NPRM: Standards for Privacy of Individually Identifiable Health Information. E. Costs.

11/03/1999

Affected entities will be implementing the privacy proposed rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the administrative simplification standards in the Federal Register, Vol. 63, No. 88, May 7, 1998, page 25344, the data handling changes occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards implementations can be made concurrently with the changes required for the other standards, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this additional cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards were uncertain.

The costs associated with implementing the privacy standards will be directly related to the number of affected entities and the number of affected transactions in each entity. 12 We chose to use the SBA data in the RFA because we wanted our analysis to be as consistent to SBA definitions as possible to give the greatest accuracy for the RFA purposes. As described in the overall administrative simplification impact estimates (Tables 1 and 2, page 25344), about 20,000 health plans (excluding non-self administered employer plans) 13 and hundreds of thousands of providers face implementation costs. In the administrative simplification analysis, the costs of provider system upgrades were expected to be $3.6 billion over the period 1998-2002, and plan system cost upgrades were expected to be $2.2 billion. (In the aggregate, this $5.8 billion cost is expected to be more than completely offset by $7.3 billion in savings during the 5 year period analyzed).

The relationship between the HIPAA security and privacy standards is particularly relevant. On August 12, 1998, the Secretary published a proposed rule to implement the HIPAA standards on security and electronic standards. That rule specified the security requirements for covered entities that transmit and store information specified in Part C, Title XI of the Act. In general, that rule would establish the administrative and technical standards for protecting “...any health information pertaining to an individual that is electronically maintained or transmitted.” (63 FR 43243). The security rule is intended to spell out the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that the protected health information is safe from destruction and tampering from people without authorization for its access.

By contrast, the privacy rule describes the policies and procedures that would govern the circumstances under which protected health information may be used and released with and without patient authorization and when a patient may have access to his or her protected medical information. This rule assumes that a covered entity will have in place the appropriate security apparatus to successfully carry out and enforce the provisions contained in the security rule.

Although the vast majority of health care entities are privately owned and operated, Federal, State, and local government providers are reflected in the total costs. 14 Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but represents a relatively small proportion of all provider entities. The number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately 2 percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. IHS and Tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In drafting the proposed rule the Department consulted with States, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the States and Tribes.

Estimating the costs associated with the privacy proposed rule involves, for each provision, consideration of both the degree to which covered entities must modify their records management systems and privacy policies under the proposed rule, and the extent to which there is a change in behavior of both patients and the covered entities as a result of the proposed rule. In the following sections we will examine these provisions as they would apply to the various covered entities as they undertake to comply with the proposed rule. The major costs that covered entities will incur are one time costs associated with implementation of the proposed rules, and ongoing costs that result from changes in behavior that both the covered entities and patients would make in response to the new proposed rules.

We have quantified the costs imposed by the proposed regulation to the extent that we had adequate data. In some areas, however, there was too little data to support quantitative estimates. As a result, the RIA does not include cost estimates for all of the requirements of the regulation. The areas for which explicit cost estimates have not been made are: the principle of minimum necessary disclosure; the requirement that entities monitor business partners with whom they share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; and additional requirements on research/optional disclosures that will be imposed by the regulation. The cost of some of these provisions may be significant, but it would be inaccurate to project costs for these requirements given the fact that several of these concepts are new to the industry.

The one time costs are primarily in the area of development and codification of procedures. Specific activities include: (1) analysis of the significance of the federal regulations on covered entity operation; (2) development and documentation of policies and procedures (including new ones or modification of existing ones); (3) dissemination of such policies and procedures both inside and outside the organization; (4) changing existing records management systems or developing new systems; and (5) training personnel on the new policies and system changes.

Covered entities will also incur ongoing costs. These are likely to be the result of

(1) increased numbers of patient requests for access and copying of their own records;

(2) the need for covered entities to obtain patient authorization for uses of protected information that had not previously required an authorization;

(3) increased patient interest in limiting payer and provider access to their records;

(4) dissemination and implementation both internally and externally of changes in privacy policies, procedures, and system changes; and

(5) training on the changes.

