of privacy protection that would exist in the health care sector, in the absence of regulations, thus would likely be affected by regulatory and related developments in other sectors. In short, it is difficult to project a cost or benefits baseline for this rule.
The common security practice of using "firewalls" illustrates how each of the three baselines might apply. Under the first baseline, the full cost of implementing firewalls should be included in a Regulatory Impact Analysis for a rule that expects entities to have firewalls. Because current law has not required firewalls, a new rule expecting this security measure must include the full cost of creating firewalls. This approach, however, would seem to overstate the cost of such a regulation. Firewalls would seem to be an integral part of the decision to move to an on-line, electronic system of records. Firewalls are also being widely deployed by users and industries where no binding security or privacy regulations have been proposed.
Under the second baseline, the touchstone is the level of risk of security breaches for individually identifiable health information under current practices. There is quite possibly a greater risk of breach for an electronic system of records, especially where such records are accessible globally through the Internet, than for patient records dispersed among various doctors' offices in paper form. Using the second baseline, the costs of firewalls for electronic systems should not be counted as a cost of the regulation except where firewalls create greater security than existed under the previous, paper-based system.
Finally, the third baseline would require an estimate of the typical level of firewall protections that covered entities would adopt in the absence of regulation, and would include in the Regulatory Impact Analysis only the costs that exceed what would otherwise have been adopted. For this analysis, the Department has generally assumed that the status quo would otherwise persist throughout the ten-year period (in a few areas we explicitly discuss likely changes). We made this decision for two reasons. First, predicting the level of change that would otherwise occur is highly problematic. Second, it is a "conservative" assumption; that is, any error will likely be an overstatement of the true costs of the regulation.
Privacy practices are most often shaped by professional organizations that publish ethical codes of conduct and by state law. On occasion, state laws defer to professional conduct codes. At present, where professional organizations and states have developed only limited guidelines for privacy practices, an entity may implement privacy practices independently. However, it is worth noting that changes in privacy protection continue to increase in various areas. For example, European Union countries may only send individually identifiable information to companies, including U.S. firms, that comply with their privacy standards, and the growing use of health data in other areas of commerce, such as finance and general commercial marketing, has also increased the demand for privacy in ways that were not of concern in the past.
The Department examined statements issued by five major professional groups, one national electronic network association and a leading managed care association. (38)
There are a number of common themes that all the organizations appear to subscribe to:
Beyond these principles, the major associations differ with respect to the methods used to protect individually identifiable health information. There is no common professional standard across the health care field with respect to the protection of individually identifiable health information. One critical area of difference is the extent to which professional organizations should release individually identifiable health information. A major mental health association advocates the release of identifiable patient information ". . .only when de-identified data are inadequate for the purpose at hand." A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to "sell" patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance to release of the information.
Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies its position by stating that the physician has the final word on whether a patient has access to his or her health information. This association also recommends that its members respond to requests for access to patient information within ten days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in his or her record and the entity refuses to accept the patient's change, the patient's statement should be included as a permanent part of the patient's record.
In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of individually identifiable health information.
The one set of standards that we reviewed from a health network association advocated the protection of individually identifiable health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting individually identifiable health information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. The association suggested allowing the use of protected health information without the patient's authorization for what it terms "health promotion." It is possible that the use of protected health information for "health promotion" may be construed under the rule as part of marketing activities.
Based on the review of the leading association standards, we believe that the final rule embodies most or all of the major principles expressed in the standards. However, there are some major areas of difference between the rule and the professional standards reviewed. The final rule generally provides stronger, more consistent, and more comprehensive guarantees of privacy for individually identifiable health information than the professional standards. The differences between the rule and the professional codes include the individual's right of access to health information in the covered entity's possession, relationships between contractors and covered entities, and the requirement that covered entities make their privacy policies and practices available to patients through a notice and the ability to respond to questions related to the notice. Because the regulation requires that (with a few exceptions) patients have access to their protected health information that a covered entity possesses, large numbers of health care providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that health care providers or health plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes. The regulation allows for the release of protected health information for research purposes without an individual's authorization, but only if such authorization is waived by an institutional review board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.
The second body of privacy protections is found in a complex, and often confusing, myriad of state laws and requirements. To determine whether or not the final rule would preempt a state law, first we identified the relevant laws, and second, we addressed whether state or federal law provides individuals with greater privacy protection.
Identifying the relevant state statutes: Health information privacy provisions can be found in laws applicable to many issues including insurance, worker's compensation, public health, birth and death records, adoptions, education, and welfare. In many cases, state laws were enacted to address a specific situation, such as the reporting of HIV/AIDS, or medical conditions that would impair a person's ability to drive a car. For example, Florida has over 60 laws that apply to protected health information. According to the Georgetown Privacy Project, (39) Florida is not unique. Every state has laws and regulations covering some aspect of medical information privacy. For the purpose of this analysis, we simply acknowledge the variation in state requirements.
We recognize that covered entities will need to learn the laws of their states in order to comply with such laws that are not contrary to the rule, or that are contrary to and more stringent than the rule. This analysis should be completed in the context of individual markets; therefore, we expect that professional associations or individual businesses will complete this task.
Recognizing the limits of our ability to effectively summarize state privacy laws, we discuss conclusions generated by the Georgetown University Privacy Project's report, The State of Health Privacy: An Uneven Terrain. The Georgetown report is among the most comprehensive examinations of state health privacy laws currently published, although it is not exhaustive. The report, which was completed in July 1999, is based on a 50-state survey.
To facilitate discussion, we have organized the analysis into two sections: access to health information and disclosure of health information. Our analysis is intended to suggest areas where the final rule appears to preempt various state laws; it is not designed to be a definitive or wholly comprehensive state-by-state comparison.
Access to Subject's Information: In general, state statutes provide individuals with some access to medical records about them. However, only a few states allow individuals access to health information held by all their health care providers and health plans. In 33 states, individuals may access their hospital and health facility records. Only 13 states guarantee individuals access to their HMO records, and 16 states provide individuals access to their medical information when it is held by insurers. Seven states have no statutory right of patient access; three states and the District of Columbia have laws that only assure individuals' right to access their mental health records. Only one state permits individuals access to records about them held by health care providers, but it excludes pharmacists from the definition of provider. Thirteen states grant individuals statutory right of access to pharmacy records.
The amount that entities are allowed to charge for copying of individuals' records varies widely from state to state. A study conducted by the American Health Information Management Association (40) found considerable variation in the amounts, structure, and combination of fees for search and retrieval, and the copying of the record.
In 35 states, there are laws or regulations that set a basis for charging individuals inspecting and copying fees. Charges vary not only by state, but also by the purpose of the request and the facility holding the health information. Also, charges vary by the number of pages and whether the request is for X-rays or for standard medical information.
