Standards
for Privacy of Individually Identifiable Health Information
The modifications adopted in this rulemaking are intended to address
the possible adverse effects of the final privacy standards on an
individual's access to, or the quality of, health care. The modifications
touch on five of the key policy areas addressed by the final regulatory
impact analysis, including consent, research, marketing, notice,
and business associates.
The Department received few comments on this section of the March
2002 proposal. Most of the comments on the cost implications of
the modifications indicated a general belief that the costs would
be higher than the Department estimated. None of the commenters, however,
provided sufficient specific information concerning costs to permit
the Department to adjust its estimates. The public comment on each
of the key policy areas is summarized in the following sections.
However, the estimated cost impact of each area has not changed.
1. Consent
Under the December 2000 Privacy Rule, a covered health care provider
with a direct treatment relationship with an individual must have
obtained the individual's prior written consent for use or disclosure
of protected health information for treatment, payment, or health
care operations, subject to a limited number of exceptions. Other
covered health care providers and health plans may have obtained
such a consent if they so chose. The initial cost of the consent
requirement was estimated in December 2000 to be $42 million. Based
on assumptions for growth in the number of patients, the total cost
for ten years was estimated to be $103 million. See 65 FR 82771
(December 28, 2000).2
---------------------------------------------------------------------------
2 The total cost for consent in the regulatory impact analysis
showed an initial cost of $166 million and $227 million over ten years.
Included in these total numbers is the cost of tracking patient requests
to restrict the disclosure of their health information. This right
is not changed in these modifications. The numbers here represent
the costs associated with the consent functions that are proposed
to be repealed.
---------------------------------------------------------------------------
The modifications eliminate the consent requirement. The consent
requirement posed many difficulties for an individual's access to
health care, and was problematic for operations essential for the
quality of the health care delivery system. However, any health
care provider or health plan may choose to obtain an individual's
consent for treatment, payment, and health care operations. The
elimination of the consent requirement reduces the initial cost
of the privacy standards by $42 million in the first year and by
$103 million over ten years.
As explained in detail in section III.D.1. above, the Department
received many comments supporting the proposed elimination of the
consent requirement on the ground that it created unintended barriers
to timely provision of care, particularly with respect to use and
disclosure of health information prior to a health care provider's
first face-to-face contact with the individual. These and other
barriers discussed above would have entailed costs not anticipated
in the economic analyses in the Privacy Rule. These comments also
revealed that the consent requirements create administrative burdens,
for example, with respect to tracking the status and revocation
of consents, that were not foreseen and thus not included in that
economic analysis. Therefore, while the estimated costs of the consent
provisions over a ten-year period were $103 million, the comments
suggest that the costs would likely be much higher. If these comments
are accurate, the cost savings associated with retracting the consent
provisions would, therefore, also be significantly higher than $103
million over a ten-year period.
Response to Public Comments
Comment: As discussed in section III.H. above, many commenters
expressed support for the proposed requirement that certain health
care providers make a good faith effort to obtain a written acknowledgment
of receipt of the notice, as a workable alternative to the Rule's
prior consent requirement. Many of these commenters conveyed support
for the flexibility of the requirement, and most commenters agreed
that eliminating the consent requirement would mean considerable
savings.
Response: The Department received no public comment containing
empirical, direct evidence on the estimates of financial impact
that either supported or contradicted the Department's calculations.
Therefore, our estimates remain unchanged.
Comment: Many other commenters confused the net savings
associated with the Administrative Simplification provisions with
cost savings associated with the Privacy Rule, and relied on this
misinformation to argue in favor of retaining the consent provisions
for treatment, payment, and health care operations.
Response: These commenters were essentially propounding
a policy choice and not making a comment on the validity of the
estimates for cost savings associated with the elimination of the
consent requirement. The comments did not include any reliable estimation
that would cause the Department to reevaluate its savings estimate.
