NPRM: Security and Electronic Signature Standards. Impact Analysis


[Please label written comments or e-mailed comments about this section with the subject: IMPACT]

As the effect of any one standard is affected by the implementation of other standards, it can be misleading to discuss the impact of one standard by itself. Therefore, we did an impact analysis on the total effect of all the standards in the proposed rule concerning the national provider identifier (HCFA-0045-P), which was published on May 7, 1998 (63 FR 25320).

We intend to publish in each proposed rule an impact analysis that is specific to the standard or standards proposed in that rule, but the impact analysis will assess only the relative cost impact of implementing a given standard. Thus, the following discussion contains the impact analysis for the security standard and the electronic signature standard proposed in this rule. As stated in the general impact analysis in HCFA-0045-P, we do not intend to associate costs and savings to specific standards.

Although we cannot determine the specific economic impact of the standards being proposed in this rule (and individually each standard may not have a significant impact), the overall impact analysis makes clear that, collectively, all the standards will have a significant impact of over $100 million on the economy. Also, while each standard may not have a significant impact on a substantial number of small entities, the combined effects of all the proposed standards may have a significant effect on a substantial number of small entities. Therefore, the following impact analysis should be read in conjunction with the overall impact analysis.

The following describes the specific impacts that relate to the security and electronic signature standards. Security protection for health care information is not a "stand-alone" type requirement. Appropriate security protections will be a business enabler, encouraging the growth and use of electronic data interchange. The synergistic effect of the employment of the recommended security practices, procedures and technologies will enhance all aspects of HIPAA’s Administrative Simplification requirements. In addition, it is important to recognize that security is not a product, but is an on-going, dynamic process.

In accordance with the provisions of Executive Order 12866, this proposed rule was reviewed by the Office of Management and Budget.

A. Security Standard

HIPAA requires that all health plans, health care providers, and health care clearinghouses that maintain or transmit health information electronically establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure integrity, confidentiality, and availability of the information. The safeguards also protect the information against any reasonably anticipated threats or hazards to the security or integrity of the information and protect it against unauthorized use or disclosure. Recommendation 1 from the National Research Council's (NRC) report For the Record: Protecting Electronic Health Information ("All organizations that handle patient-identifiable health care information--regardless of size--should adopt the set of technical and organization policies, practices, and procedures described * * * to protect such information.") would apply to all health care providers regardless of size, health care clearinghouses, and health plans. We agree with the NRC's belief that implementation of the practices and technologies delineated in Recommendation 1 would be possible today, and at a reasonable cost.

Health care providers that conduct electronic transactions with health plans would have to comply with the recommendation(s) for security protection. There is, however, no requirement to maintain health records electronically or transmit health care information by electronic means. There may also be health care providers that currently submit health care information on paper but archive records electronically. These entities will need to ensure that their existing electronic systems conform to security requirements for maintaining health information. Once they have done so, however, they may also take advantage of all the other benefits of electronic recordkeeping and transmittal. Therefore, no individual small entity is expected to experience direct costs that exceed benefits as a result of this rule. Furthermore, because almost all of the NRC recommendations reflect contemporary security measures and controls, most organizations that currently have security measures should have to make few, if any, modifications to their systems to meet the requirements proposed in the security standard.

The singular exception to the above lies in the area of providing security for the electronic transmission of health care information over insecure, public media. Here, the choice of a method to use is driven by economic factors. If an organization wishes to use an insecure transmission media such as the Internet, and take advantage of the low costs involved, off-setting costs may need to be incurred to provide for an acceptable form of encryption so that health information will be protected from intercept and possible misuse.

One alternative course of action to encrypting the information would be to use the services of a VAN. VANs do not manipulate data, but rather transmit data in its native form over telecommunication lines. We anticipate that VANs would be positively affected by administrative simplification, because use of the proposed transactions standards would eliminate the need for data to be reformatted. This would allow providers to purchase the services of a VAN directly, rather than as a service bundled with the functions of other clearinghouses. Another course of action might be to use private lines which would provide an appropriate level of protection for data in transmission.

B. Electronic Signature Standard

HIPAA does not require the use of electronic signatures. This particular capability, however, would be necessary for a completely paperless environment. Certain features of the digital signature type of electronic signature make this particular system the most desirable. Only digital signatures, using current technology, provide the combination of authenticity, message integrity, and nonrepudiation which is viewed as a desirable complement to the security standards required by the law.

The use of digital signatures requires a certain infrastructure (Public Key Infrastructure) that may necessitate the expenditure of initial and recurring costs for users. We do not know what these costs are presently, due to the lack of maturity of digital signature technology, and minimal use in the marketplace today. It is noted that public key certificate management systems and services do exist today, and it is presumed more quantifiable information will be forthcoming, as to potential costs and savings that can be associated with the use of digital signature systems. Other forms of electronic signature were considered, such as biometric and digitized signatures. While they provide a useful capability in certain circumstances, we believe that digital signature technology is most appropriate for this particular application.