Of the 35 states with laws regulating inspection and copying charges, seven states either do not allow charges for retrieval of records or require that the entity provide the first copy free of charge. Some states may prohibit hospitals from charging patients a retrieval and copying fee, but allow clinics to do so. Many states allow fee structures, while eleven states specify only that the record holder may charge "reasonable/actual costs."
According to the report by the Georgetown Privacy Project, among states that do grant access to patient records, the most common basis for denying individuals access is concern for the life and safety of the individual or others.
The amount of time an entity is given to supply the individual with his or her record varies widely. Many states allow individuals to amend or correct inaccurate health information, especially information held by insurers. However, few states provide the right to insert a statement in the record challenging the covered entity's information when the individual and entity disagree. (41)
Disclosure of Health Information: State laws vary widely with respect to disclosure of individually identifiable health information. Generally, states have applied restrictions on the disclosure of health information either to specific entities or for specific health conditions. Only three state laws place broad limits on disclosure of individually identifiable health information without regard for policies and procedures developed by covered entities. Most states require patient authorization before an entity may disclose health information to certain recipients, but the patient often does not have an opportunity to object to any disclosures. (42)
It is also important to point out that none of the states appear to offer individuals the right to restrict disclosure of their health information for treatment.
State statutes often have exceptions to requiring authorization before disclosure. The most common exceptions are for purposes of treatment, payment, or auditing and quality assurance functions. Restrictions on re-disclosure of individually identifiable health information also vary widely from state to state. Some states restrict the re-disclosure of health information, and others do not. The Georgetown report cites state laws that require providers to adhere to professional codes of conduct and ethics with respect to disclosure and re-disclosure of protected health information.
Most states have adopted specific measures to provide additional protections for health information regarding certain sensitive conditions or illnesses. The conditions and illnesses most commonly afforded added privacy protection are:
Some states place restrictions on releasing condition-specific health information for research purposes, while others allow release of information for research without the patient's authorization. States frequently require that researchers studying genetic diseases, HIV/AIDS, and other sexually transmitted diseases have different authorization and privacy controls than those used for other types of research. Some states require approval from an IRB or agreements that the data will be destroyed or identifiers removed at the earliest possible time. Another approach has been for states to require researchers to obtain sensitive, identifiable information from a state public health department. One state does not allow automatic release of protected health information for research purposes without notifying the subjects that their health information may be used in research and allowing them an opportunity to object to the use of their information. (43)
Comparing state statutes to the final rule: The variability of state law regarding privacy of individually identifiable health information and the limitations of the applicability of many such laws demonstrates the need for uniformity and minimum standards for privacy protection. This regulation is designed to meet these goals while allowing stricter state laws to be enacted and remain effective. A comparison of state privacy laws with the final regulation highlights several of the rule's key implications:
No state law requires covered entities to make their privacy and access policies available to patients. Thus, all covered entities that have direct contact with patients will be required by this rule to prepare a statement of their privacy protection and access policies. This necessarily assumes that entities have to develop procedures if they do not already have them in place.
The rule will affect more entities than are covered or encompassed under many state laws.
Among the three categories of covered entities, it appears that health plans will be the most significantly affected by the access provisions of the rule. Based on the Health Insurance Association of America (HIAA) data, (44) there are approximately 94.7 million non-elderly persons with private health insurance in the 35 states that do not provide patients a legal right to inspect and copy their records.
Under the rule, covered entities will have to obtain an individual's authorization before they could use or disclose their information for purposes other than treatment, payment, and health care operations -- except in the situations explicitly defined as allowable disclosures without authorization. Although the final rule would establish a generally uniform disclosure and re-disclosure requirement for all covered entities, the entities that currently have the greatest ability and economic incentives to use and disclose protected health information for marketing services to both patients and health care providers without individual authorization.
While the final rule appears to encompass many of the requirements found in current state laws, it also is clear that within state laws, there are many provisions that cover specific cases and health conditions. Certainly, in states that have no restrictions on disclosure, the rule will establish a baseline standard. But in states that do place conditions on the disclosure of protected health information, the rule may place additional requirements on covered entities.
The relationship with other federal statutes is discussed above in the preamble.
Covered entities will be implementing the privacy final rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the Transactions Rule, the data handling changes occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards, implementation specifications, and requirements can be made concurrently with the changes required by the other regulations, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this incremental cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards are uncertain.
The costs associated with implementing the requirements under this Privacy Rule will be directly related to the number of affected entities and the number of affected transactions in each entity. There are approximately 12,200 health plans (including self-insured employer and government health plans that are at least partially self-administered), (45) 6480 hospitals, and 630,000 non-hospital providers that will bear implementation costs under the final rule.
The relationship between the HIPAA security and privacy standards is particularly relevant. On August 17, 2000, the Secretary published a final rule to implement the HIPAA standards on electronic transactions. That rule adopted standards for eight electronic code sets to be used for those transactions. The proposed rule for security and electronic signature standards was published on August 12, 1998. That proposal specified the security requirements for covered entities that transmit and store information specified in Part C, Title II of the Act. In general, that proposed rule set out administrative and technical standards for protecting "...any health information pertaining to an individual that is electronically maintained or transmitted." (63 FR 43243). The final Security Rule will detail the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that health information is safe from destruction and from tampering by persons not authorized to access it.
By contrast, the Privacy Rule describes the requirements that govern the circumstances under which protected health information must be used or disclosed with and without patient involvement and when a patient may have access to his or her protected health information.
While the vast majority of health care entities are privately owned and operated, we note that federal, state, and local government providers are reflected in the total costs as well. Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but it represents a relatively small proportion of all provider entities. We estimated that the number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately two percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. Indian Health Service and tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In developing the rule, the Department consulted with states, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the states and tribes.
The costs associated with this final rule involve, for each provision, consideration of both the degree to which covered entities must modify their existing records management systems and privacy policies under the final rule, and the extent to which there is a change in behavior by both patients and the covered entities as a result of the final rule. The following sections examine these provisions as they apply to the various covered entities under the final rule. The major costs that covered entities will incur are one-time costs associated with implementation of the final rules, and ongoing costs that result from continuing requirements in the final rule.
The Department has quantified the costs imposed by the final regulation to the extent possible. The costs of many provisions were estimated by first using data from the Census Bureau's Statistics of U.S. Business to identify the number of non-hospital health care providers, hospitals and health plans. Then, using the Census Bureau's Current Population Survey (CPS) wage data for the classes of employees affected by the rule, the Department identified the hourly wage of the type of employee assumed to be most likely responsible for compliance with a given provision. Where the Department believed a number of different types of employees might be responsible for complying with a certain provision, as is often expected to be the case, the Department established a weighted-average wage based on the types of employees involved. Finally, the Department made assumptions regarding the number of person-hours per institution required to comply with the rule.
