NRPM: Standards for Privacy of Individually Identifiable Health Information. Initial Costs:


Table C shows the results of our calculations of the cost of initial compliance. We calculated initial privacy policy costs separately from initial system compliance costs because we made different assumptions about the cost of each. To calculate initial privacy policy costs per small entity, we multiplied the estimated cost of developing privacy policies (per entity) by the number of establishments. We then averaged these costs and computed that the average cost of developing privacy policies is $334.31 per small entity. The average cost of implementing privacy policies is greater than the $300 cost we assume most health care provider offices will pay, because we assume that small health plans, hospitals, and nursing and patient care services will spend between $500-$1,000 to implement privacy policies. Calculating the cost of system compliance per entity required us to estimate the percent of total system costs that each type of entity would incur. We used the $90 million figure (cited in the RIA) as the basis for distributing system compliance costs across various types of entities affected by the proposed rule. We estimated how this cost would be divided between small and large entities, and among plans, providers and clearinghouses.

Our calculations regarding division of costs are based on two assumptions: 1) system costs are principally fixed costs associated with the purchase of hardware and software [10]; and 2) large entities will continue to invest more heavily in hardware and software expenditures than small entities. We estimate that 80 percent of the system costs will be borne by large entities. The remaining 20 percent of total systems costs will be absorbed by small entities. To calculate the effect on small businesses, we multiplied the system compliance costs cited in the RIA by the proportion of the costs we expect small entities to incur (20 percent of total). We then multiplied the total cost of system compliance for small entities by the percentage of health care revenue by industry and calculated a cost per entity.

We used HCFA’s estimate of total national health expenditures to calculate the percent of total health care business that is represented by types of health care entities. We calculated the proportion of business transacted by a type of health care entity (by SIC code) and multiplied this by the total expenditures ($1.084 billion total) [11]. National expenditure data is a useful measure for allocating system compliance costs for two reasons. First, even though system compliance costs are primarily fixed costs, we assume that they bear some relationship to the size and level of the activity of the entity. Similarly, national expenditures vary according to both size and level of activity. Second, in contrast to the annual receipts compiled by the Business Census Survey, national expenditure information compares its data to other sources in order to validate its results. Thus, we decided that the national expenditure data are a more reliable source of overall business activity for our purposes. Based on these assumptions, we believe that the total cost of system compliance for all small health care entities will be approximately $18 million. Dividing costs by the number of small entities suggests that the average cost of system compliance is $40.13 per entity.

The cost of notice development is approximately $21 per small entity. We assume that many small providers will receive assistance developing their notice policies from professional associations. Thus, the overall cost of developing compliant notices is significant, but the cost per entity is small. The cost to small entities of developing notices is based on the proportion of expenditures generated by small entities. We recognize that this may not adequately capture the costs of developing a provider or plan’s notice of their privacy policies, and invite comment on our approach.

We added the per-entity cost of privacy policy implementation to the cost of systems compliance to determine the total average cost of start-up compliance. Our figures indicate that initial compliance will cost an average of $396 per small entity. These costs vary across entity type (Table C). For example, small hospitals have a much higher cost of compliance than the average cost for all small entities, whereas dentists’ offices tend to have initial compliance costs that are lower than the average for small entities. Most small practitioner offices have low costs ($320 per dentist office), whereas small hospitals ($8,942 per entity) and small insurance companies have much higher costs ($3,144 per entity) than other health care entities.

Finally, we attempted to estimate the impact of compliance costs on small entities by comparing the cost of complying with the proposed rule to an entity’s annual expenditures (Table E). We computed the percent of small entity expenditures as a percent of national expenditures by calculating the proportion of small business receipts (from census data compiled for the SBA) that apply to segments of the health care market. Although we believe that the SBA data understates the amount of annual receipts, we assumed that the underestimates are consistent across all entities. Thus, although the dollar amounts reported by the SBA are incorrect, our assumption is that the proportion of small entity receipts relative to total annual receipts is correct.

Applying the percent of small entity receipts to the national expenditure data allows us to estimate the percent of national expenditures represented by small entities. We then considered the total compliance cost (initial and ongoing cost) as a percent of small business expenditures. Our estimates suggest that the cost of complying with the proposed rule represents approximately 0.12 percent of total annual expenditures for a small health care entity in the first year. The relative cost of complying with the proposed rule is substantially lower in subsequent years, representing 0.04 percent of an entity’s annual expenditures. The relative cost of complying with the proposed regulation is highest for small health insurers (1.03 percent of expenditures). These costs will be higher due to the volume and complexity of health plan billing systems; health plans are required to implement more policies and procedures to protect health information because they handle so much personally identifiable information. Because health plan costs are higher and there is a smaller number of plans than other types of entities affected by the regulation, these costs result in a higher annual cost per small health plan. Table E further illustrates the cost impact by type of entity in the first year.

Table E. Small Entity Business Expenditures and Proportion of Annual Expenditures Represented by Initial and Ongoing Compliance Costs in the First Year*

| Industry | Total Annual Initial and Ongoing Costs in the First Year, per Small Entity | Annual Expenditure per Small Entity~ | Compliance Cost as a Percentage of a Small Entity's Annual Expenditures |
|---|---|---|---|
| Drug Stores & Proprietary Stores^ | $1,480.03 | $2,046,199 | 0.07% |
| Accident & Health Insurance & Medical Service Plans^ (Accident & Health Insurance and Hospital & Medical Service Plans) | $3,602.41 | $350,467 | 1.03% |
| Offices & Clinics Of Doctors Of Medicine | $680.20 | $695,560 | 0.10% |
| Offices & Clinics Of Dentists | $531.94 | $434,260 | 0.12% |
| Offices & Clinics Of Other Health Practitioners | $612.94 | $583,805 | 0.10% |
| Nursing & Personal Care Facilities | $2,457.99 | $1,629,755 | 0.15% |
| Hospitals | $10,211.62 | $2,660,215 | 0.38% |
| Home Health Care Services | $877.49 | $1,003,475 | 0.09% |
| Other Health Care Services including Lab Services | $503.55 | $351,146 | 0.14% |
| Average Cost | $732.61 | $625,992 | 0.12% |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.

** Total Initial Compliance Cost includes policy implementation and systems compliance costs

~ Based on the assumption that the proportion of revenue generated by small businesses approximates the proportion of expenditures faced by small businesses

^ Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.