V. Initial Regulatory Flexibility Analysis

A. Introduction.

Pursuant to the Regulatory Flexibility Act, 5 USC 601 et seq., HHS must prepare a regulatory flexibility analysis if the Secretary certifies that a proposed rule would have a significant economic impact on a substantial number of small entities.

This analysis addresses six issues: (1) reasons for promulgating the rule; (2) the proposed rule’s objectives and legal basis; (3) the number and types of small entities affected by the proposed rule; (4) the specific activities and costs associated with compliance; (5) options that HHS considered to minimize the rule’s economic burdens or increase its benefits for small entities; and (6) the relevant Federal rules that could duplicate, overlap, or conflict with the proposed rule. The following sections provide details on each of these issues.

Reasons for Promulgating the Rule

This proposed rule is being promulgated primarily because we have been statutorily mandated to do so under section 264 of Public Law 104-191. Additional information on the reasons for promulgating the rule can be found in earlier preamble discussions (section I.).

Objectives and Legal Basis

This information can be found in earlier preamble discussions (section I.).

Relevant Federal Provisions

This information can be found in earlier preamble discussions (section I.B.).

B. Economic Effects on Small Entities

1. Number and Types of Small Entities Affected.

The Small Business Administration defines small entities in the health care sector as those organizations with less than $5 million in annual revenues. (1) Nonprofit organizations are also considered small entities; however, individuals and States are not included in the definition of a small entity. Similarly, small government jurisdictions with a population of less than 50,000 are considered small entities.

Small health entities affected include: nonprofit health plans, hospitals, and skilled nursing facilities (SNFs); small businesses providing health coverage; small physician practices; pharmacies; laboratories; durable medical equipment (DME) suppliers; health care clearinghouses; billing companies; and vendors that supply software applications to health care entities.

The U.S. Small Business Administration reports that as of 1996, there were 1,078,020 small health care establishments (2) classified within the SIC codes we have designated (Table A).

Table A. Number of Health Care Entities That Meet SBA Size Standards, 1996*

| Standard Industrial Code (SIC) | Industry | Total Number of Health Care Entities | Number of Entities that Meet SBA Size Standards** | % of Entities that Meet SBA Size Standards** |
|---|---|---|---|---|
| 5910 | Drug Stores & Proprietary Stores | 44,062 | 23,771 | 53.9% |
| 6320 | Accident & Health Insurance & Medical Service Plans (Accident & Health Insurance and Hospital & Medical Service Plans) | 3,346 | 428 | 12.8% |
| 8010 | Offices & Clinics Of Doctors Of Medicine | 188,508 | 171,750 | 91.1% |
| 8020 | Offices & Clinics Of Dentists | 113,965 | 113,141 | 99.3% |
| 8030 | Offices & Clinics Of Doctors Of Osteopathy | 9,168 | 9,000 | 98.2% |
| 8040 | Offices & Clinics Of Other Health Practitioners | 85,326 | 83,563 | 97.9% |
| 8050 | Nursing & Personal Care Facilities | 24,246 | 11,736 | 48.4% |
| 8060 | Hospitals | 7,284 | 837 | 11.5% |
| 8070 | Medical & Dental Laboratories | 15,354 | 12,322 | 80.3% |
| 8080 | Home Health Care Services | 16,218 | 9,238 | 57.0% |
| 8090 | Miscellaneous Health & Allied Services | 20,986 | 12,712 | 60.6% |
| N/A | Total | 528,463 | 448,498 | 84.9% |

* Source: Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996

** Less than $5,000,000 in annual revenue

These small businesses represent 83.8% of all health care entities we have examined (3). Small businesses represent a significant portion of the total number of health care entities but a small portion of the revenue stream for all health care entities. In 1996, the small businesses represented here generated approximately $235 million in annual receipts, or 22.2% of the total revenue generated by small health care entities (Table B) (4). The following sections provide estimates of the number of small health care entities that will be required to comply with the rule. We should note, however, that the SBA’s published annual receipts of health care industries differ substantially from the National health expenditure data that the Health Care Finance Administration (HCFA) maintains. HCFA’s data are generally considered more accurate because the data are validated by several sources.

