This proposed rule is no longer the most current information.
It will continue to be available for reference, but the
final rule has been published.
Proposed Standards for Privacy and Individually Identifiable Health
Information
Section 804(2) of title 5, United States Code (as added by section
251 of Public Law 104-121), specifies that a major rule
is any rule that the Office of Management and Budget finds is likely
to result in:
- An annual effect on the economy of $100 million or more;
- A major increase in costs or prices for consumers, individual
industries, Federal, State, or local government agencies, or geographic
regions; or
- Significant adverse effects on competition, employment, investment,
productivity, innovation, or on the ability of United States based
enterprises to compete with foreign-based enterprises in domestic
and export markets.
We estimate that the impact of this final rule will be over $1
billion in the first year of implementation. Therefore, this rule
is a major rule as defined in Title 5, United States Code, section
804(2).
DHHS has examined the impacts of this proposed rule under Executive
Order 12866. Executive Order 12866 directs agencies to assess all
costs and benefits of available regulatory alternatives and, when
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects; distributive impacts; and equity). According
to Executive Order 12866, a regulatory action is significant
if it meets any one of a number of specified conditions, including
having an annual effect on the economy of $100 million or adversely
affecting in a material way a sector of the economy, competition,
or jobs or if it raises novel legal or policy issues. DHHS finds
that this proposed rule is a significant regulatory action as defined
by Executive Order 12866. Also in accordance with the provisions
of Executive Order 12866, this proposed rule was reviewed by the
Office of Management and Budget.
When this proposed rule becomes a final rule, in accordance with
the Small Business Regulatory Enforcement and Fairness Act (Pub.
L. 104-121), the Administrator of the Office of Information and
Regulatory Affairs of the Office of Management and Budget (the Administrator)
has determined that this proposed rule would be a major rule for
the purpose of congressional review. A major rule for this purpose
is defined in 5 U.S.C. 804(2) as one that the Administrator has
determined has resulted or is likely to result in an annual effect
on the economy of $100 million or more; a major increase in costs
or prices for consumers, individual industries, federal, State, or
local government agencies, or geographic regions; or significant
adverse effects on competition, employment, investment, productivity,
innovation, or on the ability of U.S.-based enterprises to compete
with foreign-based enterprises in domestic or export markets.
The Health Insurance Portability and Accountability Act of 1996
(HIPAA) projects a significant increase in the number of medical
transactions that will be conducted or transmitted electronically.
HIPAA notes the privacy needs that result when individually identifiable
health information can be transmitted quickly through electronic
information systems. While there is a compelling need to protect
the privacy of health information in today's health care system,
the expected growth of electronic systems to aid medical diagnostics,
claims processing, and research makes it even more critical to improve
privacy protections.
A fundamental assumption of this regulation is that the greatest
benefits of improved privacy protection will be realized in the
future as patients gain increasing trust in health care practitioners'
ability to maintain the confidentiality of their health information.
Furthermore, our analysis rests on the principle that health information
privacy is a right, and as such, cannot be valued solely by market
costs. Because it is difficult to measure future benefits based
on present data, our estimates of the costs and benefits of this
regulation are based on the current business environment and do
not include projections beyond five years. As a result, we cannot
accurately account for all of the regulation's future costs
and benefits, but the Department is confident that future benefits
will be higher than those stated in this analysis.
In order to achieve a reasonable level of privacy protection, we
have three objectives for the proposed rule: 1) to establish baseline
standards for health care privacy protection, 2) to establish protection
for all health information maintained or transmitted by covered
entities, and 3) to protect the privacy of health information that
is maintained in electronic form, as well as health information
generated by electronic systems.
Establishing minimum standards for health care privacy protection
is an attempt to create a baseline level of privacy protection for
patients across States. The Health Privacy Project's report,
The State of Health Privacy: An Uneven Terrain (1),
makes it clear that under the current system of state laws, privacy
protection is extremely variable. Our statutory authority under
HIPAA allows us to preempt state laws when state law provides less
stringent privacy protection than the regulation. Only in cases
where state law does not protect the patient's health information
as stringently as in this proposed rule, or when state law is more
restrictive of a patient's right to access their own health
care information, will our rule preempt state law. We discuss preemption
in greater detail in other parts of the preamble (see the effects
of the rule on state laws, section 2 below).
Our second objective is to establish a uniform base of protection
for all health information maintained or transmitted by covered
entities. As discussed in the preamble, HIPAA restricts the type
of entities covered by the proposed rule to three broad categories:
health care providers, health care clearinghouses, and health plans.
However, there are similar public and private entities that we do
not have the authority to regulate under HIPAA. For example, life
insurance companies are not covered by this proposed rule but have
access to a large amount of protected health information. State
government agencies not directly linked to public health functions
or health oversight may also have access to protected health information.
Examples of this type of agency include the motor vehicle administration,
which frequently maintains individual health information, and welfare
agencies that routinely hold health information about their clients.
Our third objective is to protect the privacy of health information
that is maintained in electronic form, as well as health information
generated by electronic systems. Health information is currently
stored and transmitted in multiple forms, including in electronic,
paper, and oral formats. In order to provide consistent protection
to information that has been electronically transmitted or maintained,
we propose that this rule cover all personal, protected health information
that has ever been maintained or transmitted electronically. This
type of information includes output such as computer printouts,
X-rays, magnetic tape, and other information that was originally
maintained or transmitted electronically. For example, laboratory
tests are often computer generated, printed out on paper, and then
stored in a patient's record. Because such lab results were
originally maintained electronically, the post-electronic (i.e.,
printed) output of those lab results would also be covered under
the proposed rule.
It is important to note that the use of electronic systems to maintain
and transmit health information is growing among health care providers
and health plans. Faulkner and Gray report that provider use of
electronically processed health transactions grew from 47 percent
to 62 percent between 1994 and 1998. Payer use of electronic transactions
grew 17 percent between 1996 and 1997. Once all of the HIPAA administrative
simplification standards are implemented, we expect the number of
electronic transactions processed by payers and providers to grow.
The variation in business practice regarding use of paper records
versus electronic media for storing and transmitting health information
is captured by comparing the percentage of providers that submit
paper claims with those that submit electronic claims. Faulkner
& Gray's Health Data Directory (2)
shows that only 40 percent of non-Medicare physician claims and
16 percent of dental claims were submitted electronically in 1998.
In contrast, 88 percent of all pharmacy claims were submitted electronically.
We believe that most physicians either have, or will have in the
near future, the capacity to submit claims electronically. Faulkner
and Gray reported that in 1998, 81 percent of physicians with Medicare
patients submitted their Medicare claims electronically. The difference
in the percent of electronic claims submitted to Medicare suggests
that physicians' decisions to submit claims electronically
may be heavily influenced by the administrative requirements of
the health plan receiving the claim. Since HIPAA requires all health
plans to accept electronic transactions and, in order to compete
in the technologically driven health care market, more health plans
may require electronic claims submissions, physicians will conduct
many more electronic transactions in the near future. Therefore,
it is extremely important that adequate privacy protections are
implemented now.
A. Relationship of this Analysis to Analyses in Other HIPAA Regulations.
Historically, Congress has recognized that privacy standards must
accompany the electronic data interchange standards and that the
increased ease of transmitting and sharing individually identifiable
health information must be accompanied by an increase in the privacy
and confidentiality. In fact, the bulk of the first
Administrative Simplification section that was debated on the floor
of the Senate in 1994 (as part of the Health Security Act) was made
up of privacy provisions. Although the requirement for the issuance
of concomitant privacy standards remained a part of the bill passed
by the House of Representatives, the requirement for privacy standards
was removed in conference. This section was moved from the standard-setting
authority of Title XI (section 1173 of the Act) and placed in a
separate section of HIPAA, section 264. Subsection (b) of section
264 required the Secretary of HHS to develop and submit to the Congress
recommendations for:
(1) The rights that an individual who is a subject of individually
identifiable health information should have.
(2) The procedures that should be established for the exercise
of such rights.
(3) The uses and disclosures of such information that should be
authorized or required.
The Secretary's Recommendations were submitted to the Congress
on September 11, 1997, and are summarized below. Section 264(c)(1)
provides that:
If legislation governing standards with respect to the privacy
of individually identifiable health information transmitted in
connection with the transactions described in section 1173(a)
of the Social Security Act (as added by section 262) is not enacted
by [August 21, 1999], the Secretary of Health and Human Services
shall promulgate final regulations containing such standards not
later than [February 21, 2000]. Such regulations shall address
at least the subjects described in subsection (b).