2. Notice
In eliminating the consent requirement, the Department preserves
the opportunity for a covered health care provider with a direct
treatment relationship with an individual to engage in a meaningful
communication about the provider's privacy practices and the individual's
rights by strengthening the notice requirements. Under the Privacy
Rule, these health care providers are required to distribute to
individuals their notice of privacy practices no later than the
date of the first service delivery after the compliance date. The
modifications do not change this distribution requirement, but add
a new documentation requirement. A covered health care provider
with a direct treatment relationship is required to make a good
faith effort to obtain the individual's acknowledgment of receipt
of the notice provided at the first service delivery. The form of
the acknowledgment is not prescribed and can be as unintrusive as
retaining a copy of the notice initialed by the individual. If the
provider's good faith effort fails, documentation of the attempt
is all that is required. Since the modification does not require
any change in the form of the notice or its distribution, the ten-year
cost estimate of $391 million for these areas in the Privacy Rule's
impact analysis remains the same. See 65 FR 82770.
However, the additional effort by direct treatment providers in
obtaining and documenting the individual's acknowledgment of receipt
of the notice adds costs. This new requirement attaches only to
the initial provision of notice by a direct treatment provider to
an individual after the compliance date. Under the modification,
providers have considerable flexibility on how to achieve this.
Some providers could choose to obtain the required written acknowledgment
on a separate piece of paper, while others could take different
approaches, such as an initialed check-off sheet or a signature
line on the notice itself with the provider keeping a copy.
In its December 2000 analysis, the Department estimated that the
consent cost would be $0.05 per page based on the fact that the
consent had to be a stand alone document requiring a signature.
This modification to the notice requirement provides greater flexibility
and, therefore, greater opportunity to reduce costs compared to
the consent requirement. Without knowing exactly how direct treatment
providers will decide to exercise the flexibility provided, the
Department cannot, with any precision, estimate the cost to implement
this provision. In the NPRM, the Department estimated that the flexibility
of the notice acknowledgment requirement would mean that the cost
of the notice acknowledgment would be 20 percent less than the cost
of the signed consent. The Department did not receive any comments
on this estimate and, therefore, does not change its estimate that
the additional cost of the signature requirement, on average, is
$0.03 per notice. Based on data obtained from the Medical Expenditure
Panel Survey (MEPS), which estimate the number of patient visits
in a year, the Department estimates that in the first year there
would be 816 million notices distributed to which the new good faith
acknowledgment requirement will attach. Over the next nine years,
the Department estimates, again based on MEPS data, that there would
be 5.3 billion visits to health care providers by new patients (established
patients will not need to receive another copy of the notice). At
$0.03 per document, the first year cost will be $24 million and
the total cost over ten years will be $184 million.
Response to Public Comments
Comment: As discussed in section III.H. above, a number
of other commenters expressed concern over the administrative and
financial burden the requirement to obtain a good faith acknowledgment
of the notice would impose.
Response: The Department received no public comment containing
empirical, direct evidence on the estimates of financial impact
that either supported or contradicted the Department's calculations.
Therefore, our estimates remain unchanged.
Comment: One commenter requested that model language for
the notice be developed as a means of reducing the costs associated
with Privacy Rule compliance.
Response: As stated in section III.H. above, in the final
Rule, the Department sought to retain the maximum flexibility by
requiring only that the acknowledgment be in writing and does not
prescribe other details of the form that the acknowledgment must
take or the process for obtaining the acknowledgment. This permits
covered health care providers the discretion to design the acknowledgment
process as best suited to their practices, including the option
of obtaining an electronic acknowledgment regardless of whether
the notice is provided electronically or on paper. Furthermore,
there is no change to the substance of the notice and the commenter
provided no empirical, direct benefit/cost data in support of their
proposal.
Comment: The Department received comments expressing opposition
to obtaining written acknowledgment of the receipt of the notice
because it is too costly. Others commented that the acknowledgment
increases the administrative burden as it would not replace a signed
consent for uses and disclosures of health information when State
law requires providers to obtain consent.