The Department cannot determine precisely how many person-hours per institution will be required to comply with a given provision; however, the Department attempted to establish reasonable estimates based on fact-finding discussions with private sector health care providers, the advice of the Department's consultants, and the Department's own best judgment of the level of burden required to comply with a given provision. Moreover, the Department recognizes that the number of hours required to comply with a given requirement of the rule will vary from provider to provider and health plan to health plan, particularly given the flexibility and scalability permitted under the rule. Therefore, the Department considers the estimates to be averages across the entire class of health care providers, hospitals, or health plans in question.
Underlying all annual cost estimates are growth projections. For growth in the number of patients, the Department used data from the National Ambulatory Medical Care Survey, the National Hospital Ambulatory Medical Care Survey, the National Home and Hospice Survey, the National Nursing Home Survey, and information from the American Hospital Association. For growth in the number of health care workers, the Department used data from the Bureau of Health Professions in the Department's Health Resources Services Administration (HRSA). For insurance coverage growth (private and military coverage), we used a five-year average annual growth rate in employer-sponsored, individual, military, and overall coverage growth from the Census Bureau's CPS, 1995-1999. To estimate growth in the number of Medicare and Medicaid enrollees, the Department used the enrollment projections of the Health Care Financing Administration's Office of the Actuary. For growth in the number of hospitals, health care providers and health plans, trend rates were derived from the Census Bureau's Statistics of U.S. Businesses, using SIC code-specific five-year annual average growth rates from 1992-1997 (the most recent data available). For wage growth, the Department used the same assumptions made in the Medicare Trustees' Hospital Insurance Trust Fund report for 2000.
In some areas, the Department was able to obtain very reliable data, such as survey data from the Statistics of U.S. Businesses and the Medical Expenditures Panel Survey (MEPS). In numerous areas, however, there was too little information or data to support quantitative estimates. As a result, the Department relied on data provided in the public comments or subsequent fact-finding to provide a basis for making key assumptions. We were able to provide a reasonable cost estimate for virtually all aspects of the regulation, except law enforcement. In this latter area, the Department was unable to obtain sufficient data about current practices (e.g., the number of criminal and civil investigations that may involve requests for protected health information, the number of subpoenas for protected health information, etc.) to determine the marginal effects of the regulation. As discussed more fully below, the Department believes the effects of the final rule are marginal because the policies adopted in the final rule appear to largely reflect current practice.
The NPRM included an estimate of $3.8 billion for the privacy proposal. The estimate for the final rule is $18.0 billion. Much of the difference can be explained by two factors. First, the NPRM estimate was for five years; the final rule estimate is for ten years. The Department chose the longer period for the final rule because ten years was also the period of analysis in the Transactions Rule RIA, and we wanted to facilitate comparisons, given that the net benefits and costs of the administrative simplification rules should be considered together. Second, the final impact analysis includes cost estimates for a number of key provisions that were not estimated in the NPRM because the Department did not have adequate information at the time. Although we received little usable data in the public comments (see comment and response section), the Department was able to undertake more extensive fact-finding and collect sufficient information to make informed assumptions about the level of effort and time various provisions of the final rule are likely to impose on different types of affected entities.
The estimate of $18.0 billion represents a gross cost, not a net cost. As discussed more fully below in the benefits section, the benefits of enhanced privacy and confidentiality of personal health information are very significant. If people believe their information will be used properly and not disseminated beyond certain bounds without their knowledge and consent, they will be much more likely to seek proper health care, provide all relevant health information, and abide by their providers' recommendations. In addition, more confidence by individuals and covered entities that privacy will be maintained will lead to an increase in electronic transactions and the efficiencies and cost savings that stem from such action. The benefits section quantifies some examples of benefits. The Department was not able to identify data sources or models that would permit us to measure benefits more broadly or accurately. The inability to quantify benefits, however, does not lessen the importance or value that is ultimately realized by having a national standard for health information privacy.
The largest initial costs resulting from the final Privacy Rule stem primarily from the requirement that covered entities use and disclose only the minimum necessary protected health information, that covered entities develop policies and codify their privacy procedures, and that covered entities designate a privacy official and train all personnel with access to individually identifiable health information. The largest ongoing costs will result from the minimum necessary provisions pertaining to internal uses of individually identifiable health information, and the cost of a privacy official. In addition, covered entities will have recurring costs for training, disclosure tracking and notice requirements. A smaller number of large entities may have significant costs for de-identification of protected health information and additional requirements for research.
The privacy costs are in addition to the Transactions Rule estimates. The cost of complying with the regulation represents approximately 0.23 percent of projected national health expenditures in the first year the regulation is enacted. The costs for the first eight years of the final regulation represent 0.07 percent of the increase in national health care costs experienced over the same period. (46)
The "minimum necessary" policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine and recurring basis, such as insurance claims, a covered entity is required to have policies and procedures for governing such exchanges (but the rule does not require a case-by-case determination); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed.
Based on public comments and subsequent fact-finding, the Department has concluded that the requirements of the final rule are generally similar to the current practice of most providers. For standard disclosure requests, for example, providers generally have established procedures for determining how much health information is released. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much health information is necessary for such disclosure. Under the final rule, we anticipate providers will have to be more thorough in their policies and procedures and more vigilant in their oversight of them; hence, the costs of this provision are significant.
To make the final estimates for this provision, the Department considered the minimum necessary requirement in two parts. First, providers, hospitals, and health plans will need to establish policies and procedures which govern uses and disclosures of protected health information. Next, these entities will need to adjust current practices that do not comply with the rule, such as updating passwords and making revisions to software.
To determine the policies and procedures for the minimum necessary requirement, the Department assumed that each hospital would spend 160 hours, health plans would spend 107 hours, and non-hospital providers would spend 8 hours. As noted above, the time estimates for this and other provisions of the rule are considered an average number of person-hours for the institutions involved. An underlying assumption is that some hospitals, and to a lesser extent health plans, are part of chains or larger entities that will be able to prepare the basic materials at a corporate level for a number of covered entities.
Once the policies and procedures are established, the Department estimates there will be costs resulting from implementing the new policies and procedures to restrict internal uses of protected health information to the minimum necessary. Initially, this will require 560 hours for hospitals, 160 hours for health plans, and 12 hours for non-hospital providers. (47) The wage for health care providers and hospitals is estimated at $47.28, a weighted average of various health care professionals based on CPS data; the wage for health plans is estimated to be $33.82, based on average wages in the insurance industry (note that all wage assumptions in this impact analysis assume a 39 percent load for benefits, the standard Bureau of Labor Statistics assumption). In addition, there will be time required on an annual basis to ensure that the implemented practices continue to meet the requirements of the rule. Therefore, the Department estimates that on an annual ongoing basis (after the first year), hospitals will require 320 hours, health plans 100 hours, and non-hospital providers 8 hours to comply with this provision.
