Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. E. Costs


Covered entities will be implementing the privacy final rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the Transactions Rule, the data handling change occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards, implementation specifications, and requirements can be made concurrently with the changes required by the other regulations, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this incremental cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards are uncertain.

The costs associated with implementing the requirements under this Privacy Rule will be directly related to the number of affected entities and the number of affected transactions in each entity. There are approximately 12,200 health plans (including self-insured employer and government health plans that are at least partially self-administered), 6480 hospitals, and 630,000 non-hospital providers that will bear implementation costs under the final rule.

The relationship between the HIPAA security and privacy standards is particularly relevant. On August 17, 2000, the Secretary published a final rule to implement the HIPAA standards on electronic transactions. That rule adopted standards for eight electronic code sets to be used for those transactions. The proposed rule for security and electronic signature standards was published on August 12, 1998. That proposal specified the security requirements for covered entities that transmit and store information specified in Part C, Title II of the Act. In general, that proposed rule proposed administrative and technical standards for protecting "...any health information pertaining to an individual that is electronically maintained or transmitted." (63 FR 43243). The final Security Rule will detail the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that health information is safe from destruction and tampering from people without authorization for its access.

By contrast, the Privacy Rule describes the requirements that govern the circumstances under which protected health information must be used or disclosed with and without patient involvement and when a patient may have access to his or her protected health information.

While the vast majority of health care entities are privately owned and operated, we note that federal, state, and local government providers are reflected in the total costs as well. Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but it represents a relatively small proportion of all provider entities. We estimated that the number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately two percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. Indian Health Service and tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In developing the rule, the Department consulted with states, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the states and tribes.

The costs associated with this final rule involve, for each provision, consideration of both the degree to which covered entities must modify their existing records management systems and privacy policies under the final rule, and the extent to which there is a change in behavior by both patients and the covered entities as a result of the final rule. The following sections examine these provisions as they apply to the various covered entities under the final rule. The major costs that covered entities will incur are one-time costs associated with implementation of the final rules, and ongoing costs that result from continuous requirements in the final rule.

The Department has quantified the costs imposed by the final regulation to the extent possible. The costs of many provisions were estimated by first using data from the Census Bureau's Statistics of U.S. Business to identify the number of non-hospital health care providers, hospitals and health plans. Then, using the Census Bureau's Current Population Survey (CPS) wage data for the classes of employees affected by the rule, the Department identified the hourly wage of the type of employee assumed to be most likely responsible for compliance with a given provision. Where the Department believed a number of different types of employees might be responsible for complying with a certain provision, as is often expected to be the case, the Department established a weighted-average wage based on the types of employees involved. Finally, the Department made assumptions regarding the number of person-hours per institution required to comply with the rule.

The Department cannot determine precisely how many person-hours per institution will be required to comply with a given provision; however, the Department attempted to establish reasonable estimates based on fact-finding discussions with private sector health care providers, the advice of the Department's consultants, and the Department's own best judgement of the level of burden required to comply with a given provision. Moreover, the Department recognizes that the number of hours required to comply with a given requirement of the rule will vary from provider to provider and health plan to health plan, particularly given the flexibility and scalability permitted under the rule. Therefore, the Department considers the estimates to be averages across the entire class of health care providers, hospitals, or health plans in question.

Underlying all annual cost estimates are growth projections. For growth in the number of patients, the Department used data from the National Ambulatory Medical Care Survey, the National Hospital Ambulatory Medical Care Survey, the National Home and Hospice Survey, the National Nursing Home Survey, and information from the American Hospital Association. For growth in the number of health care workers, the Department used data from the Bureau of Health Professions in the Department's Health Resources Services Administration (HRSA). For insurance coverage growth (private and military coverage), we used a five-year average annual growth rate in employer-sponsored, individual, military, and overall coverage growth from the Census Bureau's CPS, 1995-1999. To estimate growth in the number of Medicare and Medicaid enrollees, the Department used the enrollment projections of the Health Care Financing Administration's Office of the Actuary. For growth in the number of hospitals, health care providers and health plans, trend rates were derived from the Census Bureau's Statistics of U.S. Businesses, using SIC code-specific five-year annual average growth rate from 1992-1997 (the most recent data available). For wage growth, the Department used the same assumptions made in the Medicare Trustees' Hospital Insurance Trust Fund report for 2000.

In some areas, the Department was able to obtain very reliable data, such as survey data from the Statistics of U.S. Businesses and the Medical Expenditures Panel Survey (MEPS). In numerous areas, however, there was too little information or data to support quantitative estimates. As a result, the Department relied on data provided in the public comments or subsequent fact-finding to provide a basis for making key assumptions. We were able to provide a reasonable cost estimate for virtually all aspects of the regulation, except law enforcement. In this latter area, the Department was unable to obtain sufficient data about current practices (e.g., the number of criminal and civil investigations that may involve requests for protected health information, the number of subpoenas for protected health information, etc.) to determine the marginal effects of the regulation. As discussed more fully below, the Department believes the effects of the final rule are marginal because the policies adopted in the final rule appear to largely reflect current practice.

The NPRM included an estimate of $3.8 billion for the privacy proposal. The estimate for the final rule is $18.0 billion. Much of the difference can be explained by two factors. First, the NPRM estimate was for five years; the final rule estimate is for ten years. The Department chose the longer period for the final rule because ten years was also the period of analysis in the Transactions Rule RIA, and we wanted to facilitate comparisons, given that the net benefits and costs of the administrative simplification rules should be considered together. Second, the final impact analysis includes cost estimates for a number of key provisions that were not estimated in the NPRM because the Department did not have adequate information at the time. Although we received little useable data in the public comments (see comment and response section), the Department was able to undertake more extensive fact-finding and collect sufficient information to make informed assumptions about the level of effort and time various provisions of the final rule are likely to impose on different types of affected entities.

The estimate of $18.0 billion represents a gross cost, not a net cost. As discussed more fully below in the benefits section, the benefits of enhanced privacy and confidentiality of personal health information are very significant. If people believe their information will be used properly and not disseminated beyond certain bounds without their knowledge and consent, they will be much more likely to seek proper health care, provide all relevant health information, and abide by their providers' recommendations. In addition, more confidence by individuals and covered entities that privacy will be maintained will lead to an increase in electronic transactions and the efficiencies and cost savings that stem from such action. The benefits section quantifies some examples of benefits. The Department was not able to identify data sources or models that would permit us to measure benefits more broadly or accurately. The inability to quantify benefits, however, does not lessen the importance or value that is ultimately realized by having a national standard for health information privacy.

The largest initial costs resulting from the final Privacy Rule stem primarily from the requirement that covered entities use and disclose only the minimum necessary protected health information, that covered entities develop policies and codify their privacy procedures, and that covered entities designate a privacy official and train all personnel with access to individually identifiable health information. The largest ongoing costs will result from the minimum necessary provisions pertaining to internal uses of individually identifiable health information, and the cost of a privacy official. In addition, covered entities will have recurring costs for training, disclosure tracking and notice requirements. A smaller number of large entities may have significant costs for de-identification of protected health information and additional requirements for research.

The privacy costs are in addition to the Transactions Rule estimates. The cost of complying with the regulation represents approximately 0.23 percent of projected national health expenditures the first year the regulation is enacted. The costs for the first eight years of the final regulation represent 0.07 percent of the increase in national health care costs experienced over the same period.