Response: The Department received no public comment containing
empirical, direct evidence on the estimates of financial impact
that either supported or contradicted the Department's calculations.
Therefore, our estimates remain unchanged.
Comment: A number of commenters expressed concern over the
perceived increase in liability that would arise from the discretionary
standard of "good faith" efforts (i.e., risk of tort-based
litigation for private right of action under State laws).
Response: The Department received no estimate of the impact
of this perceived risk of liability. As no empirical, direct evidence
on the estimates of financial impact that either supported or contradicted
the Department's calculations was supplied, our estimates remain
unchanged.
3. Business Associates
The Privacy Rule requires a covered entity to have a written contract,
or other arrangement, that documents satisfactory assurances that
a business associate will appropriately safeguard protected health
information in order to disclose protected health information to
the business associate. The regulatory impact analysis for the Privacy
Rule provided cost estimates for two aspects of this requirement.
In the Privacy Rule, $103 million in first-year costs was estimated
for development of a standard business associate contract language.
(There were additional costs associated with these requirements
related to the technical implementation of new data transfer protocols,
but these are not affected by the modification adopted here.) In
addition, $197 million in first-year costs and $697 million in total
costs over ten years were estimated in the Privacy Rule for the
review and oversight of existing business associate contracts.
The modifications do not change the standards for business associate
contracts or the implementation specifications with respect to the
covered entity's responsibilities for managing the contracts. However,
the Department includes sample business associate contract language
as part of the preamble to this rulemaking. This sample language
is only suggested language and is not a complete contract. The sample
language is designed to be adapted to the business arrangement between
the covered entity and the business associate and to be incorporated
into a contract drafted by the parties. Certain provisions of the
sample language have been revised, as described in more detail below,
based on the public comment received on the proposal. The December
2000 regulatory impact analysis assumed the development of such
standard language by trade and professional associations. While
this has occurred to some degree, the Department received public
comment supporting the need for sample contract language. The Department
expects that trade and professional associations will continue to
provide assistance to their members. However, the sample contract
language in this rulemaking will simplify their efforts by providing
a base from which they can develop language. The Department had
estimated $103 million in initial year costs for this activity based
on the assumption it would require one hour per non-hospital provider
and two hours for hospitals and health plans to develop contract
language and to tailor the language to the particular needs of the
covered entity. The additional time for hospitals and health plans
reflected the likelihood that these covered entities would have
a more extensive number of business associate relationships. Because
there will be less effort expended than originally estimated in
the Privacy Rule, the Department estimates a reduction in contract
development time by one-third because of the availability of the
model language. Thus, the Department now estimates that this activity
will take 40 minutes for non-hospital providers and 80 minutes for
hospitals and health plans. The Department estimates that the savings
from the proposed business associate contract language would be
approximately $35 million in the first year. The changes being adopted
to the sample contract language do not affect these cost estimates.
The Department, in this rulemaking, also gives most covered entities
additional time to conform written contracts to the privacy standards.
Under the modification, a covered entity's written business associate
contracts, existing at the time the modifications become effective,
are deemed to comply with the privacy standards until such time
as the contracts are renewed or modified, or until April 14, 2004,
whichever is earlier. The effect of this proposal is to spread first-year
costs over an additional year, with a corresponding postponement
of the costs estimated for the out years. However, the Department
has no reliable information as to the number of contracts potentially
affected by the modification or the average delay that will occur.
Therefore, the Department is uncertain about the extent of the cost
savings attributable to this modification.
Response to Public Comments
Comment: While many commenters supported the business associate
transition provisions as helpful to reducing the administrative
burden and cost of compliance, commenters argued that the business
associate provisions would still be very burdensome and costly to
implement, especially for small and solo businesses.