The initial cost attributable to the minimum necessary provision is $926 million. The total cost of the provision is $5.757 billion. (These estimates are for the cost of complying with the minimum necessary provisions that restrict internal uses to the minimum necessary. The Department has estimated in the business associates section below the requirement limiting disclosures outside the covered entity to the minimum amount necessary.)
The final rule requires entities to designate a privacy official who will be responsible for the development and implementation of privacy policies and procedures. In this cost analysis, the Department has estimated each of the primary administrative requirements of the rule (e.g., training, policy and procedure development, etc.), including the development and implementation costs associated with each specific requirement. These activities will certainly involve the privacy official to some degree; thus, some costs for the privacy official, particularly in the initial years, are subsumed in other cost requirements. Nonetheless, we anticipate that there will be additional ongoing responsibilities that the privacy official will have to address, such as coordinating between departments, evaluating procedures and assuring compliance. To avoid double-counting, the cost calculated in this section is only for the ongoing, operational functions of a privacy official (e.g., clarifying procedures for staff) that are in addition to items discussed in other sections of this impact analysis.
The Department assumes the privacy official role will be an additional responsibility given to an existing employee in the covered entity, such as an office manager in a small entity or a compliance official in a larger institution. Moreover, today any covered entity that handles individually identifiable health information has one or more people with responsibility for handling and protecting the confidentiality of such information. As a result of the specific requirement for a privacy official, the Department assumes covered entities will centralize this function, but the overall effort is not likely to increase significantly. Specifically, the Department has assumed non-hospital providers will need to devote, on average, an additional 30 minutes per week of an official's time (i.e., 26 hours per year) to compliance with the final regulation for the first two years and 15 minutes per week for the remaining eight years (i.e., 13 hours per year). For hospitals and health plans, which are more likely to have a greater diversity of activities involving privacy issues, we have assumed three hours per week for the first two years (i.e., 156 hours per year), and 1.5 hours per week for the remaining eight years (i.e., 78 hours per year).
For non-hospital providers, the time was calculated at a wage of $34.13 per hour, which is the average wage for managers of medicine and health according to the CPS. For hospitals, we used a wage of $79.44, which is the rate for senior planning officers. (48) For health plans, the Department assumed a wage of $88.42 based on the wage for top claims executives. (49) Although individual hospitals and health plans may not necessarily select their planning officers or claims executives to be their privacy officials, we believe they will be of comparable responsibility, and therefore comparable pay, in larger institutions.
The initial year cost for privacy officials will be $723 million; the ten-year cost will be $5.9 billion.
The final rule requires each covered entity to have an internal process to allow an individual to file a complaint concerning the covered entity's compliance with its privacy policies and procedures. The requirement includes designating a contact person or office responsible for receiving complaints and documenting the disposition of them, if any. This function may be performed by the privacy official, but because it is a distinct right under the final rule and may be performed by someone else, we are costing it separately.
The covered entity is only required to receive and document a complaint (no response is required), which we assume will take, on average, ten minutes (the complaint can be oral or in writing). The Department believes that such complaints will be uncommon. We have assumed that one in every thousand patients will file a complaint, which is approximately 10.6 million complaints over ten years. Based on a weighted-average hourly wage of $47.28 at ten minutes per complaint, the cost of this policy is $6.6 million in the first year. Using wage growth and patient growth assumptions, the cost of this policy is $103 million over ten years.
The final rule requires providers to be able to produce a record of all disclosures of protected health information, except in certain circumstances. The exceptions include disclosures for treatment, payment, health care operations, or disclosures to an individual. This requirement will require a notation in the record (electronic or paper) of when, to whom, and what information was disclosed, as well as the purpose of such disclosure or a copy of an individual's written authorization or request for a disclosure.
Based on information from several hospital sources, the Department assumes that all hospitals already track disclosures of individually identifiable health information and that 15 percent of all patient records held by a hospital will have an annual disclosure that will have to be recorded in an individual's record. It was more difficult to obtain a reliable estimate for non-hospital providers, though it appears that they receive many fewer requests. The Department assumed a ten percent rate for ambulatory care patients and five percent for nursing homes, home health, dental and pharmacy providers. (It was difficult to obtain any reliable data for these latter groups, but those we talked to said that they had very few, and some indicated that they currently keep track of them in the records.) These estimated percentages represent about 63 million disclosures that will have to be recorded in the first year, with each recording estimated to require two minutes. At the average nurse's salary of $30.39 per hour, the cost in the first year is $25.7 million. For health plans, the Department assumed that disclosures of protected health information are rarer than for health care providers. Therefore, the Department assumed that there will be disclosures of protected health information for five percent of covered lives. At the average wage for the insurance industry of $33.82 per hour, the initial cost for health plans is $6.8 million. Using our standard growth rates for wages, patients, and covered entities, the ten-year cost for providers and health plans is $519 million.
In addition, although hospitals generally track patient disclosures today, the Department assumes that hospitals will seek to update software systems to assure full compliance. Based on software upgrade costs provided by the Department's private sector consultants with expertise in the area (the Gartner Group), the Department assumed that each upgrade would cost $35,000 initially and $6,300 annually thereafter, for a total cost of $572 million over ten years.
The final rule also requires covered entities to provide individuals with an accounting of disclosures upon request. The Department assumes that few patients will request a history of disclosures of their protected medical information. Therefore, we estimate that one in a thousand patients will request such an accounting each year, which is approximately 850,000 requests. If it takes an average of five minutes to copy any disclosures and the work is done by a nurse, the cost for the first year will be $2.1 million. The total ten-year cost is $33.8 million.
The rule allows covered entities to determine that health information is de-identified (i.e., that it is not individually identifiable health information) if certain conditions are met. Currently, some entities release de-identified information for research purposes. De-identified information may originate from automated systems (such as records maintained by pharmacy benefit managers) and non-automated systems (such as individual medical records maintained by providers). As compared with current practice, the rule requires that an expanded list of identifiers be removed from the data (such as driver's license numbers, and detailed geographic and certain age information). For example, as noted in a number of public comments, currently complete birth dates (day, month, and year) and zip codes are often included in de-identified information. The final rule requires that only the year of birth (except in certain circumstances) and the first three digits of the zip code can be included in de-identified information.