Compliance with the proposed rule will cost $3.8 billion over five years. These costs are in addition to the administrative simplification estimates. The cost of complying with the regulation represents 0.09 percent of projected national health expenditures the first year the regulation is enacted. The five year costs of the proposed regulation also represent 1.0 percent of the increase in health care costs experienced over the same five-year period. 15 Because of the uncertainty of the data currently available, the Department has made estimates on “low” and “high” range assumptions of the key variables. These estimates show a range of $1.8 to $6.3 billion over five years. It is important to note that these estimates do not include the areas for which we have made no cost estimates (discussed above).

Initial Costs

Privacy Policies and Procedures

With respect to the initial costs for covered entities, the expectation that most of the required HIPAA procedures will be implemented as a package suggests that additional costs for the privacy standards should be small. Since the requirements for developing formal processes and documentation of procedures mirror what will already have been required under the security regulations, the additional costs should be small. The expectation is that national and state associations will develop guidelines or general sets of processes and procedures and that these will generally be adopted by individual member entities. Relatively few providers or entities are expected to develop their own procedures independently or to modify significantly those developed by their associations. Our estimates are based on assumed costs for providers ranging from $300 to $3000, with the weighted average being about $375. The range correlates to the size and complexity of the provider, and is a reasonable estimate of the cost of coordinating the policies and procedures outlined in the proposed regulation. With fewer than 1 million provider entities, the aggregate cost would be on the order of $300 million.

For plans, our estimate assumes that the legal review and development of written policies will be more costly because of the scope of their operations. They are often dealing with a large number of different providers and may be dealing with requirements from multiple states. Again, we expect associations to do much of the basic legal analysis but plans are more likely to make individual adaptations. We believe this cost will range from $300 for smaller plans to $15,000 for the largest plans. Because there are very few large plans in relation to the number of small plans, the weighted average implementation costs will be about $3050.

The total cost of development of policies and procedures for providers and plans is estimated to be $395 million over five years.

System Compliance Costs

With respect to revisions to electronic data systems, the specific refinements needed to fulfill the privacy obligations ought to be closely tied to the refinements needed for security obligations. The overall administrative simplification system upgrades (procedures, systems, and training) of $5.8 billion would certainly be disproportionately associated with the security standard, relative to the other 11 elements. If in privacy it constitutes 15 percent, then the security standard would represent about $900 million system cost. If the marginal cost of the privacy elements is another 10 percent, then the additional cost would be $90 million.

Ongoing Costs

The recurrent costs may be more closely related to total numbers of persons with claims than to the number of covered entities. The number of individuals served by an entity will vary greatly. The number of persons with claims will give a closer approximation of how many people entities will have to interact with for various provisions.

Notice of Privacy Practices

No State laws or professional associations currently require entities to provide patients “notice” of their privacy policies. Thus, we expect that all entities will incur costs developing and disseminating privacy policy notices. Each entity will have a notice cost associated with each person to whom they provide services. Data from the 1996 Medical Expenditure Panel Survey shows that there are approximately 200 million ambulatory care encounters per year, nearly 20 million persons with a hospital episode, 7 million with home-health episodes, and over 170 million with prescription drug use (350 million total). For the remaining four years of the five year period, we have estimated that, on average, a quarter of the remaining population will enter the system, and thus receive a notice. If we account for growth in the number of people who may enter the health care system over the five year period of our analysis, we estimate that approximately 543 million patients will be seen at least once by one or more types of providers.

The development cost for notices is estimated to cost $30 million over five years, though most of this is likely to occur the first year. The first year cost of providing notices to patients, customers and plan enrollees would be $106 million. The total five year cost of providing new and subsequent copies to all provider patients and customers would be approximately $209 million.

The notice obligations of insurers apply on initial enrollment, with updated notices at least every 3 years. However, given enrollment changes and the sophistication of automation, we believe many plans would find it cheaper and more efficient to provide annual notices.