C. Guiding Principles for Standard Selection

The implementation teams charged with designating standards under the statute have defined, with significant input from the health care industry, a set of common criteria for evaluating potential standards. These criteria are based on direct specifications in the HIPAA, the purpose of the law, and principles that support the regulatory philosophy set forth in EO 12866 of September 30, 1993. In order to be designated as a standard, EO 12866 requires that a proposed standard:

  • Improve the efficiency and effectiveness of the health care system by leading to cost reductions for or improvements in benefits from electronic HIPAA health care transactions. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden.
  • Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses. This principle supports the regulatory goal of cost-effectiveness.
  • Be consistent and uniform with the other HIPAA standards (that is, their data element definitions and codes and their privacy and security requirements) and, secondarily, with other private and public sector health data standards. This principle supports the regulatory goals of consistency and avoidance of incompatibility, and it establishes a performance objective for the standard.
  • Have low additional development and implementation costs relative to the benefits of using the standard. This principle supports the regulatory goals of cost-effectiveness and avoidance of burden.
  • Be supported by an ANSI-accredited standards developing organization or other private or public organization that would ensure continuity and efficient updating of the standard over time. This principle supports the regulatory goal of predictability.
  • Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster. This principle establishes a performance objective for the standard.
  • Be technologically independent of the computer platforms and transmission protocols used in HIPAA health transactions, except when they are explicitly part of the standard. This principle establishes a performance objective for the standard and supports the regulatory goal of flexibility.
  • Be precise and unambiguous but as simple as possible. This principle supports the regulatory goals of predictability and simplicity.
  • Keep data collection and paperwork burdens on users as low as is feasible. This principle supports the regulatory goals of cost-effectiveness and avoidance of duplication and burden.
  • Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology. This principle supports the regulatory goals of flexibility and encouragement of innovation.

We assessed a wide variety of security standards, guidelines and electronic signature standards against the principles listed above, with the overall goal of achieving the maximum benefit for the least cost. We found that there exists no single standard for security or electronic signature that encompasses all the requirements that have been deemed necessary. However, in this particular area, technology is rapidly developing enhancements and better means for accomplishing the stated goals.

D. Affected Entities

1. Health care providers.

Health care providers that conduct business using electronic transactions with other health care participants (such as other health care providers, health plans, and employers) or maintain electronic health information are encouraged, but are not required, to simultaneously implement the proposed security standard. However, if the effective date for the electronic transaction standards is later than the effective date for the security standard, the implementation of the security standard will not be delayed until the standard transactions are in use.

Health care providers that transmit, receive, or maintain health information would incur implementation costs for establishing or updating their security systems. Any negative impact on these health care providers caused by implementing the proposed security standard would generally be related to the initial implementation period for the specific requirements of the security standard. Health care providers that are indirectly involved in electronic transactions (for example, those who submit a paper claim that the health plan transmits electronically to a secondary payer) and do not maintain electronic health information would not be affected.

2. Health plans.

Health plans that engage in electronic health care transactions would have to modify their systems to use the security standard and the electronic signature standard, if used. Health plans that maintain electronic health information would also have to modify their systems to use the security standard. This conversion would have a one-time cost impact on Federal, State and private plans alike.

We recognize that this conversion process has the potential to cause business disruption of some health plans. However, health plans would be able to schedule their implementation of the security standard and other standards in a way that best fits their needs, as long as they meet the deadlines specified in the law.

Implementation of the security standard and the electronic signature standard, if used by the entities, would enhance payment safeguard activities and protect the integrity of the Medicare trust fund by reducing fraud and abuse that occurs when health care information is used by those who are not authorized to receive it. In addition these standards would assist the plans, providers, and clearinghouses to more effectively maintain the security of all health information in their databases.

3. Clearinghouses.

Health care clearinghouses would face impacts similar to those experienced by health care providers and health plans. Systems vendors, that provide computer software applications to health care providers and other billers of health care services, would likely be positively affected. These vendors would have to develop software solutions that would allow health care providers and other billers of health care transactions to protect the information in their databases from unwanted access to their systems.

4. Unfunded Mandates

This proposed rule has been reviewed in accordance with the Unfunded Mandates Reform Act of 1995 (UMRA) (U.S.C. 1501 et seq.) and Executive Order 12875. As discussed in the combined impact analysis referenced above (see Federal Register, Volume 63, No. 88), DHHS estimates that implementation of the standards will require the expenditure of more than $100 million by the private sector. Therefore, the rule establishes a Federal private sector mandate and is a significant regulatory action within the meaning of section 202 of UMRA (2 U.S.C. 1532). DHHS has included this statement to address the anticipated effects of the proposed rules pursuant to section 202.

These standards also apply to State and local governments in their roles as health plans or health care providers. Thus, the proposed rules impose unfunded mandates on these entities. While we do not have sufficient information to provide estimates of these impacts, several State Medicaid agencies have estimated that it would cost $1 million per State to implement all of the HIPAA standards. However, the Congressional Budget Office analysis stated that “States are already in the forefront in administering the Medicaid program electronically; the only costs -- which should not be significant -- would involve bringing the software and computer systems for the Medicaid programs into compliance with the new standards.”