As the Congress did not enact legislation governing standards with
respect to the privacy of individually identifiable health information
prior to August 21, 1999, HHS has now, in accordance with this statutory
mandate, developed proposed rules setting forth standards to protect
the privacy of such information.
These privacy standards have been, and continue to be, an integral
part of the suite of Administrative Simplification standards intended
to simplify and improve the efficiency of the administration of
our health care system.
The proposed rule should be considered along with all of the administrative
simplification standards required by HIPAA. We assessed several
strategies for determining the impact of this proposed rule. We
considered whether it would be accurate to view the impact as a
subset of the overall HIPAA standards or whether this privacy component
should be viewed as an addition to the earlier impact analyses related
to HIPAA. We decided that while this proposed rule is considered
one of the HIPAA standards, any related costs or benefits should
be viewed as an addition to earlier analyses. The original HIPAA
analyses did not incorporate the expected costs and benefits of
privacy regulation because, at the time of the original analyses,
we did not know whether Congress would enact legislation or whether
privacy would need to be addressed by regulation. Therefore, much
of our cost analysis is based on the expected incremental costs
above those related to other HIPAA regulations.
B. Summary of Costs and Benefits.
The Department has estimated the costs and benefits of the proposed
rule based on several caveats. In general, it is difficult to estimate
the costs and benefits of improved privacy protection. The ability
to measure costs of the proposed regulation is limited because there
is very little data currently available on the cost of privacy protection.
The Department has not been able to estimate costs for a number
of requirements of the proposed regulation that we know will impose
some cost to covered entities. For those elements for which there
are estimated costs, data and information limitations limit the
precision of the Department's estimates; for those reasons
we have provided an overall range of costs in addition to point
estimates, and welcome further information from the public as part
of the comment process. Furthermore, the number of new privacy requirements
that the regulation will introduce to the health care industry exacerbates
the difficulty of estimating the benefits of privacy. Benefits are difficult
to measure because we conceive of privacy primarily as a right and
secondarily as a commodity. As discussed below, the significant
benefits of the proposed regulation to individuals and society can
be demonstrated by illustrating the serious privacy concerns raised
by mental health, substance abuse, cancer screening, and HIV/AIDS
patients and the benefits that may be derived from greater privacy.
The estimated cost of compliance with the proposed rule would be
at least $3.8 billion over five years. The cost includes estimates
for the majority of the requirements of the proposed regulation,
but not all. These estimates include costs to federal, State, and
local governments. Federal, State, and local costs are therefore
a subset of total costs. Based on a plausible range of costs for
the key components of the analysis, the cost of the regulation would
likely be in the range $1.8 to $6.3 billion over five years (not
including those elements of the regulation for which we could not
make any cost estimates).
The compliance costs are in addition to Administrative Simplification
estimates. The cost of complying with the privacy regulation represents
about 0.09 percent of projected national health expenditures during
the first year following the regulation's enactment. The five-year
cost of the proposed regulation also represents 1.0 percent of the
increase in health care costs that will occur during the same five-year
period (3).
The largest cost item is the amending and correcting of records,
which would represent over one-half of total costs. Provider and
plan notices, which we estimate would cost $439 million, are the
second largest cost, and inspection and copying of records is estimated
to be $405 million. The one-time costs for providers to develop
policies and procedures represent somewhat less than 10 percent
of the total cost, or $333 million. Plans would bear a substantially
smaller cost--approximately $62 million. Other systems changes would
cost about $90 million over the period. The cost of administering
written authorizations would total approximately $271 million over
five years.
The cost estimates include private- and public-sector costs. Many
of the public-sector cost elements will be the same as those in
the private market. However, privacy notices are likely to represent
a smaller fraction of total public-sector costs, while systems compliance
costs in the public sector may be higher than in the private sector
due to oversight and administrative requirements.
The costs presented in this document are the Department's
best estimates of the cost of implementing the proposed regulation
based on available information and data. Because of inadequate data,
we have not made cost estimates for the following components of the
regulation: the principle of minimum necessary disclosure; the requirement
that entities monitor business partners with whom they share PHI;
creation of de-identified information; internal complaint processes;
sanctions; compliance and enforcement; the designation of a privacy
official and creation of a privacy board; and additional requirements
on research/optional disclosures that will be imposed by the regulation.
The cost of these provisions may be significant in some cases, but
it would be inaccurate to project costs for these requirements given
the fact that several of these concepts are new to the industry,
and there is little direct evidence on costs. We solicit comment
regarding costs of the regulation that we have not quantified.
The privacy protections established by this regulation will provide
major social benefits. Establishing privacy protection as a fundamental
right is an important goal and will have significant, non-quantifiable
social benefits. A well-designed privacy standard can be expected
to build confidence among the public about the confidentiality of
their health information. Increased confidence in the privacy of
an individual's health information can be expected to increase
the likelihood that many people will seek treatment for particular
classes of disease, particularly mental health conditions, sexually
transmitted diseases such as HIV/AIDS, and earlier screening for
certain cancers. The increased utilization of medical services that
would result from increased confidence in privacy would lead to
improved health for the individuals involved, reduced costs to society
associated with delayed treatments, and improved public health attributable
to reduced transmission of communicable diseases.
Table 1. The Cost of Complying with the Proposed Privacy
Regulation, in Dollars

| Provision | Initial or First Year Cost (2000) | Annual Cost after the First Year | Five Year (2000-2004) Cost |
|---|---|---|---|
| Development of Policies and Procedures - Providers (totaling 871,294) | $333,000,000 | | $333,000,000 |
| Development of Policies and Procedures - Plans (totaling 18,225) | $62,000,000 | | $62,000,000 |
| System Changes - All Entities | $90,000,000 | | $90,000,000 |
| Notice Development Cost - All Entities | $20,000,000 | | $30,000,000 |
| Notice Issuance - Providers | $59,730,000 | $37,152,000 | $208,340,000 |
| Notice Issuance - Plans | $46,200,000 | $46,200,000 | $231,000,000 |
| Inspection/Copying | $81,000,000 | $81,000,000 | $405,000,000 |
| Amendment/Correction | $407,000,000 | $407,000,000 | $2,035,000,000 |
| Written Authorization | $54,300,000 | $54,300,000 | $271,500,000 |
| Paperwork/Training | $22,000,000 | $22,000,000 | $110,000,000 |
| Other Costs* | N/E** | N/E | N/E |
| Total | $1,165,230,000 | $647,652,000 | $3,775,840,000 |

*Other Costs include: minimum necessary disclosure; monitoring
business partners with whom entities share PHI; creation of
de-identified information; internal complaint processes; sanctions;
compliance and enforcement; the designation of a privacy official
and creation of a privacy board; additional requirements on
research/optional disclosures that will be imposed by the
regulation.
**N/E = Not estimated
We promote the view that privacy protection is an important personal
right, and suggest that the greatest of the benefits of the proposed
regulation are impossible to estimate based on the market value
of health information alone. However, it is possible to evaluate
some of the benefits that may accrue to individuals as a result
of proposed regulation, and these benefits, alone, demonstrate that
the regulation is warranted.
These benefits are considered both qualitatively and quantitatively.
As a framework for the discussion, the cost of the provisions in
the regulation that have been quantified is $0.46 per health care
encounter. Although the value of privacy cannot be fully calculated,
it is worth noting that if individuals would be willing to pay more
than $0.46 per health care encounter to improve health information
privacy, the benefits of the proposed regulation would outweigh
the cost.
Several qualitative examples illustrate the benefits of the proposed
regulation. In one case, medical privacy concerns may prevent patients
from obtaining early testing and screening for certain types of
cancer. For types of cancer for which screening is available, survival
rates might increase to 95 percent when the cancer is diagnosed in the
early stages (4). For HIV/AIDS patients, new treatments for
patients who are diagnosed with HIV in the early stages may save
$23,700 per quality-adjusted year of life saved (5).
Later in this document, the potential to reduce illness and disability
associated with sexually transmitted diseases is discussed.
We recognize that many of the costs and benefits of health information
privacy are difficult to quantify, but we believe that our estimates
represent a reasonable range of the economic costs and benefits
associated with the regulation.
