NPRM: Standards for Privacy of Individually Identifiable Health Information. § 164.520 Internal privacy practices; standards and procedures.

11/03/1999

A covered entity would need to ensure that all employees who have access to protected health information have received appropriate training about the entity’s policies for use and disclosure of such information. Upon completion of the training and at least once every three years thereafter, covered entities would require each employee to sign a statement that he or she received the privacy training and will honor all of the entity’s privacy policies and procedures.

The burden associated with these requirements is the time and effort necessary for a covered entity to obtain and maintain certification documentation demonstrating that applicable employees have received privacy training and will honor all of the entity’s privacy policies and procedures. It is estimated that, for 890,269 entities, obtaining and maintaining this documentation on an annual basis will take a range of 1 hour to 40 hours per entity. Given that we believe the majority of the covered entities will be minimally affected by this requirement, we estimate the annual average burden to be 3 hours per entity, for a total annual burden of 2,700,000 hours. Using previous calculations, 900,000 (rounded) entities break down to about 95% small and 5% various types of large; assuming 1 burden hour for the 95% and 40 burden hours for the 5%, the average burden would be 3 hours.

In addition, this section would require a covered entity that is a health plan or health care provider to develop and document its policies and procedures for implementing the requirements of this proposed rule, and amend the documentation to reflect any change to a policy or procedure.

The burden associated with these requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that it has implemented procedures that meet the requirements of this proposed rule. It is estimated that, for 890,269 entities, maintaining procedural documentation on an annual basis will take a range of 15 minutes to 1 hour per entity. We believe the majority (95%) of the covered entities will be minimally affected by this requirement. Using the 95% small/5% large split, the average burden is 17 minutes. Multiplying by 890,269 results in a total annual burden of 256,000 hours (see discussion below).

Since the requirements for developing formal processes and documentation of procedures mirror what will already have been required under the HIPAA security regulations, the burden and additional costs should be small. To the extent that national or state associations develop guidelines or general sets of processes and procedures that individual member entities then review, the costs would be primarily those of the individual reviewers. Assuming this process occurs, we believe that entities will review information from associations in each state and prepare a set of written policies to meet their needs. Our estimates are based on assumed costs for providers ranging from $300 to $3000, with the average being about $375. The range correlates to the size and complexity of the provider. With less than 1 million provider entities, the aggregate cost would be on the order of $300 million. For plans and clearinghouses, our estimate assumes that the legal review and development of written policies will be more costly because of the scope of their operations. They often deal with a large number of different providers and may be dealing with requirements from multiple states. We believe the costs for these entities will range from $300 for smaller plans to $15,000 for the largest plans. Because there are very few large plans in relation to the number of small plans, the average implementation cost will be about $3050.