Table B. Annual Receipts of Health Care Entities, 1996*

| Standard Industrial Code (SIC) | Industry | Total Revenue | Revenue Generated by Small Entities** | % of Total Revenue Generated by Small Entities |
|---|---|---|---|---|
| 5910 | Drug Stores & Proprietary Stores | $91,701,331 | $23,762,195 | 25.9% |
| 6320 | Accident & Health Insurance & Medical Service Plans (Accident & Health Insurance and Hospital & Medical Service Plans) | $225,866,321 | $657,074 | 0.3% |
| 8010 | Offices & Clinics Of Doctors Of Medicine | $186,598,097 | $102,355,549 | 54.9% |
| 8020 | Offices & Clinics Of Dentists | $46,131,244 | $44,811,866 | 97.1% |
| 8030 | Offices & Clinics Of Doctors Of Osteopathy | $4,582,835 | $3,992,558 | 87.1% |
| 8040 | Offices & Clinics Of Other Health Practitioners | $25,053,745 | $21,891,338 | 87.4% |
| OTHER | Health Practitioners (8030 and 8040) | $29,636,580 | $25,883,896 | 87.3% |
| 8050 | Nursing & Personal Care Facilities | $63,625,522 | $14,672,710 | 23.1% |
| 8060 | Hospitals | $343,314,509 | $2,021,845 | 0.6% |
| 8070 | Medical & Dental Laboratories | $16,543,625 | $4,976,094 | 30.1% |
| 8080 | Home Health Care Services | $27,690,537 | $7,960,035 | 28.7% |
| 8090 | Miscellaneous Health & Allied Services | $26,036,633 | $7,697,264 | 29.6% |
| OTHER | Health Care Services (8070, 8080, 8090) | $70,270,795 | $20,633,393 | 29.4% |
| N/A | Total Receipts | $1,057,144,399 | $234,798,528 | 22.2% |

* Source: Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

** The SBA defines small businesses as those with less than $5,000,000 in annual revenue. For consistency with the Regulation, we employ the term 'entity' in place of 'business'.

The Small Business Administration reports that approximately 80 percent of the 15,000 medical laboratories and dental laboratories in the U.S. are small entities (5). Furthermore, based on HCFA data, we estimate that 98 percent of the 160,000 durable medical equipment suppliers in the U.S. are small entities. Over 90 percent of health practitioner offices are small businesses (6). Doctor offices (91%), dentist offices (99%), osteopathy (98%) and other health practitioner offices (98%) are primarily considered small businesses.

There are also a small number of hospitals, home health agencies, non-profit nursing facilities, and skilled nursing facilities that will be affected by the proposed rule. According to the American Hospital Association, there are approximately 3,131 nonprofit hospitals nationwide. Additionally, there are 2,788 nonprofit home health agencies in the U.S. The Health Care Finance Administration reports that there are 591 nonprofit nursing facilities and 4,280 nonprofit skilled nursing facilities (7).

While it is difficult to calculate the number of clearinghouses that meet the definition of a small business, we believe that a significant portion of the 80 health care clearinghouses that process health care claims in the U.S. have annual revenues of less than $5 million annually (8). We believe that all of the 4,500 billing companies (9) that provide administrative and billing services for physicians’ offices have annual revenues below $5 million per year.

Some contractors that work with health care entities will be required to adopt policies and procedures to protect information. We do not expect that the additional burden placed on contractors will be significant. We have not estimated the effect of the proposed rule on these entities because we cannot reasonably anticipate the number or type of contracts affected by the proposed rule. We also do not know the extent to which contractors would be required to modify their policy practices as a result of the rule’s implementation.

2. Activities and Costs Associated with Compliance.

For a summary of the basic activities that a small entity would need to do to comply with this rule, please refer to section III of the preamble. This discussion summarizes some of the specific activities that covered entities must undertake to comply with the proposed rule’s provisions and options considered that would reduce the burden to small entities. In developing this proposed rule, we considered a variety of alternatives for minimizing the economic burden that it will create for small entities. We could not exempt small businesses from the entire proposed rule because they represent such a large and critical proportion of the health care industry (84 percent).

The guiding principle in our considerations of how to address the burden on small entities has been to make provisions scalable. To the extent possible, we have allowed for entities to determine how extensively they will address certain issues. This ability to adapt provisions to minimize burden has been addressed in earlier preamble language and will be briefly discussed again in the following section.

Before discussing specific provisions, it is important to note some of the broader questions that were addressed in formulating this proposed rule. We considered extending the compliance period for small entities but decided that because they represent such a large portion of the health care market, such an extension would be inappropriate. However, HIPAA does create an extended compliance time of 36 months for small plans. For all other time limit questions, we also considered giving small entities the same sort of extensions. For example, entities are required to either approve or deny a request to inspect and copy information within 20 days. We considered allowing small entities a longer response time. Rather than giving small entities extensions, we decided to establish time limits that we believe are reasonable for affected entities of all sizes, with the understanding that larger entities may not need as much time as they have been allocated in certain situations.