These changes will not require extensive change from current practice. Providers generally remove most of the 19 identifiers listed in the final rule. The Department relied on Gartner Group estimates that some additional programmer time will be required by covered entities that produce de-identified information to make revisions in their procedures to eliminate additional identifiers. Entities that de-identify information will have to review existing and future data flows to assure compliance with the final rule. For example, an automated system may need to be re-programmed to remove additional identifiers from otherwise protected health information. (The costs of educating staff about the de-identification requirements are included in the cost estimate for training staff on privacy policies.)
The Department was not able to obtain any reliable information on the volume of medical data that is currently de-identified. To provide some measure of the potential magnitude, we assumed that health plans and hospitals would have an average of two existing agreements that would need to be reviewed and modified. Based on information provided by our consultants, we estimate that these agreements would require an average of 152 hours by hospitals and 116 hours by health plans to review and revise existing agreements to conform to the final rule. Using the weighted average wage of $47.28, the initial costs will be $124 million. Using our standard growth rates for wages, patients, and covered entities, the total cost of the provision is $1.1 billion over ten years.
The Department expects that the final rule and the increasing trend toward computerization of large record sets will result over time in de-identification being performed by relatively few firms or associations. Whether the covered entity is a small provider with relatively few files or a hospital or health plan with large record files, it will be more efficient to contract with specialists in these firms or associations (as "business associates" of the covered entity) to de-identify files. The process will be different but the ultimate cost is likely to be the same or only slightly higher, if at all, than the costs for de-identification today. The estimate is for the costs required to conform existing and future agreements to the provisions of the rule. The Department has not quantified the benefits that might arise from changes in the market for de-identified information because the centralization and efficiency that will come from it will not be fully realized for several years, and we do not have a reliable means of estimating such changes.
The final regulation imposes a variety of requirements which collectively will require entities to develop policies and procedures (henceforth in this section referred to as policies) to establish and maintain compliance with the regulation. These include policies such as those for inspection and copying, amending records, and receiving complaints. (50) In developing the final regulations, simplifying the administrative burden was a significant consideration. To the extent practical, consistent with maintaining adequate protection of protected health information, the final rule is designed to encourage the development of policies by professional associations and others that will reduce costs and facilitate greater consistency across providers and other covered entities.
The development of policies will occur at two levels: first, at the association or other large scale levels; and second, at the entity level. Because of the generic nature of many of the final rule's provisions, the Department anticipates that trade, professional associations, and other groups serving large numbers of members or clients will develop materials that can be used broadly. These will likely include the model privacy practice notice that all covered entities will have to provide patients; general descriptions of the regulation's requirements appropriate for various types of health care providers; checklists of steps entities will have to take to comply; training materials; and recommended procedures or guidelines. The Department spoke with a number of professional associations, and they confirmed that they would expect to provide such materials for their members at either the federal or state level.
Using Faulkner and Gray's Health Data Directory 2000, we identified 216 associations that would be likely to provide guidance to members. In addition, we assume three organizations (i.e., one each for hospitals, health plans, and other health care providers) in each state would also provide some additional services to help covered entities coordinate the requirements of this rule with state laws and requirements. The Department assumed that these associations would each provide 320 hours of legal analysis at $150 per hour, and 640 hours of senior analysts' time at $50 per hour. This equals $17.3 million. Hourly rates for legal counsel are the average billing rate for a staff attorney. (51) The senior analyst rates are based on a salary of $75,000 per year, plus benefits, which was provided by a major professional association.
For larger health care entities such as hospitals and health plans, the Department assumed that the complexity of their operations would require them to seek more customized assistance from outside counsel or consultants. Therefore, the Department assumes that each hospital and health plan (including self-administered, self-insured health plans) will, on average, require 40 hours of outside assistance. The resulting cost for external policy development is estimated to be $112 million.
All covered entities are expected to require some time for internal policy development beyond what is provided by associations or outside consultants. For most non-hospital providers, the external assistance will provide most of the necessary information. Therefore, we expect these health care providers will need only eight hours to adapt these policies for their specific use (training cost is estimated separately in the impact analysis). Hospitals and health plans, which employ more individuals and are involved in a wider array of endeavors, are likely to require more specific policies tailored to their operations to comply with the final rule. For these entities, we assume an average of 320 hours of policy development per institution. The total cost for internal policy development is estimated to be $468 million.
The total cost for policy, plan, and procedures development for the final regulation is estimated to be $598 million. All of these costs are initial costs.
The final regulation's requirements provide covered entities with considerable flexibility in how best to fulfill the necessary training of their workforce. As a result, the actual practices may vary substantially based on such factors as the number of members of the workforce, the types of operations, worker turnover, and experience of the workforce. Training is estimated to cost $737 million over ten years. The Department estimates that at the time of the effective date, approximately 6.7 million health care workers will have to be trained, and in the subsequent ten years, 7 million more will have to be trained because of worker turnover. The estimates of employee numbers are based on 2000 CPS data regarding the number of health care workers who indicated they worked for a health care institution. To estimate a workforce turnover rate, the Department relied on a study submitted in the public comments which used a turnover rate of ten percent or less, depending on the labor category. To be conservative, the Department assumed ten percent for all categories.
Covered entities will need to provide members of the workforce with varying amounts of training depending on their responsibilities, but on average, the Department estimates that each member of the workforce who is likely to have access to protected health information will require one hour of training in the policies and procedures of the covered entity. The initial training cost estimate is based on teacher training with an average class size of ten. After the initial training, the Department expects some training (for example, new employees in larger institutions) will be done by videotape, video conference, or computer, all of which are likely to be less expensive. Training materials were assumed to cost an average of $2 per worker. The opportunity cost for the training time is based on the average wage for each health care labor category listed in the CPS, plus a 39 percent load for benefits. Wages were increased based on the wage inflation factor utilized for the short-term assumptions (which covers ten years) in the Medicare Trustees' Annual Report for 1999.
This section describes only the cost associated with the production and provision of a notice. The cost of developing the policy stated in the notice is covered under policies and procedures, above.
Covered health care providers with direct treatment relationships are required to provide a notice of privacy practices no later than the date of the first service delivery to individuals after the compliance date for the covered health care provider. The Department assumed that for most types of health care providers (such as physicians, dentists, and pharmacists) one notice would be distributed to each patient during his or her first visit following the compliance date for the covered provider, but not for subsequent visits. For hospitals, however, the Department assumed that a notice would be provided at each admission, regardless of how many visits an individual has in a given year. In subsequent years, the Department assumed that non-hospital providers would only provide notices to their new patients, because it is assumed that providers can distinguish between new and old patients, although hospitals will continue to provide a notice for each admission. The total number of notices provided in the initial year is estimated to be 816 million.