The 1998 National Health Interview Survey (NHIS) from the Census Bureau shows about 174.1 million persons are covered by private health insurance, on an unduplicated basis. NHIS calculates that persons who are privately insured hold approximately 1.3 policies per person. Based on information provided by several plans, we believe most plans would provide an independent mailing the first year, but in subsequent years would provide notices as an inclusion in other mailings. The cost for this would be $0.75 over five years. If we account for these duplicate policies and assume that the cost of sending the notices to a policyholder is $0.75, the total cost to plans would be $231 million over five years. This includes both public and private plans.

We request comments regarding our cost estimates for development and distribution of notices.

The costs for more careful internal operation of covered entities to execute their formal privacy procedures are highly dependent on the extent to which current practice tracks the future procedures. Entities that already have strict data sharing and confidentiality procedures will incur minimal costs, since their activities need not change much. Entities that have not developed explicit health information privacy policies may be compelled to obtain patient authorization in situations where they did not previously. These changes will generate ongoing costs as well as initial costs. We solicit comment with respect to the way current costs differ from those projected by the requirements of the proposed privacy rule. An example of such an area is “the minimum necessary disclosure principle” - because of differing current practices, we do not have data that reliably indicate how much this provision will cost.

Inspection and Copying

The Georgetown report on State privacy laws indicates that 33 states currently give patients some right to access medical information. The most common right of access granted by State law is the right to inspect personal information held by physicians and hospitals. In the process of developing estimates for the cost of providing access and copying, we assumed that most providers currently have procedures for allowing patients to inspect and copy their own record. Thus, we expect that the economic impact of requiring entities to allow individuals to access and copy their records should be relatively small. Copying costs, including labor, should be a fraction of a dollar per page. We expect the cost to be passed on to the consumer.

There are few studies that address the cost of providing medical records to patients.

The most recent was a study in 1998 by the Tennessee Comptroller of the Treasury. It found an average cost of $9.96 per request, with an average of 31 pages per request. The total cost per page of providing copies was $0.32 per page. This study was performed on hospitals only. The cost per request may be lower for other types of providers, since those seeking hospital records are more likely to be sick and have more complicated records than those in a primary care or other type of office. An earlier report showed much higher costs than the Tennessee study. In 1992, Rose Dunn published a report based on her experience as a manager of medical records. She estimated a 10 page request would cost $5.32 in labor costs only, equaling labor cost per page of $0.53. However, this estimate appears to reflect costs before computerization. The expected time spent per search was 30.6 minutes; 85 percent of this time could be significantly reduced with computerization (this includes time taken for file retrieval, photocopying, and re-filing; file retrieval is the only time cost that would remain under computerization). For subsequent estimates, we will use the Tennessee experience.

The proposed regulation states that entities may charge patients a reasonable fee to inspect and copy their health information. For this reason, we expect the cost of inspecting and copying an individual medical record to be passed on to consumers who request the service. Nonetheless, it is important to provide an estimate of the potential costs associated with inspection and copying. We assume that 1.5 percent of patients will request access to inspect and copy their medical record, and that the cost of accessing and copying a record is approximately $10 (as cited in the Tennessee study). The cost of inspection and copying is $81 million a year, or $405 million over five years. This cost is likely to be borne entirely by the consumer.

Amendment and Correction

We have assumed that many providers make provisions to help patients expedite amendment and correction of their medical record where appropriate. However, as with inspection and copying, the right to request amendment and correction of an individual’s medical record is not guaranteed by all States. Based on these assumptions and our cost analysis, we conclude that the principal economic effect of the proposed rule would be to expand the right to request amendment and correction to plans and providers that are not covered by state laws or codes of conduct. In addition, we expect that the proposed rule may draw additional attention to the issue of record inaccuracies and stimulate patient demand for access, amendment, and correction of medical records.

Our cost calculations assume that persons who request an opportunity to amend or correct their record have already obtained a copy of their medical record. Therefore, the administrative cost of amending and correcting the patient’s record is completely separate from inspection and copying costs. In this section we have only addressed the cost of disputing a factual statement within the patient record, and do not calculate the cost of appeals or third party review.