Response: The Department acknowledges that there are compliance
costs associated with the business associate standards. However,
no commenters supplied empirical, direct evidence in support of
or contradictory to the Department's estimates of the cost savings
associated with the business associate transition provisions. Therefore,
our estimates remain unchanged.
Comment: Some commenters disputed the estimated costs of
complying with the business associate requirements based on the
quantity of contracts (with suppliers, physicians, local agencies
and national concerns), and the number of hours necessary to individually
tailor and renegotiate all of these contracts.
Response: These comments address the underlying costs of
the business associate requirements and do not address the reduction
in costs afforded through the sample business associate agreement
language. Moreover, no empirical, direct evidence, based on accomplished
workload rather than extrapolations of singular events, was provided
to contradict the Department's calculations. Therefore, our estimates
remain unchanged.
4. Marketing
Under Sec. 164.514(e) of the December 2000 Privacy Rule, certain
health-related communications were subject to special conditions
on marketing communications, if they also served to promote the
use or sale of a product or service. These marketing conditions
required that particular disclosures be made as part of the marketing
materials sent to individuals. Absent these disclosures, protected
health information could only be used or disclosed in connection
with such marketing communications with the individual's authorization.
The Department is aware that the Privacy Rule's Sec. 164.514(e)
conditions for health-related communications created a potential
burden on covered entities to make difficult assessments regarding
many of their communications. The modifications to the marketing
provisions relieve the burden on covered entities by making most
marketing subject to an authorization requirement (see Sec. 164.508(a)(3)),
making clear that necessary treatment and health care operations
activities were not marketing, and eliminating the Sec. 164.514(e)
conditions on marketing communications.
In developing the December 2000 impact analysis for the Privacy
Rule, the Department was unable to estimate the cost of the marketing
provisions. There was too little data and too much variation in
current practice to estimate how the Privacy Rule might affect marketing.
The same remains true today. However, the modifications relieve
burden on the covered entities in making communications for treatment
and certain health care operations relative to the requirements
in the Privacy Rule. Although the Department cannot provide a quantifiable
estimate, the effect of these modifications is to lower the costs
associated with the Privacy Rule.
Response to Public Comment
Comment: Many providers, especially mental health providers,
opposed the changes to marketing and consent as they fear increased
access to individually identifiable health information would cause
patients to refrain from seeking treatment. By not seeking timely
treatment, the medical conditions could worsen, and result in increased
or additional costs to society.
Response: The commenters did not attempt to segment out
the cost attributed to marketing alone. In fact, no empirical, direct
evidence on the estimates of financial impact that either supported
or contradicted the Department's calculations was provided. Therefore,
our estimates remain unchanged.
5. Research
In the final impact analysis of the December 2000 Privacy Rule,
the Department estimated the total cost of the provisions requiring
documentation of an Institutional Review Board (IRB) or Privacy
Board waiver of individual authorization for the use or disclosure
of protected health information for a research purpose as $40 million
for the first year and $585 million for the ten-year period. The
costs were estimated based on the time that an IRB or Privacy Board
would need to consider a request for a waiver under the criteria
provided in the Privacy Rule. See 65 FR 82770-82771 (December 28,
2000).
The modifications simplify and reduce the number of criteria required
for an IRB or Privacy Board to approve a waiver of authorization
to better conform to the Common Rule's waiver criteria for informed
consent to participate in the research study. The Department estimates
that the net effect of these modifications is to reduce the time
necessary to assemble the waivers and for an IRB or Privacy Board
to consider and act on waiver requests by one quarter. The Department
estimates these simplifications would reduce the expected
first year costs by $10 million and the ten year costs by $146 million,
relative to the December 2000 Privacy Rule. Although the Department
requested information to better assess this cost savings, the public
comment period failed to produce any sound data. Therefore, the
Department's estimates have not changed.