C. Need for the Proposed Action.
Privacy is a fundamental right. As such, it has to be viewed differently
than any ordinary economic good. Although the costs and benefits
of a regulation need to be considered as a means of identifying
and weighing options, it is important not to lose sight of the inherent
meaning of privacy: it speaks to our individual and collective freedom.
A right to privacy in personal information has historically found
expression in American law. All fifty states today recognize in
tort law a common law or statutory right to privacy. Many states
specifically provide a remedy for public revelation of private facts.
Some states, such as California and Tennessee, have a right to privacy
as a matter of state constitutional law. The multiple historical
sources for legal rights to privacy are traced in many places, including
Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen
Alderman & Caroline Kennedy, The Right to Privacy (1995).
To take but one example, the Fourth Amendment to the United States
Constitution guarantees that "the right of the people to be
secure in their persons, houses, papers and effects, against unreasonable
searches and seizures, shall not be violated." By referring
to the need for security of "persons" as well as "papers
and effects" the Fourth Amendment suggests enduring values
in American law that relate to privacy. The need for security of
"persons" is consistent with getting patient consent before
performing invasive medical procedures. The need for security in
"papers and effects" underscores the importance of protecting
information about the person, contained in sources such as personal
diaries, medical records, or elsewhere. As is generally true for
the right of privacy in information, the right is not absolute.
The test instead is what constitutes an "unreasonable"
search of the papers and effects.
The United States Supreme Court has specifically upheld the constitutional
protection of personal health information. In Whalen v. Roe,
429 U.S. 589 (1977), the Court analyzed a New York statute that
created a database of persons who obtained drugs for which there
was both a lawful and unlawful market. The Court, in upholding the
statute, recognized at least two different kinds of interests within
the constitutionally protected "zone of privacy." "One
is the individual interest in avoiding disclosure of personal matters,"
such as this proposed regulation principally addresses. This interest
in avoiding disclosure, discussed in Whalen in the context
of medical information, was found to be distinct from a different
line of cases concerning "the interest in independence in making
certain kinds of important decisions." In the recent case of
Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court
held that statements made to a therapist during a counseling session
were protected against civil discovery under the Federal Rules of
Evidence. The Court noted that all fifty states have adopted some
form of the psychotherapist-patient privilege. In upholding the
federal privilege, the Supreme Court stated that it "serves
the public interest by facilitating the appropriate treatment for
individuals suffering the effects of a mental or emotional problem.
The mental health of our citizenry, no less than its physical health,
is a public good of transcendent importance."
Many writers have urged a philosophical or common-sense right to
privacy in one's personal information. Examples include Alan Westin,
Privacy and Freedom (1967) and Janna Malamud Smith, Private
Matters: In Defense of the Personal Life (1997). These writings
emphasize the link between privacy and freedom and privacy and the
"personal life," or the ability to develop one's own personality
and self-expression. Smith, for instance, states:
The bottom line is clear. If we continually, gratuitously, reveal
other people's privacies, we harm them and ourselves, we undermine
the richness of the personal life, and we fuel a social atmosphere
of mutual exploitation. Let me put it another way: Little in life
is as precious as the freedom to say and do things with people
you love that you would not say or do if someone else were present.
And few experiences are as fundamental to liberty and autonomy
as maintaining control over when, how, to whom, and where you
disclose personal material. Id. at 240-241.
Individuals' right to privacy in information about themselves is
not absolute. It does not, for instance, prevent reporting of public
health information on communicable diseases or stop law enforcement
from getting information when due process has been observed. But
many people believe that individuals should have some right to control
personal and sensitive information about themselves.
Among different sorts of personal information, health information
is among the most sensitive. Many people believe that details about
their physical self should not generally be put on display for neighbors,
employers, and government officials to see. Informed consent laws
place limits on the ability of other persons to intrude physically
on a person's body. Similar concerns apply to intrusions on information
about the person. Moving beyond these facts of physical treatment,
there is likely a greater intrusion when the medical records reveal
details about a person's mental state, such as during treatment
for mental health. If, in Justice Brandeis' words, the "right
to be let alone" means anything, then it likely applies to
having outsiders have access to one's intimate thoughts, words,
and emotions.
In addition to these arguments based on the right to privacy in
personal information, market failures will arise to the extent that
privacy is less well protected than the parties would have agreed
to, if they were fully informed and had the ability to monitor and
enforce contracts. The chief market failures with respect to privacy
concern information, negotiating, and enforcement costs. The information
costs arise because of the information asymmetry between the company
and the patient -- the company typically knows far more than the
patient about how the information will be used by that company.
A health care provider or plan, for instance, knows many details
about how protected health information will be generated, combined
with other databases, or sold to third parties.
Patients face at least two layers of cost in learning about how
their information is used. First, as with many aspects of health
care, patients face the challenge of trying to understand technical
medical terminology and practices. It will often be difficult for
a patient to understand the medical records and the implications
of transferring various parts of such records to a third party.
Second, especially in the absence of consistent national rules,
patients may face significant costs in trying to learn and understand
the nature of a company's privacy policies.
The costs of learning about companies' policies are magnified by
the difficulty patients face in detecting whether companies in fact
are complying with those policies. Patients might try to adopt strategies
for monitoring whether companies have complied with their announced
policies. For instance, if a person received health care from several
providers that promised not to sell her name to third parties, she
could report a different middle initial to each provider. She could
then identify the provider that broke the agreement by noticing
the middle initials that later appeared on an unsolicited marketing
letter. These sorts of strategies, however, are both costly (in
time and effort) and likely to be ineffective. A company using the
patient's name, for instance, could cross-check her address with
her real name, and thereby insert the correct middle initial. In
addition, modern health care often requires protected health information
to flow legitimately among multiple entities for purposes of treatment,
payment, health care operations, and other necessary uses. Even
if the patient could identify the provider whose data ultimately
leaked, the patient could not easily tell which of those multiple
entities had impermissibly transferred her information.
The cost and ineffectiveness of monitoring logically leads to less
than optimal protection of health information. Consider the incentives
facing a company that acquires protected health information. That
company gains the full benefit of using the information, including
in its own marketing efforts or in the fee it can receive when it
sells the information to third parties. The company, however, does
not suffer the full losses from disclosure of protected health information.
Because of imperfect monitoring, customers often will not learn
of, and thus not be able to enforce against, that unauthorized use.
They will not be able to discipline the company efficiently in the
marketplace for its less-than-optimal privacy practices. Because
the company internalizes the gains from using the information, but
does not bear a significant share of the cost to patients (in terms
of lost privacy), it will have a systematic incentive to over-use
protected health information. In market failure terms, companies
will have an incentive to use protected health information where
the patient would not have freely agreed to such use.
These difficulties in contract enforcement are made worse by the
third-party nature of many health insurance and payment systems.
Even where individuals would wish to bargain for privacy, they may
lack the legal standing to do so. For instance, employers often
negotiate the terms of health plans with insurers. The employee
may have no voice in the privacy or other terms of the plan, facing
a take-it-or-leave-it choice of whether to be covered by insurance.
The incentive of employers may be contrary to the wishes of employees
-- employers may in some cases inappropriately insist on having
access to sensitive medical information in order to monitor employees'
behavior and health status. In light of these complexities, there
are likely significant market failures in the bargaining on privacy
protection. Many privacy-protective agreements that patients would
wish to make, absent barriers to bargaining, will not be reached.
The economic, legal and philosophical arguments become more compelling
as the medical system shifts from predominantly paper to predominantly
electronic records. From an economic perspective, market failures
will arise to the extent that privacy is less well protected than
the parties would have agreed to, if they were fully informed and
had some equality of bargaining power. The chief market failures
with respect to privacy concern information and bargaining costs.
The information costs arise because of the information asymmetry
between the company and the patient -- the company typically knows
far more than the patient about how the information will be used
by that company. A health care provider or plan, for instance, knows
many details about how protected health information will be generated,
combined with other databases, or sold to third parties.