Administrative review of factual statements contained within a patient’s record may be expensive. Most errors may be of a nature that a clerk or nurse can correct (e.g., the date of a procedure is incorrect) but some may require physician review. Thus, we have estimated that the average cost of amending and correcting a patient record may be $75 per instance.

If amendment and correction requests are associated with two-thirds of requests for inspection and copying, and the cost of correcting (or noting the patient’s request for correction) is $75, the total cost of amending and correcting patient records will be $407 million annually, or $2 billion over five years. Comments on our estimate of amendment and correction costs would be helpful, particularly if they speak to current amendment and correction costs or frequency in the health care industry.

Reconstructing a history of disclosures (other than for treatment and payment)

To our knowledge, no current State law or professional code requires providers and plans to maintain the capability to reconstruct a patient’s health information history. Therefore, the requirement in this rule to be able to reconstruct the disclosure history of protected health information is completely new. Although it is likely that some providers and plans have already developed this capability, we assume that all providers and plans would be required to invest in developing the capacity to generate disclosure histories.

With respect to reconstruction of disclosure history, two sets of costs would exist. On electronic records, fields for disclosure reason, information recipient, and date would have to be built into the data system. The fixed cost of designing the system to include this would be a component of the $90 million additional costs discussed earlier. The ongoing cost would be the data entry time, which should be at de minimis levels. Comments would again be especially useful with respect to the extent to which recording the additional information goes beyond current practice.

Authorizations

Although many States have laws that require entities to obtain patient authorization before releasing individually identified health information to payers and other third parties, many of the authorization requirements either allow for blanket authorizations that deprive the patient of meaningful control over the release of their health information, or the authorization statutes are less stringent than the provisions of the proposed rule. Therefore, for purposes of estimating the economic impact of the NPRM, we are assuming that all providers and plans will have to develop new procedures to conform to the proposed rule.

Written patient authorization requirements will generate costs, to the extent covered entities are currently releasing information in the targeted circumstances without specific authority. Collecting such authorization should have costs on the order of those associated with providing access to records (not on a per page basis). The frequency of such collections is unknown. Since the requirement does not apply to treatment and payment, assuming 1 percent of the 543 million encounters over five years might be reasonable. At a cost of about $10 each, the aggregate cost would be about $54 million annually, or $271 million over five years. Comments would be especially useful from entities currently following such procedures.

Training

The ongoing costs associated with paperwork and training are likely to be minimal. Because training happens as a regular business practice, and employee certification connected to this training is also the norm, we estimate that the marginal cost of paperwork and training is likely to be small. We assume a cost of approximately $20 per provider office, and approximately $60-100 for health plans and hospitals. Thus, we estimate that the total cost of paperwork and training will be $22 million a year.

Conclusion

Overall, the five-year costs beyond those already shown in the administrative simplification estimates would be about $3.8 billion over five years, with an estimated range of $1.8 to $6.3 billion. Table 2 shows the components described above. The largest cost item is for amendment and correction, which is over half of the estimated total cost of the regulation. Inspection and copying, at $405 million over five years, and issuance of notices by providers and plans, at $439 million over five years, are the second biggest components. The one-time costs of development of policies and procedures by providers would represent approximately 10 percent of the total cost, or $333 million. Plans and clearinghouses would have a substantially smaller cost, about $62 million. Other systems changes are expected to cost about $90 million over the period. Finally, the estimates do not consider all of the costs imposed by the regulation.

Table 2. The Cost of Complying with the Proposed Privacy Regulation, in Dollars

| Provision | Initial or First Year Cost (2000) | Annual Cost after the First Year | Five Year (2000-2004) Cost |
| --- | --- | --- | --- |
| Development of Policies and Procedures- Providers (totaling 871,294) | $333,000,000 | | $333,000,000 |
| Development of Policies and Procedures- Plans (totaling 18,225) | $62,000,000 | | $62,000,000 |
| System Changes- All Entities | $90,000,000 | | $90,000,000 |
| Notice Development Cost—all entities | $20,000,000 | | $30,000,000 |
| Notice Issuance- Providers | $59,730,000 | $37,152,000 | $208,340,000 |
| Notice Issuance- Plans | $46,200,000 | $46,200,000 | $231,000,000 |
| Inspection/Copying | $81,000,000 | $81,000,000 | $405,000,000 |
| Amendment/Correction | $407,000,000 | $407,000,000 | $2,035,000,000 |
| Written Authorization | $54,300,000 | $54,300,000 | $271,500,000 |
| Paperwork/Training | $22,000,000 | $22,000,000 | $110,000,000 |
| Other Costs* | N/E** | N/E | N/E |
| Total | $1,165,230,000 | $647,652,000 | $3,775,840,000 |

*Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation.