Under the final rule, only providers that have direct treatment relationships with individuals are required to provide notices to them. To estimate the number of visits that trigger a notice in the initial year and in subsequent years, the Department relied on the Medical Expenditure Panel Survey (MEPS, 1996 data) conducted by the Department's Agency for Healthcare Quality and Research. This data set provides estimates for the number of total visits to a variety of health care providers in a given year and estimates of the number of patients with at least one visit to each type of health care provider. To estimate the number of new patients in a given year, the Department used the National Ambulatory Medical Care Survey and the National Hospital Ambulatory Medical Care Survey, which indicate that for ambulatory care visits to physician offices and hospital ambulatory care departments, 13 percent of all patients are new. This data was used as a proxy for other types of providers, such as dentists and nursing homes, because the Department did not have estimates of new patients for other types of providers. The number of new patients was increased over time to account for growth in the patient population. Therefore, the number of notices provided in years 2004 through 2012 is estimated to be 5.3 billion.
For health plans, the Department estimated the number of notices by trending forward the average annual rate of growth from 1995 through 1998 (the most recent data available) of private policy holders using the Census Bureau's Current Population Survey, and also by using Health Care Financing Administration Office of the Actuary's estimates for growth in Medicare and Medicaid enrollment. It should be noted that the regulation does not require that the notice be mailed to individuals. Therefore, the Department assumed that health plans would include their privacy policy in the annual mailings they make to members, such as by adding a page to an existing information booklet.
Since clinical laboratories generally do not have direct contact with patients, they would not normally be required to provide notices. However, there are some laboratory services that involve direct patient contact, such as patients who have tests performed in a laboratory or at a health fair. We found no data from which we could estimate the number of such visits. Therefore, we have assumed that labs would incur no costs as a result of this requirement.
The printing cost of the policy is estimated to be $0.05, based on data obtained from the Social Security Administration, which does a significant number of printings for distribution. Some large bulk users, such as health plans, can probably reproduce the document for less, and small providers simply may copy the notice, which would also be less than $0.05. Nonetheless, at $0.05, the total cost of the initial notice is $50.8 million.
Using our standard growth rate for patients, the total cost for notices is estimated to be $391 million for the ten-year period.
The final regulation places certain requirements on covered entities that supply individually identifiable health information to researchers. As a result of these requirements, researchers who seek such health information and the Institutional Review Boards (IRBs) that review research projects will have additional responsibilities. Moreover, a covered entity doing research, or another entity requesting disclosure of protected health information for research that is not currently subject to IRB review (research that is 100 percent privately funded and which takes place in institutions which do not have "multiple project assurances") may need to seek IRB or privacy board approval if they want to avoid the requirement to obtain authorization for use or disclosure of protected health information for research, thereby creating the need for additional IRBs and privacy boards that do not currently exist.
To estimate the additional requirements placed on existing IRBs, the Department relied on a survey of IRBs conducted by James Bell Associates on behalf of NIH and on estimates of the total number of existing IRBs provided by NIH staff. Based on this information, the Department concluded that of the estimated 4,000 IRBs in existence, the median number of initial current research project reviews is 133 per IRB, of which only ten percent do not receive direct consent for the use of protected health information. (Obtaining consent nullifies the need for IRB privacy scrutiny.) Therefore, in the first year of implementation, there will be 76,609 initial reviews affected by the regulation, and the Department assumes that the requirement to consider the privacy protections in the research protocols under review will add an average of 1 hour to each review. The cost to researchers for having to develop protocols which protect protected health information is difficult to estimate, but the Department assumes that each of the affected 76,609 studies will require an average of an additional 8 hours of time for protocol development and implementation. At the average medical scientist hourly wage of $46.61, the initial cost is $32.1 million; the ten-year cost of these requirements is $468 million.
As stated above, some privately funded research not subject to any IRB review currently may need to obtain IRB or privacy board approval under the final rule. Estimating how much research exists which does not currently go through any IRB review is highly speculative, because the experts consulted by the Department all agree that there is no data on the volume of privately funded research. Likewise, public comments on this subject provided no useful data. However, the Department assumed that most research that takes place today is subject to IRB review, given that so much research has some government funding and many large research institutions have multiple project assurances. As a result, the Department assumed that the total volume of non-IRB reviewed research is equal to 25 percent of all IRB-reviewed research, leading to 19,152 new IRB or privacy board reviews in the first year of the regulation. Using the same assumptions as used above for wages, time spent developing privacy protection protocols for researchers, and time spent by IRB and privacy board members, the total one-year cost for new IRB and privacy board reviews is $8 million.
For estimating total ten-year costs, the Department used the Bell study, which showed an average annual growth rate of 3.7 percent in the number of studies reviewed by IRBs. Using this growth rate, the total ten-year cost for the new research requirements is $117 million.
Under the final rule, a covered health care provider with direct treatment relationships must obtain an individual's consent for use or disclosure of protected health information for treatment, payment, or health care operations. Covered providers with indirect treatment relationships and health plans may obtain such consent if they so choose. Providers and health plans that seek consent under this rule can condition treatment or enrollment upon provision of such consent. Based on public comments and discussions with a wide array of health care providers, it is apparent that most currently obtain written consent for use and disclosure of individually identifiable health information for payment. Under the final rule, they will have to obtain consent for treatment and health care operations, as well, but this may entail only minor changes in the language of the consent to incorporate these other categories and to conform to the rule.
Although the Department was unable to obtain any systematic data, the anecdotal evidence suggests that most non-hospital providers and virtually all hospitals follow this practice. For the cost analysis, the Department assumes that 90 percent of the non-hospital providers and all hospitals currently obtain some consent for use and disclosure of individually identifiable health information. For providers that currently obtain written consent, there is only a nominal cost for changing the language on the document to conform to the rule. For this activity, we assumed $0.05 cost per document for revising existing consent documents.
For the ten percent of treating providers who currently do not obtain consent, there is the cost of creating consent documents (which will be standardized), which is also assumed to be $0.05 per document. It is assumed that all providers required to obtain consent under the rule will do so upon the first visit, so there will be no mailing cost. For non-hospital providers, we assume the consent will be maintained in paper form, which is what most providers currently do (electronic form, if available, is cheaper to maintain). There is no new cost for records maintenance because the consent will be kept in active files (paper or electronic).
The initial cost of the consent requirement is estimated to be $166 million. Using our standard assumptions for patient growth, the total costs for the ten years is estimated to be $227 million.
Patient authorizations are required for uses or disclosures of protected health information that are not otherwise explicitly permitted under the final rule with or without consent. In addition to uses and disclosures of protected health information for treatment, payment, and health care operations with or without consent, the rule also permits certain uses of protected health information, such as fund-raising for the covered entity and certain types of marketing activity, without prior consent or authorization. Authorizations are generally required if a covered entity wants to provide protected health information to a third party for use by the third party for marketing or for research that is not approved by an IRB or privacy board.