While we considered the needs of small entities during our discussions of provisions for this proposed rule, we are highlighting the most significant discussions in the following sections:

a. Scalability.

Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be business decisions that each entity would have to make. This allows the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.

Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)), whereas at a large health plan the privacy official may constitute a full-time position and have the regular support and advice of a privacy staff or board.

In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.

We decided to use this scaled approach to minimize the burden on all entities with an emphasis on small entities.

b. Minimum necessary use and disclosure.

The decisions called for in determining what would be the minimum necessary information to accomplish an allowable purpose should include both a respect for the privacy rights of the subjects of the medical record and the reasonable ability of covered entities to delimit the amount of individually identifiable health information in otherwise permitted uses and disclosures. For example, a large enterprise that makes frequent electronic disclosures of similar data would be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of the disclosure. An individual physician’s office would not be expected to have the same capabilities to limit the amount of information disclosed, although, in the cases of disclosures involving a small number of records, such an office could be expected to hide identifiers or to limit disclosures to certain pages of the medical record that are relevant to the purpose of the disclosure.

We understand that the requirements outlined in this section do not create a bright line test for determining the minimum necessary amount of protected health information appropriate for most uses or disclosures. Because of this lack of precision, we considered eliminating the requirement altogether. We also considered merely requiring covered entities to address the concept within their internal privacy procedures, with no further guidance as to how each covered entity would address the issue. These approaches were rejected because minimizing both the amount of protected health information used and disclosed within the health care system and the number of persons who have access to such information is vital if we are to successfully enhance the confidentiality of people’s personal health information. We invite comments on the approach that we have adopted and on alternative methods of implementing the minimum necessary principle.

c. Right to restrict.

We propose to permit in § 164.506(c) that individuals be able to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment, or health care operations, and if the covered entity agrees to the requested restrictions, the covered entity may not make uses or disclosures for treatment, payment or health care operations that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This provision would not apply to health care provided to an individual on an emergency basis.

It should be noted that there is nothing in this proposed rule that requires a health care provider to agree to a request to restrict uses or disclosures for treatment, payment, or health care operations. Providers who do not wish to, or due to contractual obligations cannot, restrict further use or disclosure are not obligated to treat an individual making a request under this provision.

If small entities view this proposed provision as overly burdensome, they would not have to provide treatment to individuals requesting restrictions. We considered requiring that providers conform to requests to restrict use or disclosures. We rejected this approach due to the potential ethical conflicts these restrictions could pose to health care professionals and the possible burden to providers. Providers comprise a large proportion of the small businesses covered under this proposed regulation.

d. Creation of de-identified information.

In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information. See proposed § 164.506(d)(1).

As with other components of this proposed rule, removal of identifiers from data could be scaled. Small entities without the resources to determine at what point information is truly de-identified could remove the full list of possible identifiers listed in this regulation. Unless they have reason to believe that the information could still be linked to an individual, this proposed requirement would be fulfilled. However, larger, more sophisticated entities could choose to determine independently what information needs to be removed.

Furthermore, efforts to remove identifiers from information would be optional. If an entity believes that removing identifiers would be excessively burdensome, it could choose not to release the information or to obtain an authorization from individuals before releasing any information.

e. Uses and disclosures with individual authorization.

Covered entities must obtain individual authorization to use protected health information for purposes other than those allowed under the proposed rule. Activities requiring authorization would include, for example, marketing and eligibility determinations for health coverage or employment. Costs would be ongoing for staffing and administrative activities related to obtaining authorization from individuals.

In establishing the requirement for covered entities to obtain patient authorization to use individually identifiable health information for purposes other than those allowed under the proposed rule, we decided to include in the proposed rule a model “request for authorization.” By following such a model, covered entities, particularly small entities, could avoid the legal and administrative expenses that would be necessary to develop an authorization form that complies with the proposed rule’s standards. The proposed rule would not prevent entities from developing their own patient authorization forms or from modifying existing forms in a manner consistent with the model.

The alternative to providing this model would be to state that an authorization would be required and allow entities to develop the authorization. We believe that providing no guidance in this area would have caused unnecessary difficulties and burdens for small entities.

f. Uses and disclosures permitted without authorization.