**N/E = “Not estimated”

Costs to the Federal Government

The proposed rule will have a cost impact on various federal agencies that administer programs that require the use of individual health information. Federal agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual’s expressed authorization, will likely incur some costs complying with provisions of this rule. A sample of federal agencies encompassed by the broad scope of this rule include the: Department of Health and Human Services, Department of Defense, Department of Veterans Affairs, Department of State, and the Social Security Administration.

The federal costs of complying with the regulation are included in the estimates of total costs. The greatest cost and administrative burden on the federal government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicare, Medicaid, Children’s Health Insurance and Indian Health Service programs at the Department of Health and Human Services; the CHAMPVA health program at the Department of Veterans Affairs; and the TRICARE health program at the Department of Defense. These and other health insurance or provider programs operated by the federal government are subject to requirements placed on covered entities under this proposed rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these federal programs already afford privacy protections for individual health information through the Privacy Act, this rule is expected to create additional requirements beyond those covered by existing Privacy Act rule. Further, we anticipate that most federal health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule.

The cost to federal programs that function as health plans will be generally the same as those for the private sector. The primary difference is the expectation that systems compliance costs may be higher due to the additional burden of compliance and oversight costs.

A unique cost to the federal government will be in the area of enforcement. The Office of Civil Rights (OCR), located at the Department of Health and Human Services, has the primary responsibility to monitor and audit covered entities. OCR will monitor and audit covered entities in both the private and government sectors, will ensure compliance with requirements of this rule, and will investigate complaints from individuals alleging violations of their privacy rights. In addition, OCR will be required to recommend penalties and other remedies as part of their enforcement activities. These responsibilities represent an expanded role for OCR. Beyond OCR, the enforcement provisions of this rule will have additional costs to the federal government through increased litigation, appeals, and inspector general oversight.

Examples of other unique costs to the federal government include such activities as public health surveillance at the Centers for Disease Control and Prevention, health research projects at the Agency for Health Care Policy and Research, clinical trials at the National Institutes of Health, and law enforcement investigations and prosecutions by the Federal Bureau of Investigations. For these and other activities, federal agencies will incur some costs to ensure that protected health information is handled and tracked in ways that comply with the requirements of this title. A preliminary analysis of these activities suggests that the federal cost will be on the order of $31 million. We are currently in the process of refining these estimates and will include better information on them in the final rule.

Costs to State Governments

The proposed rule will also have a cost effect on various state agencies that administer programs that require the use of individual health information. State agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual’s expressed authorization, will likely incur some costs complying with provisions of this rule. Samples of state agencies encompassed by the broad scope of this rule include the: Medicaid, Children’s Health Insurance program at the Department of Health and Human Services.

We have included state costs in the estimation of total costs. The greatest cost and administrative burden on the state government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicaid, Children’s Health Insurance program at the Department of Health and Human Services. These and other health insurance or provider programs operated by state government are subject to requirements placed on covered entities under this proposed rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these state programs already afford privacy protections for individual health information through the Privacy Act, this rule is expected to create additional requirements beyond those covered by existing Privacy Act rule. Further, we anticipate that most state health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule.

The cost to state programs that function as health plans will be different than the private sector, much as the federal costs vary from private plans. A preliminary analysis suggests that state costs will be on the order of $90 million over five years. We will refine the estimates for the state government costs for enforcement, research and other distinct state government functions in the final rule. We welcome comment by state and local governments which will help the Department improve its analysis on these state costs.