The requirement for obtaining authorizations for use or disclosure of protected health information for most marketing activity will make direct third-party marketing more difficult because covered entities may not want to obtain and track such authorizations, or they may obtain too few to make the effort economically worthwhile. However, the final rule permits an alternative arrangement: the covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity's name. The Department is unable to estimate the cost of these changes because there is no credible data on the extent of current third party marketing practices or the price that third party marketers currently pay for information from covered entities. The effect of the final rule is to change the arrangement of practices to enhance accountability of protected health information by the covered entity and its business associates; however, there is nothing inherently costly in these changes.
Examples of other circumstances in which authorizations are required under the final rule include disclosure of protected health information to an employer for an employment physical, pre-enrollment underwriting for insurance, or the sharing of protected health information by an insurer with an employer. The Department assumes there is no new cost associated with these requirements because providers have said that obtaining authorization under such circumstances is current practice.
To use or disclose psychotherapy notes for most purposes (including for treatment, payment, or health care operations), a covered entity must obtain specific authorization by the individual that is distinct from any authorization for use and disclosure of other protected health information. This is current practice, so there is no new cost associated with this provision.
The final rule permits individuals to receive communications of protected health information from a covered health care provider or a health plan by an alternative means or at an alternative address. A covered provider and a health plan must accommodate reasonable requests; however, a health plan may require the individual to state that disclosure of such information may endanger the individual. A number of providers and health plans indicated that they currently provide this service for patients who request it. For providers and health plans with electronic records systems, maintaining separate addresses for certain information is simple and inexpensive, requiring little or no change in the system. For providers with paper records, the cost may be higher because they will have to manually check records to determine which information must be treated in accordance with such requests. Although some providers currently provide this service, the Department was unable to obtain any reliable estimate of the number of such requests today or the number of providers who perform this service. The cost attributable to this requirement to send materials to alternate addresses does not appear to be significant.
Some group health plans will use or maintain protected health information, particularly group health plans that are self-insured. Also, some plan sponsors that perform administrative functions on behalf of their group health plans may need protected health information. The final rule permits a group health plan, or a health insurance issuer or HMO that provides benefits on behalf of the group health plan, to disclose protected health information to a plan sponsor who performs administrative functions on its behalf for certain purposes and if certain requirements are met. The plan documents must be amended to: describe the permitted uses and disclosures of protected health information by the plan sponsor; specify that disclosure is permitted only upon receipt of a certification by the plan sponsor that the plan documents have been amended and the plan sponsor agrees to certain restrictions on the use of protected health information; and provide for adequate firewalls to assure that unauthorized personnel do not have access to individually identifiable health information.
Some plan sponsors may need information, not to administer the group health plan, but to amend, modify, or terminate the plan. ERISA case law describes such activities as settlor functions. For example, a plan sponsor may want to change its contract from a preferred provider organization to a health maintenance organization (HMO). In order to obtain premium information, the plan sponsor may need to provide the HMO with aggregate claims information. Under the rule, the plan sponsor can obtain summary information with certain identifiers removed, in order to provide it to the HMO and receive a premium rate.
The Department assumes that most plan sponsors who are small employers (those with 50 or fewer employees) will elect not to receive protected health information because they will have little, if any, need for such data. Any needs that plan sponsors of small group health plans may have for information can be accomplished by receiving the information in summary form. The Department has assumed that only 5 percent of plan sponsors of small group health plans that provide coverage through a contract with an issuer will actually take the steps necessary to receive protected health information. This is approximately 96,900 firms. For these firms, the Department assumes it will take one hour to determine procedural and organization issues and an additional 1/3 hour of an attorney's time to make plan document changes, which will be simple and essentially standardized. This will cost $7.1 million.
Plan sponsors who are employers of medium (51-199 employees) and large (over 200 employees) firms that provide health benefits through contracts with issuers are more likely to want access to protected health information for plan administration, for example to use it to audit claims or perform quality assurance functions on behalf of the group health plan. The Department assumes that 25 percent of plan sponsors of medium sized firms and 75 percent of larger firms will want to receive protected health information. This is approximately 38,000 medium size firms and 27,000 larger firms. To provide access to protected health information held by the group health plan, a plan sponsor will have to assess the current flow of protected health information from their issuer and determine what information is necessary and appropriate. The plan sponsors may then have to make internal organizational changes to assure adequate protection of protected health information so that the relevant requirements are met for the group health plan. We assume that medium size firms will take 16 work hours to complete organizational changes, plus one hour of legal time to make changes to plan documents and certify to the insurance carrier that the firm is eligible to receive protected health information. We assume that larger firms will require 32 hours of internal organizational work and one hour of legal time. This will cost $52.4 million and is a one-time expense.
The final rule requires a covered entity to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information in order to disclose it to a business associate based on such an arrangement. The Department expects business associate contracts to be fairly standardized, except for language that will have to be tailored to the specific arrangement between the parties, such as the allowable uses and disclosures of information. The Department assumes the standard language initially will be developed by trade and professional associations for their members. Small providers are likely to simply adopt the language or make minor modifications, while health plans and hospitals may start with the prototype language but may make more specific changes to meet their institutional needs. The regulation includes a requirement that the covered entity take steps to correct, and in some cases terminate, a contract if it knows of violations by a business associate. This oversight requirement is consistent with standard oversight of a contract.
The Department could not derive a per entity cost for this work directly. In lieu of this, we have assumed that the trade and professional associations' work plus any minor tailoring of it by a covered entity would amount to one hour per non-hospital provider and two hours for hospitals and health plans. The larger figure for hospitals and health plans reflects the fact that they are likely to have a more extensive array of relationships with business associates.
The cost for the changes in business associate contracts is estimated to be $103 million. This will be an initial year cost only because the Department assumes that this contract language will become standard in future contracts.
In addition, the Department has estimated the cost for business associates to comply with the minimum necessary provisions. As part of the minimum necessary provisions, covered entities will have to establish policies to ensure that only the minimum necessary protected health information is shared with business associates. To the extent that data are exchanged, covered entities will have to review the data and systems programs to assure compliance.
For non-hospital providers, we estimate that the first year will require an average of three hours to review existing agreements, and thereafter, they will require an additional hour to assure business associate compliance. We estimate that hospitals will require an additional 200 hours the first year and 16 hours in subsequent years; health plans will require an additional 112 hours the first year and 8 hours in subsequent years. As in other areas, we have assumed a weighted average wage for the respective sectors.
The cost of the covered entities assuring business associates' compliance with the minimum necessary provisions is $197 million in the first year, and a total of $697 million over ten years. (These estimates include both the cost for the covered entity and the business associates.)
