Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Business Associates


The final rule requires a covered entity to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information before the covered entity may disclose that information to the business associate under such an arrangement. The Department expects business associate contracts to be fairly standardized, except for language that will have to be tailored to the specific arrangement between the parties, such as the allowable uses and disclosures of information. The Department assumes the standard language initially will be developed by trade and professional associations for their members. Small providers are likely to simply adopt the language or make minor modifications, while health plans and hospitals may start with the prototype language but may make more specific changes to meet their institutional needs. The regulation includes a requirement that the covered entity take steps to correct, and in some cases terminate, a contract if it knows of violations by a business associate. This oversight requirement is consistent with standard oversight of a contract.

The Department could not derive a per-entity cost for this work directly. In lieu of this, we have assumed that the trade and professional associations' work plus any minor tailoring of it by a covered entity would amount to one hour per non-hospital provider and two hours for each hospital and health plan. The larger figure for hospitals and health plans reflects the fact that they are likely to have a more extensive array of relationships with business associates.

The cost for the changes in business associate contracts is estimated to be $103 million. This will be an initial year cost only because the Department assumes that this contract language will become standard in future contracts.

In addition, the Department has estimated the cost for business associates to comply with the minimum necessary provisions. As part of the minimum necessary provisions, covered entities will have to establish policies to ensure that only the minimum necessary protected health information is shared with business associates. To the extent that data are exchanged, covered entities will have to review the data and systems programs to assure compliance.

For non-hospital providers, we estimate that the first year will require an average of three hours to review existing agreements, and thereafter, they will require an additional hour to assure business associate compliance. We estimate that hospitals will require an additional 200 hours the first year and 16 hours in subsequent years; health plans will require an additional 112 hours the first year and 8 hours in subsequent years. As in other areas, we have assumed a weighted average wage for the respective sectors.

The cost to covered entities of assuring that business associates comply with the minimum necessary provisions is $197 million in the first year, and a total of $697 million over ten years. (These estimates include both the cost for the covered entity and the cost for the business associates.)