The anticipated benefits and costs of this proposed standard, and other issues raised in section 202 of the UMRA, are addressed in the analysis below, and in the combined impact analysis. In addition, under section 205 of the UMRA (2 U.S.C. 1535), having considered a reasonable number of alternatives as outlined in the preamble to this rule and in the following analysis, the Department has concluded that the rule is the most cost-effective alternative for implementation of DHHS’ statutory objective of administrative simplification.

5. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA) of 1980, Public Law 96-354, requires us to prepare a regulatory flexibility analysis if the Secretary certifies that a proposed regulation would have a significant economic impact on a substantial number of small entities. The security and electronic signature standards will affect small entities, such as providers. A more detailed analysis of the impact on small entities is part of the impact analysis we published on May 7, 1998 (63 FR 25320) for all the HIPAA standards. A detailed illustration of the potential impact of the security standard on a small health care provider can be found in the preamble in section D.

E. Factors in Establishing the Security Standard

1. Selection of security systems and procedures.

Because there is no national security standard in widespread use throughout the industry, adopting any of the candidate standards would require most health care providers, health plans and health care clearinghouses to conform to the new standard. Implementation of the security standard would require all health plans, health care providers, and health care clearinghouses to establish or revise their security precautions because the proposed standard is not currently in use. The selection of the security standard does not impose a greater burden on the industry than the nonselected options, and presents significant advantages in terms of universality, uniqueness and flexibility.

Only those plans, providers, and clearinghouses that decide to use the digital signature would be affected by the electronic signature standard. Some large health plans, health care providers, and health care clearinghouses that currently exchange health information among trading partners may have security systems and procedures in place to protect the information from unauthorized access. These entities may not incur significant costs to meet the proposed security standard, and if they opt not to use the digital signature they would not incur costs to meet the electronic signature requirements. Also, some entities that currently use electronic signatures as an added security measure may already be using digital signature technology. At most, large entities that have sophisticated security systems in place may only need to revise or update their systems to meet the proposed security standard and electronic signature standard.

2. Complexity of conversion.

The complexity of the conversion would be significantly affected by the volume of claims health plans process electronically and by whether they choose to transmit the claims themselves or to use the services of a VAN or a clearinghouse. If they choose to transmit themselves, they would need to convert to the proposed transaction standards. Specific technology limitations of existing systems could affect the complexity of the conversion. For example, some entities may only have a minimum level of security and procedures in place and therefore may require a full upgrade, while others may already have a very sophisticated system and procedures and require very little enhancement.

3. Cost of conversion.

We expect that most providers, health plans, and clearinghouses that transmit or store data electronically have already implemented some security measures and will primarily need to assess existing security, identify areas of risk, and implement additional measures. We cannot estimate the per-entity cost of implementation because there is no information available regarding the extent to which providers’, plans’, and clearinghouses’ current security practices are deficient. Moreover, some security solutions are almost cost-free to implement (e.g., reminding employees not to post passwords on their monitors) while others are not.

Affected entities will have many choices regarding how they will implement security. Some may choose to assess security using in-house staff, while others will utilize consultants. Practice management software vendors may also provide security consultation services to their customers. Entities may also choose to implement security measures that require hardware or software purchases at the time they do routine equipment upgrades.

The security requirements we are proposing were developed with considerable input from the health care industry, including providers, health plans, clearinghouses, vendors, and standards organizations. Industry members strongly advocated this flexible approach, which permits each affected entity to develop cost-effective security measures. We believe that this approach will yield the lowest implementation cost to industry while assuring that health information is safeguarded. We solicit input regarding implementation costs.

We are unable to estimate, of the nation’s 4 million-plus health plans and 1.2 million-plus providers, the number of entities that would require security systems and procedures because they conduct electronic transactions or maintain electronic health information. Nor are we able to estimate the number of entities that neither conduct electronic transactions nor maintain electronic health information but may choose to do so at some future time. (These would be entities that send and receive paper transactions and maintain paper records and thus would not be affected because they would have no need to implement security standards.) However, we are aware of the possibility that those small entities that currently process claims electronically or maintain electronic health information may not be able to continue to do so due to the cost of establishing security systems to meet the requirements of the proposed security standard. Those entities that are not able to bill and exchange health information electronically may use clearinghouses. We believe that the proposed security standard represents the minimum necessary for adequate protection of health information in an electronic format. As discussed earlier in this preamble, the security requirements are both scalable and technically flexible; and while the law requires each health plan that is not a small plan to comply with the security and electronic signature requirements no later than 24 months after the effective date of the final rule, small plans will be allowed an additional 12 months to comply.

Since we are unable to estimate the number of entities, we are also unable to estimate the cost to the entities that will process electronic transactions. However, we believe that the cost of establishing security systems and procedures is a portion of the costs associated with converting to the transaction standards that are required under HIPAA.

This discussion on conversion costs relates only to health plans, health care providers, and health care clearinghouses that are required to follow the security standard to maintain, transmit or receive electronic health information. Other entities would not be required to follow the security standard and procedures until they choose to maintain, transmit, or receive electronic health information. The cost of establishing security systems and procedures for entities that do not transmit, receive or maintain health information electronically is not included in our estimates.