In the NPRM estimate, inspection and copying were a major cost. Based on data and information from the public comments and further fact-finding, however, the Department has re-estimated these policies and found them to be much less expensive.
The public comments demonstrate that copying of records is widespread today. Records are routinely copied, in whole or in part, as part of treatment or when patients change providers. In addition, copying occurs as part of legal proceedings. The amount of inspection and copying of medical records that occurs for these purposes is not expected to change measurably as a result of the final regulation.
The final regulation establishes the right of individuals to access, that is to inspect and obtain a copy of, protected health information about them in designated record sets. Although this is an important right, the Department does not expect it to result in dramatic increases in requests from individuals. The Georgetown report on state privacy laws indicates that 33 states currently give patients some right to access medical information. The most common right of access granted by state law is the right to inspect personal information held by physicians and hospitals. In the process of developing estimates for the cost of providing access, we assumed that most providers currently have procedures for allowing patients to inspect and obtain a copy of individually identifiable health information about themselves. The economic impact of requiring entities to allow individuals to access their records should be relatively small. One public commenter addressed this issue and provided specific data which supports this conclusion.
Few studies address the cost of providing medical records to patients. The most recent was a study in 1998 by the Tennessee Comptroller of the Treasury. It found an average cost of $9.96 per request, with an average of 31 pages per request. The cost per page of providing copies was $0.32 per page. This study was performed on hospitals only. The cost per request may be lower for other types of providers, since those seeking hospital records are more likely to have more complicated records than those in a primary care or other types of offices. An earlier report showed much higher costs than the Tennessee study. In 1992, Rose Dunn published a report based on her experience as a manager of medical records. She estimated a 10-page request would cost $5.32 in labor costs only, equaling labor cost per page of $0.53. However, this estimate appears to reflect costs before computerization. The expected time spent per search was 30.6 minutes; 85 percent of this time could be significantly reduced with computerization (this includes time taken for file retrieval, photocopying, and re-filing; file retrieval is the only time cost that would remain under computerization).
In estimating the cost of copying records, the Department relied on the public comment from a medical records outsourcing industry representative, which submitted specific volume and cost data from a major firm that provides extensive medical record copying services. According to these data, 900 million pages of medical records are copied each year in the U.S., the average medical record is 31 pages, and copying costs are $0.50 per page. In addition, the commenter noted that only 10 percent of all requests are made directly from patients, and of those, the majority are for purposes of continuing care (transfer to another provider), not for purposes of individual inspection. The Department assumed that 25 percent of direct patient requests to copy medical records are for purposes of inspecting their accuracy (i.e., 2.5 percent of all copy requests) or 850,000 in 2003 if the current practice remained unchanged.
To estimate the marginal increase in copying that might result from the regulation, the Department assumed that as patients gain more awareness of their right to inspect and copy their records, more requests will occur. As a result, the Department assumed a ten percent increase in the number of requests to inspect and copy medical records over the current baseline, which would amount to a little over 85,000 additional requests in 2003 at a cost of $1.3 million. Allowing for a 5.3 percent increase in records based on the increase in ambulatory care visits, the highest growth rate among health service sectors (the National Ambulatory Medical Care Survey, 1998), the total cost for the ten-year period would be $16.8 million.
The final rule allows a provider to deny an individual the right to inspect or obtain a copy of protected health information in a designated record set under certain circumstances, and it provides, in certain circumstances, that the patient can request the denial to be reviewed by another licensed health care professional. The initial provider can choose a licensed health care professional to render the second review.
The Department assumes denials and subsequent requests for reviews will be extremely rare. The Department estimates there are about 932,000 annual requests for inspections (i.e., base plus new requests resulting from the regulation), or approximately 11 million over the ten-year period. If one-tenth of one percent of these requests were to result in a denial in accordance with the rule, the result would be 11,890 cases. Not all these cases would be appealed. If 25 percent were appealed, the result would be 2,972 cases. If a second provider were to spend 15 minutes reviewing the case, the cost would be $6,000 in the first year and $86,360 over ten years.
Many providers and health plans currently allow patients to amend the information in their medical record, where appropriate. If an error exists, both the patient and the provider or health plan benefit from the correction. However, as with inspection and copying, many states do not provide individuals with the right to request amendment to protected health information about themselves. Based on these assumptions, the Department concludes that the principal economic effect of the final rule would be to expand the right to request amendments to protected health information held by a health plan or provider to those who are not currently covered by amendment requirements under state laws or codes of conduct. In addition, the rule may draw additional attention to the issue of inaccuracies in information and may stimulate patient demand for amendment of medical records, including in those states that currently provide a right to amend medical records.
Under the final regulation, if a patient requests an amendment to his or her medical record, the provider must either accept the amendment or provide the individual with the opportunity to submit a statement disagreeing with the denial. The provider must acknowledge the request and inform the patient of its action.
The cost calculations assume that individuals who request an opportunity to amend their medical record have already obtained a copy of it. Therefore, the administrative cost of amending the patient's record is completely separate from inspection and copying costs.
Based on fact-finding discussions with a variety of providers, the Department assumes that 25 percent of the projected 850,000 people who request to inspect their records will seek to amend them. This number is the existing demand plus the additional requests resulting from the rule. Over ten years, the number of expected amendment requests will be 2.7 million. Unlike inspections, which currently occur in a small percentage of cases, our fact-finding suggests that patients very rarely seek to amend their records, but that the establishment of this right in the rule will spur more requests. The 25 percent appears to be high based on our discussions with providers but it is being used to avoid an underestimation of the cost.
As noted, the provider or health plan is not required to evaluate any amendment requests, only to append or otherwise link to the request in the record. We expect the responses will vary: sometimes an assistant will only make the appropriate notation in the record, requiring only a few minutes; other times a provider or manager will review the request and make changes if appropriate, which may require as much as an hour. To be conservative in its estimate, the Department has assumed, on average, 30 minutes for each amendment request at a cost of $47.28 per hour (2000 CPS).
The first-year cost for the amendment policy is estimated to be $5 million. The ten-year cost of this provision is $78.8 million.
The law enforcement provisions of the final rule allow disclosure of protected health information without patient authorization under four circumstances: (1) pursuant to legal process or as otherwise required by law; (2) to locate or identify a suspect, fugitive, material witness, or missing person; (3) under specified conditions regarding a victim of crime; and (4) when a covered entity believes the protected health information constitutes evidence of a crime committed on its premises. As under current law and practice, a covered entity may disclose protected health information to a law enforcement official if such official.
Based on our fact finding, we are not able to estimate any additional costs from the final rule regarding disclosures to law enforcement officials. The final rule makes clear that curre