Rapid changes in information technology mean that the size of the
market failures will likely increase greatly in the markets for
personal health information. Improvements in computers and networking
mean that the costs of gathering, analyzing, and disseminating electronic
data are plunging. Market forces are leading many medical providers
and plans to shift from paper to electronic records, due both to
lower cost and the increased functionality provided by having information
in electronic form. These market changes will be accelerated by
the administrative simplification implemented by the other regulations
promulgated under HIPAA. A chief goal of administrative simplification,
in fact, is to create a more efficient flow of medical information
where appropriate. This proposed privacy regulation is an integral
part of the overall effort of administrative simplification; it
creates a framework for more efficient flows for certain purposes,
including treatment and payment, while restricting flows in other
circumstances except where appropriate institutional safeguards
exist.
If the medical system shifts to predominantly electronic records
in the near future, without use of accompanying privacy rules, then
one can imagine a near future where clerical and medical workers
all over the country may be able to pull up protected health information
about individuals -- without meaningful patient consent and without
effective institutional controls against further dissemination.
In terms of the market failure, it will become more difficult for
patients to know how their health provider or plan is using their
personal health information. It will become more difficult to monitor
the subsequent flows of protected health information, as the number
of electronic flows and possible points of leakage both increase.
Similarly, the costs and difficulties of bargaining to get the patients'
desired level of use will likely rise due to the greater number and
types of entities that receive protected health information.
As the benefits section, below, discusses in more detail, the protection
of privacy and correcting the market failure have practical implications.
Where patients are concerned about lack of privacy protections,
they might fail to get medical treatment that they would otherwise
seek. This failure to get treatment may be especially likely for
certain conditions, including mental health, substance abuse, and
conditions such as HIV. Similarly, patients who are concerned about
lack of privacy protections may report inaccurately to their providers
when they do seek treatment. For instance, they might decide not
to mention that they are taking prescription drugs that indicate
that they have an embarrassing condition. These inaccurate reports
may lead to mis-diagnosis and less-than-optimal treatment, including
inappropriate additional medications. In short, the lack of privacy
safeguards can lead to efficiency losses in the form of foregone
or inappropriate treatment.
The shift from paper to electronic records, with the accompanying
greater flows of sensitive health information, also strengthens
the arguments for giving legal protection to the right to privacy
in protected health information. In an earlier period where it was
far more expensive to access and use medical records, the risk of
harm to individuals was relatively low. In the potential near future,
where technology makes it almost free to send lifetime medical records
over the Internet, the risks may grow rapidly. It may become cost-effective,
for instance, for companies to offer services that allow purchasers
to obtain details of a person's physical and mental treatments.
In addition to legitimate possible uses for such services, malicious
or inquisitive persons may download medical records for purposes
ranging from identity theft to embarrassment to prurient interest
in the life of a celebrity or neighbor. Of additional concern, such
services might extend to providing detailed genetic information
about individuals, without their consent. Many persons likely believe
that they have a right to live in society without having these details
of their lives laid open to unknown and possibly hostile eyes. These
technological changes, in short, may provide a reason for institutionalizing
privacy protections in situations where the risk of harm did not
previously justify writing such protections into law.
States have, to varying degrees, attempted to enhance confidentiality
and correct the market problems by establishing laws governing at
least some aspects of medical record privacy. This approach, though
a step in the right direction, is inadequate. The states themselves
have a patchwork of laws that fail to provide a consistent or
comprehensive policy, and there is considerable variation among
the states in the scope of the protections provided. Moreover, health
data is becoming increasingly national; as more information
becomes available in electronic form, it can have value far beyond
the immediate community where the patient resides. Neither private
action nor state laws provide a sufficiently rigorous legal structure
to correct the market failure now or in the future. Hence, a national
policy with consistent rules is a vital step toward correcting the
market failure that exists.
In summarizing the need for the proposed regulation, the discussion
here has emphasized how the proposed regulation would address violations
of a right to privacy in the information about oneself, market failures,
and the need for a national policy. These arguments become considerably
stronger with the shift from predominantly paper to predominantly
electronic records. Other arguments could supplement these justifications.
As discussed in the benefits section below, the proposed privacy
protections may prevent or reduce the risk of unfair treatment or
discrimination against vulnerable categories of persons, such as
those who are HIV positive, and thereby, foster better health. The
proposed regulation may also help educate providers, plans, and
the general public about how protected health information is used.
This education, in turn, may lead to better information practices
in the future.
Clearly, the growing problem of protecting privacy is widely understood
and a major public concern. Over 80 percent of persons surveyed
in 1999 agreed with the statement that they had "lost all control
over their personal information." A Wall Street Journal/NBC
poll on September 16, 1999 asked Americans what concerned them most
in the coming century. "Loss of personal privacy" topped
the list, as the first or second concern of 29 percent of respondents.
Other issues such as terrorism, world war, and global warming had
scores of 23 percent or less. The regulation is a major step toward
addressing this public concern.
D. Baseline Privacy Protections.
Determining the impact of the rule on covered entities requires
us to establish a baseline for current privacy policies. We must
first determine current practices and requirements related to protected
information -- specifically, practices related to disclosure and
use, notification of individuals of information practices, inspection
and copying, amendment and correction, administrative policies,
procedures, and related documentation.
Privacy practices are most often shaped by professional organizations
that publish ethical codes of conduct and by State law. On occasion,
State laws defer to professional conduct codes. At present, where
neither professional organizations nor States have developed guidelines
for privacy practices, an entity may implement privacy practices
independently.
Professional codes of conduct or ethical behavior generally can
be found as opinions and guidelines developed by organizations such
as the American Medical Association, the American Hospital Association,
and the American Dental Association. These are generally issued
through an organization's governing body. The codes do not have
the force of law, but providers often recognize them as binding
rules.
State laws are another important means of protecting health information.
While professional codes of conduct usually only have slight variations,
State laws vary dramatically. Some States defer to the professional
codes of conduct, others provide general guidelines for privacy
protection, and others provide detailed requirements relating to
the protection of information relating to specific diseases or to
entire classes of information. In cases where neither State law
nor professional ethical standards exist, the only privacy protection
individuals have is limited to the policies and standards that the
health care entity adopts.
Before we can attempt to determine the impact of the proposed rule
on covered entities, we must make an effort to establish the present
level of privacy protection. Current privacy protection practices
are determined by the standards and practices that the professional
associations have adopted for their members and by State laws.
1. Professional Codes of Conduct and the Protection of Health
Information.
We examined statements issued by five major professional groups,
one national electronic network association and a leading managed
care association. There are a number of common themes that all the
organizations appear to subscribe to:
- The need to maintain and protect an individual's health
information;
- Development of policies to ensure the confidentiality of protected
health information;
- Only the minimum necessary information should be released to
accomplish the purpose for which the information is sought.
Beyond these principles, the major associations differ with respect
to the methods used to protect health information. One critical
area of difference is the extent to which professional organizations
should release protected health information. A major mental health
association advocates the release of identifiable patient information
". . . only when de-identified data are inadequate for the purpose
at hand." A major association of physicians counsels members
who use electronically maintained and transmitted data to require
that they and their patients know in advance who has access to protected
patient data, and the purposes for which the data will be used.
In another document, the association advises physicians not to sell
patient information to data collection companies without fully informing
their patients of this practice and receiving authorization in advance
to release the information.
Only two of the five professional groups state that patients have
the right to review their medical records. One group declares this
as a fundamental patient right, while the second association qualifies
their position by stating that the physician has the final word
on a patient's access to their health information. This association
also recommends that its members respond to requests for access
to patient information within 10 days, and recommends that entities
allow for an appeal process when patients are denied access. The
association further recommends that when a patient contests the
accuracy of the information in their record and the entity refuses
to accept the patient's change, the patient's statement
should be included as a permanent part of the patient's record.
In addition, three of the five professional groups endorse the
maintenance of audit trails that can track the history of disclosures
of protected health information.
The one set of standards that we reviewed from a health network
association advocated the protection of private health information
from disclosure without patient authorization and emphasized that
encrypting information should be a principal means of protecting
patient information. The statements of a leading managed care association,
while endorsing the general principles of privacy protection, were
vague on the release of information for purposes other than treatment.
They suggest allowing the use of protected health information without
the patient's authorization for what they term "health
promotion." It is possible that the use of protected health
information for "health promotion" may be construed under
the proposed rule as part of marketing activities.
Based on the review of the leading association standards, we believe
that the proposed rule embodies all the major principles expressed
in the standards. However, there are some major areas of difference
between the proposed rule and the professional standards reviewed.
