III. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

• Whether the information collection is necessary and useful to carry out the proper functions of the agency;

• The accuracy of the agency's estimate of the information collection burden;

• The quality, utility, and clarity of the information to be collected; and

• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. Due to the complexity of this regulation, and to avoid redundancy of effort, we are referring readers to Section IV (Regulatory Impact Analysis) above, to review the detailed cost assumptions associated with these PRA requirements. We explicitly seek, and will consider public comment on our cost assumptions, as they relate to the PRA requirements summarized in this section.

Summary PRA Burden Hours

§ 160.204 Process for requesting exceptions.

Section 160.204 would require States to: 1) submit a written request, that meets the requirements of this section, to the Secretary to except a provision of State law from preemption under 160.203; 2) submit a new request to the Secretary, should there be any changes to the standard, requirement, or implementation specification or provision of State law upon which an exception previously was granted, and 3) submit a written request for an extension of the exception prior to the end of the three-year approval period for a given exception. In addition, section 160.204 would require a State to submit a written request for an advisory opinion to the Secretary that meets the requirements of 160.204.

The burden associated with these requirements is the time and effort necessary for a State to prepare and submit the written request for preemption or advisory opinion to HCFA for approval. On an annual basis it is estimated that it will take 10 States 16 hours each to prepare and submit a request. The total annual burden associated with this requirement is 160 hours.

§ 164.506 General standards and implementation specifications for uses and disclosures of protected health information.

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following requirements:

• Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for treatment purposes, section 160.204(e) would requires a covered entity to maintain documentation demonstrating that they have entered into a contract that meets the requirements of this part with each of their business partners;

• A covered entity would have to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure;

• A covered entity could use protected health information to create de-identified information if the individually identifiable information has been removed, coded, encrypted, or otherwise eliminated or concealed.

§ 164.508 Standards and implementation specifications for uses and disclosures for which individual authorization would be required.

Pursuant to the conditions set forth in this section, a covered entity would need to obtain a written request from an individual, before it uses or discloses protected health information of an individual. A copy of the model form which appears in the Appendix to subpart E of part 164, or a form that contains the elements listed in paragraphs (c) or (d) of this section, as applicable, would need to be accepted by the covered entity.

The burden associated with these proposed requirements is the time and effort necessary for a covered entity to obtain written authorization prior to the disclosure of identifiable information. On an annual basis it is estimated that it will take 890,269 entities, a range of 0 to 80 hours per entity to obtain and maintain authorization documentation on an annual basis. Given that we believe the majority of the covered entities will be minimally affected by this requirement, we estimate the annual average burden per entity to be 4 hours for a total annual burden of 3,561,076 hours. Collecting such authorization should have costs on the order of those associated with providing access to records (not on a per page basis). Since the proposed requirement does not apply to treatment and payment, assuming 1% of the 543 million health care encounters might be reasonable. At a cost of about $10 each, the aggregate cost would be about $54 million. Therefore, on average the cost per entity would be about $60, with many entities receiving no requests and thus having no costs.

§ 164.510 Standards and implementation specifications for uses and disclosures for which individual authorization would not be required.

A covered entity could disclose protected health information to a health researcher for health research purposes subject to 45 CFR part 46 and purposes other than those subject to 45 CFR part 46, provided that the covered entity has obtained written documentation demonstrating that the applicable requirements proposed in this section have been met.

The burden associated with these proposed requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have obtained institutional review board or privacy board approval, which meet the requirements of this section. On an annual basis it is estimated that this proposed requirement will affect 1 % or 8,903 of covered entities. We further estimate that it will take an average of 1 hour per entity to meet these proposed requirements on an annual basis. Therefore, the total estimated annual burden associated with this proposed requirement is 8,903 hours.

§ 164.512 Notice of privacy practices; rights and procedures.

Section 164.512 would require covered entities to provide written notice of the entities’ privacy practices, rights, and procedures that meet the requirements of this section to affected parties upon request and as summarized below.