This proposed rule would not require any uses or authorizations other than to the subject individual and to the Secretary for compliance. If small entities consider the costs of making such discretionary disclosures too high, they could choose not to make such disclosures. We would allow all covered entities, but particularly small entities, to base their decisions about these disclosures on any criteria that they believe to be important. We expect that the additional costs related to these disclosures would be factored into their decisions.

In cases where uses or disclosures without authorization are required by other law, we would attempt to minimize costs by not requiring application of the minimum necessary principle.

g. Notice to individuals of rights and procedures.

The proposed rule would require covered entities to prepare and make available a notice that informs patients about their privacy rights and the entity’s actions to protect privacy. Entities that do not already comply with the proposed rule’s requirements would incur one-time legal and administrative costs. In addition, plans would incur ongoing costs related to the dissemination of the notice at least once every three years, and all covered entities would have ongoing costs related to dissemination to new individuals requesting services and requests for copies of the notice. Entities would also incur ongoing costs related to answering questions that are associated with the notice.

In discussing the requirement for covered entities to prepare and make available a notice regarding patient privacy rights and the entity’s privacy practices, we considered exempting small businesses. Because this would exempt 84 percent of firms, we decided not to create this exemption. The second option would be to exempt extremely small entities. One discussion defined small entities as those with fewer than 10 employees. We decided that informing consumers of their privacy rights and of the activities of covered entities with which they conduct business was too important to exempt any entities.

In addition to requiring a basic notice, we considered requiring a longer more detailed notice that would be available to individuals on request. However, we decided that making information available on request and allowing the covered entity to decide how best to provide such information represents a more balanced approach. We believe that it would be overly burdensome to all entities, especially small entities, to require two notices.

We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would receive exactly the same information from each covered plan or provider in the same format and that it would be convenient for covered entities to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most importantly, no model notice could fully capture the information practices of every covered plan or provider. Large entities will have information practices different from those of small entities. Some health care providers, for example, academic teaching hospitals, might routinely disclose identifiable health information for research purposes. Other health care providers might rarely or never make such disclosures. To be useful to individuals, each entity’s notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider’s ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections becomes readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

We believe that the proposed rule appropriately balances a patient’s need for information and assurances regarding privacy with the covered entities’ need for flexibility in describing their operations and procedures to protect patient privacy. Instead of a model notice, we have included a sample notice to guide the development of notices. We believe that this is an appropriate way to reduce the burden on all entities including those classified as small.

h. Administrative requirements for covered entities.

We propose that covered entities be required to implement five basic administrative requirements to safeguard protected health information: designation of a privacy official, the provision of privacy training, establishment of safeguards, a complaint process, and establishment of sanctions. Implementation of these requirements would vary depending on a variety of different factors such as type of entity (e.g., provider or plan), size of entity (e.g., number of employees, number of patients), the level of automation within the entity (e.g., electronic medical records), and organization of the entity (e.g., existence of an office of information systems, affiliation with a medical school).

In proposed § 164.518(a), we would require covered plans and providers to designate a privacy official to be responsible for the development of policies for the use and disclosure of protected health information and for the supervision of personnel with respect to use and disclosure of protected health information. The designation of a privacy official would focus the responsibility for development of privacy policy.

The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint an individual whose sole responsibility is privacy policy, and that individual could choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

In proposed § 164.518(b), we would require covered entities to provide training on their policies and procedures with respect to protected health information. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information.

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices.

We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller and less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that actions be taken if repeated instances of violations occur. In proposed § 164.518(e), we would require all covered entities to develop, and apply when appropriate, sanctions for failure to comply with policies or procedures of the covered entity or with the requirements of this proposed rule.

i. Documentation requirements for covered entities.

We are proposing that covered entities be required to document policies and procedures in several important areas. These areas would include use within the entity; informing business partners; disclosures with and without authorization; limitations on use and disclosure for self-pay; inspection and copying; amendment or correction; accounting for uses and disclosures; notice development, maintenance, and dissemination; sanctions; and complaint procedures. We considered whether formal documentation of these policies would be necessary. A key factor in making this decision was determining the burden on entities, particularly the burden on small entities. We also considered whether it would be reasonable to exempt very small entities from this provision. For example, entities with fewer than ten employees could be able to effectively communicate policies and procedures verbally. We decided that we needed to include all entities in the provision because these documentation requirements are intended as tools to educate the management, employees, and business partners about the consideration that should be given to protecting the privacy of health information.

