Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. IV. Final Regulatory Impact Analysis


5 U.S.C. 804(2) (as added by section 251 of Public Law 104-21), specifies that a "major rule" is any rule that the Office of Management and Budget finds is likely to result in:

  • An annual effect on the economy of $100 million or more;
  • A major increase in costs or prices for consumers, individual industries, federal, state, or local government agencies, or geographic regions; or
  • Significant adverse effects in competition, employment, investment productivity, innovation, or on the ability of United States based enterprises to compete with foreign-based enterprises in domestic and export markets.

The impact of this final rule will be over $1 billion in the first year of implementation. Therefore, this rule is a major rule as defined in 5 U.S.C. 804(2).

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is "significant" if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or more, adversely affecting in a material way a sector of the economy, competition, or jobs, or raising novel legal or policy issues. The purpose of the regulatory impact analysis is to assist decision-makers in understanding the potential ramifications of a regulation as it is being developed. The analysis is also intended to assist the public in understanding the general economic ramifications of a regulation, both in the aggregate and in the major policy areas of a regulation, and how they are likely to affect the major industries or sectors of the economy covered by it.

In accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104-121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (OMB) has determined that this rule is a major rule for the purpose of congressional review.

The proposal for the privacy regulation included a preliminary regulatory impact analysis (RIA) which estimated the cost of the rule at $3.8 billion over five years. The preliminary analysis also noted that a number of significant areas were not included in the estimate due to inadequate information. The proposal solicited public comment on these and all other aspects of the analysis. In this preamble, the Department has summarized the public comments pertinent to the cost analysis and its response to them. However, because of the extensive policy changes incorporated in the final regulation, additional data collected from the public comments and the Department's fact-finding, and changes in the methodology underlying the estimates, the Department is setting forth in this section a more complete explanation of its revised estimates and how they were obtained. This will facilitate a better understanding by the public of how the estimates were developed and provide more insight into how the Department believes the regulation will ultimately affect the health care sector.

The impact analysis measures the effect of the regulation on current practices. In the case of privacy, as discussed in the preamble, there already exist considerable, though quite varied, efforts to protect the confidentiality of medical information. The RIA measures the change in these current practices and the cost of the new and additional responsibilities that are required to conform to the new regulation.

To achieve a reasonable level of privacy protection, the Department defined three objectives for the final rule: 1) to establish national baseline standards, implementation specifications, and requirements for health information privacy protection, 2) to protect the privacy of individually identifiable health information maintained or transmitted by covered entities, and 3) to protect the privacy of all individually identifiable health information within covered entities, regardless of its form.

Establishing minimum standards, implementation specifications, and requirements for health information privacy protection creates a level baseline of privacy protection for patients across states. The Health Privacy Project's report, The State of Health Privacy: An Uneven Terrain,33 makes it clear that under the current system of state laws, privacy protection is extremely variable. The Department's statutory authority under HIPAA allows the privacy regulation to preempt any state law that is contrary to and not more stringent than the privacy protection provided pursuant to this regulation. This sets a floor, but permits a state to create laws that are more protective of privacy. We discuss preemption in greater detail in other parts of the preamble.

The second objective is to establish a uniform base of privacy protection for individually identifiable health information maintained or transmitted by covered entities. HIPAA restricts the type of entities covered by the rule to three broad categories: health care providers that transmit health information in HIPAA standard transactions, health plans, and health care clearinghouses. However, there are similar public and private entities that are not within the Department's authority to regulate under HIPAA. For example, life insurance companies are not covered by this rule but may have access to a large amount of individually identifiable health information.

The third objective is to protect the privacy of all individually identifiable health information held by covered entities, including their business associates. Health information is currently stored and transmitted in multiple forms, including electronic, paper, and oral forms. To provide consistent protection to information, and to avoid requiring covered entities to distinguish between health information that has been transmitted or maintained electronically and that which has not, this rule covers all individually identifiable health information in any form maintained or transmitted by a covered entity.

For purposes of this cost analysis, the Department has assumed all health care providers will be affected by the rule. This results in an overestimation of costs because there are providers that do not engage in any HIPAA standard transactions, and therefore, are not affected. The Department could not obtain any reliable data on the number of such providers, but the available data suggest that there are very few such entities, and given the expected increase in all forms of electronic health care in the coming decade, the number of paper-only providers is likely to decrease.