Health plans would provide a copy of the notice to an individual covered by the plan at enrollment and whenever the content of the notice is significantly altered thereafter, but no less frequently than once every three years. Total notice counts are estimated to be about 230 million, assuming plans choose to send them out annually rather than keeping track of duration since last notice. The average number of notices per plan per year would be about 1,200. For the approximately 19,000 plans issuing notices, the number of notices can be as few as 1,000 for a small self-insured self-administered employer, or as many as a million or more for a large commercial insurer or HMO. We further estimate that it will require each plan, on average, 8 hours to disseminate the required notices. This estimate is based upon the assumption that the required notice will be incorporated and disseminated with a plan’s annual policy materials. The total burden associated with this requirement is calculated to be 151,800 hours.

Health care providers would provide a copy of the notice to an individual at the time of first service delivery to the individual, provide as promptly as possible a copy of the notice to an individual served by the provider whenever the content of the notice is significantly altered, post a copy of the notice in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice, and date each version of the notice. Total notices in the first year are estimated to be about 700 million (based on annual patient contacts with hospitals, physicians, and other providers), with subsequent year counts of 350 million. Small providers could be providing 400 or fewer notices (based on 150 million persons with ambulatory physician contacts per year and approximately 370,000 physician offices). The overall average will also be close to that amount, since the bulk of providers are small entities. Large providers could be sending out 3,000 or more notices (based on 20 million persons with hospitalizations and approximately 6600 hospitals). We further estimate that it will require each provider, on average, 8 hours to disseminate the required notices. This estimate is based upon the assumption that the required notice will be incorporated into and disseminated with other patient materials. The total burden associated with this requirement is calculated to be 7,122,152 hours.

§ 164.514 Access of individuals to protected health information.

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following proposed requirements:

• An individual has a right of access to, which includes a right to inspect and obtain a copy of, his or her protected health information in a designated record set of a covered entity that is a health plan or a health care provider, including such information in a business partner’s designated record set that is not a duplicate of the information held by the provider or plan, for so long as the information is maintained;

• Where the request is denied in whole or in part, the health plan or a health care provider would provide the individual with a written statement of the basis for the denial and a description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.518 or to the Secretary pursuant to the procedures established in § 164.522 of this subpart.

§164.515 Accounting for uses and disclosures of protected health information.

Given that the burden associated with maintaining records to facilitate the recreation of disclosures will differ significantly, be the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following proposed record keeping requirement:

• A covered entity that is a plan or provider would need to be able to give individuals an accurate accounting of all uses and disclosures that are for purposes other than treatment, payment, and health care operations; except that such procedures would provide for the exclusion from such accounting of protected health information which is disclosed to a health oversight or law enforcement agency, if the health oversight or law enforcement agency provides a written request stating that the exclusion is necessary because disclosure would be reasonably likely to impede the agency’s activities and specifies the time for which such exclusion is required.

§ 164.516 Amendment and correction.

Given that burden will associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following proposed requirements:

• An individual would have the right to request amendment or correction of his or her protected health information in designated records created by a covered entity that is a health plan or health care provider, where the individual asserts that the information is not accurate or complete and where the error or omission may have an adverse effect on the individual.

• Where the request is denied , provide the individual with a written statement of the basis for the denial, a description of how the individual may file a statement of disagreement with the denial, a description of how the individual may file a complaint with the covered entity, including the name and telephone number of a contact person within the covered entity who can answer questions concerning the denial and the complaint process; and a description of how the individual may file a complaint with the Secretary pursuant to § 164.522 of this subpart.

§ 164.520 Internal privacy practices; standards and procedures.

A covered entity would need to ensure that all employees who have access to protected health information have received appropriate training about the entity’s policies for use and disclosure of such information. Upon completion of the training and at least once every three years thereafter, covered entities would require each employee to sign a statement that he or she received the privacy training and will honor all of the entity’s privacy policies and procedures.