3. The burden on a typical small business.

We expect that small entities will face a cost burden as a result of complying with the proposed regulation. We estimate that the burden of developing privacy policies and procedures is lower in dollar terms for small businesses than for large businesses, but we recognize that the cost of implementing privacy provisions will be a larger burden to small entities as a proportion of total revenue. Due to these concerns, we rely on the principle of scalability stated in the proposed rule, and have based our cost estimates on the expectation that small entities will develop less expensive and less complex privacy measures than large entities.

In many cases, we have specifically considered the impact that the proposed rule may have on solo practitioners or rural providers. Where these providers do not have large technical systems, it is possible that the regulation may not apply to small providers, or that small providers will not be required to change their business practices other than adhering to the basic requirements that they state their privacy policies and notify patients of their privacy rights. For both activities, the proposed regulation accounts for the activities and size of the practice. Scalability implies that in developing policies and procedures to comply with the proposed regulation, businesses should consider their basic functions and the amount of health information exchanged electronically. All covered entities must take appropriate steps to address privacy concerns, and in determining the scope and extent of their compliance activities, businesses should weigh the costs and benefits of alternative approaches and should scale their compliance activities to their structure, functions, and capabilities.

Our analysis of the costs to small businesses is divided into three sections: 1) initial start-up costs associated with development of privacy policy; 2) initial start-up costs associated with system change; and 3) ongoing costs, including notification of privacy policies.

Overall, our analysis suggests that the average start-up cost of complying with the proposed rule is $396 per entity. This includes the cost of developing privacy policies and systems compliance changes (Table C). The ongoing costs of privacy compliance are approximately $337 per entity in the first year and $343 every year thereafter (Table D). The total cost of implementing initial and ongoing costs of the proposed regulation in the first year is $733 per entity. After the first year, the total compliance cost to the entity is $343 per year. We estimate that the relative average cost of initial compliance is approximately 0.12 percent of a small entity’s annual expenditures in the first year. The relative average cost of ongoing privacy compliance is approximately 0.05 percent of a small entity’s annual expenditures.

Our cost calculations are based on several assumptions. The cost of developing privacy policies is based on figures from the regulatory impact analysis that accompanied the HIPAA National Provider Identifier (63 FR 25320). The cost of initial systems compliance is based on current assumptions about market behavior, including the assumption that a relatively small proportion of the total cost of system compliance (20%) will be absorbed by small covered entities. We evaluated the ongoing costs of an entity’s privacy protection by assuming that privacy protection costs are proportional to the number of patients served by the business. For example, the cost of notifying patients of privacy practices will be directly proportional to the number of patients served. We then multiplied the proportion of small entities by the total ongoing costs of privacy compliance.

Table C. Annual Cost of Implementing Provisions of the Proposed Privacy Regulation In the First Year

Columns 2 through 5 are initial costs, columns 6 through 9 are ongoing costs, and column 10 is total costs.

| Industry | Initial Privacy Policy Costs Incurred by Small Entities, per Entity | Initial System Compliance Cost Incurred by Small Entities*, per Entity | Notice Development Cost, per Small Entity | Total Initial Compliance Cost, per Small Entity** | First Year Notice Issuance Costs for Small Entities, per Small Entity | Annual Amendment and Correction Cost to Small Entities, per Small Entity | Annual Written Authorization Cost to Small Entities, per Small Entity | Total Annual Ongoing Cost in the First Year, per Small Entity | Total Annual Initial and Ongoing Cost in the First Year, per Small Entity |
|---|---|---|---|---|---|---|---|---|---|
| Drug Stores & Proprietary Stores^ | $300 | $131.19 | $59.40 | $490.58 | $118.26 | $768.64 | $102.55 | $989.45 | $1,480.03 |
| Accident & Health Insurance & Medical Service Plans^ (Accident & Health Insurance and Hospital & Medical Service Plans) | $1,000 | $1,939.86 | $203.91 | $3,143.77 | $314.02 | $127.60 | $17.02 | $458.65 | $3,602.41 |
| Offices & Clinics Of Doctors Of Medicine | $300 | $21.04 | $21.20 | $342.24 | $42.21 | $260.93 | $34.81 | $337.96 | $680.20 |
| Offices & Clinics Of Dentists | $300 | $7.43 | $13.25 | $320.68 | $26.39 | $163.11 | $21.76 | $211.26 | $531.94 |
| Offices & Clinics Of Other Health Practitioners | $300 | $11.10 | $17.82 | $328.92 | $35.47 | $219.29 | $29.26 | $284.02 | $612.94 |
| Nursing & Personal Care Facilities | $1,500 | $117.15 | $49.63 | $1,666.79 | $98.82 | $610.88 | $81.50 | $791.20 | $2,457.99 |
| Hospitals | $1,500 | $7,362.22 | $79.65 | $8,941.87 | $158.59 | $980.36 | $130.80 | $1,269.75 | $10,211.62 |
| Home Health Care Services | $300 | $58.06 | $30.66 | $388.72 | $61.05 | $377.38 | $50.35 | $488.77 | $877.49 |
| Other Health Care Services including Lab Services | $300 | $19.83 | $10.84 | $330.68 | $21.59 | $133.47 | $17.81 | $172.87 | $503.55 |
| Average Cost | $334.31 | $40.13 | $21.17 | $395.61 | $42.05 | $260.23 | $34.72 | $337.00 | $732.61 |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.

