Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. B. Summary of Costs and Benefits


Measuring both the economic costs and benefits of health information privacy is difficult. Traditionally, privacy has been addressed by state laws, contracts, and professional practices and guidelines. Moreover, these practices have been evolving as computers have dramatically increased the potential use of medical data; the scope and form of health information is likely to be very different ten years from now than it is today. This final regulation is both altering current health information privacy practice and shaping its evolution as electronic uses expand.

To estimate costs, the Department used information from published studies, trade groups and associations, public comments to the proposed regulation, and fact-finding by staff. The analysis focused on the major policy areas in the regulation that would result in significant costs. Given the vast array of institutions affected by this regulation and the considerable variation in practices, the Department sought to identify the "typical" current practice for each of the major policy areas and estimate the cost of change resulting from the regulation. Because of the paucity of data and incomplete information on current practices, the Department has consistently made conservative assumptions (that is, given uncertainty, we have made assumptions that, if incorrect, are more likely to overstate rather than understate the true cost).

Benefits are difficult to measure because people conceive of privacy primarily as a right, not as a commodity. Furthermore, a wide gap appears to exist between what people perceive to be the level of privacy afforded health information about them and what actually occurs with the use of such information today. Arguably, the "cost" of the privacy regulation is the amount necessary to bring health information privacy to these perceived levels.

The benefits of enhanced privacy protections for individually identifiable health information are significant, even though they are hard to quantify. The Department solicited comments on this issue, but no commenters offered a better alternative. Therefore, the Department is essentially reiterating the analysis it offered in the proposed Privacy Rule. The illustrative examples set forth below, using existing data on mental health, cancer screening, and HIV/AIDS patients, suggest the level of economic and health benefits that might accrue to individuals and society. Moreover, the benefits of improved privacy protection are likely to increase in the future as patients gain trust in health care practitioners' ability to maintain the confidentiality of their health information.

The estimated cost of compliance with the final rule is $17.6 billion over the ten year period, 2003-2012. 34 This includes the cost of all the major requirements for the rule, including costs to federal, state and local governments. The net present value of the final rule, applying an 11.2 percent discount rate, 35 is $11.8 billion. 36

The first year estimate is $3.2 billion (this includes expenditures that may be incurred before the effective date in 2003). This represents about 0.23 percent of projected national health expenditures for 2003. 37 By 2008, seven years after the rule's effective date, the rule is estimated to cost 0.07 percent of projected national health expenditures.

The largest cost items are the requirement to have a privacy official, $5.9 billion over ten years, and the requirement that disclosures of protected health information only involve the minimum amount necessary, $5.8 billion over ten years (see Table 1). These costs reflect the change that affected organizations will have to undertake to implement and maintain compliance with the requirements of the rule and achieve enhanced privacy of protected health information.

Table 1. The Cost of Complying with the Proposed Privacy Regulation, in Dollars

| Provision | Initial or First Year Cost (2003, $Million) | Average Annual Cost ($Million, Years 2-10) | Ten Year Cost (2003-2012) |
|---|---|---|---|
| Policy Development | $597.7 | $0 | $597.7 |
| Minimum Necessary | 926.2 | 536.7 | 5,756.7 |
| Privacy Officials | 723.2 | 575.8 | 5,905.8 |
| Disclosure Tracking/History | 261.5 | 95.9 | 1,125.1 |
| Business Associates | 299.7 | 55.6 | 800.3 |
| Notice Distribution | 50.8 | 37.8 | 391.0 |
| Consent | 166.1 | 6.8 | 227.5 |
| Inspection/Copying | 1.3 | 1.7 | 16.8 |
| Amendment | 5.0 | 8.2 | 78.8 |
| Requirements on Research | 40.2 | 60.5 | 584.8 |
| Training | 287.1 | 50.0 | 737.2 |
| De-Identification of Information | 124.2 | 117.0 | 1,177.4 |
| Employers with Insured Group Health Plans | 52.4 | 0 | 52.4 |
| Internal Complaints | 6.6 | 10.7 | 103.2 |
| Total* | 3,242.0 | 1,556.9 | 17,554.7 |
| Net Present Value | 3,242.0 | 917.8 | 11,801.8 |

*Note: Numbers may not add due to rounding.