
Standards for Privacy of Individually Identifiable Health Information

V. Preliminary Regulatory Flexibility Analysis

The Department also examined the impact of this proposed Rule as required by the Small Business Regulatory Enforcement and Fairness Act (SBREFA) (5 U.S.C. 601, et seq.). SBREFA requires agencies to determine whether a rule will have a significant economic impact on a substantial number of small entities.

The law does not define the thresholds to use in implementing the law and the Small Business Administration discourages establishing quantitative criteria. However, the Department has long used two criteria--the number of entities affected and the impact on revenue and costs--for assessing whether a regulatory flexibility analysis is necessary. Department guidelines state that an impact of three to five percent should be considered a significant economic impact. Based on these criteria, the Department has determined that a regulatory flexibility analysis is not required.

As described in the December 2000 Regulatory Flexibility Analysis for the Privacy Rule, most covered entities are small businesses--approximately 465,000. See Table A, 65 FR 82780 (December 28, 2000). Lessening the burden for small entities, consistent with the intent of protecting privacy, was an important consideration in developing these modifications. However, as discussed in the Final Regulatory Impact Analysis, above, the net effect of the modifications is an overall savings of approximately $100 million over ten years. Even if all of this savings were to accrue to small entities (an overestimation), the impact per small entity would be de minimis.

VI. Collection of Information Requirements

Under the Paperwork Reduction Act (PRA) of 1995, the Department is required to provide 30-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues:

  • The need for the information collection and its usefulness in carrying out the proper functions of the agency;
  • The accuracy of the estimate of the information collection burden;
  • The quality, utility, and clarity of the information to be collected; and
  • Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Section A below summarizes the proposed information collection requirements on which we explicitly seek, and will consider, public comment for 30 days. Due to the complexity of this regulation, and to avoid redundancy of effort, we are referring readers to Section V (Final Regulatory Impact Analysis published in the Federal Register on December 28, 2000), to review the detailed cost assumptions associated with these PRA requirements.

Section B below references the HIPAA Privacy Rule regulation sections published for 60-day public comment on November 3, 1999, and for 30-day public comment on December 28, 2000, in compliance with the PRA public comment process. These earlier publications contained the information collection requirements for these sections as required by the PRA. The portions of the Privacy Rule, included by reference only in Section B, have not changed subsequent to the two public comment periods. Thus, the Department has fulfilled its statutory obligation to solicit public comment on the information collection requirements for these provisions. The information in Section B is pending OMB PRA approval, but is not reopened for comment. However, for clarity purposes, we will upon this publication submit to OMB for PRA review and approval the entire set of information collection requirements referenced in Secs. 160.204, 160.306, 160.310, 164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524, 164.526, 164.528, and 164.530.

Section A

1. Section 164.506--Consent for Treatment, Payment, and Health Care Operations

Under the Privacy Rule, as issued in December 2000, a covered health care provider that has a direct treatment relationship with individuals would have had, except in certain circumstances, to obtain an individual's consent to use or disclose protected health information to carry out treatment, payment, and health care operations. The amended final Rule eliminates this requirement.

2. Section 164.520--Notice of Privacy Practices for Protected Health Information

The amended final Privacy Rule imposes a good faith effort on direct treatment providers to obtain an individual's acknowledgment of receipt of the entity's notice of privacy practices for protected health information, and to document such acknowledgment or, in the absence of such acknowledgment, the entity's good faith efforts to obtain it.

The underlying requirements for notice of privacy practices for protected health information are not changed. These requirements provide that, except in certain circumstances set forth in this section of the Rule, individuals have a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. To comply with this requirement a covered entity must provide a notice, written in plain language, that includes the elements set forth at Sec. 164.520(b). For health plans, there will be an average of 160.2 million notices each year. We assume that the most efficient means of distribution for health plans will be to send them out annually as part of the materials they send to current and potential enrollees, even though it is not required by the regulation. The number of notices per health plan per year would be about 10,570. We further estimate that it will require each health plan, on average, only 10 seconds to disseminate each notice. The total annual burden associated with this requirement is calculated to be 267,000 hours.

Health care providers with direct treatment relationships would:

  • Provide a copy of the notice to an individual at the time of first service delivery to the individual;
  • Make the notice available at the service delivery site for individuals to request and take with them;
  • Whenever the content of the notice is revised, make it available upon request and post it, if required by this section, in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice.

