IV. Preliminary Regulatory Impact Analysis

Section 804(2) of title 5, United States Code (as added by section 251 of Public Law 104-121), specifies that a “major rule” is any rule that the Office of Management and Budget finds is likely to result in-

We estimate that the impact of this rule will be over $1 billion in the first year of implementation. Therefore, this rule is a major rule as defined in Title 5, United States Code, section 804(2).

DHHS has examined the impacts of this proposed rule under Executive Order 12866. Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is “significant” if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or more, adversely affecting in a material way a sector of the economy, competition, or jobs, or raising novel legal or policy issues. DHHS finds that this proposed rule is a significant regulatory action as defined by Executive Order 12866. Also in accordance with the provisions of Executive Order 12866, this proposed rule was reviewed by the Office of Management and Budget.

When this proposed rule becomes a final rule, in accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104-121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (the Administrator) has determined that this proposed rule would be a major rule for the purpose of congressional review. A major rule for this purpose is defined in 5 U.S.C. 804(2) as one that the Administrator has determined has resulted or is likely to result in an annual effect on the economy of $100 million or more; a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of U.S.-based enterprises to compete with foreign-based enterprises in domestic or export markets.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) projects a significant increase in the number of medical transactions that will be conducted or transmitted electronically. HIPAA notes the privacy needs that result when individually identifiable health information can be transmitted quickly through electronic information systems. While there is a compelling need to protect the privacy of health information in today’s health care system, the expected growth of electronic systems to aid medical diagnostics, claims processing and research makes it even more critical to improve privacy protections.

A fundamental assumption of this regulation is that the greatest benefits of improved privacy protection will be realized in the future as patients gain increasing trust in health care practitioners’ ability to maintain the confidentiality of their health information. Furthermore, our analysis rests on the principle that health information privacy is a right, and as such, cannot be valued solely by market costs. Because it is difficult to measure future benefits based on present data, our estimates of the costs and benefits of this regulation are based on the current business environment and do not include projections beyond five years. As a result, we cannot accurately account for all of the regulation’s future costs and benefits, but the Department is confident that future benefits will be higher than those stated in this analysis.

In order to achieve a reasonable level of privacy protection, we have three objectives for the proposed rule: 1) to establish baseline standards for health care privacy protection, 2) to establish protection for all health information maintained or transmitted by covered entities, and 3) to protect the privacy of health information that is maintained in electronic form, as well as health information generated by electronic systems.

Establishing minimum standards for health care privacy protection is an attempt to create a baseline level of privacy protection for patients across States. The Health Privacy Project’s report, The State of Health Privacy: An Uneven Terrain (1) makes it clear that under the current system of state laws, privacy protection is extremely variable. Our statutory authority under HIPAA allows us to preempt state laws when state law provides less stringent privacy protection than the regulation. Only in cases where state law does not protect the patient’s health information as stringently as in this proposed rule, or when state law is more restrictive of a patient’s right to access their own health care information, will our rule preempt state law. We discuss preemption in greater detail in other parts of the preamble (see the effects of the rule on state laws, section 2 below).

Our second objective is to establish a uniform base of protection for all health information maintained or transmitted by covered entities. As discussed in the preamble, HIPAA restricts the type of entities covered by the proposed rule to three broad categories: health care providers, health care clearinghouses, and health plans. However, there are similar public and private entities that we do not have the authority to regulate under HIPAA. For example, life insurance companies are not covered by this proposed rule but have access to a large amount of protected health information. State government agencies not directly linked to public health functions or health oversight may also have access to protected health information. Examples of this type of agency include the motor vehicle administration, which frequently maintains individual health information, and welfare agencies that routinely hold health information about their clients.

Our third objective is to protect the privacy of health information that is maintained in electronic form, as well as health information generated by electronic systems. Health information is currently stored and transmitted in multiple forms, including in electronic, paper, and oral formats. In order to provide consistent protection to information that has been electronically transmitted or maintained, we propose that this rule cover all personal, protected health information that has ever been maintained or transmitted electronically. This type of information includes output such as computer printouts, X-rays, magnetic tape, and other information that was originally maintained or transmitted electronically. For example, laboratory tests are often computer generated, printed out on paper, and then stored in a patient’s record. Because such lab results were originally maintained electronically, the post-electronic (i.e. printed) output of those lab results would also be covered under the proposed rule.

It is important to note that the use of electronic systems to maintain and transmit health information is growing among health care providers and health plans. Faulkner and Gray report that provider use of electronically processed health transactions grew from 47 percent to 62 percent between 1994 and 1998. Payer use of electronic transactions grew 17 percent between 1996 and 1997. Once all of the HIPAA administrative simplification standards are implemented, we expect the number of electronic transactions processed by payers and providers to grow further.

The variation in business practice regarding use of paper records versus electronic media for storing and transmitting health information is captured by comparing the percentage of providers that submit paper claims with those that submit electronic claims. Faulkner & Gray’s Health Data Directory (2) shows that only 40 percent of non-Medicare physician claims and 16 percent of dental claims were submitted electronically in 1998. In contrast, 88 percent of all pharmacy claims were submitted electronically.

We believe that most physicians either have, or will have in the near future, the capacity to submit claims electronically. Faulkner and Gray reported that in 1998, 81 percent of physicians with Medicare patients submitted their Medicare claims electronically. The gap between that figure and the 40 percent of non-Medicare physician claims submitted electronically suggests that a physician’s decision to submit claims electronically is heavily influenced by the administrative requirements of the health plan receiving the claim. Since HIPAA requires all health plans to accept electronic transactions, and since more health plans may require electronic claims submission in order to compete in a technologically driven health care market, physicians will conduct many more electronic transactions in the near future. Therefore, it is extremely important that adequate privacy protections are implemented now.

A. Relationship of this Analysis to Analyses in Other HIPAA Regulations.

Historically, Congress has recognized that privacy standards must accompany the electronic data interchange standards and that the increased ease of transmitting and sharing individually identifiable health information must be accompanied by an increase in privacy and confidentiality protections. In fact, the bulk of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. Although the requirement for the issuance of concomitant privacy standards remained a part of the bill passed by the House of Representatives, the requirement for privacy standards was removed in conference. This section was moved from the standard-setting authority of Title XI (section 1173 of the Act) and placed in a separate section of HIPAA, section 264. Subsection (b) of section 264 required the Secretary of HHS to develop and submit to the Congress recommendations for:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

The Secretary's Recommendations were submitted to the Congress on September 11, 1997, and are summarized below. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).

As the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, HHS has now, in accordance with this statutory mandate, developed proposed rules setting forth standards to protect the privacy of such information.

These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system.

The proposed rule should be considered along with all of the administrative simplification standards required by HIPAA. We assessed several strategies for determining the impact of this proposed rule. We considered whether it would be accurate to view the impact as a subset of the overall HIPAA standards or whether this privacy component should be viewed as an addition to the earlier impact analyses related to HIPAA. We decided that while this proposed rule is considered one of the HIPAA standards, any related costs or benefits should be viewed as an addition to earlier analyses. The original HIPAA analyses did not incorporate the expected costs and benefits of privacy regulation because, at the time of the original analyses, we did not know whether Congress would enact legislation or whether privacy would need to be addressed by regulation. Therefore, much of our cost analysis is based on the expected incremental costs above those related to other HIPAA regulations.

B. Summary of Costs and Benefits.

The Department has estimated the costs and benefits of the proposed rule subject to several caveats. In general, it is difficult to estimate the costs and benefits of improved privacy protection. The ability to measure costs of the proposed regulation is limited because there is very little data currently available on the cost of privacy protection. The Department has not been able to estimate costs for a number of requirements of the proposed regulation that we know will impose some cost on covered entities. For those elements for which there are estimated costs, data and information limitations limit the precision of the Department’s estimates; for those reasons we have provided an overall range of costs in addition to point estimates, and welcome further information from the public as part of the comment process. Furthermore, the number of new privacy requirements that the regulation will introduce to the health care industry compounds the difficulty of estimating the benefits of privacy. Benefits are difficult to measure because we conceive of privacy primarily as a right and secondarily as a commodity. As discussed below, the significant benefits of the proposed regulation to individuals and society can be demonstrated by illustrating the serious privacy concerns raised by mental health, substance abuse, cancer screening, and HIV/AIDS patients and the benefits that may be derived from greater privacy.

The estimated cost of compliance with the proposed rule would be at least $3.8 billion over five years. The cost includes estimates for the majority of the requirements of the proposed regulation, but not all. These estimates include costs to Federal, State, and local governments; government costs are thus a subset of the total, not an addition to it. Based on a plausible range of costs for the key components of the analysis, the cost of the regulation would likely be in the range of $1.8 to $6.3 billion over five years (not including those elements of the regulation for which we could not make any cost estimates).

The compliance costs are in addition to Administrative Simplification estimates. The cost of complying with the privacy regulation represents about 0.09 percent of projected national health expenditures during the first year following the regulation’s enactment. The five-year cost of the proposed regulation also represents 1.0 percent of the increase in health care costs that will occur during the same five-year period (3).

The largest cost item is the amending and correcting of records, which would represent over one-half of total costs. Provider and plan notices, which we estimate would cost $439 million, are the second largest cost, and inspection and copying of records is estimated to be $405 million. The one-time costs for providers to develop policies and procedures represent somewhat less than 10 percent of the total cost, or $333 million. Plans would bear a substantially smaller cost, approximately $62 million. Other systems changes would cost about $90 million over the period. The cost of administering written authorizations would total approximately $271 million over five years.

The cost estimates include private- and public-sector costs. Many of the public-sector cost elements will be the same as those in the private market. However, privacy notices are likely to represent a smaller fraction of total public-sector costs, while systems compliance costs in the public sector may be higher than in the private sector due to oversight and administrative requirements.

The costs presented in this document are the Department’s best estimates of the cost of implementing the proposed regulation based on available information and data. Because of inadequate data, we have not made cost estimates for the following components of the regulation: the principle of minimum necessary disclosure; the requirement that entities monitor business partners with whom they share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; and additional requirements on research/optional disclosures that will be imposed by the regulation. The cost of these provisions may be significant in some cases, but it would be inaccurate to project costs for these requirements given that several of these concepts are new to the industry and there is little direct evidence on costs. We solicit comment regarding costs of the regulation that we have not quantified.

The privacy protections established by this regulation will provide major social benefits. Establishing privacy protection as a fundamental right is an important goal and will have significant, non-quantifiable social benefits. A well-designed privacy standard can be expected to build confidence among the public about the confidentiality of their health information. Increased confidence in the privacy of an individual’s health information can be expected to increase the likelihood that many people will seek treatment for particular classes of disease, particularly mental health conditions, sexually transmitted diseases such as HIV/AIDS, and earlier screening for certain cancers. The increased utilization of medical services that would result from increased confidence in privacy would lead to improved health for the individuals involved, reduced costs to society associated with delayed treatments, and improved public health attributable to reduced transmission of communicable diseases.

Table 1. The Cost of Complying with the Proposed Privacy Regulation, in Dollars

Provision | Initial or First Year Cost (2000) | Annual Cost after the First Year | Five Year (2000-2004) Cost
Development of Policies and Procedures, Providers (871,294 providers) | $333,000,000 | -- | $333,000,000
Development of Policies and Procedures, Plans (18,225 plans) | $62,000,000 | -- | $62,000,000
System Changes, All Entities | $90,000,000 | -- | $90,000,000
Notice Development Cost, All Entities | $20,000,000 | -- | $30,000,000
Notice Issuance, Providers | $59,730,000 | $37,152,000 | $208,340,000
Notice Issuance, Plans | $46,200,000 | $46,200,000 | $231,000,000
Inspection/Copying | $81,000,000 | $81,000,000 | $405,000,000
Amendment/Correction | $407,000,000 | $407,000,000 | $2,035,000,000
Written Authorization | $54,300,000 | $54,300,000 | $271,500,000
Paperwork/Training | $22,000,000 | $22,000,000 | $110,000,000
Other Costs* | N/E** | N/E | N/E
Total | $1,165,230,000 | $647,652,000 | $3,775,840,000

-- = no annual figure given for this item.

*Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation.

**N/E = “Not estimated”

We promote the view that privacy protection is an important personal right, and suggest that the greatest of the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of proposed regulation, and these benefits, alone, demonstrate that the regulation is warranted.

These benefits are considered both qualitatively and quantitatively. As a framework for the discussion, the cost of the provisions in the regulation that have been quantified is $0.46 per health care encounter. Although the value of privacy cannot be fully calculated, it is worth noting that if individuals would be willing to pay more than $0.46 per health care encounter to improve health information privacy, the benefits of the proposed regulation would outweigh the cost.

Several qualitative examples illustrate the benefits of the proposed regulation. In one case, medical privacy concerns may prevent patients from obtaining early testing and screening for certain types of cancer. For cancers for which screening is available, survival rates can be as high as 95 percent when the cancer is diagnosed in its early stages (4). For HIV/AIDS patients, new treatments for patients who are diagnosed with HIV in the early stages may save $23,700 per quality-adjusted year of life saved (5). Later in this document, the potential to reduce illness and disability associated with sexually transmitted diseases is discussed.

We recognize that many of the costs and benefits of health information privacy are difficult to quantify, but we believe that our estimates represent a reasonable range of the economic costs and benefits associated with the regulation.

C. Need for the Proposed Action.

Privacy is a fundamental right. As such, it has to be viewed differently than any ordinary economic good. Although the costs and benefits of a regulation need to be considered as a means of identifying and weighing options, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).

To take but one example, the Fourth Amendment to the United States Constitution guarantees that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated." By referring to the need for security of "persons" as well as "papers and effects" the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of "persons" is consistent with getting patient consent before performing invasive medical procedures. The need for security in "papers and effects" underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an "unreasonable" search of the papers and effects.

The United States Supreme Court has specifically upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected "zone of privacy." "One is the individual interest in avoiding disclosure of personal matters," such as this proposed regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning "the interest in independence in making certain kinds of important decisions." In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it "serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."

Many writers have urged a philosophical or common-sense right to privacy in one's personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the "personal life," or the ability to develop one's own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people's privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240-241.

Individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves.

Among different sorts of personal information, health information is among the most sensitive. Many people believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person's body. Similar concerns apply to intrusions on information about the person. Moving beyond these facts of physical treatment, there is likely a greater intrusion when the medical records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words, and emotions.

In addition to these arguments based on the right to privacy in personal information, market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had the ability to monitor and enforce contracts. The chief market failures with respect to privacy concern information, negotiating, and enforcement costs. The information costs arise because of the information asymmetry between the company and the patient -- the company typically knows far more than the patient about how the information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information will be generated, combined with other databases, or sold to third parties.

Patients face at least two layers of cost in learning about how their information is used. First, as with many aspects of health care, patients face the challenge of trying to understand technical medical terminology and practices. It will often be difficult for a patient to understand the medical records and the implications of transferring various parts of such records to a third party. Second, especially in the absence of consistent national rules, patients may face significant costs in trying to learn and understand the nature of a company's privacy policies.

The costs of learning about companies' policies are magnified by the difficulty patients face in detecting whether companies in fact are complying with those policies. Patients might try to adopt strategies for monitoring whether companies have complied with their announced policies. For instance, if a person received health care from several providers that promised not to sell her name to third parties, she could report a different middle initial to each provider. She could then identify the provider that broke the agreement by noticing the middle initials that later appeared on an unsolicited marketing letter. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. A company using the patient's name, for instance, could cross-check her address with her real name, and thereby insert the correct middle initial. In addition, modern health care often requires protected health information to flow legitimately among multiple entities for purposes of treatment, payment, health care operations, and other necessary uses. Even if the patient could identify the provider whose data ultimately leaked, the patient could not easily tell which of those multiple entities had impermissibly transferred her information.
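The middle-initial strategy sketched above is a canary-token scheme: each recipient is handed a slightly different copy of the same record, and a later unsolicited use of the record is traced back to whichever copy it matches. The following is an added example, not part of the original analysis, that models the strategy and both of the reasons the text gives for its ineffectiveness. It assumes the patient can vary only her middle initial, that the marketer receives the name exactly as the provider held it, and that the marketer also holds a second list keyed by address; the patient, providers, partners, and addresses are constructed for illustration.

```python
"""Canary middle initials for tracing a leaked name, and why the trace fails.

A patient hands each provider a different middle initial. If a marketing
letter later bears one of those initials, the patient learns which provider's
copy of her name reached the marketer. Two things defeat this: the marketer
can restore the true initial by cross-referencing her address against
another list, and the tagged copy flows on to the provider's lawful
partners, so the initial names a first-hop recipient, not the leaker.
All names, addresses and entities below are constructed for illustration.
"""
from dataclasses import dataclass, replace
import string


@dataclass(frozen=True)
class Identity:
    first: str
    middle_initial: str
    last: str
    address: str


def tag_identities(true_id: Identity, recipients: list[str]) -> dict[str, Identity]:
    """Give every recipient its own middle initial, none equal to the real one."""
    pool = [c for c in string.ascii_uppercase if c != true_id.middle_initial]
    if len(recipients) > len(pool):
        raise ValueError("not enough distinct initials for this many recipients")
    return {name: replace(true_id, middle_initial=pool[i])
            for i, name in enumerate(recipients)}


def attribute_leak(tagged: dict[str, Identity], leaked: Identity) -> list[str]:
    """Recipients whose tagged copy matches the name on an unsolicited letter."""
    return [name for name, ident in tagged.items()
            if (ident.first, ident.middle_initial, ident.last)
            == (leaked.first, leaked.middle_initial, leaked.last)]


def candidate_sources(first_hop: list[str], downstream: dict[str, list[str]]) -> set[str]:
    """Every entity that lawfully held the tagged copy: the matched recipient
    plus everyone it forwarded the record to, followed transitively."""
    seen: set[str] = set()
    stack = list(first_hop)
    while stack:
        entity = stack.pop()
        if entity in seen:
            continue
        seen.add(entity)
        stack.extend(downstream.get(entity, []))
    return seen


def launder_initial(leaked: Identity, master_list: list[Identity]) -> Identity:
    """Defeat: the marketer looks the address up in another list it holds and
    overwrites the canary initial with the one recorded there."""
    by_address = {ident.address: ident for ident in master_list}
    match = by_address.get(leaked.address)
    return replace(leaked, middle_initial=match.middle_initial) if match else leaked


# Constructed scenario (hypothetical entities, not from the original text).
PATIENT = Identity("Jane", "Q", "Doe", "12 Elm St, Springfield")
RECIPIENTS = ["Clinic A", "Clinic B", "Pharmacy C"]
# Clinic A lawfully sends claims to a clearinghouse, which sends them to the plan.
DOWNSTREAM = {"Clinic A": ["Clearinghouse X"], "Clearinghouse X": ["Health Plan Y"]}


def demo() -> dict:
    tagged = tag_identities(PATIENT, RECIPIENTS)
    # A marketer mails a letter using Clinic A's copy of the name verbatim.
    letter = tagged["Clinic A"]
    first_hop = attribute_leak(tagged, letter)
    sources = candidate_sources(first_hop, DOWNSTREAM)
    # The same marketer also holds a list carrying the real initial.
    laundered = launder_initial(letter, [PATIENT])
    return {
        "first_hop": first_hop,                      # ['Clinic A']
        "possible_sources": sources,                 # Clinic A and both partners
        "laundered_hits": attribute_leak(tagged, laundered),  # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first result shows the scheme working as the text describes: the letter's initial points at Clinic A. The second shows why that is not enough, since Clinic A, Clearinghouse X and Health Plan Y all lawfully held the same tagged copy and the canary cannot tell them apart. The third shows the cross-reference defeat: once the marketer restores the real initial from the address, the letter matches none of the tagged copies and the trace is lost entirely.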

The cost and ineffectiveness of monitoring logically leads to less than optimal protection of health information. Consider the incentives facing a company that acquires protected health information. That company gains the full benefit of using the information, including in its own marketing efforts or in the fee it can receive when it sells the information to third parties. The company, however, does not suffer the full losses from disclosure of protected health information. Because of imperfect monitoring, customers often will not learn of, and thus not be able to enforce against, that unauthorized use. They will not be able to discipline the company efficiently in the marketplace for its less-than-optimal privacy practices. Because the company internalizes the gains from using the information, but does not bear a significant share of the cost to patients (in terms of lost privacy), it will have a systematic incentive to over-use protected health information. In market failure terms, companies will have an incentive to use protected health information where the patient would not have freely agreed to such use.

These difficulties in contract enforcement are made worse by the third-party nature of many health insurance and payment systems. Even where individuals would wish to bargain for privacy, they may lack the legal standing to do so. For instance, employers often negotiate the terms of health plans with insurers. The employee may have no voice in the privacy or other terms of the plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The incentive of employers may be contrary to the wishes of employees -- employers may in some cases inappropriately insist on having access to sensitive medical information in order to monitor employees' behavior and health status. In light of these complexities, there are likely significant market failures in the bargaining on privacy protection. Many privacy-protective agreements that patients would wish to make, absent barriers to bargaining, will not be reached.

The economic, legal and philosophical arguments become more compelling as the medical system shifts from predominantly paper to predominantly electronic records. The market failures described above, the information asymmetry between company and patient and the costs of bargaining for and enforcing privacy terms, grow with that shift, since the company will know even more about how protected health information is generated, combined with other databases, or sold to third parties, and the patient will know even less.

Rapid changes in information technology mean that the size of the market failures will likely increase greatly in the markets for personal health information. Improvements in computers and networking mean that the costs of gathering, analyzing, and disseminating electronic data are plunging. Market forces are leading many medical providers and plans to shift from paper to electronic records, due both to lower cost and the increased functionality provided by having information in electronic form. These market changes will be accelerated by the administrative simplification implemented by the other regulations promulgated under HIPAA. A chief goal of administrative simplification, in fact, is to create a more efficient flow of medical information where appropriate. This proposed privacy regulation is an integral part of the overall effort of administrative simplification; it creates a framework for more efficient flows for certain purposes, including treatment and payment, while restricting flows in other circumstances except where appropriate institutional safeguards exist.

If the medical system shifts to predominantly electronic records in the near future, without use of accompanying privacy rules, then one can imagine a near future where clerical and medical workers all over the country may be able to pull up protected health information about individuals -- without meaningful patient consent and without effective institutional controls against further dissemination. In terms of the market failure, it will become more difficult for patients to know how their health provider or plan is using their personal health information. It will become more difficult to monitor the subsequent flows of protected health information, as the number of electronic flows and possible points of leakage both increase. Similarly, the costs and difficulties of bargaining to get the patients' desired level of use will likely rise due to the greater number and types of entities that receive protected health information.

As the benefits section, below, discusses in more detail, the protection of privacy and correcting the market failure have practical implications. Where patients are concerned about lack of privacy protections, they might fail to get medical treatment that they would otherwise seek. This failure to get treatment may be especially likely for certain conditions, including mental health, substance abuse, and conditions such as HIV. Similarly, patients who are concerned about lack of privacy protections may report inaccurately to their providers when they do seek treatment. For instance, they might decide not to mention that they are taking prescription drugs that indicate that they have an embarrassing condition. These inaccurate reports may lead to mis-diagnosis and less-than-optimal treatment, including inappropriate additional medications. In short, the lack of privacy safeguards can lead to efficiency losses in the form of forgone or inappropriate treatment.

The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, also strengthens the arguments for giving legal protection to the right to privacy in protected health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, where technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. Of additional concern, such services might extend to providing detailed genetic information about individuals, without their consent. Many persons likely believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

States have, to varying degrees, attempted to enhance confidentiality and correct the market problems by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. The states themselves have a patchwork of laws that fail to provide a consistent or comprehensive policy, and there is considerable variation among the states in the scope of the protections provided. Moreover, health data is becoming increasingly “national”; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently rigorous legal structure to correct the market failure now or in the future. Hence, a national policy with consistent rules is a vital step toward correcting the market failure that exists.

In summarizing the need for the proposed regulation, the discussion here has emphasized how the proposed regulation would address violations of a right to privacy in the information about oneself, market failures, and the need for a national policy. These arguments become considerably stronger with the shift from predominantly paper to predominantly electronic records. Other arguments could supplement these justifications. As discussed in the benefits section below, the proposed privacy protections may prevent or reduce the risk of unfair treatment or discrimination against vulnerable categories of persons, such as those who are HIV positive, and thereby, foster better health. The proposed regulation may also help educate providers, plans, and the general public about how protected health information is used. This education, in turn, may lead to better information practices in the future.

Clearly, the growing problem of protecting privacy is widely understood and a major public concern. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." A Wall Street Journal/NBC poll on September 16, 1999 asked Americans what concerned them most in the coming century. "Loss of personal privacy" topped the list, as the first or second concern of 29 percent of respondents. Other issues such as terrorism, world war, and global warming had scores of 23 percent or less. The regulation is a major step toward addressing this public concern.

D. Baseline Privacy Protections.

Determining the impact of the rule on covered entities requires us to establish a baseline for current privacy policies. We must first determine current practices and requirements related to protected information -- specifically, practices related to disclosure and use, notification of individuals of information practices, inspection and copying, amendment and correction, administrative policies, procedures, and related documentation.

Privacy practices are most often shaped by professional organizations that publish ethical codes of conduct and by State law. On occasion, State laws defer to professional conduct codes. At present, where neither professional organizations nor States have developed guidelines for privacy practices, an entity may implement privacy practices independently.

Professional codes of conduct or ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, the American Hospital Association, and the American Dental Association. These are generally issued through an organization’s governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

State laws are another important means of protecting health information. While professional codes of conduct usually only have slight variations, State laws vary dramatically. Some States defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. In cases where neither State law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and standards that the health care entity adopts.

Before we can attempt to determine the impact of the proposed rule on covered entities, we must make an effort to establish the present level of privacy protection. Current privacy protection practices are determined by the standards and practices that the professional associations have adopted for their members and by State laws.

1. Professional Codes of Conduct and the Protection of Health Information.

We examined statements issued by five major professional groups, one national electronic network association and a leading managed care association. There are a number of common themes that all the organizations appear to subscribe to:

Beyond these principles, the major associations differ with respect to the methods used to protect health information. One critical area of difference is the extent to which professional organizations should release protected health information. A major mental health association advocates the release of identifiable patient information “. . .only when de-identified data are inadequate for the purpose at hand.” A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to “sell” patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance to release of the information.

Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies their position by stating that the physician has the final word on a patient’s access to their health information. This association also recommends that its members respond to requests for access to patient information within 10 days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in their record and the entity refuses to accept the patient’s change, the patient’s statement should be included as a permanent part of the patient’s record.

In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of protected health information.

The one set of standards that we reviewed from a health network association advocated the protection of private health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting patient information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. They suggest allowing the use of protected health information without the patient’s authorization for what they term “health promotion.” It is possible that the use of protected health information for “health promotion” may be construed under the proposed rule as part of marketing activities.

Based on the review of the leading association standards, we believe that the proposed rule embodies all the major principles expressed in the standards. However, there are some major areas of difference between the proposed rule and the professional standards reviewed. These include the subject individual’s right of access to health information in the covered entity’s possession, relationships between contractors and covered entities, and the requirement that covered entities make their privacy policies and practices available to patients through a notice and the ability to respond to questions related to the notice. Because the proposed regulation would require that (with a few exceptions) patients have access to their health information that a covered entity possesses, large numbers of providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that providers or plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes, and none of the other statements we reviewed discuss release of information for research purposes. The proposed rule allows for the release of protected health information for research purposes without an individual’s authorization, but only for research that is supervised by an institutional research board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.

2. State Laws.

The second body of privacy protections is found in a myriad of State laws and requirements. To determine whether or not the proposed rule would preempt a State law, we first identified the relevant laws, and second, determined whether state or federal law provides individuals with greater privacy protection.

Identifying the relevant state statutes: Health privacy statutes can be found in laws applicable to many issues including insurance, worker’s compensation, public health, birth and death records, adoptions, education, and welfare. For example, Florida has over 60 laws that apply to protected health information. According to the Georgetown Privacy Project (6), Florida is not unique. Every State has laws and regulations covering some aspect of medical information privacy. In many cases, State laws were enacted to address a specific situation, such as the reporting of HIV/AIDS, or medical conditions that would impair a person’s ability to drive a car. Identifying every State statute, regulation, and court case that interprets statutes and regulations dealing with patient medical privacy rights is an important task but cannot be completed in this discussion. For the purpose of this analysis, we simply acknowledge the complexity of State requirements surrounding privacy issues.

Lastly, we recognize that the private sector will need to complete a State-by-State analysis to comply with the notice and administrative procedures portion of this proposed rule. This comparison should be completed in the context of individual markets; therefore it is more efficient for professional associations or individual businesses to complete this task.

Recognizing limits of our ability to effectively summarize State privacy laws and our difficulty in determining preemption at the outset, we discuss conclusions generated by the Georgetown University Privacy Project in Janlori Goldman’s report, The State of Health Privacy: An Uneven Terrain. We consider Georgetown’s report the best and most comprehensive examination of State privacy laws currently published. The report, which was completed in July 1999, is based on a 50-state survey. However, the author is quick to point out that this study is not exhaustive.

The following analysis of State privacy statutes and our attempt to compare State laws to the proposed rule is limited as a result of the large amount of State-specific data available. To facilitate discussion, we have organized the analysis into two sections: access to medical information and disclosure of medical information. Our analysis is intended to suggest areas where the proposed rule appears to preempt various State laws; it is not designed to be a definitive or wholly comprehensive State-by-State comparison.

Access to Subject’s Information: In general, State statutes provide individuals with access to their own medical records. However, only a few States allow individuals access to virtually all entities that hold health information. In 33 States, individuals may access their hospital and health facility records. Only 13 States guarantee individuals access to their HMO records, and 16 States provide individuals access to their medical information when it is held by insurers. Seven states have no statutory right of patient access; three States and the District of Columbia have laws that only assure individuals’ right to access their mental health records. Only one State permits individuals access to records held by providers, but it excludes pharmacists from the definition of provider. Thirteen States grant individuals statutory right of access to pharmacy records.

The amount that entities are allowed to charge for copying of individuals’ records varies widely from State to State. A study conducted by the American Health Information Management Association (7) found considerable variation in the amounts, structure, and combination of fees for search and retrieval, and the copying of the record.

In 35 States, there are laws or regulations that set a basis for charging individuals inspecting and copying fees. Charges vary not only by State, but also by whether the request is related to a worker’s compensation case or a patient-initiated request. Charges also vary according to the setting. For example, States differentiate most often between clinics and hospitals. Also, charges vary by the number of pages and whether the request is for X-rays or for standard medical information.

Of the 35 States with laws regulating inspection and copying charges, seven States either do not allow charges for retrieval of records or require that the entity provide the first copy free of charge. Some States may prohibit hospitals from charging patients a retrieval and copying fee, but allow clinics to do so. It is noteworthy that some States that do not permit charges for retrieval sometimes allow entities to charge per-page rates ranging between $0.50 and $0.75. In States that do allow a retrieval charge, the per-page charge is usually $0.25. Eleven states specify only that the record holder may charge “reasonable/actual costs.”

Of the States that allow entities to charge for record retrieval and copying, charges range from a flat amount of $1.00 to $20.00. Other States allow entities to charge varying rates depending on the amount of material copied. For example, an entity may charge $5.00 for the first five pages and then a fixed amount per page. In those cases, it appears that retrieval and copying costs were actually combined. The remaining States have a variety of cost structures: One State allows $0.25 per page plus postage plus a $15.00 retrieval charge. Another State allows a $1.00 charge per page for the first 25 pages and $0.25 for each page above 25 pages plus a $1.00 annual retrieval charge. A third state allows a $1.00 per page charge for the first 100 pages and $0.25 for each page thereafter.

According to the report by the Georgetown Privacy Project, among States that do grant access to patient records, the most common basis for denying individuals access is concern for the life and safety of the individual or others. This proposed rule considers the question of whether to deny patient access on the basis of concern for the individual’s life or safety, concluding that the benefits of patient access most often outweigh harm to the individual. This issue, which is discussed in greater detail in other sections, has been resolved in favor of promoting patient access.

The amount of time an entity is given to supply the individual with his or her record varies widely. Many States allow individuals to amend or correct inaccurate health information, especially information held by insurers. However, few States provide the right to insert a statement in the record challenging the covered entity’s information when the individual and entity disagree. (8)

Disclosure of Health Information: State laws vary widely with respect to disclosure of identifiable health information. Generally, States have applied restrictions on the disclosure of health information either to specific entities or to specific health conditions. Just two states place broad limits on disclosure of protected health information without regard for policies and procedures developed by covered entities. Most States require patient authorization before an entity may disclose health information, but as the Georgetown report points out, “In effect, the authorization may function more as a waiver of consent -- the patient may not have an opportunity to object to any disclosures.” (9)

It is also important to point out that none of the States appear to offer individuals the right to restrict disclosure of their protected health information for treatment. Thus, the provision of the proposed rule that allows patients to restrict disclosure of their protected information is not currently included in any State law. Because the ability to restrict disclosure currently is not a standard practice, the proposed rule would require entities to add these capabilities to their information systems.

State statutes often have exceptions to requiring authorization before disclosure. The most common exceptions are for purposes of treatment, payment, or auditing and quality assurance functions -- which are similar to the definition we have established for health care operations and are therefore not subject to prior authorization requirements under the proposed rule. Restrictions on re-disclosure of protected health information also vary widely from State to State. Some States restrict the re-disclosure of health information, and others do not. The Georgetown report cites State laws that require providers to adhere to professional codes of conduct and ethics with respect to disclosure and re-disclosure of protected health information. What is not clear is the degree to which individual information is improperly released or used in the absence of specific legal sanctions.

Most States have adopted specific measures to provide additional protections with regard to certain conditions or illnesses that have clear social or economic consequences. Although the Georgetown study does not indicate the number of States that have adopted disease-specific measures to protect information related to sensitive conditions and illnesses, the analysis seems to suggest that nearly all States have adopted some form of additional protection. The conditions and illnesses most commonly afforded added privacy protection are:

We have included a specific discussion of disclosures for research purposes because if an entity decides to disclose information for research purposes, it will incur costs that otherwise would be associated with other disclosures under this rule. Some States place restrictions on releasing condition-specific health information for research purposes, while others allow release of information for research without the patient’s authorization. States frequently require that researchers studying genetic diseases, HIV/AIDS, and other sexually transmitted diseases have different authorization and privacy controls than those used for other types of research. Some States require approval from an IRB or agreements that the data will be destroyed or identifiers removed at the earliest possible time. Another approach has been for States to require researchers to obtain sensitive, identifiable information from a State public health department. One State does not allow automatic release of protected health information for research purposes without notifying the subjects that their health information may be used in research and allowing them opportunity to object to the use of their information. (10)

Comparing State statutes to the proposed rule: A comparison of State privacy laws with the proposed rule highlights several of the proposed rule’s key implications:

3. Federal Laws.

The Privacy Act of 1974

Federal agencies will be required to comply with both the Privacy Act of 1974 (5 U.S.C. § 552a) and the HIPAA regulation. The Privacy Act provides Federal agencies with a framework and scheme for protecting privacy, and the HIPAA regulation will not alter that scheme. Basic organizational and management features, such as the provision of safeguards to protect the privacy of health information and training for employees -- which are required by this proposed rule -- already are required by the Privacy Act.

The proposed rule has been designed so that individuals will not have fewer rights than they have now under the Privacy Act. It may require that agencies obtain individual authorization for some disclosures that they now make without authorization under routine uses.

Private-sector organizations with contracts to conduct personal data handling activities for the Federal government are subject to the Privacy Act by virtue of performing a function on behalf of a Federal agency. They too will be required to comply with both rules in the same manner as Federal agencies.

Substance Abuse Confidentiality Statute

Organizations that operate specialized substance abuse treatment facilities and that either receive Federal assistance or are regulated by a Federal agency are subject to confidentiality rules established by Section 543 of the Public Health Service Act (42 U.S.C. § 290dd-2) and implementing regulations at 42 C.F.R. part 2.

These organizations will be subject both to that statute and to the HIPAA regulation. The proposed rule should have little practical effect on the disclosure policies of these organizations, because the patient confidentiality statute governing information about substance abuse is generally more restrictive than this proposed rule. These organizations will continue to be subject to current restrictions on their disclosures. The substance abuse confidentiality statute does not address patient access to records; the proposed privacy rule makes clear that patient access is allowed.

Federal agencies are subject to these requirements, and currently they administer their records under both these requirements and the Privacy Act. The Department of Veterans Affairs is subject to its own substance abuse confidentiality statute, which is identical in substance to the one of more general applicability. It also covers information about HIV infection and sickle cell anemia (38 U.S.C. § 7332).

Rules Regarding Protection of Human Subjects

Health care delivered by covered entities conducting clinical trials typically is subject to both the proposed rule and to Federal regulations for protection of human research subjects (The Federal Policy for the Protection of Human Subjects, codified for the Department of Health and Human Services in Title 45 C.F.R. part 46, and/or the Food and Drug Administration’s human subject regulations for research in support of medical product applications to the Food and Drug Administration, or regulated by that agency, at 21 C.F.R. parts 50 and 56).

Current human subjects rules impose no substantive restrictions on disclosure of patient information. Institutional review boards must consider the adequacy of confidentiality protections for subjects, and researchers must tell subjects to what extent their confidentiality will be protected. There should be no conflict between these requirements and the proposed rules. The proposed HIPAA regulation will expand on the current human subjects requirements by requiring a more detailed description of intended use of patient information. The proposed HIPAA rule also requires additional criteria for waiver of patient authorization.

Medicaid

States may use information they obtain in the process of administering Medicaid only for the purposes of administering the program, pursuant to a State plan condition in section 1902(a)(7) of the Social Security Act, 42 U.S.C. § 1396a(a)(7). The proposed HIPAA rule applies to State Medicaid programs, which under the rule are considered health plans. There will be no conflict in the substantive requirements of current rules and this proposed rule. Medicaid rules regarding disclosure of patient information are stricter than provisions of the proposed rule; therefore, Medicaid agencies simply will continue to follow the Medicaid rules.

ERISA

ERISA (29 U.S.C. 1002) was enacted in 1974 to regulate pension and welfare employee benefit plans that are established by private-sector employers, unions, or both, to provide benefits to their workers and dependents. An employee welfare benefit plan provides benefits -- through insurance or otherwise -- such as medical, surgical benefits, as well as benefits to cover accidents, disability, death, or unemployment. In 1996, HIPAA amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Many, although not all, ERISA plans are covered under the proposed rule as health plans. We believe that the proposed rule does not conflict with ERISA. Further discussion of ERISA can be found in the preamble for this proposed rule.

E. Costs.

Affected entities will be implementing the proposed privacy rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the administrative simplification standards in the Federal Register, Vol. 63, No. 88, May 7, 1998, page 25344, the data handling changes occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards implementations can be made concurrently with the changes required for the other standards, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this additional cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards were uncertain.

The costs associated with implementing the privacy standards will be directly related to the number of affected entities and the number of affected transactions in each entity. (12) We chose to use the SBA data in the RFA because we wanted our analysis to be as consistent with SBA definitions as possible, to give the greatest accuracy for RFA purposes. As described in the overall administrative simplification impact estimates (Tables 1 and 2, page 25344), about 20,000 health plans (excluding non-self administered employer plans) (13) and hundreds of thousands of providers face implementation costs. In the administrative simplification analysis, the costs of provider system upgrades were expected to be $3.6 billion over the period 1998-2002, and plan system cost upgrades were expected to be $2.2 billion. (In the aggregate, this $5.8 billion cost is expected to be more than completely offset by $7.3 billion in savings during the 5 year period analyzed.)

The relationship between the HIPAA security and privacy standards is particularly relevant. On August 12, 1998, the Secretary published a proposed rule to implement the HIPAA standards on security and electronic standards. That rule specified the security requirements for covered entities that transmit and store information specified in Part C, Title XI of the Act. In general, that rule would establish the administrative and technical standards for protecting “...any health information pertaining to an individual that is electronically maintained or transmitted.” (63 FR 43243). The security rule is intended to spell out the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that the protected health information is safe from destruction and tampering from people without authorization for its access.

By contrast, the privacy rule describes the policies and procedures that would govern the circumstances under which protected health information may be used and released with and without patient authorization and when a patient may have access to his or her protected medical information. This rule assumes that a covered entity will have in place the appropriate security apparatus to successfully carry out and enforce the provisions contained in the security rule.

Although the vast majority of health care entities are privately owned and operated, Federal, State, and local government providers are reflected in the total costs. (14) Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but represents a relatively small proportion of all provider entities. The number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately 2 percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. IHS and Tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In drafting the proposed rule the Department consulted with States, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the States and Tribes.

Estimating the costs associated with the privacy proposed rule involves, for each provision, consideration of both the degree to which covered entities must modify their records management systems and privacy policies under the proposed rule, and the extent to which there is a change in behavior of both patients and the covered entities as a result of the proposed rule. In the following sections we will examine these provisions as they would apply to the various covered entities as they undertake to comply with the proposed rule. The major costs that covered entities will incur are one time costs associated with implementation of the proposed rules, and ongoing costs that result from changes in behavior that both the covered entities and patients would make in response to the new proposed rules.

We have quantified the costs imposed by the proposed regulation to the extent that we had adequate data. In some areas, however, there was too little data to support quantitative estimates. As a result, the RIA does not include cost estimates for all of the requirements of the regulation. The areas for which explicit cost estimates have not been made are: the principle of minimum necessary disclosure; the requirement that entities monitor business partners with whom they share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; and additional requirements on research/optional disclosures that will be imposed by the regulation. The cost of some of these provisions may be significant, but it would be inaccurate to project costs for these requirements given the fact that several of these concepts are new to the industry.

The one time costs are primarily in the area of development and codification of procedures. Specific activities include: (1) analysis of the significance of the federal regulations on covered entity operation; (2) development and documentation of policies and procedures (including new ones or modification of existing ones); (3) dissemination of such policies and procedures both inside and outside the organization; (4) changing existing records management systems or developing new systems; and (5) training personnel on the new policies and system changes.

Covered entities will also incur ongoing costs. These are likely to be the result of

(1) increased numbers of patient requests for access and copying of their own records;

(2) the need for covered entities to obtain patient authorization for uses of protected information that had not previously required an authorization;

(3) increased patient interest in limiting payer and provider access to their records;

(4) dissemination and implementation both internally and externally of changes in privacy policies, procedures, and system changes; and

(5) training on the changes.

Compliance with the proposed rule will cost $3.8 billion over five years. These costs are in addition to the administrative simplification estimates. The cost of complying with the regulation represents 0.09 percent of projected national health expenditures the first year the regulation is enacted. The five year costs of the proposed regulation also represent 1.0 percent of the increase in health care costs experienced over the same five-year period. (15) Because of the uncertainty of the data currently available, the Department has made estimates on “low” and “high” range assumptions of the key variables. These estimates show a range of $1.8 to $6.3 billion over five years. It is important to note that these estimates do not include the areas for which we have made no cost estimates (discussed above).

Initial Costs

Privacy Policies and Procedures

With respect to the initial costs for covered entities, the expectation that most of the required HIPAA procedures will be implemented as a package suggests that additional costs for the privacy standards should be small. Since the requirements for developing formal processes and documentation of procedures mirror what will already have been required under the security regulations, the additional costs should be small. The expectation is that national and state associations will develop guidelines or general sets of processes and procedures and that these will generally be adopted by individual member entities. Relatively few providers or entities are expected to develop their own procedures independently or to modify significantly those developed by their associations. Our estimates are based on assumed costs for providers ranging from $300 to $3,000, with the weighted average being about $375. The range correlates to the size and complexity of the provider, and is a reasonable estimate of the cost of coordinating the policies and procedures outlined in the proposed regulation. With fewer than 1 million provider entities, the aggregate cost would be on the order of $300 million.

For plans, our estimate assumes that the legal review and development of written policies will be more costly because of the scope of their operations. They are often dealing with a large number of different providers and may be dealing with requirements from multiple states. Again, we expect associations to do much of the basic legal analysis, but plans are more likely to make individual adaptations. We believe this cost will range from $300 for smaller plans to $15,000 for the largest plans. Because there are very few large plans in relation to the number of small plans, the weighted average implementation cost will be about $3,050.

The total cost of development of policies and procedures for providers and plans is estimated to be $395 million over five years.

System Compliance Costs

With respect to revisions to electronic data systems, the specific refinements needed to fulfill the privacy obligations ought to be closely tied to the refinements needed for security obligations. The overall administrative simplification system upgrades (procedures, systems, and training) of $5.8 billion would certainly be disproportionately associated with the security standard, relative to the other 11 elements. If the security standard accounts for 15 percent of that total, it would represent about $900 million in system cost. If the marginal cost of the privacy elements is another 10 percent, then the additional cost would be $90 million.

Ongoing Costs

The recurrent costs may be more closely related to total numbers of persons with claims than to the number of covered entities. The number of individuals served by an entity will vary greatly. The number of persons with claims will give a closer approximation of how many people entities will have to interact with for various provisions.

Notice of Privacy Practices

No State laws or professional associations currently require entities to provide patients “notice” of their privacy policies. Thus, we expect that all entities will incur costs developing and disseminating privacy policy notices. Each entity will have a notice cost associated with each person to whom they provide services. Data from the 1996 Medical Expenditure Panel Survey show that there are approximately 200 million ambulatory care encounters per year, nearly 20 million persons with a hospital episode, 7 million with home-health episodes, and over 170 million with prescription drug use (350 million total). For the remaining four years of the five year period, we have estimated that, on average, a quarter of the remaining population will enter the system, and thus receive a notice. If we account for growth in the number of people who may enter the health care system over the five year period of our analysis, we estimate that approximately 543 million patients will be seen at least once by one or more types of providers.

The development cost for notices is estimated to cost $30 million over five years, though most of this is likely to occur the first year. The first year cost of providing notices to patients, customers and plan enrollees would be $106 million. The total five year cost of providing new and subsequent copies to all provider patients and customers would be approximately $209 million.

The notice obligations of insurers apply on initial enrollment, with updated notices at least every 3 years. However, given enrollment changes and the sophistication of automation, we believe many plans would find it cheaper and more efficient to provide annual notices.

The 1998 National Health Interview Survey (NHIS) from the Census Bureau shows about 174.1 million persons are covered by private health insurance, on an unduplicated basis. NHIS calculates that persons who are privately insured hold approximately 1.3 policies per person. Based on information provided by several plans, we believe most plans would provide an independent mailing the first year, but in subsequent years would provide notices as an inclusion in other mailings. The cost for this would be $0.75 over five years. If we account for these duplicate policies and assume that the cost of sending the notices to a policyholder is $0.75, the total cost to plans would be $231 million over five years. This includes both public and private plans.

We request comments regarding our cost estimates for development and distribution of notices.

The costs for more careful internal operation of covered entities to execute their formal privacy procedures are highly dependent on the extent to which current practice tracks the future procedures. Entities that already have strict data sharing and confidentiality procedures will incur minimal costs, since their activities need not change much. Entities that have not developed explicit health information privacy policies may be compelled to obtain patient authorization in situations where they did not previously. These changes will generate ongoing costs as well as initial costs. We solicit comment with respect to the way current costs differ from those projected by the requirements of the proposed privacy rule. An example of such an area is “the minimum necessary disclosure principle” - because of differing current practices, we do not have data that reliably indicate how much this provision will cost.

Inspection and Copying

The Georgetown report on State privacy laws indicates that 33 states currently give patients some right to access medical information. The most common right of access granted by State law is the right to inspect personal information held by physicians and hospitals. In the process of developing estimates for the cost of providing access and copying, we assumed that most providers currently have procedures for allowing patients to inspect and copy their own record. Thus, we expect that the economic impact of requiring entities to allow individuals to access and copy their records should be relatively small. Copying costs, including labor, should be a fraction of a dollar per page. We expect the cost to be passed on to the consumer.

There are few studies that address the cost of providing medical records to patients.

The most recent was a study in 1998 by the Tennessee Comptroller of the Treasury. It found an average cost of $9.96 per request, with an average of 31 pages per request. The total cost per page of providing copies was $0.32 per page. This study was performed on hospitals only. The cost per request may be lower for other types of providers, since those seeking hospital records are more likely to be sick and have more complicated records than those in a primary care or other type of office. An earlier report showed much higher costs than the Tennessee study. In 1992, Rose Dunn published a report based on her experience as a manager of medical records. She estimated a 10 page request would cost $5.32 in labor costs only, equaling a labor cost per page of $0.53. However, this estimate appears to reflect costs before computerization. The expected time spent per search was 30.6 minutes; 85 percent of this time could be significantly reduced with computerization (this includes time taken for file retrieval, photocopying, and re-filing; file retrieval is the only time cost that would remain under computerization). For subsequent estimates, we will use the Tennessee experience.

The proposed regulation states that entities may charge patients a reasonable fee to inspect and copy their health information. For this reason, we expect the cost of inspecting and copying an individual medical record to be passed on to consumers who request the service. Nonetheless, it is important to provide an estimate of the potential costs associated with inspection and copying. We assume that 1.5 percent of patients will request access to inspect and copy their medical record, and that the cost of accessing and copying a record is approximately $10 (as cited in the Tennessee study). The cost of inspection and copying is $81 million a year, or $405 million over five years. This cost is likely to be borne entirely by the consumer.

Amendment and Correction

We have assumed that many providers make provisions to help patients expedite amendment and correction of their medical record where appropriate. However, as with inspection and copying, the right to request amendment and correction of an individual’s medical record is not guaranteed by all States. Based on these assumptions and our cost analysis, we conclude that the principal economic effect of the proposed rule would be to expand the right to request amendment and correction to plans and providers that are not covered by state laws or codes of conduct. In addition, we expect that the proposed rule may draw additional attention to the issue of record inaccuracies and stimulate patient demand for access, amendment, and correction of medical records.

Our cost calculations assume that persons who request an opportunity to amend or correct their record have already obtained a copy of their medical record. Therefore, the administrative cost of amending and correcting the patient’s record is completely separate from inspection and copying costs. In this section we have only addressed the cost of disputing a factual statement within the patient record, and do not calculate the cost of appeals or third party review.

Administrative review of factual statements contained within a patient’s record may be expensive. Most errors may be of a nature that a clerk or nurse can correct (e.g., the date of a procedure is incorrect) but some may require physician review. Thus, we have estimated that the average cost of amending and correcting a patient record may be $75 per instance.

If amendment and correction requests are associated with two-thirds of requests for inspection and copying, and the cost of correcting (or noting the patient’s request for correction) is $75, the total cost of amending and correcting patient records will be $407 million annually, or $2 billion over five years. Comments on our estimate of amendment and correction costs would be helpful, particularly if they speak to current amendment and correction costs or frequency in the health care industry.

Reconstructing a history of disclosures (other than for treatment and payment)

To our knowledge, no current State law or professional code requires providers and plans to maintain the capability to reconstruct a patient’s health information history. Therefore, the requirement in this rule to be able to reconstruct the disclosure history of protected health information is completely new. Although it is likely that some providers and plans have already developed this capability, we assume that all providers and plans would be required to invest in developing the capacity to generate disclosure histories.

With respect to reconstruction of disclosure history, two sets of costs would exist. On electronic records, fields for disclosure reason, information recipient, and date would have to be built into the data system. The fixed cost of designing the system to include this would be a component of the $90 million additional costs discussed earlier. The ongoing cost would be the data entry time, which should be at de minimis levels. Comments would again be especially useful with respect to the extent to which recording the additional information goes beyond current practice.

Authorizations

Although many States have laws that require entities to obtain patient authorization before releasing individually identified health information to payers and other third parties, many of the authorization requirements either allow for blanket authorizations that deprive the patient of meaningful control over the release of their health information, or the authorization statutes are less stringent than the provisions of the proposed rule. Therefore, for purposes of estimating the economic impact of the NPRM, we are assuming that all providers and plans will have to develop new procedures to conform to the proposed rule.

Written patient authorization requirements will generate costs, to the extent covered entities are currently releasing information in the targeted circumstances without specific authority. Collecting such authorization should have costs on the order of those associated with providing access to records (not on a per page basis). The frequency of such collections is unknown. Since the requirement does not apply to treatment and payment, assuming 1 percent of the 543 million encounters over five years might be reasonable. At a cost of about $10 each, the aggregate cost would be about $54 million annually, or $271 million over five years. Comments would be especially useful from entities currently following such procedures.

Training

The ongoing costs associated with paperwork and training are likely to be minimal. Because training happens as a regular business practice, and employee certification connected to this training is also the norm, we estimate that the marginal cost of paperwork and training is likely to be small. We assume a cost of approximately $20 per provider office, and approximately $60-100 for health plans and hospitals. Thus, we estimate that the total cost of paperwork and training will be $22 million a year.

Conclusion

Overall, the five-year costs beyond those already shown in the administrative simplification estimates would be about $3.8 billion over five years, with an estimated range of $1.8 to $6.3 billion. Table 2 shows the components described above. The largest cost item is for amendment and correction, which is over half of the estimated total cost of the regulation. Inspection and copying, at $405 million over five years, and issuance of notices by providers and plans, at $439 million over five years, are the second biggest components. The one-time costs of development of policies and procedures by providers would represent approximately 10 percent of the total cost, or $333 million. Plans and clearinghouses would have a substantially smaller cost, about $62 million. Other systems changes are expected to cost about $90 million over the period. Finally, the estimates do not consider all of the costs imposed by the regulation.

Table 2. The Cost of Complying with the Proposed Privacy Regulation, in Dollars

Provision | Initial or First Year Cost (2000) | Annual Cost after the First Year | Five Year (2000-2004) Cost
Development of Policies and Procedures - Providers (totaling 871,294) | $333,000,000 | | $333,000,000
Development of Policies and Procedures - Plans (totaling 18,225) | $62,000,000 | | $62,000,000
System Changes - All Entities | $90,000,000 | | $90,000,000
Notice Development Cost - All Entities | $20,000,000 | | $30,000,000
Notice Issuance - Providers | $59,730,000 | $37,152,000 | $208,340,000
Notice Issuance - Plans | $46,200,000 | $46,200,000 | $231,000,000
Inspection/Copying | $81,000,000 | $81,000,000 | $405,000,000
Amendment/Correction | $407,000,000 | $407,000,000 | $2,035,000,000
Written Authorization | $54,300,000 | $54,300,000 | $271,500,000
Paperwork/Training | $22,000,000 | $22,000,000 | $110,000,000
Other Costs* | N/E** | N/E | N/E
Total | $1,165,230,000 | $647,652,000 | $3,775,840,000

*Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation.

**N/E = “Not estimated”

Costs to the Federal Government

The proposed rule will have a cost impact on various federal agencies that administer programs that require the use of individual health information. Federal agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual’s expressed authorization, will likely incur some costs complying with provisions of this rule. A sample of federal agencies encompassed by the broad scope of this rule includes the Department of Health and Human Services, the Department of Defense, the Department of Veterans Affairs, the Department of State, and the Social Security Administration.

The federal costs of complying with the regulation are included in the estimates of total costs. The greatest cost and administrative burden on the federal government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicare, Medicaid, Children’s Health Insurance and Indian Health Service programs at the Department of Health and Human Services; the CHAMPVA health program at the Department of Veterans Affairs; and the TRICARE health program at the Department of Defense. These and other health insurance or provider programs operated by the federal government are subject to requirements placed on covered entities under this proposed rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these federal programs already afford privacy protections for individual health information through the Privacy Act, this rule is expected to create additional requirements beyond those covered by existing Privacy Act rule. Further, we anticipate that most federal health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule.

The cost to federal programs that function as health plans will be generally the same as those for the private sector. The primary difference is the expectation that systems compliance costs may be higher due to the additional burden of compliance and oversight costs.

A unique cost to the federal government will be in the area of enforcement. The Office of Civil Rights (OCR), located at the Department of Health and Human Services, has the primary responsibility to monitor and audit covered entities. OCR will monitor and audit covered entities in both the private and government sectors, will ensure compliance with requirements of this rule, and will investigate complaints from individuals alleging violations of their privacy rights. In addition, OCR will be required to recommend penalties and other remedies as part of their enforcement activities. These responsibilities represent an expanded role for OCR. Beyond OCR, the enforcement provisions of this rule will have additional costs to the federal government through increased litigation, appeals, and inspector general oversight.

Examples of other unique costs to the federal government include such activities as public health surveillance at the Centers for Disease Control and Prevention, health research projects at the Agency for Health Care Policy and Research, clinical trials at the National Institutes of Health, and law enforcement investigations and prosecutions by the Federal Bureau of Investigation. For these and other activities, federal agencies will incur some costs to ensure that protected health information is handled and tracked in ways that comply with the requirements of this title. A preliminary analysis of these activities suggests that the federal cost will be on the order of $31 million. We are currently in the process of refining these estimates and will include better information on them in the final rule.

Costs to State Governments

The proposed rule will also have a cost effect on various state agencies that administer programs that require the use of individual health information. State agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual’s expressed authorization, will likely incur some costs complying with provisions of this rule. Examples of state agencies encompassed by the broad scope of this rule include the Medicaid and Children’s Health Insurance programs at the Department of Health and Human Services.

We have included state costs in the estimation of total costs. The greatest cost and administrative burden on the state government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicaid and Children’s Health Insurance programs at the Department of Health and Human Services. These and other health insurance or provider programs operated by state government are subject to requirements placed on covered entities under this proposed rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these state programs already afford privacy protections for individual health information through the Privacy Act, this rule is expected to create additional requirements beyond those covered by existing Privacy Act rules. Further, we anticipate that most state health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule.

The cost to state programs that function as health plans will be different than the private sector, much as the federal costs vary from private plans. A preliminary analysis suggests that state costs will be on the order of $90 million over five years. We will refine the estimates for the state government costs for enforcement, research and other distinct state government functions in the final rule. We welcome comment by state and local governments which will help the Department improve its analysis on these state costs.

F. Benefits.

As we have discussed in the preamble, there are important societal benefits associated with improving health information privacy. Confidentiality is a key component of trust between patients and providers, and some studies indicate that a lack of privacy may deter patients from obtaining preventive care and treatment (16). For these reasons, traditional approaches to estimating the value of a commodity cannot fully capture the value of personal privacy. It may be difficult for individuals to assign value to privacy protection because most individuals view personal privacy as a right. Because we promote the view that privacy protection is an important personal right, the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of proposed regulation, and these benefits, alone, suggest that the regulation is warranted. Added to these benefits is the intangible value of privacy, the personal security that we may feel when our records are confidential, which is very real and very significant but for which there is no economic value or proxy.

There are a number of ways to discuss the expected benefits of this proposed regulation. The first option is to discuss the benefits qualitatively. We believe that this is necessary to give the reader a basic understanding of how this proposed regulation will benefit society. The second option that we have used is to quantify the benefits of the proposed rule as they would apply to a few illness categories that may be particularly responsive to privacy concerns. This quantitative discussion is meant to be illustrative of the benefits rather than a comprehensive accounting of all of the benefits of the proposed rule. The combination of the two approaches clearly illustrates that the benefits of the regulation are significant in relation to the economic costs.

Before beginning our discussion of the benefits, it is important to create a framework for how the costs and benefits may be viewed in terms of individuals rather than societal aggregates. We have estimated the value an insured individual would need to place on increased privacy to make the proposed Privacy regulation a net benefit to those who receive health insurance. Our estimates are derived from data produced by the 1998 Current Population Survey from the Census Bureau, and report that 220 million persons are covered by either private or public health insurance. Joining the Census Bureau data with cost assumptions calculated in Section E, we have estimated the cost of the proposed regulation is $3.41 per insured individual. If we assume that individuals who use the health care system will be willing to pay more than $3.41 per year (or approximately $0.28 per month) to improve health information privacy, the benefits of the proposed regulation will outweigh the cost.

This is a conservative estimate of the number of people who will benefit from the regulation because it assumes that only those individuals who have health insurance will use medical services or benefit from the provisions of the proposed regulation. Currently, there are 44 million Americans who do not have any form of health care insurance. In addition, the estimates do not include those who pay for medical care directly, without any insurance or government support. By lowering the number of users in the system, we have inflated our estimate of the per-person cost of the regulation, therefore, we assume that our estimate represents the highest cost to an individual.

An alternative approach to determining how people would have to value increased privacy for this regulation to be beneficial is to look at the costs divided by the number of encounters with health care professionals annually. Data from the Medical Expenditure Panel Survey (MEPS) produced by the Agency for Health Care Policy Research (AHCPR) report approximately 1.62 billion health care visits, or encounters, annually (e.g., office visits, hospital and nursing home stays, etc.). As with our calculation of average annual cost per insured patient, we have divided the total cost of complying with the regulation ($751 million per year) by the total annual number of health care encounters. The cost of instituting the requirements of the proposed regulation is $0.46 per health care encounter. If we assume that individuals would be willing to pay more than $0.46 per health care encounter to improve health information privacy, the benefits of the proposed regulation will outweigh the cost.

Qualitative Discussion

A well designed privacy standard can be expected to build confidence among the public about the confidentiality of their medical records. The seriousness of public concerns about privacy in general is shown in the 1994 Equifax-Harris Consumer Privacy Survey, where “84 percent of Americans are either very or somewhat concerned about threats to their personal privacy.” (17) A 1999 report, “Promoting Health and Protecting Privacy,” notes “...many people fear their personal health information will be used against them: to deny insurance, employment, and housing, or to expose them to unwanted judgements and scrutiny.” (18) These concerns would be partly allayed by the privacy standard. Further, increased confidence will increase the likelihood of some people seeking treatment for particular classes of disease. It will also change the dynamic of current payments. Insured patients currently paying out-of-pocket for confidentiality reasons will be more likely to file with their insurer. The increased utilization that would result from increased confidence in privacy could be beneficial under many circumstances. For many medical conditions, early treatment can lead to lower costs.

Fear of disclosure of treatment is an impediment to health care for many Americans. In the 1993 Harris-Equifax Health Information Privacy Survey, 7 percent of respondents said they or a member of their immediate family had chosen not to seek medical services due to fear of harm to job prospects or other life opportunities. About 2 percent reported having chosen not to file an insurance claim because of concerns with privacy or confidentiality. (19) Increased confidence on the part of patients that their privacy would be protected would lead to increased treatment among people who delay or never begin care, as well as among people who receive treatment but pay directly (to the extent that the ability to use their insurance benefits will reduce cost barriers to more complete treatment).

The following are four examples of areas where increased confidence in privacy would have significant benefits. They were chosen both because they are representative of widespread and serious health problems, and because they are areas where reliable and relatively complete data are available for this kind of analysis. The logic of the analysis, however, applies to any health condition. Even for relatively minor conditions, an individual still might be concerned with maintaining privacy, and even a person with no significant health problems is going to value privacy because of the possibility at some time they will have a condition that they want to keep private.

Cancer

The societal burden of disease imposed by cancer is indisputable. Cancer is the second leading cause of death in the US (20), exceeded only by heart disease. In 1999, 1.38 million new cancer cases will be diagnosed, as well as 900,000 new basal and squamous skin cell cancers. (21) The National Cancer Institute estimates that the overall cost of cancer is $104 billion; $35 billion in direct medical cost, $12 billion for morbidity costs (cost of lost productivity) and $57 billion for mortality costs. (22)

Among the most important elements in the fight against cancer are screening, early detection and treatment of the disease. However, many patients are concerned that some screening procedures will make them vulnerable to discrimination by insurers or employers. These privacy concerns have been cited as a reason patients do not seek early treatment for diseases such as cancer. As a result of forgoing early screening, cancer patients may ultimately face a more severe illness. For example, half of new diagnoses occur among types of cancer for which screening is available. Based on this research, studies show that if Americans participated in regular cancer screening, the rate of survival among patients who have screening-accessible cancers could increase to 95 percent. (23)

Approximately 184,300 women will be diagnosed with breast cancer this year (24), and 25,000 women will be diagnosed with ovarian cancer (25). In the same year, almost 44,000 women will die of breast cancer, (26) and 14,500 will die from ovarian cancer. (27) Early detection of these cancers could have a significant impact on reducing loss due to disability and death. For example, only 24 percent of ovarian cancers are diagnosed in the early stages. Of these, approximately 90 percent of patients survive treatment. The survival rate of women who detect breast cancer early is similarly high; more than 90 percent of women who detect and treat breast cancer in its early stages will survive. (28)

Researchers have developed screening techniques to identify breast, ovarian, and colon cancers, and tests have been developed to identify the presence or absence of cellular abnormalities that may lead to cancer. Despite these technological advances, the principle of patient autonomy requires that patients must decide for themselves if they will submit to screening procedures. Many individuals fear that employers and insurers will use cancer screening to discriminate against them. Several studies illustrate that persons with and without cancer fear discrimination. Thus, despite the potential benefits that early identification of cancer may yield, many researchers find that patient concerns regarding the confidentiality of cancer screening may prevent them from requesting the test, and result in disability or loss of life.

HIV/AIDS

Early detection is essential for the health and survival of an HIV (Human Immunodeficiency Virus) positive person. Concerns about the confidentiality of HIV status may prevent some people from getting tested. For this reason, each state has passed some sort of legislation regarding the confidentiality of HIV status. However, HIV status can be revealed indirectly through disclosure of HAART (Highly Active Anti-Retroviral Therapy) or similar HIV treatment drug use. In addition, since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often the only specially protected condition, “blacked out” information on medical charts could indicate HIV positive status. (29) Strengthening privacy protections beyond this disease could increase confidence in privacy regarding HIV as well. Drug therapy for HIV positive persons has proven to be a life-extending, cost-effective tool. (30) A 1998 study showed that beginning treatment with HAART in the early asymptomatic stage is more cost-effective than beginning it late. After five years, only 15 percent of patients with early treatment are estimated to develop an ADE (AIDS-defining event), whereas 29 percent would if treatment began later. Early treatment with HAART prolongs survival (adjusted for quality of life) by 6.2 percent. The overall cost-effectiveness of early HAART treatment is estimated at $23,700 per quality-adjusted year of life saved. (31)

Other Sexually Transmitted Diseases

It is difficult to know how many people are avoiding testing for STDs despite having a sexually transmitted disease. A 1998 study by the Kaiser Family Foundation found that the incidence of disease was 15.3 million in 1996, though there is great uncertainty due to under-reporting. (32) For a potentially embarrassing disease such as an STD, seeking treatment requires trust in both the provider and the health care system for confidentiality. Greater trust should lead to more testing and greater levels of treatment. Earlier treatment for curable STDs can mean a decrease in morbidity and the costs associated with complications. These include expensive fertility problems, fetal blindness, ectopic pregnancies, and other reproductive complications. (33) In addition, there could be greater overall savings if earlier treatment translates into reduced spread of infections.

Substance Abuse and Mental Health Treatment

When individuals have a better understanding of the privacy practices that we are requiring in this proposed rule, some will be less reluctant to seek substance abuse and mental health treatment. One way that individuals will receive this information is through the notice requirement. Increased use of mental health services would be expected to be beneficial to the persons receiving the care, to their families, and to society at large. The individual direct benefit from treatment would include an improved quality of life, reduced disability associated with the mental conditions, and a reduced mortality rate. The benefit to families would include quality of life improvements and reduced medical costs for other family members associated with abusive behavior by the treated individual. The benefit to society would include reduced costs of crime and reduced future public program treatment costs.

The 1998 Substance Abuse and Mental Health Statistics Source Book from SAMHSA reports cost-of-disease estimates from a range of studies, suggesting several hundred billion dollars of non-treatment costs associated with alcohol, drug, and mental (ADM) disorders. As an example of the magnitude of costs associated with mental health treatment, a 1997 National Institutes of Health report suggests that the total economic cost of mental health disorders such as anxiety, depressive (mood) disorders, eating disorders, and schizophrenia is approximately $115.5 billion annually (34). Evidence suggests that appropriate treatment of mental health disorders can result in 50-80 percent of individuals experiencing improvements in these types of conditions. Improvements in patient functioning and reduced hospital stays could result in hundreds of millions of dollars in cost savings annually.

The potential additional economic benefits associated with improving patient confidentiality and thus encouraging some unknown portion of individuals to either seek initial mental health treatment or increase service use are difficult to quantify well. Nevertheless, one can lay out a range of possible benefit levels to illustrate the possibility of cost savings associated with an expansion of mental health treatment to individuals who, due to protections offered by the privacy regulation, might seek mental health treatment that they otherwise would not have absent this regulation. This can be illustrated by drawing upon existing data on both the economic costs of mental illness and the treatment effectiveness of mental health interventions.

Although figures on the number of individuals who avoid mental health treatment due to privacy concerns do not exist, some indirect evidence is available. The 1993 Harris-Equifax Health Information Privacy Survey (noted earlier) found that 7 percent of respondents reported that they or a member of their immediate family had chosen not to seek services for a physical or mental health condition due to fear of harm to job prospects or other life opportunities. It should be noted that this survey is somewhat dated and represents only one estimate. Moreover, given the wording of the question, there may be reasons aside from privacy concerns that led these individuals to respond affirmatively.

For the purpose of an illustration, however, assumptions can be made about what proportion of the 7 percent responding affirmatively to this question may have avoided seeking mental health services due to privacy concerns. Given the proportion of total health care services in this country that mental health services comprise, a reasonable upper limit of the number of individuals avoiding mental health treatment due to privacy concerns might be 1.8 percent (i.e., 25% of 7%), while a reasonable lower limit might be 0.36 percent (i.e., 5% of 7%). Taking these figures as upper and lower limits, it is possible to estimate potential benefits by multiplying these figures by the annual economic cost reductions associated with treatment effectiveness rates. For example, using the upper limit of 1.8 percent, multiplying this by the annual economic costs of mental illness ($115.5 billion) and a treatment effectiveness rate of 80 percent yields an estimate of potential annual benefits of $1,663,200,000. Similarly, using the upper limit of 1.8 percent coupled with a treatment effectiveness rate of 50 percent yields an estimate of potential annual benefits of $1,039,500,000. Assuming a lower limit of 0.36 percent more individuals seeking mental health treatment due to enhanced privacy protections, coupled with a treatment effectiveness rate of 80 percent, yields an estimate of potential annual benefits of $332,640,000. Similarly, using the lower limit of 0.36 percent coupled with a treatment effectiveness rate of 50 percent yields an estimate of potential annual benefits of $207,900,000.

Therefore, given the existing data on the annual economic costs of mental illness and the rates of treatment effectiveness for these disorders, coupled with assumptions regarding the percentage of individuals who might seek mental health treatment under conditions of greater privacy protections, the potential additional economic benefit in this one treatment area could range from approximately $208 million to $1.67 billion annually.

Table 3. Potential Benefits of the Proposed Privacy Regulation from Cost Savings Due to Early Treatment of Mental Health Disorders

Illness                                   Total Annual Economic Cost    Percent Net Cost Reduction
                                          of Illness (in billions)      if Additional Care is Received
Mental Health – Anxiety Disorders         $46.6                         70-90%
Mental Health – Depressive (Mood) Disorders  $30.4                      60-80%
Mental Health – Eating Disorders          $6.0                          40-60%
Mental Health – Schizophrenia             $32.5                         60-85%
Total                                     $115.5                        N/A

G. Examination of Alternative Approaches.

1. Creation of de-identified information. (§ 164.506(d))

We considered defining “individually identifiable health information” as any information that is not anonymous, that is, for which there is any possibility of identifying the subject. We rejected this option, for several reasons. First, the statute suggests a different approach. The term “individually identifiable health information” is defined in HIPAA as health information that:

... identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

By including the modifier “reasonable basis,” Congress appears to reject the absolute approach to defining “identifiable.” Covered entities would not always have the statistical sophistication to know with certainty when sufficient identifying information has been removed so that the record is no longer identifiable. We believe that covered entities need more concrete guidance as to when information will and will not be “identifiable” for purposes of this regulation.

Defining non-identifiable to mean anonymous would require covered entities to comply with the terms of this regulation with respect to information for which the probability of identification of the subject is very low. We want to encourage covered entities and others to remove obvious identifiers or encrypt them whenever possible; use of the absolute definition of “identifiable” would not promote this salutary result.

For these reasons, we propose at § 164.506(d)(2)(ii) that there be a presumption that, if specified identifying information is removed and if the holder has no reason to believe that the remaining information can be used by the reasonably anticipated recipients alone or in combination with other information to identify an individual, then the covered entity would be presumed to have created de-identified information.

At the same time, in proposed § 164.506(d)(2)(iii), we are leaving leeway for more sophisticated data users to take a different approach. We are including a “reasonableness” standard so that entities with sufficient statistical experience and expertise could remove or code a different combination of information, so long as the result is still a low probability of identification. With this approach, our intent is to provide certainty for most covered entities, while not limiting the options of more sophisticated data users.

In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. See proposed § 164.506(d)(1). This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information.
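The mechanics described above, that is, removing specified identifiers, standing a coded identifier in for the patient, and keeping the re-identification key apart from the released data so that only the holder can link records back, can be shown in code. The following is an added illustration, not part of the proposed rule or any covered entity's system; the list of identifier fields, the field names, the records and the key are constructed for the example, and the rule's own list of "specified identifying information" is not reproduced here.

```python
import hmac
import hashlib
from typing import Dict, Iterable, List, Tuple

# Assumed set of direct identifiers to strip. The proposed rule refers to
# "specified identifying information"; this list is an illustration only.
DIRECT_IDENTIFIERS = frozenset(
    {"name", "address", "phone", "email", "ssn", "mrn", "date_of_birth"}
)

# Constructed sample records: two encounters for one patient, one for another.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"mrn": "MRN-0001", "name": "Jane Doe", "date_of_birth": "1961-04-02",
     "phone": "555-0100", "visit_year": "1999", "diagnosis": "E11.9"},
    {"mrn": "MRN-0001", "name": "Jane Doe", "date_of_birth": "1961-04-02",
     "phone": "555-0100", "visit_year": "1999", "diagnosis": "I10"},
    {"mrn": "MRN-0002", "name": "John Roe", "date_of_birth": "1975-09-17",
     "email": "jroe@example.invalid", "visit_year": "1999", "diagnosis": "J45"},
]


def coded_identifier(key: bytes, mrn: str) -> str:
    """Keyed one-way code that stands in for the patient's identity.

    Records of the same patient share a code, so the released data stays
    linkable for analysis, but without `key` the code cannot be reversed and
    a different key produces unrelated codes for the same patient."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record: Dict[str, str], key: bytes,
               reid_table: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `record` with direct identifiers removed and a coded
    identifier added. The code -> MRN mapping goes into `reid_table`, the
    "key or other mechanism" the covered entity must not release."""
    code = coded_identifier(key, record["mrn"])
    reid_table[code] = record["mrn"]
    released = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    released["code"] = code
    return released


def build_release(records: Iterable[Dict[str, str]],
                  key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """De-identify a batch; the released list and the re-identification table
    are returned separately so the caller keeps them in separate places."""
    reid_table: Dict[str, str] = {}
    released = [deidentify(r, key, reid_table) for r in records]
    return released, reid_table


def is_presumed_deidentified(record: Dict[str, str],
                             identifiers: Iterable[str] = DIRECT_IDENTIFIERS) -> bool:
    """First half of the presumption: none of the specified identifying fields
    remain. The second half (no reason to believe the remainder can be linked
    back by the anticipated recipients) is a judgment the holder still makes."""
    return not any(field in record for field in identifiers)


def reidentify(released: Dict[str, str], reid_table: Dict[str, str]) -> str:
    """Re-identification works only for whoever holds the separate table."""
    return reid_table[released["code"]]


if __name__ == "__main__":
    key = b"constructed-secret-key"  # assumption: kept by the covered entity only
    out, table = build_release(SAMPLE_RECORDS, key)
    for row in out:
        print(row)
    print("all presumed de-identified:", all(is_presumed_deidentified(r) for r in out))
```

Note that the released rows remain linkable to one another through the shared code; that is the intended property of coded identifiers, and it is also why the holder must still judge whether the remaining fields, taken together, could be matched to outside data by the recipients.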

We invite comment on the approach that we are proposing and on whether alternative approaches to standards for entities determining when health information can reasonably be considered no longer individually identifiable should be considered.

2. General rules. (§ 164.506)

As a general rule, we are proposing that protected health information not be used or disclosed by covered entities except as authorized by the individual who is the subject of such information or as explicitly provided in this rule. Under this proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. Covered entities would be able to use or disclose an individual’s protected health information without authorization for treatment, payment and health care operations. See proposed § 164.506(a)(1)(i). Covered entities also would be permitted to use or disclose an individual’s protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. Covered entities would be permitted by this rule to use and disclose protected health information when required to do so by other law, such as a mandatory reporting requirement under State law or pursuant to a search warrant. See proposed § 164.510. Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them (see proposed § 164.514) and for enforcement of this rule (see proposed § 164.522(d)).

Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be a business decision that each entity would have to make. This permits the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.

Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)), whereas at a large health plan the privacy official may constitute a full time position and have the regular support and advice of a privacy staff or board.

In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.

3. Use and disclosure for treatment, payment, and health care operations. (§ 164.506(a))

We are proposing that, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment discussed below, a covered entity be permitted to use or disclose protected health information without individual authorization for treatment, payment or health care operations.

We are not proposing to require individual authorizations of uses and disclosures for health care and related purposes, although such authorizations are routinely gathered today as a condition of obtaining health care or enrolling in a health plan. Although many current disclosures of health information are made pursuant to individual authorizations, these authorizations provide individuals with little actual control over their health information. When an individual is required to sign a blanket authorization at the point of receiving care or enrolling for coverage, that consent is often not voluntary because the individual must sign the form as a condition of treatment or payment for treatment. Individuals are also often asked to sign broad authorizations but are provided little or no information about how their health information would be or will in fact be used. Individuals cannot make a truly informed decision without knowing all the possible uses, disclosures and re-disclosures to which their information will be subject. In addition, since the authorization usually precedes creation of the record, the individual cannot predict all the information the record could contain and therefore cannot make an informed decision as to what would be released.

Our proposal is intended to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care. For individuals, health care treatment and payment are the core functions of the health care system. This is what they expect their health information will be used for when they seek medical care and present their proof of insurance to the provider. Consistent with this expectation, we considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health care system. For example, a requirement for separate patient authorization for each routine referral could impair care, by delaying consultation and referral as well as payment.

We therefore propose that covered entities be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. For example, providers could maintain and refer to a medical record, disclose information to other providers or persons as necessary for consultation about diagnosis or treatment, and disclose information as part of referrals to other providers. Providers also could use a patient’s protected health information for payment purposes such as submitting a claim to a payer. In addition, providers could use a patient’s protected health information for health care operations, such as use for an internal quality oversight review. We would note that, in the case of an individual where the provider has agreed to restrictions on use or disclosure of the patient’s protected health information, the provider would be bound by such restrictions as provided in § 164.506(c).

We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law. As discussed above in section II.C, such authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.

The general approach that we are proposing is not new. Some existing State health confidentiality laws permit disclosures without individual authorization to other health care providers treating the individual, and the Uniform Health-Care Information Act permits disclosure “to a person who is providing health-care to the patient” (9 Part I, U.L.A. 475, 2-104 (1988 and Supp. 1998)). We believe that this approach would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system. We recognize, however, that particularly given the limited scope of the authority that we have under this proposed rule to reach some significant actors in the health care system, that other approaches could be of interest. We invite comments on whether other approaches to protecting individuals’ health information would be more effective.

4. Minimum necessary use and disclosure. (§ 164.506(b))

We propose that, except as discussed below, a covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure, taking into consideration technological limitations.

Under this proposal, covered entities generally would be required to establish policies and procedures to limit the amount of protected health care information used or disclosed to the minimum amount necessary to meet the purpose of the use or disclosure, and to limit access to protected health information only to those people who need access to the information to accomplish the use or disclosure. With respect to use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used inappropriately. The same principle applies to disclosures.

A “minimum necessary” determination would need to be consistent with and directly related to the purpose of the use or disclosure and take into consideration the ability of a covered entity to delimit the amount of information used or disclosed and the relative burden imposed on the entity. The proposed minimum necessary requirement is based on a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use and disclosure of protected health information as provided in this section.

In our discussions of the minimum necessary requirement, we considered whether or not this should apply to all entities and whether or not it should be applied to all protected health information. We decided that the principle of minimum necessary disclosure is critical to the protection of privacy and that because small entities represent 83 percent of the health care industry, we would not exempt them from this provision without undermining its effectiveness.

We understand that the requirements outlined in this section do not create a bright line test for determining the minimum necessary amount of protected health information appropriate for most uses or disclosures. Because of this lack of precision, we considered eliminating the requirement altogether. We also considered merely requiring covered entities to address the concept within their internal privacy procedures, with no further guidance as to how each covered entity would address the issue. These approaches were rejected because minimizing both the amount of protected health information used and disclosed within the health care system and the number of persons who have access to such information is vital if we are to successfully enhance the confidentiality of people’s personal health information. We invite comments on the approach that we have adopted and on alternative methods of implementing the minimum necessary principle.
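The minimum necessary principle as laid out in this section has a direct counterpart in how a covered entity's systems release fields: for each purpose of use or disclosure, a policy names the fields judged necessary, and components of the entity are only able to invoke the purposes that belong to their function. The following is an added illustration of that structure, not code from the proposed rule or from any covered entity; the purposes, field names, component names and the sample record are assumptions constructed for the example, and which fields count as "minimum necessary" for a given purpose is the business decision the text leaves to each entity.

```python
from typing import Dict, FrozenSet, List

# Constructed example policy: fields judged minimum necessary per purpose.
# These assignments are assumptions for illustration, not the rule's text.
MINIMUM_NECESSARY_POLICY: Dict[str, FrozenSet[str]] = {
    "treatment": frozenset({"mrn", "name", "date_of_birth", "diagnosis",
                            "medications", "allergies", "clinical_notes"}),
    "payment": frozenset({"mrn", "name", "date_of_birth", "insurer_id",
                          "diagnosis_code", "procedure_code", "service_date",
                          "charge"}),
    # An internal quality review sees what happened, not who it happened to.
    "health_care_operations": frozenset({"diagnosis_code", "procedure_code",
                                         "service_date", "outcome"}),
}

# Constructed barriers between components of one entity: each component may
# only request purposes tied to its function (assumed component names).
COMPONENT_PURPOSES: Dict[str, FrozenSet[str]] = {
    "clinic": frozenset({"treatment"}),
    "billing": frozenset({"payment"}),
    "quality_review": frozenset({"health_care_operations"}),
}

# Constructed sample record covering both clinical and billing fields.
SAMPLE_RECORD: Dict[str, str] = {
    "mrn": "MRN-0001", "name": "Jane Doe", "date_of_birth": "1961-04-02",
    "insurer_id": "PLAN-77", "diagnosis": "type 2 diabetes", "diagnosis_code": "E11.9",
    "procedure_code": "99213", "service_date": "1999-11-03", "charge": "125.00",
    "medications": "metformin", "allergies": "none", "outcome": "stable",
    "clinical_notes": "Reviewed glucose log; continue current regimen.",
}


def minimum_necessary(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Project `record` onto the fields the policy allows for `purpose`.

    A purpose with no policy entry is refused rather than released in full:
    the default is to disclose nothing until the entity has decided what is
    necessary for that purpose."""
    try:
        allowed = MINIMUM_NECESSARY_POLICY[purpose]
    except KeyError:
        raise ValueError(f"no minimum-necessary policy defined for purpose {purpose!r}")
    return {field: value for field, value in record.items() if field in allowed}


def withheld_fields(record: Dict[str, str], purpose: str) -> List[str]:
    """Fields present in the record that the policy holds back for `purpose`;
    useful for reviewing a policy against real record layouts."""
    released = minimum_necessary(record, purpose)
    return sorted(set(record) - set(released))


def component_request(component: str, record: Dict[str, str],
                      purpose: str) -> Dict[str, str]:
    """Apply the component barrier first, then the per-purpose projection."""
    allowed_purposes = COMPONENT_PURPOSES.get(component, frozenset())
    if purpose not in allowed_purposes:
        raise PermissionError(
            f"component {component!r} may not use or disclose for {purpose!r}")
    return minimum_necessary(record, purpose)


if __name__ == "__main__":
    for purpose in MINIMUM_NECESSARY_POLICY:
        print(purpose, "->", sorted(minimum_necessary(SAMPLE_RECORD, purpose)))
    print("billing component, payment purpose:",
          component_request("billing", SAMPLE_RECORD, "payment"))
```

The two checks are deliberately layered: the component barrier answers "may this part of the entity act for this purpose at all", and the projection answers "given that purpose, which fields". Keeping them separate matches the text's point that both the amount of information and the number of people with access are to be limited.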

5. Right to restrict uses and disclosures. (§ 164.506(c))

We propose to permit in § 164.506(c) that individuals be able to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment, or health care operations, and if the covered entity agrees to the requested restrictions, the covered entity could not make uses or disclosures for treatment, payment or health care operations that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This provision would not apply to health care provided to an individual on an emergency basis.

We should note that there is nothing in this proposed rule that would require a covered entity to agree to a request to restrict, or to treat or provide coverage to an individual requesting a restriction under this provision. Covered entities who do not wish to, or due to contractual obligations cannot, restrict further use or disclosure are not obligated to agree to a request under this provision.

We considered providing individuals substantially more control over their protected health information by requiring all covered entities to attempt to accommodate any restrictions on use and disclosure requested by patients. We rejected this option as unworkable. While industry groups have developed principles for requiring patient authorizations, we have not found widely accepted standards for implementing patient restrictions on uses or disclosures. Restrictions on information use or disclosure contained in patient consent forms are sometimes ignored because they may not be read or are lost in files. Thus, it seems unlikely that a requested restriction could successfully follow a patient’s information through the health care system -- from treatment to payment, through numerous operations, and potentially through certain permissible disclosures. Instead we would limit the provision to restrictions that have been agreed to by the covered entity.

We recognize that the approach that we are proposing could be difficult because of the systems limitations described above. However, we believe that the limited right for patients proposed in this proposed rule can be implemented because it only applies in instances in which the covered entity agrees to the restrictions. We assume that covered entities would not agree to restrictions that they are unable to implement.

We considered limiting the rights under this provision to patients who pay for their own health care (or for whom no payment was made by a health plan). Individuals and providers that engage in self-pay transactions have minimal effect on the rights or responsibilities of payers or other providers, and so there would be few instances when a restriction agreed to in such a situation would have negative implications for the interests of other health care actors. Limiting the right to restrict to self-pay patients also would reduce the number of requests that would be made under this provision. We rejected this approach, however, because the desire to restrict further uses and disclosures arises in many instances other than self-pay situations. For example, a patient might not want his or her records shared with a particular physician because that physician is a family friend. Or an individual could be seeking a second opinion and may not want his or her treating physician consulted. Individuals have a legitimate interest in restricting disclosures in these situations. We solicit comment on the appropriateness of limiting this provision to instances in which no health plan payment is made on behalf of the individual.

6. Application to business partners. (§ 164.506(e))

In § 164.506(e), we propose to require covered entities to take specific steps to ensure that protected health information disclosed to a business partner remains protected. We intend these provisions to allow customary business relationships in the health care industry to continue while providing privacy protections to the information shared in these relationships. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself under these rules.

Other than for purposes of consultation or referral for treatment, we would allow covered entities to disclose protected health information to business partners only pursuant to a written contract that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We would hold the covered entity responsible for certain violations of this proposed rule made by their business partners, and require assignment of responsibilities when a covered entity acts as a business partner of another covered entity.

Under this proposed rule, a business partner would be acting on behalf of a covered entity, and we propose that its use or disclosure of protected health information be limited to the same extent that the covered entity for whom they are acting would be limited. Thus, a business partner could have no more authority to use or disclose protected health information than that possessed by the covered entity from which the business partner received the information. We would note that a business partner’s authority to use and disclose protected health information could be further restricted by its contract with a covered entity, as described below.

We are not proposing to require the business partners of covered entities to develop and distribute a notice of information practices, as provided in proposed § 164.512. A business partner would, however, be bound by the terms of the notice of the covered entity from which it obtains protected health information. See proposed § 164.506(e). We are proposing this approach so that individuals could rely on the notices that they receive from the covered entities to which they disclose protected health information. If the business partners of a covered entity were able to make wider use or make more disclosures than the covered entity, the patients or enrollees of the covered entity would have difficulty knowing how their information was being used and to whom it was being disclosed.

We are also proposing that a business partner’s use and disclosure of protected health information be limited by the terms of the business partner’s contractual agreement with the covered entity. We propose that a contract between a covered entity and a business partner could not grant the business partner authority to make uses or disclosures of protected health information that the covered entity itself would not have the authority to make. The contract between a covered entity and a business partner could further limit the business partner’s authority to use or disclose protected health information as agreed to by the parties. Further, the business partner would have to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner’s activities.

To help ensure that the uses and disclosures of business partners are limited to those recognized as appropriate by the covered entities from whom they receive protected health information, subject to the exception discussed below, we are proposing that covered entities be prohibited from disclosing protected health information to a business partner unless the covered entity has entered into a written contract with the business partner that meets the requirements of this subsection. See proposed § 164.506(e)(2)(i).

The contract requirement that we are proposing would permit covered entities to exercise control over their business partners’ activities and provides documentation of the relationship between the parties, particularly the scope of the uses and disclosures of protected health information that business partners could make. The presence of a contract also would formalize the relationship, better assuring that key questions such as security, scope of use and disclosure, and access by subject individuals are adequately addressed and that the roles of the respective parties are clarified. Finally, a contract can bind the business partner to return any protected health information from the covered entity when the relationship is terminated.

In lieu of a contracting requirement, we considered imposing only affirmative duties on covered entities to ensure that their relationships with business partners conformed to the standards discussed in the previous paragraph. Such an approach could be considered less burdensome and restrictive, because we would be leaving it to the parties to determine how to make the standards effective. We rejected this approach primarily because we believe that in the vast majority of cases, the only way that the parties could establish a relationship with these terms would be through contract. We also determined that the value of making the terms explicit through a written contract would better enable the parties to know their roles and responsibilities, as well as better enable the Secretary to exercise her oversight role. In addition, we understand that most covered entities already enter into contracts in these situations and therefore this proposal would not disturb general business practice. We invite comment on whether there are other contractual or non-contractual approaches that would afford an adequate level of protection to individuals’ protected health information. We also invite comment on the specific provisions and terms of the proposed approach.

We are proposing one exception to the contracting requirement: when a covered entity consults with or makes a referral to another covered entity for the treatment of an individual, we would propose that the sharing of protected health information pursuant to that consultation or referral not be subject to the contracting requirement described above. See proposed § 164.506(e)(1)(i). Unlike most business partner relationships, which involve the systematic sharing of protected health information under a business relationship, consultation and referrals for treatment occur on a more informal basis among peers, and are specific to a particular individual. Such exchanges of information for treatment also appear to be less likely to raise concerns about further impermissible use or disclosure, because providers receiving such information are unlikely to have a commercial or other interest in using or disclosing the information. We invite comment on the appropriateness of this exception, and whether there are additional exceptions that should be included in the final regulation.

We note that covered health care providers receiving protected health information for consultation or referral purposes would still be subject to this rule, and could not use or disclose such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we note that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions that the disclosing provider has agreed to impose (e.g., the disclosing provider has provided notice to its patients that it will not make disclosures for research).

We are proposing that covered entities be accountable for the uses and disclosures of protected health information by their business partners. A covered entity would be in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business partner and it failed to take reasonable steps to cure the breach or terminate the contract. See proposed § 164.506(e)(2)(iii). A covered entity that is aware of impermissible uses and disclosures by a business partner would be responsible for taking such steps as are necessary to prevent further improper use or disclosures and, to the extent practicable, for mitigating any harm caused by such violations. This would include, for example, requiring the business partner to retrieve inappropriately disclosed information (even if the business partner must pay for it) as a condition of continuing to do business with the covered entity. A covered entity that knows or should know of impermissible use of protected health information by its business partner and fails to take reasonable steps to end the breach would be in violation of this rule.

We considered requiring covered entities to terminate relationships with business partners if the business partner committed a serious breach of contract terms required by this subpart or if the business partner exhibited a pattern or practice of behavior that resulted in repeated breaches of such terms. We rejected that approach because of the substantial disruptions in business relationships and customer service when terminations occur. We instead require the covered entity to take reasonable steps to end the breach and mitigate its effects. We would expect covered entities to terminate the arrangement if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it. We invite comments on our approach here and whether requiring automatic termination of business partner contracts would be warranted in any circumstances.

We also considered imposing more strict liability on covered entities for the actions of their business partners, just as principals are strictly liable for the actions of their agents under common law. We decided, however, that this could impose too great a burden on covered entities, particularly small providers. We are aware that, in some cases, the business partner will be larger and more sophisticated with respect to information handling than the covered entity. Therefore we instead opted to propose that covered entities monitor use of protected health information by business partners, and be held responsible only when they knew or should have known of improper use of protected health information.

Our intention in this section is to recognize the myriad of business relationships that currently exist and to ensure that when they involve the exchange of protected health information, the roles and responsibilities of the different parties with respect to the protected health information are clear. We do not propose to fundamentally alter the types of business relationships that exist in the health care industry or the manner in which they function. We request comments on the extent to which our proposal would disturb existing contractual or other arrangements among covered entities and business partners.

7. Application to information about deceased persons. (§ 164.506(f))

We are proposing that information otherwise protected by these regulations retain that protection for two years after the death of the subject of the information. The only exception that we are proposing is for uses and disclosures for research purposes.

HIPAA includes no temporal limitations on the application of the privacy protections. Although we have the authority to protect individually identifiable health information maintained by a covered entity indefinitely, we are proposing that the requirements of this rule generally apply for only a limited period, as discussed below. In traditional privacy law, privacy interests, in the sense of the right to control use or disclosure of information about oneself, cease at death. However, good arguments exist in favor both of protecting and not protecting information about the deceased. Considering that one of the underlying purposes of health information confidentiality is to encourage a person seeking treatment to be frank in the interest of obtaining care, there is good reason for protecting information even after death. Federal agencies and others sometimes withhold sensitive information, such as health information, to protect the privacy of surviving family members. At the same time, perpetual confidentiality has serious drawbacks. If information is needed for legitimate purposes, the consent of a living person legally authorized to grant such consent must be obtained, and the further from the date of death, the more difficult it may be to identify the person. The administrative burden of perpetual protection may eventually outweigh the privacy interests served.

While various State laws have been passed specifically addressing privacy of genetic information, there is currently no federal legislation that deals with these issues. We considered extending the two-year period for genetic and hereditary information, but were unable to construct criteria for protecting the possible privacy interests of living children without creating extensive burden for information holders and hampering health research. We invite comments on whether further action is needed in this area and what types of practical provisions may be appropriate to protect genetic and hereditary health information.

8. Uses and disclosures with individual authorization. (§ 164.508)

Covered entities would be required to obtain individual authorization to use individually identifiable health information for purposes other than those allowed under the rule. Activities requiring authorization include, for example, marketing. Costs will be ongoing for staffing and administrative activities related to obtaining authorization from individuals.

Our proposal is based on the precept that a combination of strict limits on how covered entities can use and disclose protected health information, adequate notice to individuals about how their information will be used, and guaranteeing individuals’ rights to inspect, copy and amend their health records will provide patients with better privacy protection and more effective control over their information than alternative approaches to privacy protection.

This section addresses the requirements that we are proposing when protected health information is disclosed pursuant to the individual's explicit authorization. The regulation would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this regulation. Circumstances where an individual’s protected health information could be used or disclosed without authorization are discussed in connection with proposed §§164.510 and 164.522 below.

This section proposes different conditions governing such authorizations in two situations in which individuals commonly authorize covered entities to disclose information:

The requirements proposed in this section are not intended to interfere with normal uses and disclosures of information in the health care delivery or payment process, but only to allow control of uses extraneous to health care. The restrictions on disclosure that the regulation would apply to covered entities may mean that some existing uses and disclosures of information could take place only if the individual explicitly authorized them under this section.

We considered requiring a uniform set of requirements for all authorizations, but concluded that it would be appropriate to treat authorizations initiated by the individual differently from authorizations sought by covered entities. There are fundamental differences, in the uses of information and in the relationships and understandings among the parties, in these two situations. When individuals initiate authorizations, they are more likely to understand the purpose of the release and to benefit themselves from the use or disclosure. When a covered entity asks the individual to authorize disclosure, we believe the entity should make clear what the information will be used for, what the individual's rights are, and how the covered entity would benefit from the requested disclosure.

We are proposing several requirements that would have to be met in the authorization process when the individual has initiated the authorization. We understand that the requirements that we are imposing here would make it quite unlikely that an individual could actually initiate a completed authorization, because few individuals would know to include all of these elements in a request for information. In most instances, individuals authorize a use or disclosure by completing a form provided by a third party, either the ultimate recipient of the information (who may have a form authorizing them to obtain the records from the record holders) or a health care provider or health plan holding the records (who may have a form that documents a request for the release of records to a third party). For this reason, we do not believe that our proposal would create substantial new burdens on individuals or covered entities in cases when an individual is initiating an authorized release of information. We invite comment on whether we are placing new burdens on individuals or covered entities. We also invite comment on whether the approach that we have proposed provides sufficient protection to individuals who seek to have their protected health information used or disclosed.

We are proposing that when covered entities initiate the authorization by asking individuals to authorize disclosure, the authorization be required to include all of the items required above as well as several additional items. We are proposing additional requirements when covered entities initiate the request for authorization, because in many cases it could be the covered entity, and not the individual, that achieves the primary benefit of the disclosure. We considered permitting covered entities to request authorizations with only the basic features proposed for authorizations initiated by the individual, for the sake of simplicity and consistency. However, to avert possible coercion, we believe that additional protections are merited when the entity that provides or pays for health care requests authorizations.

We also acknowledge that there will be costs related to moving away from a blanket authorization system. These costs will be discussed more explicitly in the sections on allowable disclosures (both with and without authorization).

Covered entities and third parties that wish to have information disclosed to them will prepare forms for individuals to use to authorize use or disclosure. A model authorization form is displayed in Appendix A to this proposed rule. We considered presenting separate model forms for the two different types of authorizations (initiated by the individual and not initiated by the individual). However, this approach could be subject to misuse and be confusing to covered entities and individuals, who may be unclear as to which form is appropriate in specific situations. The model in the appendix accordingly is a unitary model, which includes all of the requirements for both types of authorization. By following such a model, covered entities, particularly small entities, could avoid the legal and administrative expenses that would be necessary to develop an authorization form that complies with the rule’s requirements. The proposed rule does not prevent entities from developing or modifying their own authorization forms. The alternative to providing this model was to simply state that an authorization would be required and allow entities to develop the authorization independently. While we would specify some information required in the authorization in this alternative, we would not give an actual form. This was considered to be an unnecessary burden for entities.

Finally, we are proposing that an individual be permitted to revoke an authorization at any time except to the extent that action has been taken in reliance on the authorization. See proposed § 164.508(e).

9. Uses and disclosures permitted without individual authorization. (§ 164.510)

This section describes uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, and health care operations without individual authorization, and the conditions under which such uses and disclosures could be made. We propose to allow covered entities to use or disclose protected health information without individual authorization for such purposes if the use or disclosure would comply with the applicable requirements of this section.

Covered entities could need to reevaluate and modify their operating procedures to comply with the proposed rule’s prohibition on disclosing individually identifiable health information without patient authorization for any purpose other than treatment, payment, health care operations, or those situations explicitly identified as permissible disclosures under this proposed rule. Many entities could already do this. Entities that do not do this would need to alter information management systems and implement administrative policies and procedures to prevent inappropriate disclosures. Entities would also have to determine whether or not an authorization is necessary for each disclosure beyond treatment, payment, and health care operations that is not explicitly defined as a permissible disclosure under this proposed rule. It should be noted that the minimum necessary principle is an important component of the costs related to any disclosure. We expect that there would be significant initial and ongoing costs.

If an entity chooses to disclose protected health information without authorization from individuals, there would be a number of new provisions that it would have to comply with. For example, if a disclosure is to researchers outside of the organization, the entity must obtain written documentation indicating that the research has been approved by an institutional review board (IRB) or equivalent process by a privacy board. This requirement is associated with ongoing administrative costs. We note that any such costs are optional unless other requirements (state laws, mandatory reporting systems, etc.) mandate these disclosures. In order to minimize the burden of these costs for mandatory disclosures, we have tried to apply as few business partner requirements as possible in areas where these mandatory disclosures are possible. However, in cases where the disclosure is optional, entities would have higher costs if they choose to use these disclosures. We expect that entities would consider these costs before making any such disclosure and determine if the benefits to their business of disclosure are greater than the costs related to making the disclosure. Additionally, other than the new requirements for disclosures for research, most of the disclosures are simply recognizing current practices and would not require large new costs.

We considered permitting uses and disclosures only where law affirmatively requires the covered entity to use or disclose protected health information. However, because the activities described below are so important to the population as a whole, we decided to permit a covered entity to use or disclose information to promote those activities even when such activities are not legally mandated. In some cases, however, we would permit a use or disclosure only when such use or disclosure is authorized by other law. The requirements for verification of legal authority are discussed in section II.G.3.

Disclosures that are required by current law would only require minimal additional costs to entities. The only cost directly attributable to this proposed requirement would be the additional cost of noting these disclosures on the accounting of uses and disclosures.

However, disclosures required by this proposed regulation should be considered new costs. These mandatory disclosures would be extremely rare. For example, we expect that the Department would limit the number of compliance audits conducted. In these cases, some of the more expensive activities, including the minimum necessary principle and determining whether or not to make the disclosure, would not be applicable.

We would restrict the discussion of discretionary disclosures to the general principles behind such disclosures rather than a detailed description of each allowable disclosure. More elaborate discussion of options for individual classes of disclosures can be found in the preamble. These disclosures are optional disclosures and therefore any costs related to making these disclosures would be optional costs. We do not have a complete understanding of how often these disclosures are currently made, nor do we understand what procedures are currently in place. We also do not understand how often these disclosures would be made given the new costs associated with such disclosures. Note that the degree of new costs imposed if an entity opts to use a disclosure varies dramatically depending on the type of disclosure. For example, a disclosure of directory information in a hospital would probably not involve significant additional costs, while research that is not subject to the Common Rule would have significant new costs involved. These disclosures, and thus these costs, are optional under this proposed rule. While they may be mandated under other law, such mandated disclosures are already being made, so there would be no additional costs. In this case there are only marginal new costs related to these disclosures.

10. Clearinghouses and the rights of individuals.

The rights described below would apply with respect to protected health information held by health care providers and health plans. We are proposing that clearinghouses not be subject to all of these requirements. We believe that as business partners of covered plans and providers, clearinghouses would not usually initiate or maintain direct relationships with individuals. The contractual relationship between a clearinghouse (as a business partner) and a covered plan or provider would bind the clearinghouse to the notice of information practices developed by the plan or provider and it would include specific provisions regarding inspection, copying, amendment and correction. Therefore, we do not believe that clearinghouses should be required to provide a notice or provide access for inspection, copying, amendment or correction. We would require clearinghouses to provide an accounting of any disclosures for purposes other than treatment, payment and health care operations to individuals upon request. See proposed § 164.515. It is our understanding that the vast majority of the clearinghouse function falls within the scope of treatment, payment, and health care operations and therefore we do not believe providing this important right to individuals would impose a significant burden on the industry. We invite comment on whether or not we should require clearinghouses to comply with all of the provisions of the individual rights section.

11. Rights and procedures for a written notice of information practices. (§ 164.512)

We are proposing that individuals have a right to an adequate notice of the information practices of covered plans and providers. The notice would be intended to inform individuals about what is done with their protected health information and about any rights they may have with respect to that information. Federal agencies must adhere to a similar notice requirement pursuant to the Privacy Act of 1974 (5 U.S.C. 552a(e)(3)).

We are not proposing that business partners (including health care clearinghouses) be required to develop a notice of information practices because, under this proposed rule, they would be bound by the information practices of the health plan or health care provider with whom they are contracting.

The rule requires covered entities to prepare and make available a notice that informs patients about their privacy rights and the entity’s actions to protect privacy. Entities that do not already comply with the rule’s requirements would incur one-time legal and administrative costs in preparing and making the notice available. In addition, plans would incur ongoing costs related to the dissemination of the notice at least once every three years, and all covered entities would have ongoing costs related to preparation of new notices as disclosure practices change, dissemination to new individuals who receive services, and requests for copies of the notice. Entities would also incur ongoing costs related to answering questions stemming from the notice. In addition to requiring a basic notice, we considered requiring a longer, more detailed notice that would be available to individuals on request. However, we decided that making information available on request, and letting the covered entity decide how best to provide such information, is a more balanced approach. We felt that it would be overly burdensome to all entities, especially small entities, to require two notices.

We considered requiring covered plans or providers to obtain a signed copy of the notice form (or some other signed indication of receipt) when they give the form to individuals. There are advantages to including such a requirement. A signed acknowledgment would provide evidence that the notice form has been provided to the individual. Further, the request to the individual to formally acknowledge receipt would highlight the importance of the notice, providing additional encouragement for the individual to read it and ask questions about its content.

We are concerned, however, that requiring a signed acknowledgment would significantly increase the administrative and paperwork burden of this provision. We also are unsure of the best way for health plans to obtain a signed acknowledgment because plans often do not have face-to-face contact with enrollees. It may be possible to collect an acknowledgment at initial enrollment, for example by adding an additional acknowledgment to the enrollment form, but it is less clear how to obtain it when the form is revised. We solicit comment on whether we should require a signed acknowledgment. Comments that address the relative advantages and burdens of such a provision would be most useful. We also solicit comment on the best way to obtain signed acknowledgments from health plans if such a provision is included in the final rule. We also solicit comments on other strategies, not involving signed acknowledgments, to ensure that individuals are effectively informed about the information practices of covered plans or providers.

We believe that the proposed rule appropriately balances a patient’s need for information and assurances regarding privacy with the covered entities’ need for flexibility in describing their operations and procedures to protect patient privacy. Instead of a model notice, we have included a sample notice to guide the development of notices. We felt that this would be an appropriate way to reduce the burden on all entities including those classified as small.

In § 164.512, we propose the categories of information that would be required in each notice of information practices, the specific types of information that would have to be included in each category, and general guidance as to the presentation of written materials. A sample notice is provided at Appendix A of this preamble.

In a separate section of this proposed rule, we would require covered plans or providers to develop and document policies and procedures relating to use, disclosure, and access to protected health information. See proposed § 164.520. We intend for the documentation of policies and procedures to be a tool for educating the entity’s personnel about its policies and procedures. In addition, the documentation would be the primary source of information for the notice of information practices. We intend for the notice to be a tool for educating individuals served by the covered plan or provider about the information practices of that entity. The information contained in the notice would not be as comprehensive as the documentation, but rather would provide a clear and concise summary of relevant policies and procedures.

We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would get exactly the same information from each covered plan or provider in the same format, and that it would be convenient for covered plans or providers to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most important, no model notice could fully capture the information practices of every covered plan or provider. Large entities would have different information practices than small entities. Some health care providers, for example academic teaching hospitals, may routinely disclose identifiable health information for research purposes. Other health care providers may rarely or never make such disclosures. To be useful to individuals, each entity’s notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider’s ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections were readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

In proposed § 164.512, we would require each covered plan and provider to include in the notice an explanation of how it uses and discloses protected health information. The explanation must be provided in sufficient detail as to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. As explained above in section II.C.7, covered plans and providers may only use and disclose protected health information for purposes stated in this notice.

We considered requiring the notice to include not only a discussion of the actual disclosure practices of the covered entity, but also a listing or discussion of all additional disclosures that are authorized by law. We considered this approach because, under this proposed rule, covered plans or providers would be permitted to change their information practices at any time, and therefore individuals would not be able to rely on the entity’s current policies alone to understand how their protected health information may be used in the future. We recognize that in order to be fully informed, individuals need to understand when their information could be disclosed.

We rejected this approach because we were concerned that a notice with such a large amount of information could be burdensome to both the individuals receiving the notices and the entities required to prepare and distribute them. There are a substantial number of required and permitted disclosures under State or other applicable law, and this rule generally would permit them to be made.

Alternatively, we considered requiring that the notice include all of the types of permissible disclosures under this rule (e.g., public health, research, next-of-kin). We rejected that approach for two reasons. First, we felt that providing people with notice of the intended or likely disclosures of their protected health information was more useful than describing all of the potential types of disclosures. Second, in many States and localities, different laws may affect the permissible disclosures that an entity may make, in which case a notice only discussing permissible disclosures under the federal rule would be misleading. While it would be possible to require covered plans or providers to develop notices that discuss or list disclosures that would be permissible under this rule and other law, we were concerned that such a notice may be very complicated because of the need to discuss the interplay of federal, State or other law for each type of permissible disclosure. We invite comments on the best approach to provide the most useful information to individuals without overburdening either covered plans or providers or the recipients of the notices.

In § 164.520, we are proposing to require all covered entities to develop and document policies and procedures for the use of protected health information. The notice would simply summarize those documented policies and procedures and therefore would entail little additional burden.

It is critical to the effectiveness of this proposed rule that individuals be given the notice often enough to remind them of their rights, but without overburdening covered plans or providers. We propose that all covered plans and providers would be required to make their notice available to any individual upon request, regardless of whether the requestor is already a patient or enrollee. We believe that broad availability would encourage individuals or organizations to compare the privacy practices of plans or providers to assist in making enrollment or treatment choices. We also propose additional distribution requirements for updating notices, which would be different for health plans and health care providers. The requirements for health plans and health care providers are different because we recognize that they have contact with individuals at different points in time in the health care system.

We considered a variety of combinations of distribution practices for health plans and are proposing what we believe is the most reasonable approach. We would require health plans to distribute the notice by the effective date of the final rule, at enrollment, within 60 days of a material change to the plan’s information practices, and at least once every three years.

We considered requiring health plans to post the notice either in addition to or instead of distribution. Because most individuals rarely visit the office of their health plan, we do not believe that this would be an effective means of communication. We also considered requiring distribution of the notice either more or less frequently than every three years. As compared to most health care providers, we believe that health plans often are larger and have existing administrative systems to cost effectively provide notification to individuals. Three years was chosen as a compromise between the importance of reminding individuals of their plans’ information practices and the need to keep the burden on health plans to the minimum necessary to achieve this objective. We are soliciting comment on whether requiring a notice every three years is reasonable for health plans.

We propose to require that covered health care providers provide a copy of the notice to every individual served at the time of first service delivery, that they post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice, and that copies be available on-site for individuals to take with them. In addition, we propose to require that covered health care providers provide a copy of the notice to individuals they are currently serving at their first instances of service delivery within a year of the effective date of the final rule.

We would not require providers to mail or otherwise disseminate their notices after giving the notice to individuals at the time of the first service delivery. Providers’ patient lists may include individuals they have not served in decades. It would be difficult for providers to distinguish between “active” patients, those who are seen rarely, and those who have moved to different providers. While some individuals would continue to be concerned with the information practices of providers who treated them in the distant past, overall the burden of an active distribution requirement would not be outweighed by improved individual control and privacy protection.

If a provider wishes to make a material change in the information practices addressed in the notice, it would be required to revise its notice in advance. After making the revision, the provider would be required to post the new notice promptly. We believe that this approach creates the minimum burden for providers consistent with giving individuals a clear source of accurate information.

12. Rights and procedures for access for inspection and copying. (§ 164.514)

In § 164.514, we are proposing that, with very limited exceptions, individuals have a right to inspect and copy protected health information about them maintained by a covered health plan or health care provider in a designated record set. Individuals would also have a right of access to protected health information in a designated record set that is maintained by a business partner of a covered plan or provider when such information is not a duplicate of the information held by the plan or provider, including when the business partner is the only holder of the information or when the business partner has materially altered the protected health information that has been provided to it.

In § 164.506(e), we are proposing that covered plans and providers include specific terms in their contract with each business partner. One of the required terms would be that the business partner must provide for inspection and copying of protected health information as provided in this section. Because our authority is limited by HIPAA to the covered entities, we must rely upon covered plans and providers to ensure that all of the necessary protected health information provided by the individual to the plan or provider is available for inspection and copying. We would require covered plans and providers to provide access to information held in the custody of a business partner when it is different from information maintained by the covered plan or provider. We identified two instances where this seemed appropriate: when the protected health information is only in the custody of a business partner and not in the custody of the covered plan or provider; and when protected health information has been materially altered by a business partner. We are soliciting comment on whether there are other instances where access should be provided to protected health information in the custody of a business partner.

Other than in their capacity as business partners, we are not proposing to require clearinghouses to provide access for inspection and copying. As explained above in section II.C.5, clearinghouses would usually be business partners under this proposed rule and therefore they would be bound by the contract with the covered plan or provider. See proposed § 164.506(e). We carefully considered whether to require clearinghouses to provide access for inspection and copying above and beyond their obligations as a business partner, but determined that the typical clearinghouse activities of translating record formats and batching transmissions do not involve setting up designated record sets on individuals. Although the data maintained by the clearinghouse is protected health information, it is normally not accessed by individual identifier and an individual’s records could not be found except at great expense. In addition, although clearinghouses process protected health information and discover errors, they do not create the data and make no changes in the original data. They, instead, refer the errors back to the source for correction. Thus, individual access to clearinghouse records provides no new information to the individual but could impose a significant burden on the industry.

We are proposing that covered plans and providers be required to provide access for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to provide access for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create unnecessary confusion. In addition, we concluded that individuals should be permitted to have access for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

Proposed § 164.514 would permit denial of inspection and copying under very limited circumstances. The categories of denials would not be mandatory; the entity could always elect to provide all of the requested health information to the individual. For each request by an individual, the entity could provide all of the information requested or it could evaluate the requested information, consider the circumstances surrounding the individual’s request, and make a determination as to whether that request should be granted or denied. We intend to create narrow exceptions to the stated rule of open access and we would expect covered plans and providers to employ these exceptions rarely, if at all.

We considered whether entities should be permitted to deny access to information based on a number of factors. For more specific discussion of access denials, please refer to earlier preamble text. For the purposes of the economic impacts, it is important to note that these denials are optional and, therefore, any costs associated with utilizing these denials are optional.

In § 164.514(c) and (d), we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to inspect and obtain a copy of protected health information as explained above.

We considered whether this proposed rule should include detailed procedures governing an individual’s request for inspection and copying. Because this proposed rule would affect such a wide range of entities, we concluded that it should only provide general guidelines and that each entity should have the discretion to develop procedures consistent with its own size, systems, and operations.

In § 164.514(d)(2), we are proposing that the covered plans and providers would take action upon the request as soon as possible but not later than 30 days following receipt of the request. We considered the possibility of not including a time limitation but rather imposing a “reasonableness” requirement on the covered plans or providers. We concluded that the individual is entitled to know when to expect a response. This is particularly important in the context of health information, where an individual could need access to his or her information in order to make decisions about care. Therefore, in order to determine what would be “reasonable,” we examined the time limitations provided in the Privacy Act, the Freedom of Information Act (FOIA), and several State laws.

The Privacy Act requires that upon receipt of a request for amendment (not access), the agency would send an acknowledgment to the individual within 10 working days. (5 U.S.C. 552a (d)(2)). We considered several options that included such an acknowledgment requirement. An acknowledgment would be valuable because it would assure the individual that their request was received. Despite the potential value of requiring an acknowledgment, we concluded that it could impose a significant administrative burden on some of the covered plans and providers. This proposed rule would cover a wide range of entities with varying capacities and therefore, we are reluctant to create requirements that would overwhelm smaller entities or interfere too much with procedures already in place. We would encourage plans and providers to have an acknowledgment procedure in place, but would not require it at this point. We are soliciting comment on whether this proposed rule should require such an acknowledgment.

We also considered whether to include specific procedures governing “urgent” or “emergency” requests. Such procedures would require covered plans and providers to respond in a shorter time frame. We recognize that circumstances could arise where an individual would request inspection and copying on an expedited basis and we encourage covered plans or providers to have procedures in place for handling such requests. We are not proposing additional regulatory time limitations to govern in those circumstances. The 30-day time limitation is intended to be an outside deadline, not an expected response time. We would instead expect a plan or provider to always be attentive to the circumstances surrounding each request and respond in an appropriate time frame, not to exceed 30 days.

Finally, we considered including a section governing when and how an entity could have an extension for responding to a request for inspection and copying. For example, the FOIA provides that an agency could request additional time to respond to a request if the agency needs to search for and collect the requested records from facilities that are separate from the office processing the request; to search for, collect, and appropriately examine a voluminous amount of separate and distinct records; and to consult with another entity or component having a substantial interest in the determination of the request. We determined that the criteria established in the FOIA are tailored to government information systems and therefore might not be appropriate for plans and providers covered by this proposed rule. Furthermore, we determined that the 30-day time period would be sufficient for responding to requests for inspection and copying and that extensions should not be necessary. We are soliciting comments on whether a structured extension procedure should be included in this proposed rule.

In § 164.514(d)(3), we are proposing that covered plans or providers be required to notify the individual of the decision to provide access and of any steps necessary to fulfill the request. In addition we propose that the entity provide the information requested in the form or format requested if it is readily producible in such form or format. Finally, if the covered plan or provider accepts an individual’s request, it would be required to facilitate the process of inspection and copying.

In proposed § 164.514(d)(3)(iv), we would permit a covered plan or provider to charge a reasonable, cost-based fee for copying health information provided pursuant to this section. We considered whether we should follow the practice in the FOIA and include a structured fee schedule. We concluded that the FOIA was developed to reflect the relatively uniform government costs and that this proposed rule would apply to a broader range of entities. Depending on the size of the entity, copying costs could vary significantly. Therefore, we propose that the entity simply charge a reasonable, cost-based fee.

In § 164.514(d)(4), we propose that a covered plan or provider that denies an individual’s request for inspection and copying in whole or in part be required to provide the individual with a written statement in plain language explaining the reason for the denial. The statement could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone would not sufficiently explain the reason for the denial. The statement would need to include the name and number of the contact person or office within the entity who is responsible for receiving complaints. In addition, the statement would need to include information regarding the submission of a complaint with the Department pursuant to § 164.522(b).

We considered proposing that covered plans and providers provide a mechanism for appealing a denial of inspection and copying. We believe, however, that the requirement proposed in § 164.518(d) that covered plans and providers have complaint procedures to address patient and enrollee privacy issues generally would allow the individual to raise the issue of a denial with the covered plan or provider. We would expect the complaint procedures to be scalable; for example, a large plan might develop a standard complaint process in each location where it operates whereas, a small practice might simply refer the original request and denial to the clinician in charge for review. We would encourage covered plans and providers to institute a system of appeals, but would not require it by regulation. In addition, the individual would be permitted to file a complaint with the Department pursuant to § 164.522(b).

13. Rights and procedures with respect to an accounting of disclosures. (§ 164.515)

In this proposed rule, we propose that individuals have a right to receive an accounting of all instances where protected health information about them is disclosed by a covered entity for purposes other than treatment, payment, and health care operations, subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies as discussed below. Providing such an accounting would allow individuals to understand how their health information is shared beyond the basic purposes of treatment, payment and health care operations.

We considered whether to require covered entities to account for all disclosures, including those for treatment, payment and health care operations. We rejected this approach because it would be burdensome and because it would not focus on the disclosures of most interest to individuals. Upon entering the health care system, individuals are generally aware that their information would be used and shared for the purpose of treatment, payment and health care operations. They have the greatest interest in an accounting of circumstances where the information was disclosed for other purposes that are less easy to anticipate. For example, an individual might not anticipate that his or her information would be shared with a university for a research project, or would be requested by a law enforcement agency.

We are not proposing that covered entities include uses and disclosures for treatment, payment and health care operations in the accounting. We believe that it is appropriate for covered entities to monitor all uses and disclosures for treatment, payment and health care operations, and they would be required to do so for electronically maintained information by the Security Standard. However, we do not believe that covered entities should be required to provide an accounting of the uses and disclosures for treatment, payment and health care operations.

This proposed rule would not specify a particular form or format for the accounting. In order to satisfy the accounting requirement, a covered entity could elect to maintain a systematic log of disclosures or it could elect to rely upon detailed record keeping that would permit the entity to readily reconstruct the history when it receives a request from an individual. We would require that covered entities be able to respond to a request for accounting within a reasonable time period. In developing the form or format of the accounting, covered entities should adopt policies and procedures that would permit them to respond to requests within the 30-day time period in this proposed rule.

We also considered whether or not the disclosure history should be a formal document that is constantly maintained or whether we should give more flexibility to entities in this regard. We decided that since our ultimate goal is that individuals have access to a disclosure history of their records upon request, it would be reasonable to require only that they be able to do this. We are not prescribing how they fulfill the requirement. We also believe that it is less burdensome to require that they be able to create a disclosure history than to require that they have a specific format for maintaining a disclosure history.

We are proposing that the accounting include all disclosures for purposes other than treatment, payment, and health care operations, subject to certain exceptions for disclosures to law enforcement and oversight agencies, discussed below. This would also include disclosures that are authorized by the individual. The accounting would include the date of each disclosure; the name and address of the organization or person who received the protected health information; and a brief description of the information disclosed. For all disclosures that are authorized by the individual, we are proposing that the covered entity maintain a copy of the authorization form and make it available to the individual with the accounting.

We considered whether the accounting of disclosures should include the name of the person who authorized the disclosure of information. The proposed Security Standard would require covered entities to have an audit mechanism in place to monitor access by employees. We concluded that it would be unnecessary and inappropriate to require the covered entity to include this additional information in the accounting. If the individual identifies an improper disclosure by an entity, he or she should hold the entity – not the employee of the entity – accountable. It is the responsibility of the entity to train its workforce about its policies and procedures for the disclosure of protected health information and to impose sanctions if such policies and procedures are violated.
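As an added example (this is not text or code from the proposed rule, and not any covered entity’s system), the following Python sketch implements the “systematic log of disclosures” option described above. Every disclosure is recorded with a purpose; the accounting returned to the individual keeps only the date, recipient name and address, and brief description for disclosures outside treatment, payment and health care operations, attaches the reference to the retained authorization form where the individual authorized the disclosure, and omits the workforce member who made the disclosure (that field stays in the internal audit view). The `withhold_until` field, the purpose labels, the field names, the ISO-date interface and the sample records are all assumptions constructed for illustration; the withholding mechanism stands in for the time-limited law enforcement and oversight exception the text mentions without specifying its mechanics.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Purposes the rule treats as routine: logged internally for monitoring,
# but omitted from the accounting furnished to the individual.
TPO_PURPOSES = frozenset({"treatment", "payment", "health_care_operations"})
# Outside deadline for responding to a request for an accounting (days).
ACCOUNTING_DEADLINE_DAYS = 30


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of protected health information (assumed field names)."""
    patient_id: str
    disclosed_on: date
    recipient_name: str
    recipient_address: str
    description: str                          # brief description of what was disclosed
    purpose: str
    disclosed_by: str                         # workforce member; internal audit only
    authorization_ref: Optional[str] = None   # retained authorization form, if any
    withhold_until: Optional[date] = None     # assumed: temporary exclusion from accounting


class DisclosureLog:
    """A systematic log of disclosures, one of the two record-keeping options
    the preamble allows (the other is reconstructing history from records)."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        """Append a disclosure. A disclosure authorized by the individual must
        reference the retained authorization so it can accompany the accounting."""
        if d.purpose == "individual_authorization" and d.authorization_ref is None:
            raise ValueError("authorized disclosure must reference the retained authorization form")
        self._entries.append(d)

    def accounting_for(self, patient_id: str, as_of_iso: str) -> list[dict]:
        """Accounting furnished to the individual: every non-TPO disclosure whose
        withholding period (if any) has ended, oldest first. The workforce
        member is deliberately left out; the entity, not the employee, answers
        to the individual."""
        as_of = date.fromisoformat(as_of_iso)
        rows = [
            e for e in self._entries
            if e.patient_id == patient_id
            and e.purpose not in TPO_PURPOSES
            and (e.withhold_until is None or e.withhold_until <= as_of)
        ]
        rows.sort(key=lambda e: e.disclosed_on)
        return [
            {
                "date": e.disclosed_on.isoformat(),
                "recipient_name": e.recipient_name,
                "recipient_address": e.recipient_address,
                "description": e.description,
                "authorization_ref": e.authorization_ref,
            }
            for e in rows
        ]

    def internal_audit(self, disclosed_by: str) -> list[Disclosure]:
        """Audit view over all purposes (TPO included), keyed by workforce member."""
        return [e for e in self._entries if e.disclosed_by == disclosed_by]


def response_deadline(received_on_iso: str) -> str:
    """Latest date by which the accounting must be provided (ISO date string)."""
    received = date.fromisoformat(received_on_iso)
    return (received + timedelta(days=ACCOUNTING_DEADLINE_DAYS)).isoformat()


def build_sample_log() -> DisclosureLog:
    """Constructed sample records for one patient (not real data)."""
    log = DisclosureLog()
    pid = "PT-0001"
    log.record(Disclosure(pid, date(2000, 1, 5), "Example Clinic", "1 Example St",
                          "visit summary", "treatment", "emp-12"))
    log.record(Disclosure(pid, date(2000, 1, 9), "Example Health Plan", "2 Example Ave",
                          "claim for 1/5 visit", "payment", "emp-12"))
    log.record(Disclosure(pid, date(2000, 2, 14), "Example University", "3 Campus Rd",
                          "lab results for study", "research", "emp-07"))
    log.record(Disclosure(pid, date(2000, 2, 20), "Example Police Dept", "4 Civic Plaza",
                          "visit dates", "law_enforcement", "emp-07",
                          withhold_until=date(2000, 6, 1)))
    log.record(Disclosure(pid, date(2000, 2, 25), "Example Life Insurance Co", "5 Market St",
                          "full record", "individual_authorization", "emp-12",
                          authorization_ref="AUTH-42"))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for row in sample.accounting_for("PT-0001", "2000-07-01"):
        print(row)
    print("respond by", response_deadline("2000-03-01"))
```

Run stand-alone, the script prints the three non-routine disclosures and the 30-day deadline. Requesting the accounting before 1 June 2000 returns only two rows, because the law enforcement disclosure is still within its assumed withholding period; the treatment and payment disclosures never appear in the accounting but remain visible through `internal_audit`.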

14. Rights and procedures for amendment and correction. (§ 164.516)

This proposed rule would provide an individual with the right to request a covered plan or provider to amend or correct protected health information relating to the individual. A covered plan or provider would be required to accommodate requests with respect to any information that the covered plan or provider determines to be erroneous or incomplete, that was created by the plan or provider, and that would be available for inspection and copying under proposed § 164.514.

We are concerned about the burden that requests for amendment or correction could place on covered plans and providers and have tried to limit the process to those situations where amendment or correction would appear to be most important. We invite comment on whether our approach reasonably balances burden with adequately protecting individual interests.

We propose to require a covered plan or provider to accommodate a request for amendment or correction if the plan or provider created the information in dispute. We considered requiring covered plans and providers to amend or correct any erroneous or incomplete information it maintains, regardless of whether it created the information. Under this approach, if the plan or provider did not create the information, then it would have been required to trace the information back to the original source to determine accuracy and completeness. We rejected this option because we concluded that it would not be appropriate to require the plan or provider that receives a request to be responsible for verifying the accuracy or completeness of information that it did not create. We also were concerned about the burden that would be imposed on covered plans and providers if they were required to trace the source of any erroneous or incomplete information transmitted to them.

We would rely on a combination of three other requirements to ensure that protected health information remains as accurate as possible as it travels through the health care system. First, we are proposing that a covered plan or provider that makes an amendment or correction be required to notify any relevant persons, organizations, or other entities of the change or addition. Second, we are proposing that other covered plans or providers that receive such a notification be required to incorporate the necessary amendment or correction. Finally, we are proposing that covered plans or providers require their business partners who receive such notifications to incorporate any necessary amendments or corrections. See the discussion in section II.F.4. We are soliciting comments on whether this approach would effectively ensure that amendments and corrections are communicated appropriately.

We are proposing that covered plans and providers be required to accommodate requests for amendment or correction for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to accommodate requests for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create confusion. In addition, we concluded that individuals should be permitted to request amendments or corrections for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

In § 164.516, we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to request amendment or correction, including a means by which individuals could request amendment or correction of protected health information about them. We considered whether this proposed rule should include detailed procedures governing an individual’s request. But as with the procedures for requesting inspection and copying, we are only providing a general requirement and permitting each plan or provider to develop procedures in accordance with its needs. Once the procedures are developed, the plan or provider would document them in accordance with § 164.520 and include a brief explanation in the notice that is provided to individuals pursuant to § 164.512.

We are proposing that the covered plan or provider would take action on a request for amendment or correction as quickly as the circumstances require, but not later than 60 days following the request. The justification for establishing a time limitation for amendment and correction is virtually identical to that provided for the time limitation for inspection and copying. We concluded that the entity should be provided with some additional flexibility in this context. Depending on the nature of the request, an amendment or correction could require significantly more time than a request for inspection and copying. If a covered plan or provider needed more than 30 days to make a decision, we would encourage, but not require, it to send an acknowledgment of receipt to the individual including an explanation of the reasons for the delay and a date when the individual could expect a final decision.

In § 164.516(c)(3), we are proposing that, upon accepting an amendment or correction, the covered plan or provider would be required to make reasonable efforts to notify relevant persons, organizations, or other entities of the change or addition. An entity would be required to notify such persons that the individual identifies, or that the covered plan or provider identifies as 1) a recipient of the erroneous or incomplete information, and 2) a person who:

We are concerned about the potential burden that this notification requirement would impose on covered plans and providers. We do not, however, anticipate that a significant number of requests would be submitted to any entity, and therefore the need for such notifications would be rare. In addition, we determined that because health information can travel so quickly and efficiently in the modern health care system, the need for notification outweighed the potential burden. It is important to note that a reasonableness standard should be applied to the notification process -- if the recipient has not relied upon the erroneous or incomplete information to the detriment of the individual, or if it is not foreseeable that the recipient would do so, then it would not be reasonable for the covered plan or provider to incur the time and expense of notification. If, however, the incorrect information is reasonably likely to be used to the detriment of the individual, the entity should make every effort to notify the recipients of the information of the changes as quickly as possible.

We discussed a number of options regarding the notification of other entities. We considered only requiring that the entity provide the individual with a listing of who else could have received the information. This would place the burden of notification in the hands of the individual rather than the entity. Because individuals would not have the same contacts and relationship with other entities as the original covered entity, we decided that placing the burden on individuals would be more cumbersome for both individuals and the secondary entities receiving the requests. We also considered not including a notification requirement. However, this would mean that individuals would need to both figure out where the information had gone to and make separate requests for amendment or correction to every entity. This also appeared to be overly difficult. We believe that the option we are proposing is fair to both individuals and covered entities.

In proposed § 164.516(c)(4), we would require a covered plan or provider to provide the individual with a written statement in plain language of the reason for the denial and permit the individual to file a written statement of disagreement with the decision to deny the request.

If the individual chooses to file a statement of disagreement, then the covered plan or provider must retain a copy of the statement with the protected health information in dispute. The covered plan or provider could require that the statement be a reasonable length, provided that the individual has reasonable opportunity to state the nature of the disagreement and offer his or her version of accurate and complete information. In all subsequent disclosures of the information requested to be amended or corrected, the covered plan or provider would be required to include a copy of its statement of the basis for denial and, if provided by the individual, a copy of his or her statement of disagreement. If the statement submitted by the individual is unreasonably long, the covered plan or provider could include a summary in subsequent disclosures which reasonably explains the basis of the individual’s position. The covered plan or provider would also be permitted to provide a rebuttal to the individual’s statement of disagreement and include the rebuttal statement in any subsequent disclosures.

We considered requiring the covered plan or provider to provide a mechanism for appealing denials of amendment or correction but concluded that it would be too burdensome. We are soliciting comment on whether the approach we have adopted reasonably balances the burdens on covered plans or providers with the rights of individuals.

If a covered plan or provider receives a notification of erroneous or incomplete protected health information as provided in proposed § 164.516(d), we are proposing that the covered plan or provider be required to make the necessary amendment or correction to protected health information in its custody that would be available for inspection and copying. This affirmative duty to incorporate amendments and corrections would be necessary to ensure that individuals’ protected health information is as accurate and complete as possible as it travels through the health care system.

15. Administrative requirements. (§ 164.518)

We propose that covered entities be required to implement five basic administrative requirements to safeguard protected health information: designation of a privacy official, the provision of privacy training, establishment of safeguards, a complaint process, and establishment of sanctions. Implementation of these requirements would vary depending on a variety of different factors such as type of entity (e.g., provider or plan), size of entity (e.g., number of employees, number of patients), the level of automation within the entity (e.g., electronic medical records), and organization of the entity (e.g., existence of an office of information systems, affiliation with a medical school).

a. Designation of a privacy official. (§ 164.518(a))

In proposed § 164.518(a), we would require covered entities to designate an employee or other person to serve as the official responsible for the development of policies and procedures for the use and disclosure of protected health information. The designation of an official would focus the responsibility for development of privacy policy.

We considered whether covered entities should be required to designate a single official or an entire board. We concluded that a single official would better serve the purposes of focusing the responsibility and providing accountability within the entity. The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint a person whose sole responsibility is privacy policy, and he or she might choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

b. Training. (§ 164.518(b))

In proposed § 164.518(b), we would require covered entities to provide training on the entity’s policies and procedures with respect to protected health information. Each entity would be required to provide initial training by the date on which this proposed rule becomes applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time period after joining the entity. In addition, we are proposing that when a covered entity makes material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties are directly affected by the change within a reasonable time of making the change.

The entities would be required to train all members of the workforce (e.g., all employees, volunteers, trainees, and other persons under the direct control of all persons working on behalf of the covered entity on an unpaid basis who are not business partners) who are likely to have contact with protected health information.

Upon completion of the training, the person would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity’s privacy policies and procedures. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

At least once every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity’s privacy policies and procedures. The initial certification would be intended to make members of the workforce aware of their duty to adhere to the entity’s policies and procedures. By requiring a recertification every three years, they would be reminded of this duty.

We considered several different options for recertification. We considered proposing that members of the workforce be required to recertify every six months, but concluded that such a requirement would be too burdensome. We considered proposing that recertification be required annually consistent with the recommendations of The American Health Information Management Association (Brandt, Mary D., Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information, 1997). We concluded that annual recertification could also impose a significant burden on covered entities.

We also considered requiring that the covered entity provide “refresher” training every three years in addition to the recertification. We concluded that our goals could be achieved by only requiring recertification once every three years, and retraining in the event of material changes in policy. We are soliciting comment on this approach.

c. Safeguards. (§ 164.518(c))

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information. We proposed similar requirements for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA-0049-P), which can be found at 63 FR 43241. We are proposing parallel and consistent requirements for safeguarding the privacy of protected health information.

i. Verification procedures.

As noted in section II.E., for many permitted disclosures the covered entity would be responding to a request for disclosure of protected health information. For most categories of permitted disclosures, when the request for disclosure of protected health information is from a person with whom the covered entity does not routinely do business, we would require the covered entity to verify the identity of the requestor. In addition, for certain categories of disclosures, covered entities would also be required to verify the requestor’s legal authority to make the request.

Under § 164.514, a covered entity would be required to give individuals access to protected health information about them (under most circumstances). The covered entity would also be required to take reasonable steps to verify the identity of the individual making the request for access. We do not propose to mandate particular identification requirements (e.g., driver’s license, photo ID, etc.), but rather would leave this to the discretion of the covered entity.

We considered specifying the type of documentation or proof that would be acceptable, but decided that the burden of such specific regulatory requirements on covered entities would be unnecessary. Therefore, we propose only a general requirement for reasonable verification of identity and legal authority.

d. Internal complaint process. (§ 164.518(d))

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. The covered plan or provider would be required to accept complaints about any aspect of its practices regarding protected health information. We would not require that the entity develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. We would not require that covered entities respond in any particular manner or time frame. We are proposing two basic requirements for the complaint process. First, the covered plan or provider would be required to identify a contact person or office in the notice of information practices for receiving complaints. This person or office could either be responsible for handling the complaints or could put the individual in touch with the appropriate person within the entity to handle the particular complaint. See proposed § 164.512. This person could, but would not have to be, the entity’s privacy official. See proposed § 164.518(a)(2). Second, the covered plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of the resolution, if any.

We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices. If an individual and a covered plan or provider are able to resolve the individual’s complaint, there could be no need for the individual to file a complaint with the Secretary under proposed § 164.522(b). However, an individual has the right to file a complaint with the Secretary at any time. An individual could file a complaint with the Secretary before, during, after, or concurrent with filing a complaint with the covered plan or provider or without filing a complaint with the covered plan or provider.

We are considering whether modifications of these complaint procedures for intelligence community agencies could be necessary to address the handling of classified information and solicit comment on the issue.

e. Sanctions. (§ 164.518(e))

In proposed § 164.518(e), we would require all covered entities to develop and, when appropriate, apply sanctions for failure to comply with policies or procedures of the covered entity or with the requirements of this proposed rule. All members of the workforce who have regular contact with protected health information should be subject to sanctions, as would the entity’s business partners. Covered entities would be required to develop and impose sanctions appropriate to the nature of the issue. The type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination.

We considered specifying particular sanctions for particular kinds of violations of privacy policy, but rejected this approach for several reasons. First, the appropriate sanction would vary with the entity’s particular policies. Because we cannot anticipate every kind of privacy policy in advance, we cannot predict the response that would be appropriate when that policy is violated. In addition, it is important to allow covered entities to develop the sanctions policies appropriate to their business and operations.

We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller and less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that actions be taken if repeated instances of violations occur.

f. Sanctions. (§164.518(f))

We propose in § 164.518(f) that covered entities be required to have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information by members of their workforce or business partners. With respect to business partners, we also propose that covered entities have an affirmative duty to take reasonable steps in response to breaches of contract terms.

16. Development and documentation of policies and procedures. (§ 164.520)

In proposed § 164.520, we would require covered entities to develop and document their policies and procedures for implementing the requirements of this proposed rule. This requirement is intended as a tool to facilitate covered entities’ efforts to develop appropriate policies to implement this proposed rule, to ensure that the members of their workforce and their business partners understand and carry out expected privacy practices, and to assist covered entities in developing a notice of information practices.

The scale of the policies developed should be consistent with the size of the covered entity. For example, a smaller employer could develop policies restricting access to health plan information to one designated employee, empowering that employee to deny release of the information to corporate executives and managers unless required for health plan administration. Larger employers could have policies that include using contractors for any function that requires access to protected health information or requiring all reports they receive for plan administration to be de-identified unless individual authorization is obtained.

We are proposing general guidelines for covered entities to develop and document their own policies and procedures. We considered a more uniform, prescriptive approach but concluded that a single approach would be neither effective in safeguarding protected health information nor appropriate given the vast differences among covered entities in size, business practices and level of sophistication. It is important that each covered entity’s internal policies and procedures for implementing the requirements of this regulation are tailored to the nature and number of its business arrangements, the size of its patient population, its physical plant and computer system, the size and characteristics of its workforce, whether it has one or many locations, and similar factors. The internal policies and procedures appropriate for a clearinghouse would not be appropriate for a physician practice; the internal policies and procedures appropriate for a large, multi-state health plan would not be appropriate for a smaller, local health plan.

After evaluating the requirements of federal, State, or other applicable laws, covered entities should develop policies and procedures that are appropriate for their size, type, structure, and business arrangements. Once a covered plan or provider has developed and documented all of the policies and procedures as required in this section, it would have compiled all of the information needed to develop the notice of information practices required in § 164.512. The notice is intended to include a clear and concise summary of many of the policies and procedures discussed in this section. Further, if an individual has any questions about the entity’s privacy policies that are not addressed by the notice, a representative of the entity could easily refer to the documented policies and procedures for additional information.

Before making a material change in a policy or procedure, the covered entity would, in most instances, be required to make the appropriate changes to the documentation required by this section before implementing the change. In addition, covered plans and providers would be required to revise their notice of information practices in advance. Where the covered entity determines that a compelling reason exists to take an action that is inconsistent with its documentation or notice before making the necessary changes, it could take such action if it documents the reasons supporting the action and makes the necessary changes within 30 days of taking such action.

In an attempt to ensure that large entities develop coordinated and comprehensive policies and procedures as required by this section, we considered proposing that entities with annual receipts greater than $5 million (35) be required to have a privacy board review and approve the documentation of policies and procedures. As originally conceived, the privacy board would only serve to review research protocols as described in § 164.510(j). We believe that such a board could also serve as “privacy experts” for the covered entity and could review the entity’s documented policies and procedures. In this capacity, the overriding objective of the board would be to foster development of up-to-date, individualized policies that enable the organization to protect health information without unnecessarily interfering with the treatment and payment functions or business needs. This type of review is particularly important for large entities who would have to coordinate policies and procedures among a large staff, but smaller organizations would be encouraged, but not required, to take a similar approach (i.e., have a widely representative group participate in the development and/or review of the organization’s internal privacy policies and the documentation thereof). We solicit comment on this proposal.

We also considered requiring the covered entity to make its documentation available to persons outside the entity upon request. We rejected this approach because covered entities should not be required to share their operating procedures with the public, or with their competitors.

We recognize that the documentation requirement in this proposed rule would impose some paperwork burden on covered plans and providers. However, we believe that it is necessary to ensure that covered plans and providers establish privacy policies and procedures in advance of any requests for disclosure, authorization, or subject access. It is also necessary to ensure that covered entities and members of their workforce have a clear understanding of the permissible uses and disclosures of protected health information and their duty to protect the privacy of such information under specific circumstances.

17. Compliance and Enforcement.

The rules proposed below at § 164.522 would establish several requirements designed to enable the Secretary to monitor and seek to ensure compliance with the provisions of this subpart. The general philosophy of this section is to provide a cooperative approach to obtaining compliance, including use of technical assistance and informal means to resolve disputes. However, in recognition of the fact that it would not always be possible to achieve compliance through cooperation, the section also would provide the Secretary with tools for carrying out her statutory mandate to achieve compliance.

Proposed § 164.522(a) would establish the principle that the Secretary would seek the cooperation of covered entities in obtaining compliance. Section 164.522(a)(2) provides that the Secretary could provide technical assistance to covered entities to help them come into compliance with this subpart. It is clearly in the interests of both the covered entities and the individuals they serve to minimize the costs of compliance with the privacy standards. To the extent that the Department could facilitate this by providing technical assistance, it would endeavor to do so.

Footnotes:

(1) Janlori Goldman, Institute for Health Care Research and Policy, Georgetown University: www.healthprivacy.org/resources.

(2) Health Data Directory, Faulkner & Gray; 1999 Edition, pp 22-23.

(3) Health Care Financing Administration, Office of the Actuary, 1997.

(4) American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html.

(5) John Hornberger et al, "Early treatment with highly active anti-retroviral therapy (HAART) is cost-effective compared to delayed treatment," 12th World AIDS conference, 1998.

(6) Ibid, Goldman, p. 6.

(7) “Practice Briefs,” Journal of AHIMA; Harry Rhodes, Joan C. Larson, Association of Health Information Outsourcing Service; January 1999.

(8) Ibid, Goldman, p.20.

(9) Ibid, Goldman, p.21.

(10) “Medical records and privacy: empirical effects of legislation; A memorial to Alice Hersh”; McCarthy, Douglas B.; Shatin, Deborah; et al. Health Services Research: April 1, 1999; No. 1, Vol. 34; p. 417. The article details the effects of the Minnesota law conditioning disclosure of protected health information on patient authorization.

(11) Source Book of Health Insurance Data: 1997-1998, Health Insurance Association of America, 1998. p. 33.

(12) We have used two different data sources for our estimates of the number of entities. In the regulatory impact analysis (RIA), we chose to use the same number of entities cited in the other Administrative Simplification rules. In the regulatory flexibility analysis (RFA), we used the most recent data available from the Small Business Administration (SBA).

We chose to use the Administrative Simplification estimates in the RIA because we wanted our analysis to be as consistent as possible with those regulations. We also believe that because the Administrative Simplification numbers are higher than those in the SBA data, it was the more conservative data source.

(13) We have not included the 3.9 million “other” employer health plans listed in HCFA’s administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plans. Because plan administrators have already been included in our analysis, these other employer-sponsored plans will not incur additional costs.

(14) These costs only represent those of public entities serving in the role of provider or plan. The federal costs only reflect those incurred by a provider and plan offering Medicaid or Medicare, and hospitals run by the federal government, including those run by the Veterans Administration and the military. Federal enforcement and other costs are not included. These estimates do not reflect any larger systems changes necessary to running federal programs. Likewise, State costs are incorporated to the extent that States serve as providers or plans (including Medicaid).

(15) Health Care Financing Administration, Office of the Actuary, 1997.

(16) Equifax-Harris Consumer Privacy Survey, 1994.

(17) Consumer Privacy Survey, Harris-Equifax, 1994, p. vi.

(18) Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p. 12.

(19) Health Information Privacy Survey, Harris-Equifax, 1993, pp. 49-50.

(20) American Cancer Society. http://4a2z.com/cgi/rfr.cgi?4CANCER-2-http://www.cancer.org/frames.html.

(21) American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html.

(22) American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html.

(23) American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html.

(24) Avon’s Breast Cancer Crusade. http://www.pmedia.com/Avon/library/faq.html.

(25) Ovarian Cancer National Alliance. http://www.ovariancancer.org/index.shtml.

(26) Cancer Statistics, 1999, Landis, Murray, Bolden and Wingo. CA: A Cancer Journal for Clinicians, Jan/Feb 1999, Vol. 49, No. 1.

(27) Ovarian Cancer National Alliance. http://www.ovariancancer.org/index.shtml.

(28) Breast Cancer Information Service. http://trfn.clpgh.org/bcis/FAQ/facts2.html.

(29) Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p. 13.

(30) For example, Roger Detels, M.D., et al., in “Effectiveness of Potent Anti-retroviral Therapy...” JAMA, 1998;280:1497-1503 note the impact of therapy on HIV persons with respect to lengthening the time to development of AIDS, not just delaying death in persons who already have AIDS.

(31) John Hornberger et al, "Early treatment with highly active anti-retroviral therapy (HAART) is cost-effective compared to delayed treatment," 12th World AIDS conference, 1998.

(32) Sexually Transmitted Diseases in America, Kaiser Family Foundation, 1998, p. 12.

(33) Standard medical information; see http://www.mayohealth.org for examples.

(34) Disease-Specific Estimates of Direct and Indirect Costs of Illness and NIH Support: 1997 Update, 1997.

(35) The Small Business Administration defines small businesses in the health care field as those generating less than $5 million annually. Small businesses represent approximately 85% of health care entities.