These include the subject individual's right of access to health
information in the covered entity's possession, relationships
between contractors and covered entities, and the requirement that
covered entities make their privacy policies and practices available
to patients through a notice and the ability to respond to questions
related to the notice. Because the proposed regulation would require
that (with a few exceptions) patients have access to their health
information that a covered entity possesses, large numbers of providers
may have to modify their current practices in order to allow patient
access, and to establish a review process if they deny a patient
access. Also, none of the privacy protection standards reviewed
require that providers or plans prepare a formal statement of privacy
practices for patients (although the major physician association
urges members to inform patients about who would have access to
their protected health information and how their health information
would be used). Only one HMO association explicitly made reference
to information released for legitimate research purposes, and none
of the other statements we reviewed discuss release of information
for research purposes. The proposed rule allows for the release
of protected health information for research purposes without an
individual's authorization, but only for research that is supervised
by an institutional research board or an equivalent privacy board.
This research requirement may cause some groups to revise their
disclosure authorization standards.
2. State Laws.
The second body of privacy protections is found in a myriad of
State laws and requirements. To determine whether or not the proposed
rule would preempt a State law, we first identified the relevant
laws, and second, determined whether state or federal law provides
individuals with greater privacy protection.
Identifying the relevant state statutes: Health privacy
statutes can be found in laws applicable to many issues including
insurance, workers' compensation, public health, birth and
death records, adoptions, education, and welfare. For example, Florida
has over 60 laws that apply to protected health information. According
to the Georgetown Privacy Project (6), Florida
is not unique. Every State has laws and regulations covering some
aspect of medical information privacy. In many cases, State laws
were enacted to address a specific situation, such as the reporting
of HIV/AIDS, or medical conditions that would impair a person's
ability to drive a car. Identifying every State statute, regulation,
and court case that interprets statutes and regulations dealing
with patient medical privacy rights is an important task but cannot
be completed in this discussion. For the purpose of this analysis,
we simply acknowledge the complexity of State requirements surrounding
privacy issues.
Lastly, we recognize that the private sector will need to complete
a State-by-State analysis to comply with the notice and administrative
procedures portion of this proposed rule. This comparison should
be completed in the context of individual markets; therefore it
is more efficient for professional associations or individual businesses
to complete this task.
Recognizing limits of our ability to effectively summarize State
privacy laws and our difficulty in determining preemption at the
outset, we discuss conclusions generated by the Georgetown University
Privacy Project in Janlori Goldman's report, "The State of Health
Privacy: An Uneven Terrain." We consider Georgetown's report
the best and most comprehensive examination of State privacy laws
currently published. The report, which was completed in July 1999,
is based on a 50-state survey. However, the author is quick to point
out that this study is not exhaustive.
The following analysis of State privacy statutes and our attempt
to compare State laws to the proposed rule is limited as a result
of the large amount of State-specific data available. To facilitate
discussion, we have organized the analysis into two sections: access
to medical information and disclosure of medical information. Our
analysis is intended to suggest areas where the proposed rule appears
to preempt various State laws; it is not designed to be a definitive
or wholly comprehensive State-by-State comparison.
Access to Subjects' Information: In general,
State statutes provide individuals with access to their own medical
records. However, only a few States allow individuals access to
virtually all entities that hold health information. In 33 States,
individuals may access their hospital and health facility records.
Only 13 States guarantee individuals access to their HMO records,
and 16 States provide individuals access to their medical information
when it is held by insurers. Seven states have no statutory right
of patient access; three States and the District of Columbia have
laws that only assure individuals' right to access their mental
health records. Only one State permits individuals access to records
held by providers, but it excludes pharmacists from the definition
of provider. Thirteen States grant individuals statutory right of
access to pharmacy records.
The amount that entities are allowed to charge for copying of individuals'
records varies widely from State to State. A study conducted by
the American Health Information Management Association (7)
found considerable variation in the amounts, structure, and combination
of fees for search and retrieval, and the copying of the record.
In 35 States, there are laws or regulations that set a basis for
charging individuals inspecting and copying fees. Charges vary not
only by State, but also by whether the request is related to a workers'
compensation case or a patient-initiated request. Charges also vary
according to the setting. For example, States differentiate most
often between clinics and hospitals. Also, charges vary by the number
of pages and whether the request is for X-rays or for standard medical
information.
Of the 35 States with laws regulating inspection and copying charges,
seven States either do not allow charges for retrieval of records
or require that the entity provide the first copy free of charge.
Some States may prohibit hospitals from charging patients a retrieval
and copying fee, but allow clinics to do so. It is noteworthy that
some States that do not permit charges for retrieval sometimes allow
entities to charge per-page rates ranging between $0.50 and $0.75.
In States that do allow a retrieval charge, the per-page charge
is usually $0.25. Eleven states specify only that the record holder
may charge reasonable/actual costs.
Of the States that allow entities to charge for record retrieval
and copying, charges range from a flat amount of $1.00 to $20.00.
Other States allow entities to charge varying rates depending on
the amount of material copied. For example, an entity may charge
$5.00 for the first five pages and then a fixed amount per page.
In those cases, it appears that retrieval and copying costs were
actually combined. The remaining States have a variety of cost structures:
One State allows $0.25 per page plus postage plus a $15.00 retrieval
charge. Another State allows a $1.00 charge per page for the first
25 pages and $0.25 for each page above 25 pages plus a $1.00 annual
retrieval charge. A third state allows a $1.00 per page charge for
the first 100 pages and $0.25 for each page thereafter.
According to the report by the Georgetown Privacy Project, among
States that do grant access to patient records, the most common
basis for denying individuals access is concern for the life and
safety of the individual or others. This proposed rule considers
the question of whether to deny patient access on the basis of concern
for the individual's life or safety, concluding that the benefits
of patient access most often outweigh harm to the individual. This
issue, which is discussed in greater detail in other sections, has
been resolved in favor of promoting patient access.
The amount of time an entity is given to supply the individual
with his or her record varies widely. Many States allow individuals
to amend or correct inaccurate health information, especially information
held by insurers. However, few States provide the right to insert
a statement in the record challenging the covered entity's
information when the individual and entity disagree. (8)
Disclosure of Health Information: State laws vary
widely with respect to disclosure of identifiable health information.
Generally, States have applied restrictions on the disclosure of
health information either to specific entities or to specific health
conditions. Just two states place broad limits on disclosure of
protected health information without regard for policies and procedures
developed by covered entities. Most States require patient authorization
before an entity may disclose health information, but as the Georgetown
report points out, "In effect, the authorization may function
more as a waiver of consent -- the patient may not have an opportunity
to object to any disclosures." (9)
It is also important to point out that none of the States appear
to offer individuals the right to restrict disclosure of their protected
health information for treatment. Thus, the provision of the proposed
rule that allows patients to restrict disclosure of their protected
information is not currently included in any State law. Because
the ability to restrict disclosure currently is not a standard practice,
the proposed rule would require entities to add these capabilities
to their information systems.
State statutes often have exceptions to requiring authorization
before disclosure. The most common exceptions are for purposes of
treatment, payment, or auditing and quality assurance functions
-- which are similar to the definition we have established for health
care operations -- and these are therefore not subject to prior authorization
requirements under the proposed rule. Restrictions on re-disclosure
of protected health information also vary widely from State to State.
Some States restrict the re-disclosure of health information, and
others do not. The Georgetown report cites State laws that require
providers to adhere to professional codes of conduct and ethics
with respect to disclosure and re-disclosure of protected health
information. What is not clear is the degree to which individual
information is improperly released or used in the absence of specific
legal sanctions.
Most States have adopted specific measures to provide additional
protections with regard to certain conditions or illnesses that
have clear social or economic consequences. Although the Georgetown
study does not indicate the number of States that have adopted disease-specific
measures to protect information related to sensitive conditions
and illnesses, the analysis seems to suggest that nearly all States
have adopted some form of additional protection. The conditions
and illnesses most commonly afforded added privacy protection are:
- Substance abuse;
- Information derived from genetic testing;
- Communicable and sexually-transmitted diseases;
- Mental health; and
- Abuse, neglect, domestic violence, and sexual assault.
