Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Minimum Necessary


The "minimum necessary" policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine and recurring basis, such as insurance claims, a covered entity is required to have policies and procedures for governing such exchanges (but the rule does not require a case-by-case determination); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed.

Based on public comments and subsequent fact-finding, the Department has concluded that the requirements of the final rule are generally similar to the current practice of most providers. For standard disclosure requests, for example, providers generally have established procedures for determining how much health information is released. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much health information is necessary for such disclosure. Under the final rule, we anticipate providers will have to be more thorough in their policies and procedures and more vigilant in their oversight of them; hence, the costs of this provision are significant.

To make the final estimates for this provision, the Department considered the minimum necessary requirement in two parts. First, providers, hospitals, and health plans will need to establish policies and procedures which govern uses and disclosures of protected health information. Next, these entities will need to adjust current practices that do not comply with the rule, such as updating passwords and making revisions to software.

To determine the policies and procedures for the minimum necessary requirement, the Department assumed that each hospital would spend 160 hours, health plans would spend 107 hours, and non-hospital providers would spend 8 hours. As noted above, the time estimates for this and other provisions of the rule are considered an average number of person-hours for the institutions involved. An underlying assumption is that some hospitals, and to a lesser extent health plans, are part of chains or larger entities that will be able to prepare the basic materials at a corporate level for a number of covered entities.

Once the policies and procedures are established, the Department estimates there will be costs resulting from implementing the new policies and procedures to restrict internal uses of protected health information to the minimum necessary. Initially, this will require 560 hours for hospitals, 160 hours for health plans, and 12 hours for non-hospital providers. 47 The wage for health care providers and hospitals is estimated at $47.28, a weighted average of various health care professionals based on CPS data; the wage for health plans is estimated to be $33.82, based on average wages in the insurance industry (note that all wage assumptions in this impact analysis assume a 39 percent load for benefits, the standard Bureau of Labor Statistics assumption). In addition, there will be time required on an annual basis to ensure that the implemented practices continue to meet the requirements of the rule. Therefore, the Department estimates that on an annual ongoing basis (after the first year), hospitals will require 320 hours, health plans 100 hours, and non-hospital providers 8 hours to comply with this provision.

The initial cost attributable to the minimum necessary provision is $926 million. The total cost of the provision is $5.757 billion. (These estimates are for the cost of complying with the minimum necessary provisions that restrict internal uses to the minimum necessary. The Department has estimated in the business associates section below the requirement limiting disclosures outside the covered entity to the minimum amount necessary.)