Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. F. Benefits


There are important societal benefits associated with improving health information privacy. Confidentiality is a key component of trust between patients and providers, and some studies indicate that a lack of privacy may deter patients from obtaining preventive care and treatment. (52) For these reasons, traditional approaches to estimating the value of a commodity cannot fully capture the value of personal privacy. It may be difficult for individuals to assign value to privacy protection because most individuals view personal privacy as a right. Therefore, the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of proposed regulation, and these benefits, alone, suggest that the regulation is warranted. Added to these benefits is the intangible value of privacy, the security that individuals feel when personal information is kept confidential. This benefit is very real and very significant but there are no reliable means of measuring dollar value of such benefit.

As noted in the comment and response section, a number of commenters raised legitimate criticisms of the Department's approach to estimating benefits. The Department considered other approaches, including attempts to measure benefits in the aggregate rather than the specific examples set forth in the NPRM. However, we were unable to identify data or models that would provide credible measures. Privacy has not been studied empirically from an economic perspective, and therefore, we concluded that the approach taken in the NPRM is still the most useful means of illustrating that the benefits of the regulation are significant in relation to the economic costs.

Before beginning the discussion of the benefits, it is important to create a framework for how the costs and benefits may be viewed in terms of individuals rather than societal aggregates. We have estimated the value an insured individual would need to place on increased privacy to make the privacy regulation a net benefit to those who receive health insurance. Our estimates are derived from data produced by the 1998 Current Population Survey from the Census Bureau (the most recent available at the time of the analysis), which show that 220 million persons are covered by either private or public health insurance. Joining the Census Bureau data with the costs calculated in Section E, we have estimated the cost of the regulation to be approximately $6.25 per year (or approximately $0.52 per month) for each insured individual (including people in government programs). If we assume that individuals who use the health care system will be willing to pay more than this per year to improve health information privacy, the benefits of the proposed regulation will outweigh the cost.

This is a conservative estimate of the number of people who will benefit from the regulation because it assumes that only those individuals who have health insurance or are in government programs will use medical services or benefit from the provisions of the proposed regulation. Currently, there are 42 million Americans who do not have any form of health care coverage. The estimates do not include those who pay for medical care directly, without any insurance or government support. By lowering the number of users in the system, we have inflated our estimate of the per-person cost of the regulation; therefore, we assume that our estimate represents the highest possible cost for an individual.

An alternative approach to determining how people would have to value increased privacy for this regulation to be beneficial is to look at the costs divided by the number of encounters with health care professionals annually. Data from the Medical Expenditure Panel Survey (MEPS) produced by the Agency for Healthcare Policy Research (AHCPR) show approximately 776.3 million health care visits (e.g., office visits, hospital and nursing home stays, etc.) in the first year (2003). As with the calculation of average annual cost per insured patient, we divided the total cost of complying with the regulation by the total annual number of health care visits. The cost of instituting requirements of the proposed regulation is $0.19 per health care visit. If we assume that individuals would be willing to pay more than $0.19 per health care visit to improve health information privacy, the benefits of the proposed regulation outweigh the cost.