The annual number of notices disseminated by all providers is 613 million. We further estimate that it will require each health care provider, on average, 10 seconds to disseminate each notice. This estimate is based upon the assumption that the required notice will be incorporated into and disseminated with other patient materials. The total annual burden associated with this requirement is calculated to be 1 million hours. However, the amended final Privacy Rule also imposes a good faith effort on direct treatment providers to obtain an individual's acknowledgment of receipt of the provider's notice, and to document such acknowledgment or, in the absence of such acknowledgment, the provider's good faith efforts to obtain it. The estimated burden for the acknowledgment of receipt of the notice is 10 seconds for each notice. This is based on the fact that the provider does not need to take elaborate steps to receive acknowledgment. Initialing a box on an existing form or some other simple means will suffice. With the annual estimate of 613,000,000 acknowledgment forms it is estimated that the acknowledgment burden is 1,000,000 hours.

A covered entity is also required to document compliance with the notice requirements by retaining copies of the versions of the notice issued by the covered entity, and a direct treatment provider is required to retain a copy of each individual's acknowledgment or documentation of the good faith effort as required by Sec. 164.530(j).

3. Appendix to Preamble--Sample Business Associate Contract Provisions

The Department also solicits public comments on the collection of information requirements associated with the model business associate contract language displayed in the Appendix to this preamble Rule. The language displayed has been changed in response to comments on the language that was published with the Notice of Proposed Rulemaking on March 27, 2002. The Department provided the model business associate contract provisions in response to numerous requests for guidance. These provisions were designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these model provisions is not required for compliance with the Privacy Rule. Nor is the model language a complete contract. Rather, the model language is designed to be adapted to the business arrangement between the covered entity and the business associate and to be incorporated into a contract drafted by the parties.

Section B

As referenced above, the Department has complied with the public comment process as it relates to the information collection requirements contained in the sections of regulation referenced below. The Department is referencing this information solely for the purposes of providing an overview of the regulation sections containing information collection requirements established by the final Privacy Rule.

Section 160.204--Process for Requesting Exception Determinations

Section 160.306--Complaints to the Secretary

Section 160.310--Responsibilities of Covered Entities

Section 164.502--Uses and Disclosures of Protected Health Information: General Rules

Section 164.504--Uses and Disclosures--Organizational Requirements

Section 164.508--Uses and Disclosures for Which Individual Authorization Is Required

Section 164.510--Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object

Section 164.512--Uses and Disclosures for Which Consent, an Authorization, or Opportunity to Agree or Object is Not Required

Section 164.514--Other Procedural Requirements Relating to Uses and Disclosures of Protected Health Information

Section 164.522--Rights to Request Privacy Protection for Protected Health Information

Section 164.524--Access of Individuals to Protected Health Information

Section 164.526--Amendment of Protected Health Information

Section 164.528--Accounting for Disclosures of Protected Health Information

Section 164.530--Administrative Requirements

C. Comments on Information Collection Requirements in Section A

The Department has submitted a copy of these modifications to the Privacy Rule to OMB for its review and approval of the information collection requirements summarized in Section A above. If you comment on any of the modifications to the information collection and record keeping requirements in Secs. 164.506, 164.520, and/or the model business associate contract language please mail copies directly to the following:

Center for Medicaid and Medicare Services
Information Technology Investment Management Group
Division of CMS Enterprise Standards, Room C2-26-17
7500 Security Boulevard
Baltimore, MD 21244-1850
ATTN: John Burke, HIPAA Privacy

and

Office of Information and Regulatory Affairs
Office of Management and Budget, Room 10235
New Executive Office Building
Washington, DC 20503
ATTN: Brenda Aguilar, CMS Desk Officer

VII. Unfunded Mandates

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in an expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $110 million in a single year. A final cost-benefit analysis was published in the Privacy Rule of December 28, 2000 (65 FR 82462, 82794). In developing the final Privacy Rule, the Department adopted the least burdensome alternatives, consistent with achieving the Rule's goals. The Department does not believe that the amendments to the Privacy Rule would qualify as an unfunded mandate under the statute.

VIII. Environmental Impact

The Department has determined under 21 CFR 25.30(k) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

IX. Executive Order 13132: Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The Federalism implications of the Privacy Rule were assessed as required by Executive Order 13132 and published in the Privacy Rule of December 28, 2000 (65 FR 82462, 82797). The amendments with the most direct effect on Federalism principles concern the clarifications regarding the rights of parents and minors under State law.

The amendments make clear the intent of the Department to defer to State law with respect to such rights. Therefore, the Department believes that the amended Privacy Rule would not significantly affect the rights, roles and responsibilities of States.