We have included a specific discussion of disclosures for research
purposes because if an entity decides to disclose information for
research purposes, it will incur costs that otherwise would be associated
with other disclosures under this rule. Some States place restrictions
on releasing condition-specific health information for research
purposes, while others allow release of information for research
without the patient's authorization. States frequently require
that researchers studying genetic diseases, HIV/AIDS, and other
sexually transmitted diseases have different authorization and privacy
controls than those used for other types of research. Some States
require approval from an IRB or agreements that the data will be
destroyed or identifiers removed at the earliest possible time.
Another approach has been for States to require researchers to obtain
sensitive, identifiable information from a State public health department.
One State does not allow automatic release of protected health information
for research purposes without notifying the subjects that their
health information may be used in research and allowing them opportunity
to object to the use of their information. (10)
Comparing State statutes to the proposed rule: A
comparison of State privacy laws with the proposed rule highlights
several of the proposed rule's key implications:
- No State law requires covered entities to make their privacy
and access policies available to patients. Thus, all covered entities
that have direct contact with patients will be required to prepare
a statement of their privacy protection and access policies. This
necessarily assumes that entities have to develop procedures if
they do not already have them in place.
- The proposed rule will affect more entities than are affected
under many State laws. In the application of the proposed rule
to providers, plans, and clearinghouses, the proposed rule will
reach nearly all entities involved in delivering and paying for
health care. Yet because HIPAA applies only to information that
has been stored and transmitted electronically, the extent to
which the proposed rule will reach information held by covered
entities is unclear.
- State laws have not addressed the form in which health information
is stored. We do not know whether covered entities will choose
to treat information that never has been maintained or transmitted
electronically in the same way that they treat post-electronic
information. We also do not know what portion of information held
in non-electronic formats has ever been electronically maintained
or transmitted. Nevertheless, the proposed rule would establish
a more level floor from which States could expand the privacy
protections to include both electronic information and non-electronic
information.
- Among the three categories of covered entities, it appears
that plans will be the most significantly affected by the access
provisions of the proposed rule. Based on the Health Insurance
Association of America (HIAA) data (11), there
are approximately 94.7 million non-elderly persons who purchase
health insurance in the 35 States that do not provide patients
a legal right to inspect and copy their records. We do not have
information on how many of those people are in plans that grant
patients inspection and copying rights although State law does
not require them to do so. We discuss these points more fully
in the cost analysis section.
- Although the proposed rule would establish a uniform disclosure
and re-disclosure requirement for all covered entities, the groups
most likely to be affected are health insurers, benefits management
administrators, and managed care organizations. These groups have
the greatest ability and economic incentives to use protected
health information for marketing services to both patients and
physicians without individual authorization. Under the proposed
rule, covered entities would have to obtain the individual's
authorization before they could use or disclose their information
for purposes other than treatment, payment, and health care operations
-- except in the situations explicitly defined as allowable disclosures
without authorization.
- While our proposed rule appears to encompass many of the requirements
found in current State laws, it also is clear that within State
laws, there are many provisions that cover specific cases and
health conditions. Certainly, in States that have no research
disclosure requirements, the proposed rule will establish a baseline
standard. But in States that do place conditions on the disclosure
of protected health information, the proposed rule may place additional
requirements on covered entities.
- State privacy laws do not always apply to entities covered
by the proposed rule. For example, State laws may provide strong
privacy protection for hospitals and doctors but not for dentists
or HMOs. State laws protecting particular types of genetic testing
or conditions may be similarly problematic because they protect
some types of sensitive information and not others. In some instances,
a patient's right to inspect his or her medical record may
be covered under State laws and regulations when a physician has
the medical information, but not under State requirements when
the information being sought is held by a plan. Thus, the proposed
rule would extend privacy requirements already applicable to some
entities within a State to other entities that currently are not
subject to State privacy requirements.
3. Federal Laws.
The Privacy Act of 1974
Federal agencies will be required to comply with both the Privacy
Act of 1974 (5 U.S.C. § 552a) and the HIPAA regulation. The
Privacy Act provides Federal agencies with a framework and scheme
for protecting privacy, and the HIPAA regulation will not alter
that scheme. Basic organizational and management features, such
as the provision of safeguards to protect the privacy of health
information and training for employees -- which are required by
this proposed rule -- already are required by the Privacy Act.
The proposed rule has been designed so that individuals will not
have fewer rights than they have now under the Privacy Act. It may
require that agencies obtain individual authorization for some disclosures
that they now make without authorization under routine uses.
Private-sector organizations with contracts to conduct personal
data handling activities for the Federal government are subject
to the Privacy Act by virtue of performing a function on behalf
of a Federal agency. They too will be required to comply with both
rules in the same manner as Federal agencies.
Substance Abuse Confidentiality Statute
Organizations that operate specialized substance abuse treatment
facilities and that either receive Federal assistance or are regulated
by a Federal agency are subject to confidentiality rules established
by Section 543 of the Public Health Service Act (42 U.S.C. §
290dd-2) and implementing regulations at 42 C.F.R. part 2.
These organizations will be subject both to that statute and to
the HIPAA regulation. The proposed rule should have little practical
effect on the disclosure policies of these organizations, because
the patient confidentiality statute governing information about
substance abuse is generally more restrictive than this proposed
rule. These organizations will continue to be subject to current
restrictions on their disclosures. The substance abuse confidentiality
statute does not address patient access to records; the proposed
privacy rule makes clear that patient access is allowed.
Federal agencies are subject to these requirements, and currently
they administer their records under both these requirements and
the Privacy Act. The Department of Veterans Affairs is subject to
its own substance abuse confidentiality statute, which is identical
in substance to the one of more general applicability. It also covers
information about HIV infection and sickle cell anemia (38 U.S.C.
§ 7332).
Rules Regarding Protection of Human Subjects
Health care delivered by covered entities conducting clinical trials
typically is subject to both the proposed rule and to Federal regulations
for protection of human research subjects (The Federal Policy
for the Protection of Human Subjects, codified for the Department
of Health and Human Services in Title 45 C.F.R. part 46, and/or
the Food and Drug Administration's human subject regulations
for research in support of medical product applications to the Food
and Drug Administration, or regulated by that agency, at 21 C.F.R.
parts 50 and 56).
Current human subjects rules impose no substantive restrictions
on disclosure of patient information. Institutional review boards
must consider the adequacy of confidentiality protections for subjects,
and researchers must tell subjects to what extent their confidentiality
will be protected. There should be no conflict between these requirements
and the proposed rules. The proposed HIPAA regulation will expand
on the current human subjects requirements by requiring a more detailed
description of intended use of patient information. The proposed
HIPAA rule also requires additional criteria for waiver of patient
authorization.
Medicaid
States may use information they obtain in the process of administering
Medicaid only for the purposes of administering the program, pursuant
to a State plan condition in section 1902(a)(7) of the Social Security
Act, 42 U.S.C. § 1396a(a)(7). The proposed HIPAA rule applies
to State Medicaid programs, which under the rule are considered
health plans. There will be no conflict in the substantive requirements
of current rules and this proposed rule. Medicaid rules regarding
disclosure of patient information are stricter than provisions of
the proposed rule; therefore, Medicaid agencies simply will continue
to follow the Medicaid rules.
ERISA
ERISA (29 U.S.C. 1002) was enacted in 1974 to regulate pension
and welfare employee benefit plans that are established by private-sector
employers, unions, or both, to provide benefits to their workers
and dependents. An employee welfare benefit plan provides benefits
-- through insurance or otherwise -- such as medical, surgical benefits,
as well as benefits to cover accidents, disability, death, or unemployment.
In 1996, HIPAA amended ERISA to require portability, nondiscrimination,
and renewability of health benefits provided by group health plans
and group health insurance issuers. Many, although not all, ERISA
plans are covered under the proposed rule as health plans. We believe
that the proposed rule does not conflict with ERISA. Further discussion
of ERISA can be found in the preamble for this proposed rule.
E. Costs.
Affected entities will be implementing the privacy proposed rules
at the same time many of the administrative simplification standards
are being implemented. As described in the overall impact analysis
for the administrative simplification standards in the Federal Register,
Vol. 63, No. 88, May 7, 1998, page 25344, the data handling changes
occurring due to the other HIPAA standards will have both costs
and benefits. To the extent the changes required for the privacy
standards implementations can be made concurrently with the changes
required for the other standards, costs for the combined implementation
should be only marginally higher than for the administrative simplification
standards alone. The extent of this additional cost is uncertain,
in the same way that the costs associated with each of the individual
administrative simplification standards were uncertain.
