Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. External Studies


Comment: One commenter submitted a detailed analysis of privacy legislation that was pending and concluded that they might cost over $40 billion.

Response: The study did not analyze the policies in the proposal, and therefore, the estimates do not reflect the costs that would have been imposed by the proposed regulation. In fact, the analysis was prepared before the Administration's proposed privacy regulation was even published. As a result, the analysis is of limited relevance to the regulation actually proposed.

The following are examples of assumptions and costs in the analysis that do not match privacy policies or requirements stated in the proposed rule.

1. Authorizations: The study assumed rules requiring new authorizations from current subscribers to use their data for treatment, payment of claims, or other health plan operations. The proposed rule would have prohibited providers or plans from obtaining patient authorization to use data for treatment, payment or health care operations, and the final rule makes obtaining consent for these purposes voluntary for all health plans and for providers that do not have direct treatment relationships with individuals.

2. Disclosure History: The study assumes that providers, health plans, and clearinghouses would have to track all disclosures of health information. Under the NPRM and the final rule, plans, providers and clearinghouses are only required to account for disclosures that are not for treatment, payment, and health care operations, a small minority of all disclosures.

3. Inspection, Copying, and Amendment: The study assumed requirements to allow patients and their subscribers to inspect, copy, and amend all information that includes their name, social security number or other identifying feature (e.g. customer service calls, internal memorandum, claim runs). However, the study assumed broader access than provided in the rule, which requires access only to information in records used to make decisions about individuals, not all records with identifiable information.

4. Infrastructure development: The study attributed significant costs to infrastructure implementation of (computer systems, training, and other compliance costs). As explained below, the compliance requirements are much less extensive than assumed in this study. For example, many providers and plans will not be required to modify their privacy systems but will only be required to document their practices and notify patients of these practices, and others will be able to purchase low-cost, off-the-shelf software that will facilitate the new requirements. The final regulation will not require massive capital expenditures; we assumed, based on our consultants' work, that providers will rely on low-cost incremental adjustments initially, and as their technology becomes outdated, they will replace it with new systems that incorporate the HIPAA standard requirements.

Although many of the policy assumptions in the study are fundamentally different than those in the proposed or final regulation, the study did provide some assistance to the Department in preparing its final analysis. The Department compared data, methodologies and model assumptions, which helped us think more critically about our own analysis and enhanced the quality of our final work.

Comment: One commenter submitted a detailed analysis of the NPRM Regulatory Impact Analysis and concluded that it might cost over $64 billion over 5 years. This analysis provided an interesting framework for analyzing the provision for the rule. More precisely, the analysis generally attempted to identify the number of entities would be required to comply with each of the significant provision of the proposed rule, then estimated the numbers of hours required to comply per entity, and finally, estimated an hourly wage.

Response: HHS adopted this general structure for the final RIA because it provided a better framework for analysis than what the Department had done in the NPRM. However, HHS did not agree with many of the specific assumptions used by in this analysis, for several reasons. First, in some instances the assumptions were no longer relevant because the requirements of the NPRM were altered in the final rule. For other assumptions, HHS found more appropriate data sources for the number of covered entities, wages rates and trend rates or other factors affecting costs. In addition, HHS believes that in a few instances, this analysis over-estimated what is required of covered entities to comply. Based on public comments and its own factfinding, the Department believes many of its assumptions used in the final analysis more accurately reflect what is likely to be the real cost of the regulation.