** Total Initial Compliance Cost includes policy implementation and systems compliance costs.

^ Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.


Table D. Annual Cost of Implementing Provisions of the Proposed Privacy Regulation, After the First Year

All columns are ongoing costs.

| Industry | Annual Notice Issuance Costs After the First Year, per Small Entity | Annual Amendment and Correction Cost to Small Entities*, per Small Entity | Annual Written Authorization Cost to Small Entities, per Small Entity | Annual Ongoing Costs for Paperwork and Training, per Small Entity | Total Annual Ongoing Cost After the First Year, per Small Entity |
|---|---|---|---|---|---|
| Drug Stores & Proprietary Stores^ | $73.26 | $768.64 | $102.55 | $20 | $964.45 |
| Accident & Health Insurance & Medical Service Plans^ (Accident & Health Insurance and Hospital & Medical Service Plans) | $314.02 | $127.60 | $17.02 | $60 | $518.65 |
| Offices & Clinics Of Doctors Of Medicine | $26.15 | $260.93 | $34.81 | $20 | $341.90 |
| Offices & Clinics Of Dentists | $16.35 | $163.11 | $21.76 | $20 | $221.22 |
| Offices & Clinics Of Other Health Practitioners | $21.97 | $219.29 | $29.26 | $20 | $290.52 |
| Nursing & Personal Care Facilities | $61.22 | $610.88 | $81.50 | $100 | $853.59 |
| Hospitals | $98.24 | $980.36 | $130.80 | $100 | $1,309.40 |
| Home Health Care Services | $37.82 | $377.38 | $50.35 | $20 | $485.54 |
| Other Health Care Services including Lab Services | $13.38 | $133.47 | $17.81 | $20 | $184.65 |
| Average Cost | $26.16 | $260.23 | $34.72 | $22.28 | $343.39 |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.

^ Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.

Initial Costs:

Table C shows the results of our calculations of the cost of initial compliance. We calculated initial privacy policy costs separate from initial system compliance costs because we made different assumptions about the cost of each. To calculate initial privacy policy costs per small entity, we multiplied the estimated cost of developing privacy policies (per entity) by the number of establishments. We then averaged these costs and computed that the average cost of developing privacy policies is $334.31 per small entity. The average cost of implementing privacy policies is greater than the $300 cost we assume most health care provider offices will pay, because we assume that small health plans, hospitals, and nursing and patient care services will spend between $500-$1,000 to implement privacy policies. Calculating the cost of system compliance per entity required us to estimate the percent of total system costs that each type of entity would incur. We used the $90 million figure (cited in the RIA) as the basis for distributing system compliance costs across various types of entities affected by the proposed rule. We estimated how this cost would be divided between small and large entities, and among plans, providers and clearinghouses.

Our calculations regarding division of costs are based on two assumptions: 1) system costs are principally fixed costs associated with the purchase of hardware and software (10); and 2) large entities will continue to invest more heavily in hardware and software expenditures than small entities. We estimate that 80 percent of the system costs will be borne by large entities. The remaining 20 percent of total systems costs will be absorbed by small entities. To calculate the effect on small businesses, we multiplied the system compliance costs cited in the RIA by the proportion of the costs we expect small entities to incur (20 percent of total). We then multiplied the total cost of system compliance for small entities by the percentage of health care revenue by industry and calculated a cost per entity.