The costs associated with implementing the privacy standards will
be directly related to the number of affected entities and the number
of affected transactions in each entity. (12)
We chose to use the SBA data in the RFA because we wanted our analysis
to be as consistent to SBA definitions as possible to give the greatest
accuracy for the RFA purposes. As described in the overall administrative
simplification impact estimates (Tables 1 and 2, page 25344), about
20,000 health plans (excluding non-self administered employer plans)
(13) and hundreds of thousands of providers
face implementation costs. In the administrative simplification
analysis, the costs of provider system upgrades were expected to
be $3.6 billion over the period 1998-2002, and plan system cost
upgrades were expected to be $2.2 billion. (In the aggregate, this
$5.8 billion cost is expected to be more than completely offset
by $7.3 billion in savings during the 5 year period analyzed).
The relationship between the HIPAA security and privacy standards
is particularly relevant. On August 12, 1998, the Secretary published
a proposed rule to implement the HIPAA standards on security and
electronic standards. That rule specified the security requirements
for covered entities that transmit and store information specified
in Part C, Title XI of the Act. In general, that rule would establish
the administrative and technical standards for protecting "...any
health information pertaining to an individual that is electronically
maintained or transmitted." (63 FR 43243). The security rule
is intended to spell out the system and administrative requirements
that a covered entity must meet in order to assure itself and the
Secretary that the protected health information is safe from destruction
and tampering from people without authorization for its access.
By contrast, the privacy rule describes the policies and procedures
that would govern the circumstances under which protected health
information may be used and released with and without patient authorization
and when a patient may have access to his or her protected medical
information. This rule assumes that a covered entity will have in
place the appropriate security apparatus to successfully carry out
and enforce the provisions contained in the security rule.
Although the vast majority of health care entities are privately
owned and operated, Federal, State, and local government providers
are reflected in the total costs. (14)
Federal, state, and locally funded hospitals represent approximately
26 percent of hospitals in the United States. This is a significant
portion of hospitals, but represents a relatively small proportion
of all provider entities. The number of government providers who
are employed at locations other than government hospitals is significantly
smaller (approximately 2 percent of all providers). Weighting the
relative number of government hospital and non-hospital providers
by the revenue these types of providers generate, we estimate that
health care services provided directly by government entities represent
3.4 percent of total health care services. IHS and Tribal facilities
costs are included in the total, since the adjustments made to the
original private provider data to reflect federal providers included
them. In drafting the proposed rule the Department consulted with
States, representatives of the National Congress of American Indians,
representatives of the National Indian Health Board, and a representative
of the self-governance tribes. During the consultation we discussed
issues regarding the application of Title II of HIPAA to the States
and Tribes.
Estimating the costs associated with the privacy proposed rule
involves, for each provision, consideration of both the degree to
which covered entities must modify their records management systems
and privacy policies under the proposed rule, and the extent to
which there is a change in behavior of both patients and the covered
entities as a result of the proposed rule. In the following sections
we will examine these provisions as they would apply to the various
covered entities as they undertake to comply with the proposed rule.
The major costs that covered entities will incur are one time costs
associated with implementation of the proposed rules, and ongoing
costs that result from changes in behavior that both the covered
entities and patients would make in response to the new proposed
rules.
We have quantified the costs imposed by the proposed regulation
to the extent that we had adequate data. In some areas, however,
there was too little data to support quantitative estimates. As
a result, the RIA does not include cost estimates for all of the
requirements of the regulation. The areas for which explicit cost
estimates have not been made are: the principle of minimum necessary
disclosure; the requirement that entities monitor business partners
with whom they share PHI; creation of de-identified information;
internal complaint processes; sanctions; compliance and enforcement;
the designation of a privacy official and creation of a privacy
board; and additional requirements on research/optional disclosures
that will be imposed by the regulation. The cost of some of these
provisions may be significant, but it would be inaccurate to project
costs for these requirements given the fact that several of these
concepts are new to the industry.
The one time costs are primarily in the area of development and
codification of procedures. Specific activities include: (1) analysis
of the significance of the federal regulations on covered entity
operation; (2) development and documentation of policies and procedures
(including new ones or modification of existing ones); (3) dissemination
of such policies and procedures both inside and outside the organization;
(4) changing existing records management systems or developing new
systems; and (5) training personnel on the new policies and system
changes.
Covered entities will also incur ongoing costs. These are likely
to be the result of
(1) increased numbers of patient requests for access and copying
of their own records;
(2) the need for covered entities to obtain patient authorization
for uses of protected information that had not previously required
an authorization;
(3) increased patient interest in limiting payer and provider
access to their records;
(4) dissemination and implementation both internally and externally
of changes in privacy policies, procedures, and system changes;
and
(5) training on the changes.
Compliance with the proposed rule will cost $3.8 billion over five
years. These costs are in addition to the administrative simplification
estimates. The cost of complying with the regulation represents
0.09 percent of projected national health expenditures the first
year the regulation is enacted. The five year costs of the proposed
regulation also represent 1.0 percent of the increase in health
care costs experienced over the same five-year period. (15)
Because of the uncertainty of the data currently available, the
Department has made estimates on low and high
range assumptions of the key variables. These estimates show a range
of $1.8 to $6.3 billion over five years. It is important to note
that these estimates do not include the areas for which we have
made no cost estimates (discussed above).
Initial Costs
Privacy Policies and Procedures
With respect to the initial costs for covered entities, the expectation
that most of the required HIPAA procedures will be implemented as
a package suggests that additional costs for the privacy standards
should be small. Since the requirements for developing formal processes
and documentation of procedures mirror what will already have been
required under the security regulations, the additional costs should
be small. The expectation is that national and state associations
will develop guidelines or general sets of processes and procedures
and that these will generally be adopted by individual member entities.
Relatively few providers or entities are expected to develop their
own procedures independently or to modify significantly those developed
by their associations. Our estimates are based on assumed costs
for providers ranging from $300 to $3000, with the weighted average
being about $375. The range correlates to the size and complexity
of the provider, and is a reasonable estimate of the cost of coordinating
the policies and procedures outlined in the proposed regulation.
With fewer than 1 million provider entities, the aggregate cost
would be on the order of $300 million. For plans, our estimate assumes
that the legal review and development of written policies will be
more costly because of the scope of their operations. They are often
dealing with a large number of different providers and may be dealing
with requirements from multiple states. Again, we expect associations
to do much of the basic legal analysis but plans are more likely
to make individual adaptations. We believe this cost will range
from $300 for smaller plans to $15,000 for the largest plans. Because
there are very few large plans in relation to the number of small
plans, the weighted average implementation costs will be about $3050.
The total cost of development of policies and procedures for providers
and plans is estimated to be $395 million over five years.
System Compliance Costs
With respect to revisions to electronic data systems, the specific
refinements needed to fulfill the privacy obligations ought to be
closely tied to the refinements needed for security obligations.
The overall administrative simplification system upgrades (procedures,
systems, and training) of $5.8 billion would certainly be disproportionately
associated with the security standard, relative to the other 11
elements. If security accounts for 15 percent of that total, then the security
standard would represent about $900 million in system cost. If the
marginal cost of the privacy elements is another 10 percent, then
the additional cost would be $90 million.
Ongoing Costs
The recurrent costs may be more closely related to total numbers
of persons with claims than to the number of covered entities. The
number of individuals served by an entity will vary greatly. The
number of persons with claims will give a closer approximation of
how many people entities will have to interact with for various
provisions.
Notice of Privacy Practices
No State laws or professional associations currently require entities
to provide patients notice of their privacy policies.
Thus, we expect that all entities will incur costs developing and
disseminating privacy policy notices. Each entity will have a notice
cost associated with each person to whom they provide services.
Data from the 1996 Medical Expenditure Panel Survey shows that there
are approximately 200 million ambulatory care encounters per year,
nearly 20 million persons with a hospital episode, 7 million with
home-health episodes, and over 170 million with prescription drug
use (350 million total). For the remaining four years of the five
year period, we have estimated that, on average, a quarter of the
remaining population will enter the system, and thus receive a notice.
If we account for growth in the number of people who may enter the
health care system over the five year period of our analysis, we
estimate that approximately 543 million patients will be seen at
least once by one or more types of providers.
