Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Costs to the Federal Government

12/28/2000

The rule will have a cost impact on various federal agencies that administer programs that require the use of individual health information. The federal costs of complying with the regulation and the costs when federal government entities are serving as providers are included in the regulation's total cost estimate outlined in the impact analysis. Federal agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual's expressed authorization, will likely incur some costs complying with provisions of this rule. A sample of federal agencies encompassed by the broad scope of this rule includes the Department of Health and Human Services, Department of Defense, Department of Veterans Affairs, Department of State, and the Social Security Administration.

The greatest cost and administrative burden on the federal government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicare, Medicaid, Children's Health Insurance and Indian Health Service programs at the Department of Health and Human Services; the CHAMPVA health program at the Department of Veterans Affairs; and the TRICARE health program at the Department of Defense. These and other health insurance or provider programs operated by the federal government are subject to requirements placed on covered entities under this rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these federal programs already afford privacy protections for individual health information through the Privacy Act and standards set by the Departments and implemented through their contracts with providers, this rule is nonetheless expected to create additional requirements. Further, we anticipate that most federal health programs will, to some extent, need to modify their existing practices to comply fully with this rule. The cost to federal programs that function as health plans will be generally the same as those for the private sector.

A unique cost to the federal government will be in the area of enforcement. The Office for Civil Rights (OCR), located at the Department of Health and Human Services, has the primary responsibility to monitor and audit covered entities. OCR will monitor and audit covered entities in both the private and government sectors, will ensure compliance with requirements of this rule, and will investigate complaints from individuals alleging violations of their privacy rights. In addition, OCR will be required to recommend penalties and other remedies as part of their enforcement activities. These responsibilities represent an expanded role for OCR. Beyond OCR, the enforcement provisions of this rule may have additional costs to the federal government through increased litigation, appeals, and inspector general oversight.

Examples of other unique costs to the federal government may include such activities as public health surveillance at the Centers for Disease Control and Prevention, health research projects at the Agency for Healthcare Research and Quality, clinical trials at the National Institutes of Health, and law enforcement investigations and prosecutions by the Federal Bureau of Investigation. For these and other activities, federal agencies will incur some costs to ensure that protected health information is handled and tracked in ways that comply with the requirements of this title.

We estimate that federal costs under this rule will be approximately $196 million in 2003 and $1.8 billion over ten years. The ten-year federal cost estimate represents about 10.2 percent of the privacy regulation's total cost. This estimate was derived in two steps.

First, we assumed that the proportion of the privacy regulation's total cost accruing to the federal government in a given year will be equivalent to the proportion of projected federal costs as a percentage of national health expenditures for that year. To estimate these proportions, we used the Health Care Financing Administration's November 1998 National Health Expenditure projections (the most recent data available) of federal health expenditures as a percent of national health expenditures from 2003 through 2008, trended forward to 2012. We then adjusted these proportions to exclude Medicare and Medicaid spending, reflecting the fact that the vast majority of participating Medicare and Medicaid providers will not be able to pass through the costs of complying with this rule to the federal government because they are not reimbursed under cost-based payment systems. This calculation yields a partial federal cost of $166 million in 2003 and $770 million over ten years.

Second, we add the Medicare and federal Medicaid costs resulting from the privacy regulation that HCFA's Office of the Actuary projects can be passed through to the federal government. These costs reflect the actuaries' assumption regarding how much of the total privacy regulation cost burden will fall on participating Medicare and Medicaid providers, based on the November 1998 National Health Expenditure data. Then the actuaries estimate what percentage of the total Medicare and federal Medicaid burden could be billed to the programs, assuming that 1) only 3 percent of Medicare providers and 5 percent of Medicaid providers are still reimbursed under cost-based payment systems, and 2) over time, some Medicaid costs will be incorporated into the state's Medicaid expenditure projections that are used to develop the federal cost share of Medicaid spending. The results of this actuarial analysis add another $30 million in 2003 and $1.0 billion over ten years to the federal cost estimate. Together, these three steps constitute the total federal cost estimate of $236 million in 2003 and $2.2 billion over ten years.