The Department adopts three other modifications to simplify the
Privacy Rule requirements to relieve the potential administrative
burden on research. First, the modifications permit a covered entity
to use and disclose protected health information in the form of
a limited data set for research, public health, and health care
operations. A limited data set does not contain any direct identifiers
of individuals, but may contain any other demographic or health
information needed for research, public health or health care operations
purposes. The covered entity must obtain a data use agreement from
the recipient of a limited data set pursuant to which the recipient
agrees to restrict use and disclosure of the limited data set and
not to identify or contact any individual. With a data use agreement,
a researcher may access a limited data set without obtaining individual
authorization or having to go through an IRB or a Privacy Board
for a waiver of the authorization. (See discussion at III.G.2.)
Second, the modifications simplify the accounting procedures for
research disclosures by the covered entity by eliminating the need
to account for disclosures which the individual has authorized or
which are part of a limited data set, and by providing a simplified
basis to account for a research disclosure involving 50 or more
records. (See discussion at III.F.2.) Third, the modifications simplify
the authorization process for research to facilitate the combining
of the informed consent for participation in the research itself
with an authorization required under the Privacy Rule. (See discussion
at III.E.2.) Any cost savings attributed to the latter two modifications
would accrue primarily to the covered entity disclosing protected
health information for research purposes and, therefore, would not
affect the costs estimated here for the impact of the Privacy Rule
on IRBs.
With regard to limited data sets, the Department anticipates that
the modification will avoid IRBs having to review and approve researchers'
requests for waiver of authorization for numerous studies that are
undertaken today without IRB review and approval. For example, a
researcher may not need IRB approval or waiver of informed consent
to collect health information that is linked to the individual only
by inclusion of the individual's zip code as this may not be personally
identifying information under the Common Rule. However, this information
would not be considered de-identified information under the Privacy
Rule and it could not be disclosed to the researcher without the
individual's authorization or an IRB waiver of that authorization.
With the limited data set, research that does not require direct
identifiers can continue to go on expeditiously without adding burden
to IRBs and Privacy Boards. Similarly, limited data sets, similar
to the Hospital Discharge Abstract data, will permit much useful
information to be available for research, public health, and health
care operations purposes.
Although there was broad support for limited data sets in the comments
received by the Department, we do not have sufficient information
to estimate the amount of research that currently occurs without
IRB review or approval and which, but for the provision on limited
data sets, would have had to involve the IRB to meet the use and
disclosure requirements of the Privacy Rule. Nor did the comments
supply information upon which the Department could reasonably rely
in making an estimate of the cost savings. Therefore, the Department
does not increase its estimated savings for research to reflect
this modification, although we are confident that the overall impact
of the Privacy Rule on research will be much lower based on the
modifications adopted in this rulemaking.
Response to Public Comments
Comment: The Department received a number of comments that
argued that the Privacy Rule would increase costs and workloads
for researchers and research institutions. One commenter delineated
these issues as: (1) An increased difficulty in recruiting research
participants; (2) the need for increased IRB scrutiny (and the associated
resource costs); and (3) the additional paperwork and documentation
required.
Response: The Department recognized the impact of the final
Privacy Rule on researchers and research institutions and provided
a cost estimate for this impact as part of the Final Rule. Likewise,
the NPRM offered modifications, such as more closely aligning the
Privacy and Common Rule criteria, to ease the burden and, correspondingly,
estimated cost savings of these proposed modifications. The specific
comments appear to dispute the research cost estimates in the final
Rule, as their delineated issues are not reflective of the modifications
and cost savings specified in the NPRM. In any event, no reliable
empirical, direct information on the estimates of financial impact
that either supported or contradicted the Department's calculations
was provided. Therefore, our estimates remain unchanged.
Privacy Rule Modifications--Ten-Year Cost Estimates
[Table here]
1 As noted above in the discussion on consent, while
the estimated costs of the consent provisions were $103
million, comments have suggested that the costs were
likely to be much higher. If these comments are accurate,
the cost savings associated with retracting the consent
provisions would, therefore, also be significantly higher
than $103 million.