NRPM: Standards for Privacy of Individually Identifiable Health Information. B. Summary of Costs and Benefits.


The Department has estimated the costs and benefits of the proposed rule based on several caveats. In general, it is difficult to estimate the costs and benefits of improved privacy protection. The ability to measure costs of the proposed regulation is limited because there is very little data currently available on the cost of privacy protection. The Department has not been able to estimate costs for a number of requirements of the proposed regulation that we know will impose some cost to covered entities. For those elements for which there are estimated costs, data and information limitations limit the precision of the Department’s estimates; for those reasons we have provided an overall range of costs in addition to point estimates, and welcome further information from the public as part of the comment process. Furthermore, the number of new privacy requirements that the regulation will introduce to the health care industry exacerbates difficulties estimating the benefits of privacy. Benefits are difficult to measure because we conceive of privacy primarily as a right and secondarily as a commodity. As discussed below, the significant benefits of the proposed regulation to individuals and society can be demonstrated by illustrating the serious privacy concerns raised by mental health, substance abuse, cancer screening, and HIV/AIDS patients and the benefits that may be derived from greater privacy.

The estimated cost of compliance with the proposed rule would be at least $3.8 billion over five years. The cost includes estimates for the majority of the requirements of the proposed regulation, but not all. These estimates include costs to federal, State, and local governments. Federal, and State and local costs are therefore a subset of total costs. Based on a plausible range of costs for the key components of the analysis, the cost of the regulation would likely be in the range $1.8 to $6.3 billion over five years (not including those elements of the regulation for which we could not make any cost estimates).

The compliance costs are in addition to Administrative Simplification estimates. The cost of complying with the privacy regulation represents about 0.09 percent of projected national health expenditures during the first year following the regulation’s enactment. The five-year cost of the proposed regulation also represents 1.0 percent of the increase in health care costs that will occur during the same five-year period 3.

The largest cost item is the amending and correcting of records, which would represent over one-half of total costs. Provider and plan notices, which we estimate would cost $439 million, is the second largest cost, and inspection and copying of records is estimated to be $405 million. The one-time costs for providers to develop policies and procedures represent somewhat less than 10 percent of the total cost, or $333 million. Plans would bear a substantially smaller cost--approximately $62 million. Other systems changes would cost about $90 million over the period. The cost of administering written authorizations would total approximately $271 million over five years.

The cost estimates include private- and public-sector costs. Many of the public- sector cost elements will be the same as those in the private market. However, privacy notices are likely to represent a smaller fraction of total public-sector costs, while systems compliance costs in the public sector may be higher than in the private sector due to oversight and administrative requirements.

The costs presented in this document are the Department’s best estimates of the cost of implementing the proposed regulation based on available information and data. Because of inadequate data, we have not made cost estimates for the following compnents of the regulation: the principle of minimum necessary disclosure; the requirement that entities monitor business partners with whom they share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; and additional requirements on research/optional disclosures that will be imposed by the regulation. The cost of these provisions may be significant in some cases, but it would be inaccurate to project costs for these requirements given the fact that several of these concepts are new to the industry, and there is little direct evidence on costs. We solicit comment regarding costs of the regulation that we have not quantified.

The privacy protections established by this regulation will provide major social benefits. Establishing privacy protection as a fundamental right is an important goal and will have significant, non-quantifiable social benefits. A well-designed privacy standard can be expected to build confidence among the public about the confidentiality of their health information. Increased confidence in the privacy of an individual’s health information can be expected to increase the likelihood that many people will seek treatment for particular classes of disease, particularly mental health conditions, sexually transmitted diseases such as HIV/AIDS, and earlier screening for certain cancers. The increased utilization of medical services that would result from increased confidence in privacy would lead to improved health for the individuals involved, reduced costs to society associated with delayed treatments, and improved public health attributable to reduced transmission of communicable diseases.

Provision Initial or First Year Cost (2000) Annual Cost after the First Year Five Year (2000-2004) Cost
Table 1. The Cost of Complying with the Proposed Privacy Regulation, in Dollars
Development of Policies and Procedures- Providers (totaling 871,294) $333,000,000   $333,000,000
Development of Policies and Procedures- Plans (totaling 18,225) $62,000,000   $62,000,000
System Changes- All Entities $90,000,000   $90,000,000
Notice Development Cost- All Entities $20,000,000   $30,000,000
Notice Issuance- Providers $59,730,000 $37,152,000 $208,340,000
Notice Issuance- Plans $46,200,000 $46,200,000 $231,000,000
Inspection/Copying $81,000,000 $81,000,000 $405,000,000
Amendment/Correction $407,000,000 $407,000,000 $2,035,000,000
Written Authorization $54,300,000 $54,300,000 $271,500,000
Paperwork/Training $22,000,000 $22,000,000 $110,000,000
Other Costs* N/E** N/E N/E
Total $1,165,230,000 $647,652,000 $3,775,840,000

*Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation.

**N/E = “Not estimated”

We promote the view that privacy protection is an important personal right, and suggest that the greatest of the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of proposed regulation, and these benefits, alone, demonstrate that the regulation is warranted.

These benefits are considered both qualitatively and quantitatively. As a framework for the discussion, the cost of the provisions in the regulation that have been quantified is $0.46 per health care encounter. Although the value of privacy cannot be fully calculated, it is worth noting that if individuals would be willing to pay more than $0.46 per health care encounter to improve health information privacy, the benefits of the proposed regulation would outweigh the cost.

Several qualitative examples illustrate the benefits of the proposed regulation. In one case, medical privacy concerns may prevent patients from obtaining early testing and screening for certain types of cancer. Of types of cancer for which screening is available, survival rates might increase to 95 percent diagnosed in the early stages 4. For HIV/AIDS patients, new treatments for patients who are diagnosed with HIV in the early stages may save $23,700 per quality-adjusted year of life saved 5. Later in this document, the potential to reduce illness and disability associated with sexually transmitted diseases is discussed.

We recognize that many of the costs and benefits of health information privacy are difficult to quantify, but we believe that our estimates represent a reasonable range of the economic costs and benefits associated with the regulation.