We used HCFA’s estimate of total national health expenditures to calculate the percent of total health care business that is represented by types of health care entities. We calculated the proportion of business transacted by a type of health care entity (by SIC code) and multiplied this by the total expenditures ($1.084 billion total) (11). National expenditure data is a useful measure for allocating system compliance costs for two reasons. First, even though system compliance costs are primarily fixed costs, we assume that they bear some relationship to the size and level of activity of the entity; national expenditures likewise vary according to both size and level of activity. Second, in contrast to the annual receipts compiled by the Business Census Survey, the national expenditure data are compared against other sources in order to validate the results. Thus, we decided that the national expenditure data are a more reliable source of overall business activity for our purposes. Based on these assumptions, we believe that the total cost of system compliance for all small health care entities will be approximately $18 million. Dividing costs by the number of small entities suggests that the average cost of system compliance is $40.13 per entity.

The cost of notice development is approximately $21 per small entity. We assume that many small providers will receive assistance developing their notice policies from professional associations. Thus, the overall cost of developing compliant notices is significant, but the cost per entity is small. The cost to small entities of developing notices is based on the proportion of expenditures generated by small entities. We recognize that this may not adequately capture the costs of developing a provider or plan’s notice of their privacy policies, and invite comment on our approach.

We added the per-entity cost of privacy policy implementation to the cost of systems compliance to determine the total average cost of start-up compliance. Our figures indicate that initial compliance will cost an average of $396 per small entity. These costs vary across entity type (Table C). For example, small hospitals have a much higher cost of compliance than the average cost for all small entities, whereas dentists’ offices tend to have initial compliance costs that are lower than the average for small entities. Most small practitioner offices have low costs ($320 per dentist office), whereas small hospitals ($8,942 per entity) and small insurance companies have much higher costs ($3,144 per entity) than other health care entities.

Finally, we attempted to estimate the impact of compliance costs on small entities by comparing the cost of complying with the proposed rule to an entity’s annual expenditures (Table E). We computed the percent of small entity expenditures as a percent of national expenditures by calculating the proportion of small business receipts (from census data compiled for the SBA) that apply to segments of the health care market. Although we believe that the SBA data understates the amount of annual receipts, we assumed that the underestimates are consistent across all entities. Thus, although the dollar amounts reported by the SBA are incorrect, our assumption is that the proportion of small entity receipts relative to total annual receipts is correct.

Applying the percent of small entity receipts to the national expenditure data allows us to estimate the percent of national expenditures represented by small entities. We then considered the total compliance cost (initial and ongoing cost) as a percent of small business expenditures. Our estimates suggest that the cost of complying with the proposed rule represents approximately 0.12 percent of total annual expenditures for a small health care entity in the first year. The relative cost of complying with the proposed rule is substantially lower in subsequent years, representing 0.04 percent of an entity’s annual expenditures. The relative cost of complying with the proposed regulation is highest for small health insurers (1.03 percent of expenditures). These costs will be higher due to the volume and complexity of health plan billing systems; health plans are required to implement more policies and procedures to protect health information because they handle so much personally identifiable information. Because health plan costs are higher and there is a smaller number of plans than other types of entities affected by the regulation, these costs result in a higher annual cost per small health plan. Table E further illustrates the cost impact by type of entity in the first year.

Table E. Small Entity Business Expenditures and Proportion of Annual Expenditures Represented by Initial and Ongoing Compliance Costs in the First Year*

| Industry | Total Annual Initial and Ongoing Costs in the First Year, per Small Entity | Annual Expenditure per Small Entity~ | Compliance Cost as a Percentage of a Small Entity's Annual Expenditures |
|---|---|---|---|
| Drug Stores & Proprietary Stores^ | $1,480.03 | $2,046,199 | 0.07% |
| Accident & Health Insurance & Medical Service Plans^ (Accident & Health Insurance and Hospital & Medical Service Plans) | $3,602.41 | $350,467 | 1.03% |
| Offices & Clinics Of Doctors Of Medicine | $680.20 | $695,560 | 0.10% |
| Offices & Clinics Of Dentists | $531.94 | $434,260 | 0.12% |
| Offices & Clinics Of Other Health Practitioners | $612.94 | $583,805 | 0.10% |
| Nursing & Personal Care Facilities | $2,457.99 | $1,629,755 | 0.15% |
| Hospitals | $10,211.62 | $2,660,215 | 0.38% |
| Home Health Care Services | $877.49 | $1,003,475 | 0.09% |
| Other Health Care Services including Lab Services | $503.55 | $351,146 | 0.14% |
| Average Cost | $732.61 | $625,992 | 0.12% |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.