The burden associated with these requirements is the time and effort necessary for a covered entity to obtain and maintain certification documentation demonstrating that applicable employees have received privacy training and will honor all of the entity’s privacy policies and procedures. It is estimated that it will take 890,269 entities, a range of 1 hour to 40 hours per entity to obtain and maintain documentation on an annual basis. Given that we believe the majority of the covered entities will be minimally affected by this requirement, we estimate the annual average burden to be 3 hours per entity for a total annual burden of 2,700,000 hours. Using previous calculations, 900,000 (rounded) entities break down to about 95% small, 5% various types of large, and 1 burden hour for 95%, and 40 burden hours for 5%, the average burden would be 3 hours.

In addition, this section would require a covered entity that is a health plan or health care provider to develop and document its policies and procedures for implementing the requirements of this proposed rule, and amend the documentation to reflect any change to a policy or procedure.

The burden associated with these requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have implemented procedures that meet the requirements of this proposed rule. It is estimated that it will take 890,269 entities a range of 15 minutes to 1 hour per entity to maintain procedural documentation on an annual basis. We believe the majority (95%) of the covered entities will be minimally affected by this requirement. Using the 95% small/5% large, the average burden is 17 minutes. Multiplying by 890,269, results in a total annual burden of 256,000 hours (see discussion below).

Since the requirements for developing formal processes and documentation of procedures mirror what will already have been required under the HIPAA security regulations, the burden and additional costs should be small. To the extent that national or state associations will develop guidelines or general sets of processes and procedures which will be reviewed by individual member entity, the costs would be primarily those of the individual reviewers. Assuming this process occurs, we believe that entities will review information from associations in each state and prepare a set of written policies to meet their needs. Our estimates are based on assumed costs for providers ranging from $300 to $3000, with the average being about $375. The range correlates to the size and complexity of the provider. With less than 1 million provider entities, the aggregate cost would be on the order of $300 million. For plans and clearinghouses, our estimate assumes that the legal review and development of written policies will be more costly because of the scope of their operations. They are often dealing with a large number of different providers and may be dealing with requirements from multiple states. We believe the costs for these entities will range from $300 for smaller plans to $15,000 for the largest plans. Because there are very few large plans in relation to the number of small plans, the average implementation costs will be about $3050.

§ 164.522 Compliance and Enforcement.

An individual who believes that a covered entity is not complying with the requirements of this subpart may file a complaint with the Secretary within 180 days from the date of the alleged non-compliance, unless the time for filing is extended by the Secretary. The complaint would describe in detail the acts or omissions believed to be in violation of the requirements of this subpart.

The burden associated with these requirements is the time and effort necessary for an individual to prepare and submit a written complaint to the Secretary. On an annual basis it is estimated that 10,000 complaints will be filed on an annual basis. We further estimate that it will take an average of 15 minutes per individual to submit a complaint. Therefore, the total estimated annual burden associated with this requirement is 2,500 hours.

A covered entity would need to maintain documentation necessary for the Secretary to ascertain whether the covered entity has complied or is complying with the requirements of this subpart. While this section is subject to the PRA, the burden associated with this requirement is addressed under sections referenced above, which discuss specific record keeping requirements.

We have submitted a copy of this proposed rule to OMB for its review of the information collection requirements in §§160.204, 164.506, 164.508, 164.510, 164.512, 164.514, 164.515, 164.516, 164.520, and §164.522. These requirements are not effective until they have been approved by OMB.

If you comment on any of these information collection and record keeping requirements, please mail copies directly to the following:

Health Care Financing Administration,
Office of Information Services,
Information Technology Investment Management Group,
Division of HCFA Enterprise Standards,
Room C2-26-17, 7500 Security Boulevard,
Baltimore, MD 21244-1850.
ATTN: John Burke HIPAA Privacy-P

Office of Information and Regulatory Affairs,
Office of Management and Budget
Room 10235, New Executive Office Building
Washington, DC 20503
ATTN: Allison Herron Eydt, HCFA Desk Officer.