NRPM: Standards for Privacy of Individually Identifiable Health Information. 3. The burden on a typical small business.

11/03/1999

We expect that small entities will face a cost burden as a result of complying with the proposed regulation. We estimate that the burden of developing privacy policies and procedures is lower in dollar terms for small businesses than for large businesses, but we recognize that the cost of implementing privacy provisions will be a larger burden to small entities as a proportion of total revenue. Due to these concerns, we rely on the principle of scalability stated in the proposed rule, and have based our cost estimates on the expectation that small entities will develop less expensive and less complex privacy measures than large entities.

In many cases, we have specifically considered the impact that the proposed rule may have on solo practitioners or rural providers. Where these providers do not have large technical systems, it is possible that the regulation may not apply to small providers, or that small providers will not be required to change their business practices other than adhering to the basic requirements that they state their privacy policies and notify patients of their privacy rights. For both activities, the proposed regulation accounts for the activities and size of the practice. Scalability implies that in developing policies and procedures to comply with the proposed regulation, businesses should consider their basic functions and the amount of health information exchanged electronically. All covered entities must take appropriate steps to address privacy concerns, and in determining the scope and extent of their compliance activities, businesses should weigh the costs and benefits of alternative approaches and should scale their compliance activities to their structure, functions, and capabilities.

Our analysis of the costs to small businesses is divided into three sections: 1) initial start-up costs associated with development of privacy policy; 2) initial start-up costs associated with system change; and 3) ongoing costs, including notification of privacy policies.

Overall, our analysis suggests that the average start-up cost of complying with the proposed rule is $396 per entity. This includes the cost of developing privacy policies and systems compliance changes (Table C). The ongoing costs of privacy compliance are approximately $337 per entity in the first year and $343 every year thereafter (Table D). The total cost of implementing initial and ongoing costs of the proposed regulation in the first year is $733 per entity. After the first year, the total compliance cost to the entity is $343 per year. We estimate that the relative average cost of initial compliance is approximately 0.12 percent of a small entity’s annual expenditures in the first year. The relative average cost of ongoing privacy compliance is approximately 0.05 percent of a small entity’s annual expenditures.

Our cost calculations are based on several assumptions. The cost of developing privacy policies is based on figures from the regulatory impact analysis that accompanied the HIPAA National Provider Identifier (63 FR 25320). The cost of initial systems compliance is based on current assumptions about market behavior, including the assumption that a relatively small proportion of the total cost of system compliance (20%) will be absorbed by small covered entities. We evaluated the ongoing costs of an entity’s privacy protection by calculating that privacy protection costs should be proportional to the number of patients served by the business. For example, the cost of notifying patients of privacy practices will be directly proportional to the number of patients served. We then multiplied the proportion of small entities by the total ongoing costs of privacy compliance.

Table C. Annual Cost of Implementing Provisions of the Proposed Privacy Regulation In the First Year

| Industry | Initial Costs: Initial Privacy Policy Costs Incurred by Small Entities, per Entity | Initial Costs: Initial System Compliance Cost Incurred by Small Entities*, per Entity | Initial Costs: Notice Development Cost, per Small Entity | Initial Costs: Total Initial Compliance Cost, per Small Entity** | Ongoing Costs: First Year Notice Issuance Costs for Small Entities, per Small Entity | Ongoing Costs: Annual Amendment and Correction Cost to Small Entities, per Small Entity | Ongoing Costs: Annual Written Authorization Cost to Small Entities, per Small Entity | Ongoing Costs: Total Annual Ongoing Cost in the First Year, per Small Entity | Total Costs: Total Annual Initial and Ongoing Cost in the First Year, per Small Entity |
|---|---|---|---|---|---|---|---|---|---|
| Drug Stores & Proprietary Stores^ | $300 | $131.19 | $59.40 | $490.58 | $118.26 | $768.64 | $102.55 | $989.45 | $1,480.03 |
| Accident & Health Insurance & Medical Service Plans^ (Accident & Health Insurance and Hospital & Medical Service Plans) | $1,000 | $1,939.86 | $203.91 | $3,143.77 | $314.02 | $127.60 | $17.02 | $458.65 | $3,602.41 |
| Offices & Clinics Of Doctors Of Medicine | $300 | $21.04 | $21.20 | $342.24 | $42.21 | $260.93 | $34.81 | $337.96 | $680.20 |
| Offices & Clinics Of Dentists | $300 | $7.43 | $13.25 | $320.68 | $26.39 | $163.11 | $21.76 | $211.26 | $531.94 |
| Offices & Clinics Of Other Health Practitioners | $300 | $11.10 | $17.82 | $328.92 | $35.47 | $219.29 | $29.26 | $284.02 | $612.94 |
| Nursing & Personal Care Facilities | $1,500 | $117.15 | $49.63 | $1,666.79 | $98.82 | $610.88 | $81.50 | $791.20 | $2,457.99 |
| Hospitals | $1,500 | $7,362.22 | $79.65 | $8,941.87 | $158.59 | $980.36 | $130.80 | $1,269.75 | $10,211.62 |
| Home Health Care Services | $300 | $58.06 | $30.66 | $388.72 | $61.05 | $377.38 | $50.35 | $488.77 | $877.49 |
| Other Health Care Services including Lab Services | $300 | $19.83 | $10.84 | $330.68 | $21.59 | $133.47 | $17.81 | $172.87 | $503.55 |
| Average Cost | $334.31 | $40.13 | $21.17 | $395.61 | $42.05 | $260.23 | $34.72 | $337.00 | $732.61 |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.

** Total Initial Compliance Cost includes policy implementation and systems compliance costs

^ Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.

 

Table D. Annual Cost of Implementing Provisions of the Proposed Privacy Regulation, After the First Year

| Industry | Ongoing Costs: Annual Notice Issuance Costs After the First Year, per Small Entity | Ongoing Costs: Annual Amendment and Correction Cost to Small Entities*, per Small Entity | Ongoing Costs: Annual Written Authorization Cost to Small Entities, per Small Entity | Ongoing Costs: Annual Ongoing Costs for Paperwork and Training, per Small Entity | Ongoing Costs: Total Annual Ongoing Cost After the First Year, per Small Entity |
|---|---|---|---|---|---|
| Drug Stores & Proprietary Stores^ | $73.26 | $768.64 | $102.55 | $20 | $964.45 |
| Accident & Health Insurance & Medical Service Plans^ (Accident & Health Insurance and Hospital & Medical Service Plans) | $314.02 | $127.60 | $17.02 | $60 | $518.65 |
| Offices & Clinics Of Doctors Of Medicine | $26.15 | $260.93 | $34.81 | $20 | $341.90 |
| Offices & Clinics Of Dentists | $16.35 | $163.11 | $21.76 | $20 | $221.22 |
| Offices & Clinics Of Other Health Practitioners | $21.97 | $219.29 | $29.26 | $20 | $290.52 |
| Nursing & Personal Care Facilities | $61.22 | $610.88 | $81.50 | $100 | $853.59 |
| Hospitals | $98.24 | $980.36 | $130.80 | $100 | $1,309.40 |
| Home Health Care Services | $37.82 | $377.38 | $50.35 | $20 | $485.54 |
| Other Health Care Services including Lab Services | $13.38 | $133.47 | $17.81 | $20 | $184.65 |
| Average Cost | $26.16 | $260.23 | $34.72 | $22.28 | $343.39 |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.

^ Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.