** Total Initial Compliance Cost includes policy implementation and systems compliance costs.

~ Based on the assumption that the proportion of revenue generated by small businesses approximates the proportion of expenditures faced by small businesses.

^ Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.

Ongoing Costs

In this section, we evaluate the ongoing costs of providing patient notices, the annual cost of amending and correcting medical information, the cost of providing written authorizations, and the ongoing cost of paperwork and training. We estimated the ongoing costs of compliance through calculations similar to those used for our systems compliance estimates. Ongoing costs are most heavily influenced by the size of the business. Therefore, we assume that the number of patients an entity serves is directly proportional to its ongoing compliance costs.

We estimated market share using Small Business Administration data estimating total receipts (12). We divided the small entity receipts by total receipts and arrived at an estimate that 22 percent of the revenue generated by the health care classifications we examined is from small businesses. Using annual receipts to estimate cost burden is more accurate than using information on the number of health care entities. The size of the small entity, and therefore the amount of business it conducts, is more likely to be correlated with the number of patients served than with the number of businesses. Because it is difficult to find a single good estimate of market share, we considered estimating market share over a range, using the proportion of annual receipts as a lower bound and the number of entities as the upper bound. We concluded that even if the SBA data does not capture the total amount of health care receipts accurately, estimating market share by examining receipts would be much more accurate than using the number of entities.

We multiplied the percent of total receipts by the total ongoing costs (by entity type) to obtain a range of ongoing costs for small entities. We were then able to divide these costs by the number of small entities by type of entity. We estimated ongoing costs in the first year that the proposed rule takes effect separately from our estimate of ongoing cost in the following years. The estimates were approximately the same: $337 and $343, respectively.

We estimate that the ongoing cost of compliance will be approximately 0.05 percent of a small entity’s annual expenditures. This cost burden is fairly consistent across all types of entities.

Clearinghouses and Nonprofit Entities: We should note that the above discussion does not consider health care clearinghouses, nonprofit hospitals, home health agencies, or nursing and skilled nursing facilities. To the extent that clearinghouses and nonprofit facilities have annual receipts of less than $5 million, they were included in the preceding analysis.

Although we do not have precise information on the number of clearinghouses that qualify as small entities under the RFA, we believe that approximately half would meet the criteria. As noted in the regulatory impact analysis, as long as clearinghouses perform the function of merely reformatting information they receive and transmitting the data to other entities, the cost of complying with the proposed rule should be minimal.

A similar logic applies for nonprofit health plans and hospitals. We do know how many nonprofit organizations currently exist in the U.S., but do not have reliable revenue and expenditure data for these entities. In the absence of such data, we assume that nonprofit entities have a similar ratio of revenues to expenditures as the for-profit entities we have examined. Thus, we believe that the impact of complying with the proposed rule should be similar to that described for for-profit plans and hospitals.

The preceding analysis indicates that the expected burden on small entities of implementing the proposed rule would be minimal. However, by necessity, the analysis is based on average costs, and as such, those averages may not reflect the actual burden on some or even a substantial number of small entities. Therefore, the Secretary does not certify that the proposed rule will not have a significant impact on a substantial number of small entities.


Footnotes

(1) We have used two different data sources for our estimates of the number of entities. In the regulatory impact analysis (RIA), we chose to use the same numbers as we used in other Administrative Simplification rules. In the regulatory flexibility analysis (RFA), we used the most recent data available from the Small Business Administration (SBA).

We chose to use the Administrative Simplification estimates in the RIA because we wanted our analysis to be as consistent as possible with those regulations and also believe that because it is higher than the more recent SBA data, it was the more conservative data source.

We chose to use the SBA data in the RFA because we wanted our analysis to be as consistent to SBA definitions as possible to give the greatest accuracy for the RFA purposes.

(2) Establishments are the physical location where an enterprise conducts business. An enterprise may conduct business in more than one establishment.

(3) Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

(4) Op. cit., 1996

(5) Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

(6) Op. cit., 1996

(7) Health Care Finance Administration, OSCAR

(8) Faulkner & Gray’s Health Data Directory, 1999

(9) International Billing Association, 1999

(10) We are not suggesting that these investments are exclusively computer-related. They may also include costs for personnel training, reorganization, and contract negotiations with outside entities.

(11) Health Care Finance Administration, 1996, http://www.hcfa.gov/stats/nhe-oact/tables/t10.htm

(12) Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.