The development cost for notices is estimated to cost $30 million
over five years, though most of this is likely to occur the first
year. The first year cost of providing notices to patients, customers
and plan enrollees would be $106 million. The total five year cost
of providing new and subsequent copies to all provider patients
and customers would be approximately $209 million.
The notice obligations of insurers apply on initial enrollment,
with updated notices at least every 3 years. However, given enrollment
changes and the sophistication of automation, we believe many plans
would find it cheaper and more efficient to provide annual notices.
The 1998 National Health Interview Survey (NHIS) from the Census
Bureau shows about 174.1 million persons are covered by private
health insurance, on an unduplicated basis. NHIS calculates that
persons who are privately insured hold approximately 1.3 policies
per person. Based on information provided by several plans, we believe
most plans would provide an independent mailing the first year,
but in subsequent years would provide notices as an inclusion in
other mailings. The cost for this would be $0.75 over five years.
If we account for these duplicate policies and assume that the cost
of sending the notices to a policyholder is $0.75, the total cost
to plans would be $231 million over five years. This includes both
public and private plans.
We request comments regarding our cost estimates for development
and distribution of notices.
The costs for more careful internal operation of covered entities
to execute their formal privacy procedures are highly dependent
on the extent to which current practice tracks the future procedures.
Entities that already have strict data sharing and confidentiality
procedures will incur minimal costs, since their activities need
not change much. Entities that have not developed explicit health
information privacy policies may be compelled to obtain patient
authorization in situations where they did not previously. These
changes will generate ongoing costs as well as initial costs. We
solicit comment with respect to the way current costs differ from
those projected by the requirements of the proposed privacy rule.
An example of such an area is the minimum necessary disclosure
principle - because of differing current practices, we do
not have data that reliably indicate how much this provision will
cost.
Inspection and Copying
The Georgetown report on State privacy laws indicates that 33 states
currently give patients some right to access medical information.
The most common right of access granted by State law is the right
to inspect personal information held by physicians and hospitals.
In the process of developing estimates for the cost of providing
access and copying, we assumed that most providers currently have
procedures for allowing patients to inspect and copy their own
record. Thus, we expect that the economic impact of requiring entities
to allow individuals to access and copy their records should be
relatively small. Copying costs, including labor, should be a fraction
of a dollar per page. We expect the cost to be passed on to the
consumer.
There are few studies that address the cost of providing medical
records to patients.
The most recent was a study in 1998 by the Tennessee Comptroller
of the Treasury. It found an average cost of $9.96 per request,
with an average of 31 pages per request. The total cost per page
of providing copies was $0.32 per page. This study was performed
on hospitals only. The cost per request may be lower for other types
of providers, since those seeking hospital records are more likely
to be sick and have more complicated records than those in a primary
care or other type of office. An earlier report showed much higher
costs than the Tennessee study. In 1992, Rose Dunn published a report
based on her experience as a manager of medical records. She estimated
a 10 page request would cost $5.32 in labor costs only, equaling
labor cost per page of $0.53. However, this estimate appears to
reflect costs before computerization. The expected time spent per
search was 30.6 minutes; 85 percent of this time could be significantly
reduced with computerization (this includes time taken for file
retrieval, photocopying, and re-filing; file retrieval is the only
time cost that would remain under computerization.) For subsequent
estimates, we will use the Tennessee experience.
The proposed regulation states that entities may charge patients
a reasonable fee to inspect and copy their health information. For
this reason, we expect the cost of inspecting and copying an individual
medical record to be passed on to consumers who request the service.
Nonetheless, it is important to provide an estimate of the potential
costs associated with inspection and copying. We assume that 1.5
percent of patients will request access to inspect and copy their
medical record, and that the cost of accessing and copying a record
is approximately $10 (as cited in the Tennessee study). The cost
of inspection and copying is $81 million a year, or $405 million
over five years. This cost is likely to be borne entirely by the
consumer.
Amendment and Correction
We have assumed that many providers make provisions to help patients
expedite amendment and correction of their medical record where
appropriate. However, as with inspection and copying, the right
to request amendment and correction of an individual's medical
record is not guaranteed by all States. Based on these assumptions
and our cost analysis, we conclude that the principal economic effect
of the proposed rule would be to expand the right to request amendment
and correction to plans and providers that are not covered by state
laws or codes of conduct. In addition, we expect that the proposed
rule may draw additional attention to the issue of record inaccuracies
and stimulate patient demand for access, amendment, and correction
of medical records.
Our cost calculations assume that persons who request an opportunity
to amend or correct their record have already obtained a copy of
their medical record. Therefore, the administrative cost of amending
and correcting the patient's record is completely separate
from inspection and copying costs. In this section we have only
addressed the cost of disputing a factual statement within the patient
record, and do not calculate the cost of appeals or third party
review.
Administrative review of factual statements contained within a
patient's record may be expensive. Most errors may be of a
nature that a clerk or nurse can correct (e.g., the date of a procedure
is incorrect) but some may require physician review. Thus, we have
estimated that the average cost of amending and correcting a patient
record may be $75 per instance.
If amendment and correction requests are associated with two-thirds
of requests for inspection and copying, and the cost of correcting
(or noting the patient's request for correction) is $75, the
total cost of amending and correcting patient records will be $407
million annually, or $2 billion over five years. Comments on our
estimate of amendment and correction costs would be helpful, particularly
if they speak to current amendment and correction costs or frequency
in the health care industry.
Reconstructing a history of disclosures (other than for treatment
and payment)
To our knowledge, no current State law or professional code requires
providers and plans to maintain the capability to reconstruct a
patient's health information history. Therefore, the requirement
in this rule to be able to reconstruct the disclosure history of
protected health information is completely new. Although it is likely
that some providers and plans have already developed this capability,
we assume that all providers and plans would be required to invest
in developing the capacity to generate disclosure histories.
With respect to reconstruction of disclosure history, two sets
of costs would exist. On electronic records, fields for disclosure
reason, information recipient, and date would have to be built into
the data system. The fixed cost of designing the system to include
this would be a component of the $90 million additional costs discussed
earlier. The ongoing cost would be the data entry time, which should
be at de minimis levels. Comments would again be especially useful
with respect to the extent to which recording the additional information
goes beyond current practice.
Authorizations
Although many States have laws that require entities to obtain
patient authorization before releasing individually identified health
information to payers and other third parties, many of the authorization
requirements either allow for blanket authorizations that deprive
the patient of meaningful control over the release of their health
information, or the authorization statutes are less stringent than
the provisions of the proposed rule. Therefore, for purposes of
estimating the economic impact of the NPRM, we are assuming that
all providers and plans will have to develop new procedures to conform
to the proposed rule.
Written patient authorization requirements will generate costs,
to the extent covered entities are currently releasing information
in the targeted circumstances without specific authority. Collecting
such authorization should have costs on the order of those associated
with providing access to records (not on a per page basis). The
frequency of such collections is unknown. Since the requirement
does not apply to treatment and payment, assuming 1 percent of the
543 million encounters over five years might be reasonable. At a
cost of about $10 each, the aggregate cost would be about $54 million
annually, or $271 million over five years. Comments would be especially
useful from entities currently following such procedures.
Training
The ongoing costs associated with paperwork and training are likely
to be minimal. Because training happens as a regular business practice,
and employee certification connected to this training is also the
norm, we estimate that the marginal cost of paperwork and training
is likely to be small. We assume a cost of approximately $20 per
provider office, and approximately $60-100 for health plans and
hospitals. Thus, we estimate that the total cost of paperwork and
training will be $22 million a year.
Conclusion
Overall, the five-year costs beyond those already shown in the
administrative simplification estimates would be about $3.8 billion
over five years, with an estimated range of $1.8 to $6.3 billion.
Table 2 shows the components described above. The largest cost item
is for amendment and correction, which is over half of the estimated
total cost of the regulation. Inspection and copying, at $405 million
over five years, and issuance of notices by providers and plans,
at $439 million over five years, are the second biggest components.
The one-time costs of development of policies and procedures by
providers would represent approximately 10 percent of the total
cost, or $333 million. Plans and clearinghouses would have a substantially
smaller cost, about $62 million. Other systems changes are expected
to cost about $90 million over the period. Finally, the estimates
do not consider all of the costs imposed by the regulation.