NRPM: Standards for Privacy of Individually Identifiable Health Information. IV. Preliminary Regulatory Impact Analysis


Section 804(2) of title 5, United States Code (as added by section 251 of Public Law 104-121), specifies that a “major rule” is any rule that the Office of Management and Budget finds is likely to result in:

  • An annual effect on the economy of $100 million or more;
  • A major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or
  • Significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets.

We estimate that the impact of this final rule will be over $1 billion in the first year of implementation. Therefore, this rule is a major rule as defined in Title 5, United States Code, section 804(2).

DHHS has examined the impacts of this proposed rule under Executive Order 12866. Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is “significant” if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or adversely affecting in a material way a sector of the economy, competition, or jobs or if it raises novel legal or policy issues. DHHS finds that this proposed rule is a significant regulatory action as defined by Executive Order 12866. Also in accordance with the provisions of Executive Order 12866, this proposed rule was reviewed by the Office of Management and Budget.

When this proposed rule becomes a final rule, in accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104-121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (the Administrator) has determined that this proposed rule would be a major rule for the purpose of congressional review. A major rule for this purpose is defined in 5 U.S.C. 804(2) as one that the Administrator has determined has resulted or is likely to result in an annual effect on the economy of $100 million or more; a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of U.S.-based enterprises to compete with foreign-based enterprises in domestic or export markets.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) projects a significant increase in the number of medical transactions that will be conducted or transmitted electronically. HIPAA notes the privacy needs that result when individually identifiable health information can be transmitted quickly through electronic information systems. While there is a compelling need to protect the privacy of health information in today’s health care system, the expected growth of electronic systems to aid medical diagnostics, claims processing and research makes it even more critical to improve privacy protections.

A fundamental assumption of this regulation is that the greatest benefits of improved privacy protection will be realized in the future as patients gain increasing trust in health care practitioners’ ability to maintain the confidentiality of their health information. Furthermore, our analysis rests on the principle that health information privacy is a right, and as such, cannot be valued solely by market costs. Because it is difficult to measure future benefits based on present data, our estimates of the costs and benefits of this regulation are based on the current business environment and do not include projections beyond five years. As a result, we cannot accurately account for all of the regulation’s future costs and benefits, but the Department is confident that future benefits will be higher than those stated in this analysis.

In order to achieve a reasonable level of privacy protection, we have three objectives for the proposed rule: 1) to establish baseline standards for health care privacy protection, 2) to establish protection for all health information maintained or transmitted by covered entities, and 3) to protect the privacy of health information that is maintained in electronic form, as well as health information generated by electronic systems.

Establishing minimum standards for health care privacy protection is an attempt to create a baseline level of privacy protection for patients across States. The Health Privacy Project’s report, The State of Health Privacy: An Uneven Terrain,¹ makes it clear that under the current system of state laws, privacy protection is extremely variable. Our statutory authority under HIPAA allows us to preempt state laws when state law provides less stringent privacy protection than the regulation. Only in cases where state law does not protect the patient’s health information as stringently as in this proposed rule, or when state law is more restrictive of a patient’s right to access their own health care information, will our rule preempt state law. We discuss preemption in greater detail in other parts of the preamble (see the effects of the rule on state laws, section 2 below).

Our second objective is to establish a uniform base of protection for all health information maintained or transmitted by covered entities. As discussed in the preamble, HIPAA restricts the type of entities covered by the proposed rule to three broad categories: health care providers, health care clearinghouses, and health plans. However, there are similar public and private entities that we do not have the authority to regulate under HIPAA. For example, life insurance companies are not covered by this proposed rule but have access to a large amount of protected health information. State government agencies not directly linked to public health functions or health oversight may also have access to protected health information. Examples of this type of agency include the motor vehicle administration, which frequently maintains individual health information, and welfare agencies that routinely hold health information about their clients.

Our third objective is to protect the privacy of health information that is maintained in electronic form, as well as health information generated by electronic systems. Health information is currently stored and transmitted in multiple forms, including in electronic, paper, and oral formats. In order to provide consistent protection to information that has been electronically transmitted or maintained, we propose that this rule cover all personal, protected health information that has ever been maintained or transmitted electronically. This type of information includes output such as computer printouts, X-rays, magnetic tape, and other information that was originally maintained or transmitted electronically. For example, laboratory tests are often computer generated, printed out on paper, and then stored in a patient’s record. Because such lab results were originally maintained electronically, the post-electronic (i.e. printed) output of those lab results would also be covered under the proposed rule.

It is important to note that the use of electronic systems to maintain and transmit health information is growing among health care providers and health plans. Faulkner and Gray report that provider use of electronically processed health transactions grew from 47 percent to 62 percent between 1994 and 1998. Payer use of electronic transactions grew 17 percent between 1996 and 1997. Once all of the HIPAA administrative simplification standards are implemented, we expect the number of electronic transactions processed by payers and providers to grow.

The variation in business practice regarding use of paper records versus electronic media for storing and transmitting health information is captured by comparing the percentage of providers that submit paper claims with those that submit electronic claims. Faulkner & Gray’s Health Data Directory² shows that only 40 percent of non-Medicare physician claims and 16 percent of dental claims were submitted electronically in 1998. In contrast, 88 percent of all pharmacy claims were submitted electronically.

We believe that most physicians either have, or will have in the near future, the capacity to submit claims electronically. Faulkner and Gray reported that in 1998, 81 percent of physicians with Medicare patients submitted their Medicare claims electronically. The difference in the percent of electronic claims submitted to Medicare suggests that the physicians’ decisions to submit claims electronically may be heavily influenced by the administrative requirements of the health plan receiving the claim. Since HIPAA requires all health plans to accept electronic transactions and, in order to compete in the technologically driven health care market, more health plans may require electronic claims submissions, physicians will conduct many more electronic transactions in the near future. Therefore, it is extremely important that adequate privacy protections are implemented now.