
82761 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

TABLE 1.—THE COST OF COMPLYING WITH THE PROPOSED PRIVACY REGULATION

[In millions of dollars]

Provision                                    Initial or first-   Average annual     Ten-year cost
                                             year cost (2003)    cost (years 2–10)  (2003–2012)
Policy Development ........................        597.7                 0              597.7
Minimum Necessary .........................        926.2             536.7            5,756.7
Privacy Officials .........................        723.2             575.8            5,905.8
Disclosure Tracking/History ...............        261.5              95.9            1,125.1
Business Associates .......................        299.7              55.6              800.3
Notice Distribution .......................         50.8              37.8              391.0
Consent ...................................        166.1               6.8              227.5
Inspection/Copying ........................          1.3               1.7               16.8
Amendment .................................          5.0               8.2               78.8
Requirements on Research ..................         40.2              60.5              584.8
Training ..................................        287.1              50.0              737.2
De-Identification of Information ..........        124.2             117.0            1,177.4
Employers with Insured Group Health Plans .         52.4                 0               52.4
Internal Complaints .......................          6.6              10.7              103.2
Total * ...................................      3,242.0           1,556.9           17,554.7
Net Present Value .........................      3,242.0             917.8           11,801.8

* Note: Numbers may not add due to rounding. (As printed, the first-year entries sum to 3,542.0 rather than the stated 3,242.0; the ten-year entries sum to the stated 17,554.7.)

C. Need for the Final Rule

The need for a national health information privacy framework is described in detail in Section I of the preamble above. In short, privacy is a necessary foundation for delivery of high quality health care—the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers. At the same time, there is increasing public concern about loss of privacy generally, and health privacy in particular. The growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual’s genetic make-up, and the increasing complexity of the health care system each bring the potential for tremendous benefits to individuals and society, but each also brings new potential for invasions of our privacy.

Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. Section I of the preamble, above, lists numerous examples of the kinds of deliberate or accidental privacy violations that call for a national legal framework of health privacy protections. Disclosure of health information about an individual can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. The answer to these concerns is not for consumers to withdraw from the health care system, but for society to establish a clear national legal framework for privacy.

This section adds to the discussion in Section I, above, a discussion of the market failures inherent in the current system which create additional and compelling reasons to establish national health information privacy standards. Market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had the ability to monitor and enforce contracts. The chief market failures with respect to privacy of health information concern information, negotiation, and enforcement costs between the entity and the individual. The information costs arise because of the information asymmetry between the company and the patient—the company typically knows far more than the patient about how the protected health information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information may be generated, combined with other databases, or sold to third parties.

Absent this regulation, patients face at least two layers of cost in learning about how their information is used. First, as with many aspects of health care, patients face the challenge of trying to understand technical medical terminology and practices. A patient generally will have difficulty understanding medical records and the implications of transferring health information about them to a third party. Second, in the absence of consistent national rules, patients may face significant costs in trying to learn and understand the nature of a company’s privacy policies.

The costs of learning about companies’ policies are magnified by the difficulty patients face in detecting whether companies, in fact, are complying with those policies. Patients might try to adopt strategies for monitoring whether companies have complied with their announced policies. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. In addition, modern health care often requires protected health information to flow legitimately among multiple entities for purposes of treatment, payment, health care operations, and other necessary uses. Even if the patient could identify the provider whose data ultimately leaked, the patient could not easily tell which of those multiple entities had impermissibly transferred her information. Therefore, the cost and ineffectiveness of monitoring leads to less than optimal protection of individually identifiable health information.

The incentives facing a company that acquires individually identifiable health information also discourage privacy protection. A company gains the full benefit of using such information, including its own marketing efforts or its ability to sell the information to third parties. The company, however, does not suffer the losses from disclosure of protected health information; the patient does. Because of imperfect monitoring, customers often will not learn of, and thus will not be able to take efficient action to prevent, uses or disclosures of sensitive information. Because the company internalizes the gains from using the information, but does not bear a significant share, if any, of the cost to patients (in terms of lost privacy), it will have a systematic incentive to over-use individually identifiable health information. In market failure terms, companies will have an incentive to use individually identifiable health information where the patient would not have freely agreed to such use.

These difficulties are exacerbated by the third-party nature of many health insurance and payment systems. Even where individuals would wish to bargain for privacy, they may lack the legal standing to do so. For instance, employers often negotiate the terms of health plans with insurers. The employee may have no voice in the privacy or other terms of the plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The current system leads to significant market failures in bargaining for privacy protection. Many privacy-protective agreements that patients would wish to make, absent barriers to bargaining, will not be reached.

The economic arguments become more compelling as the medical system shifts from predominantly paper to predominantly electronic records. Rapid changes in information technology should result in increased market failures in the markets for individually identifiable health information. Improvements in computers and networking mean that the costs of gathering, analyzing, and disseminating electronic data are plunging. Market forces are leading many health care providers and health plans to shift from paper to electronic records, due both to lower cost and the increased functionality provided by having information in electronic form. These market changes will be accelerated by the administrative simplification implemented by the other regulations promulgated under HIPAA. A chief goal of administrative simplification, in fact, is to create a more efficient flow of medical information, where appropriate. This privacy regulation is an integral part of the overall effort of administrative simplification; it creates a framework for more efficient flows for certain purposes, including treatment and payment, while restricting flows in other circumstances except where appropriate institutional safeguards exist.

If the medical system shifts predominantly to electronic records in the near future, accompanying privacy rules will become more critical to prevent unanticipated, inappropriate, or unnecessary uses or disclosures of individually identifiable health information without patient consent and without effective institutional controls against further dissemination. In terms of the market failure, it will become more difficult for patients to know how their health provider or health plan is using health information about them. It will become more difficult to monitor the subsequent flows of individually identifiable health information, as the number of electronic flows and possible points of leakage both increase. Similarly, the costs and difficulties of bargaining to get the patients’ desired level of use will likely rise due to the greater number and types of entities that receive protected health information.

As the benefits section, below, discusses in more detail, the protection of privacy and correcting the market failure also have practical implications. Where patients are concerned about lack of privacy protections, they might fail to get medical treatment that they would otherwise seek. This failure to get treatment may be especially likely for certain conditions, including mental health and HIV. Similarly, patients who are concerned about lack of privacy protections may report health information inaccurately to their providers when they do seek treatment. For instance, they might decide not to mention that they are taking prescription drugs that indicate that they have an embarrassing condition. These inaccurate reports may lead to mis-diagnosis and less-than-optimal treatment, including inappropriate additional medications. In short, the lack of privacy safeguards can lead to efficiency losses in the form of forgone or inappropriate treatment.

In summarizing the economic arguments supporting the need for this regulation, the discussion here has emphasized the market failures that will be addressed by this regulation. These arguments become considerably stronger with the shift from predominantly paper to predominantly electronic records. As discussed in the benefits section below, the proposed privacy protections may prevent or reduce the risk of unfair treatment or discrimination against vulnerable categories of persons, such as those who are HIV positive, and thereby foster better health. The proposed regulation may also help educate providers, health plans, and the general public about how protected health information is used. This education, in turn, may lead to better information practices in the future.

D. Baseline Privacy Protections

An analysis of the costs and benefits of the regulation requires a baseline from which to measure the regulation’s effects. For some regulations, the baseline is relatively straightforward. For instance, an industry might widely use a particular technology, but a new regulation may require a different technology, which would not otherwise have been adopted by the industry. In this example, the old and widely used technology provides the baseline for measuring the effects of the regulation. The costs and the benefits are the difference between keeping the old technology and implementing the new technology.

Where the underlying technology and industry practices are rapidly changing, however, it can be far more difficult to determine the baseline and thereby measure the costs and benefits of a regulation. There is no simple way to know what technology industry would have chosen to introduce if the regulation had never existed, nor how industry practices would have evolved.

Today, the entities covered by the HIPAA privacy regulation are in the midst of a shift from primarily paper records to electronic records. As covered entities spend significant resources on hardware, software, and other information technology costs, questions arise about which of these costs are fairly attributable to the privacy regulations as opposed to costs that would have been expended even in the absence of the regulations. Industry practices generally are rapidly evolving, as described in more detail in Part I of this preamble. New technological or other measures taken to protect privacy are in part attributable to the expected expense of shifting to electronic medical records, rather than being solely attributable to the new regulations. In addition, the existence of privacy rules in other sectors of the economy helps set a norm for what practices will be considered good practices for health information. The level of privacy protection that would exist in the health care sector, in the absence of regulations, thus would likely be affected by regulatory and related developments in other sectors. In short, it is difficult to project a cost or benefits baseline for this rule.

The common security practice of using ‘‘firewalls’’ illustrates how each of three candidate baselines might apply: the full cost of the measure, the level of risk under current practice, and the level of protection that would have been adopted even without regulation. Under the first baseline, the full cost of implementing firewalls should be included in a Regulatory Impact Analysis for a rule that expects entities to have firewalls. Because current law has not required firewalls, a new rule expecting this security measure must include the full cost of creating firewalls. This approach, however, would seem to overstate the cost of such a regulation. Firewalls would seem to be an integral part of the decision to move to an on-line, electronic system of records. Firewalls are also being widely deployed by users and industries where no binding security or privacy regulations have been proposed.

Under the second baseline, the touchstone is the level of risk of security breaches for individually identifiable health information under current practices. There is quite possibly a greater risk of breach for an electronic system of records, especially where such records are accessible globally through the Internet, than for patient records dispersed among various doctors’ offices in paper form. Using the second baseline, the costs of firewalls for electronic systems should not be counted as a cost of the regulation except where firewalls create greater security than existed under the previous, paper-based system.

Finally, the third baseline would require an estimate of the typical level of firewall protections that covered entities would adopt in the absence of regulation, and include in the Regulatory Impact Analysis only the costs that exceed what would otherwise have been adopted. For this analysis, the Department has generally assumed that the status quo would otherwise exist throughout the ten-year period (in a few areas we explicitly discuss likely changes). We made this decision for two reasons. First, predicting the level of change that would otherwise occur is highly problematic. Second, it is a ‘‘conservative’’ assumption—that is, any error will likely be an overstatement of the true costs of the regulation.

Privacy practices are most often shaped by professional organizations that publish ethical codes of conduct and by state law. On occasion, state laws defer to professional conduct codes. At present, where professional organizations and states have developed only limited guidelines for privacy practices, an entity may implement privacy practices independently. However, it is worth noting that privacy protection continues to expand in various areas. For example, European Union countries may only send individually identifiable information to companies, including U.S. firms, that comply with their privacy standards, and the growing use of health data in other areas of commerce, such as finance and general commercial marketing, has also increased the demand for privacy in ways that were not of concern in the past.

1. Professional Codes of Ethics

The Department examined statements issued by five major professional groups, one national electronic network association and a leading managed care association.[38] There are a number of common themes that all the organizations appear to subscribe to:

• The need to maintain and protect an individual’s health information;

• The development of policies to ensure the confidentiality of individually identifiable health information;

• A restriction that only the minimum necessary information should be released to accomplish the purpose for which the information is sought.

[38] American Association of Health Plans, Code of Conduct; http://www.aahp.org; American Dental Association, Principles of Ethics and Professional Conduct; http://www.ada.org; American Hospital Association, ‘‘Disclosure of Medical Record Information,’’ Management Advisory: Information Management; 1990, AHA: Chicago, IL; American Medical Association, AMA Policy Finder—Current Opinions Council on Ethical and Judicial Affairs; several documents available through the Policy Finder at http://www.ama-assn.org; American Psychiatric Association, ‘‘APA Outlines Standards Needed to Protect Patient’s Medical Record’’; Release No. 99–32, May 27, 1999; http://www.psych.org.

Beyond these principles, the major associations differ with respect to the methods used to protect individually identifiable health information. There is no common professional standard across the health care field with respect to the protection of individually identifiable health information. One critical area of difference is the extent to which professional organizations should release individually identifiable health information. A major mental health association advocates the release of identifiable patient information ‘‘* * * only when de-identified data are inadequate for the purpose at hand.’’ A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to ‘‘sell’’ patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance of releasing the information.

Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies its position by stating that the physician has the final word on whether a patient has access to his or her health information. This association also recommends that its members respond to requests for access to patient information within ten days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in his or her record and the entity refuses to accept the patient’s change, the patient’s statement should be included as a permanent part of the patient’s record.

In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of individually identifiable health information.
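An audit trail of the kind endorsed here is also the mechanism that answers the monitoring problem set out in Section C above: a patient who finds her diagnosis in a marketer’s hands cannot otherwise tell which of several entities passed it on. The following Python is an added example written for this page; it is not code from the Federal Register, the Department, or any of the associations reviewed. The hash-chained log, the entity names, the patient identifiers and the MINIMUM_NECESSARY policy table are all constructed assumptions, chosen only to show how an accounting of disclosures supports both questions (who disclosed to whom, and which disclosures exceeded the minimum necessary for their stated purpose).

```python
"""Accounting-of-disclosures log: tamper-evident and queryable per patient.
Constructed illustration; the policy table and all sample data are assumptions."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Set, Tuple

# Hypothetical "minimum necessary" policy: the data elements a given purpose
# may carry. Illustrative assumptions, not taken from the rule or any code of conduct.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "treatment": {"name", "diagnosis", "medications", "allergies"},
    "payment": {"name", "procedure_code", "date_of_service"},
    "operations": {"procedure_code", "date_of_service"},
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    from_entity: str          # covered entity releasing the data
    to_entity: str            # recipient of the data
    purpose: str              # purpose asserted for the disclosure
    fields: Tuple[str, ...]   # data elements released (kept sorted for a canonical hash)
    when: str                 # timestamp as recorded by the disclosing entity


class DisclosureLog:
    """Append-only accounting of disclosures. Each entry's hash covers the
    previous entry's hash, so an altered or deleted entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _hash(prev: str, d: Disclosure) -> str:
        body = json.dumps(asdict(d), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

    def record(self, d: Disclosure) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        h = self._hash(prev, d)
        self.entries.append({"prev": prev, "hash": h, "disclosure": d})
        return h

    def verify(self) -> bool:
        """Recompute the whole chain from the genesis value."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["disclosure"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, patient_id: str) -> List[Disclosure]:
        return [e["disclosure"] for e in self.entries
                if e["disclosure"].patient_id == patient_id]

    def who_disclosed_to(self, patient_id: str, holder: str) -> List[str]:
        """Which entities in the chain handed this patient's data to `holder`
        (the question the preamble says an unaided patient cannot answer)."""
        return [d.from_entity for d in self.history(patient_id)
                if d.to_entity == holder]

    def excess_disclosures(self, patient_id: str) -> List[Disclosure]:
        """Disclosures carrying fields beyond the policy's minimum necessary for
        their stated purpose. A purpose absent from the policy allows nothing."""
        return [d for d in self.history(patient_id)
                if set(d.fields) - MINIMUM_NECESSARY.get(d.purpose, set())]


def build_sample_log() -> DisclosureLog:
    """Constructed scenario (not from the page): a clinic bills a plan and
    over-shares the diagnosis; the plan then passes it to a marketing firm."""
    log = DisclosureLog()
    log.record(Disclosure("pt-0001", "clinic-a", "plan-b", "payment",
                          ("date_of_service", "diagnosis", "name", "procedure_code"),
                          "2000-12-28T09:00:00Z"))
    log.record(Disclosure("pt-0002", "clinic-a", "plan-b", "payment",
                          ("date_of_service", "name", "procedure_code"),
                          "2000-12-28T09:05:00Z"))
    log.record(Disclosure("pt-0001", "plan-b", "marketer-c", "marketing",
                          ("diagnosis", "name"), "2000-12-29T14:30:00Z"))
    return log


def tampering_is_detected() -> bool:
    """Rewrite one entry after the fact (as an entity hiding a transfer might)
    and confirm the chain no longer verifies."""
    log = build_sample_log()
    intact_before = log.verify()
    original = log.entries[2]["disclosure"]
    log.entries[2]["disclosure"] = Disclosure(
        original.patient_id, original.from_entity, "plan-b-affiliate",
        original.purpose, original.fields, original.when)
    return intact_before and not log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("who gave pt-0001's data to marketer-c:", log.who_disclosed_to("pt-0001", "marketer-c"))
    for d in log.excess_disclosures("pt-0001"):
        print("exceeds minimum necessary:", d.from_entity, "->", d.to_entity, "for", d.purpose)
    print("tampering detected:", tampering_is_detected())
```

The chain is append-only at the application layer only: an operator with write access to the storage can rewrite every entry and recompute every hash. In practice the head hash is therefore periodically published or countersigned by a party outside the disclosing entity’s control, which is what turns a private log into evidence a patient or regulator can rely on.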

The one set of standards that we reviewed from a health network association advocated the protection of individually identifiable health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting individually identifiable health information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. The association suggested allowing the use of protected health information without the patient’s authorization for what they term ‘‘health promotion.’’ It is possible that the use of protected health information for ‘‘health promotion’’ may be construed under the rule as part of marketing activities.

Based on the review of the leadingassociation standards, we believe thatthe final rule embodies most or all of themajor principles expressed in thestandards. However, there are somemajor areas of difference between therule and the professional standardsreviewed. The final rule generallyprovides stronger, more consistent, andmore comprehensive guarantees ofprivacy for individually identifiablehealth information than the professionalstandards. The differences between therule and the professional codes includethe individual’s right of access to healthinformation in the covered entity’spossession, relationships betweencontractors and covered entities, and therequirement that covered entities maketheir privacy policies and practicesavailable to patients through a notice

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00303 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2

Page 4: Federal Register /Vol. 65, No. 250/Thursday, December 28, … · 82762 Federal Register/Vol. 65, No. 250/Thursday, December 28, 2000/Rules and Regulations learn of, and thus not be

82764 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

39 Ibid, Goldman, p. 6.

40 ‘‘Practice Briefs,’’ Journal of AHIMA; HarryRhodes, Joan C. Larson, Association of HealthInformation Outsourcing Service; January 1999.

41 Ibid, Goldman, p. 20.42 Ibid, Goldman, p. 21.

and the ability to respond to questions related to the notice. Because the regulation requires that (with a few exceptions) patients have access to their protected health information that a covered entity possesses, large numbers of health care providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that health care providers or health plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes. The regulation allows for the release of protected health information for research purposes without an individual’s authorization, but only where such authorization is waived by an institutional research board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.

2. State Laws

The second body of privacy protections is found in a complex, and often confusing, myriad of state laws and requirements. To determine whether or not the final rule would preempt a state law, first we identified the relevant laws, and second, we addressed whether state or federal law provides individuals with greater privacy protection.

Identifying the Relevant State Statutes: Health information privacy provisions can be found in laws applicable to many issues including insurance, worker’s compensation, public health, birth and death records, adoptions, education, and welfare. In many cases, state laws were enacted to address a specific situation, such as the reporting of HIV/AIDS, or medical conditions that would impair a person’s ability to drive a car. For example, Florida has over 60 laws that apply to protected health information. According to the Georgetown Privacy Project,39 Florida is not unique. Every state has laws and regulations covering some aspect of medical information privacy. For the purpose of this analysis, we simply acknowledge the variation in state requirements.

We recognize that covered entities will need to learn the laws of their states in order to comply with such laws that are not contrary to the rule, or that are contrary to and more stringent than the rule. This analysis should be completed in the context of individual markets; therefore, we expect that professional associations or individual businesses will complete this task.

Recognizing the limits of our ability to effectively summarize state privacy laws, we discuss conclusions generated by the Georgetown University Privacy Project’s report, The State of Health Privacy: An Uneven Terrain. The Georgetown report is among the most comprehensive examinations of state health privacy laws currently published, although it is not exhaustive. The report, which was completed in July 1999, is based on a 50-state survey.

To facilitate discussion, we have organized the analysis into two sections: access to health information and disclosure of health information. Our analysis is intended to suggest areas where the final rule appears to preempt various state laws; it is not designed to be a definitive or wholly comprehensive state-by-state comparison.

Access to Subject’s Information: In general, state statutes provide individuals with some access to medical records about them. However, only a few states allow individuals access to health information held by all their health care providers and health plans. In 33 states, individuals may access their hospital and health facility records. Only 13 states guarantee individuals access to their HMO records, and 16 states provide individuals access to their medical information when it is held by insurers. Seven states have no statutory right of patient access; three states and the District of Columbia have laws that only assure individuals’ right to access their mental health records. Only one state permits individuals access to records about them held by health care providers, but it excludes pharmacists from the definition of provider. Thirteen states grant individuals statutory right of access to pharmacy records.

The amount that entities are allowed to charge for copying of individuals’ records varies widely from state to state. A study conducted by the American Health Information Management Association40 found considerable variation in the amounts, structure, and combination of fees for search and retrieval, and the copying of the record.

In 35 states, there are laws or regulations that set a basis for charging individuals inspecting and copying fees. Charges vary not only by state, but also by the purpose of the request and the facility holding the health information. Also, charges vary by the number of pages and whether the request is for X-rays or for standard medical information.

Of the 35 states with laws regulating inspection and copying charges, seven states either do not allow charges for retrieval of records or require that the entity provide the first copy free of charge. Some states may prohibit hospitals from charging patients a retrieval and copying fee, but allow clinics to do so. Many states allow fee structures, while eleven states specify only that the record holder may charge “reasonable/actual costs.”

According to the report by the Georgetown Privacy Project, among states that do grant access to patient records, the most common basis for denying individuals access is concern for the life and safety of the individual or others.

The amount of time an entity is given to supply the individual with his or her record varies widely. Many states allow individuals to amend or correct inaccurate health information, especially information held by insurers. However, few states provide the right to insert a statement in the record challenging the covered entity’s information when the individual and entity disagree.41

Disclosure of Health Information: State laws vary widely with respect to disclosure of individually identifiable health information. Generally, states have applied restrictions on the disclosure of health information either to specific entities or for specific health conditions. Only three state laws place broad limits on disclosure of individually identifiable health information without regard for policies and procedures developed by covered entities. Most states require patient authorization before an entity may disclose health information to certain recipients, but the patient often does not have an opportunity to object to any disclosures.42

It is also important to point out that none of the states appear to offer individuals the right to restrict disclosure of their health information for treatment.


43 “Medical records and privacy: Empirical effects of legislation; A memorial to Alice Hersh”; McCarthy, Douglas B; Shatin, Deborah; et al. Health Service Research: April 1, 1999; No. 1, Vol. 34; p. 417. The article details the effects of the Minnesota law conditioning disclosure of protected health information on patient authorization.

44 Source Book of Health Insurance Data: 1997–1998, Health Insurance Association of America, 1998. p. 33.

45 “Health plans,” for purposes of the regulatory impact and regulatory flexibility analyses, include licensed insurance carriers who sell health products; third party administrators that will have to comply with the regulation for the benefit of the plan sponsor; and self-insured health plans that are at least partially administered by the plan sponsor.

State statutes often have exceptions to requiring authorization before disclosure. The most common exceptions are for purposes of treatment, payment, or auditing and quality assurance functions. Restrictions on re-disclosure of individually identifiable health information also vary widely from state to state. Some states restrict the re-disclosure of health information, and others do not. The Georgetown report cites state laws that require providers to adhere to professional codes of conduct and ethics with respect to disclosure and re-disclosure of protected health information.

Most states have adopted specific measures to provide additional protections for health information regarding certain sensitive conditions or illnesses. The conditions and illnesses most commonly afforded added privacy protection are:

• Information derived from genetic testing;

• Communicable and sexually-transmitted diseases;

• Mental health; and

• Abuse, neglect, domestic violence, and sexual assault.

Some states place restrictions on releasing condition-specific health information for research purposes, while others allow release of information for research without the patient’s authorization. States frequently require that researchers studying genetic diseases, HIV/AIDS, and other sexually transmitted diseases have different authorization and privacy controls than those used for other types of research. Some states require approval from an IRB or agreements that the data will be destroyed or identifiers removed at the earliest possible time. Another approach has been for states to require researchers to obtain sensitive, identifiable information from a state public health department. One state does not allow automatic release of protected health information for research purposes without notifying the subjects that their health information may be used in research and allowing them an opportunity to object to the use of their information.43

Comparing state statutes to the final rule: The variability of state law regarding privacy of individually identifiable health information and the limitations of the applicability of many such laws demonstrates the need for uniformity and minimum standards for privacy protection. This regulation is designed to meet these goals while allowing stricter state laws to be enacted and remain effective. A comparison of state privacy laws with the final regulation highlights several of the rule’s key implications:

• No state law requires covered entities to make their privacy and access policies available to patients. Thus, all covered entities that have direct contact with patients will be required by this rule to prepare a statement of their privacy protection and access policies. This necessarily assumes that entities have to develop procedures if they do not already have them in place.

• The rule will affect more entities than are covered or encompassed under many state laws.

• Among the three categories of covered entities, it appears that health plans will be the most significantly affected by the access provisions of the rule. Based on the Health Insurance Association of America (HIAA) data,44 there are approximately 94.7 million non-elderly persons with private health insurance in the 35 states that do not provide patients a legal right to inspect and copy their records.

• Under the rule, covered entities will have to obtain an individual’s authorization before they could use or disclose their information for purposes other than treatment, payment, and health care operations—except in the situations explicitly defined as allowable disclosures without authorization. Although the final rule would establish a generally uniform disclosure and re-disclosure requirement for all covered entities, the entities that currently have the greatest ability and economic incentives to use and disclose protected health information for marketing services to both patients and health care providers without individual authorization.

• While the final rule appears to encompass many of the requirements found in current state laws, it also is clear that within state laws, there are many provisions that cover specific cases and health conditions. Certainly, in states that have no restrictions on disclosure, the rule will establish a baseline standard. But in states that do place conditions on the disclosure of protected health information, the rule may place additional requirements on covered entities.

3. Other Federal Laws

The relationship with other federal statutes is discussed above in the preamble.

E. Costs

Covered entities will be implementing the privacy final rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the Transactions Rule, the data handling change occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards, implementation specifications, and requirements can be made concurrently with the changes required by the other regulations, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this incremental cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards are uncertain.

The costs associated with implementing the requirements under this Privacy Rule will be directly related to the number of affected entities and the number of affected transactions in each entity. There are approximately 12,200 health plans (including self-insured employer and government health plans that are at least partially self-administered),45 6,480 hospitals, and 630,000 non-hospital providers that will bear implementation costs under the final rule.

The relationship between the HIPAA security and privacy standards is particularly relevant. On August 17, 2000, the Secretary published a final rule to implement the HIPAA standards on electronic transactions. That rule adopted standards for eight electronic code sets to be used for those transactions. The proposed rule for security and electronic signature standards was published on August 12, 1998. That proposal specified the security requirements for covered entities that transmit and store information specified in Part C, Title II of the Act. In general, that proposed rule proposed administrative and technical standards for protecting “* * * any health information pertaining to an individual that is electronically maintained or transmitted.” (63 FR 43243). The final Security Rule will detail the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that health information is safe from destruction and tampering from people without authorization for its access.

By contrast, the Privacy Rule describes the requirements that govern the circumstances under which protected health information must be used or disclosed with and without patient involvement and when a patient may have access to his or her protected health information.

While the vast majority of health care entities are privately owned and operated, we note that federal, state, and local government providers are reflected in the total costs as well. Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but it represents a relatively small proportion of all provider entities. We estimated that the number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately two percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. Indian Health Service and tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In developing the rule, the Department consulted with states, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the states and tribes.

The costs associated with this final rule involve, for each provision, consideration of both the degree to which covered entities must modify their existing records management systems and privacy policies under the final rule, and the extent to which there is a change in behavior by both patients and the covered entities as a result of the final rule. The following sections examine these provisions as they apply to the various covered entities under the final rule. The major costs that covered entities will incur are one-time costs associated with implementation of the final rules, and ongoing costs that result from continuing requirements in the final rule.

The Department has quantified the costs imposed by the final regulation to the extent possible. The costs of many provisions were estimated by first using data from the Census Bureau’s Statistics of U.S. Business to identify the number of non-hospital health care providers, hospitals and health plans. Then, using the Census Bureau’s Current Population Survey (CPS) wage data for the classes of employees affected by the rule, the Department identified the hourly wage of the type of employee assumed to be most likely responsible for compliance with a given provision. Where the Department believed a number of different types of employees might be responsible for complying with a certain provision, as is often expected to be the case, the Department established a weighted-average wage based on the types of employees involved. Finally, the Department made assumptions regarding the number of person-hours per institution required to comply with the rule.

The Department cannot determine precisely how many person-hours per institution will be required to comply with a given provision; however, the Department attempted to establish reasonable estimates based on fact-finding discussions with private sector health care providers, the advice of the Department’s consultants, and the Department’s own best judgement of the level of burden required to comply with a given provision. Moreover, the Department recognizes that the number of hours required to comply with a given requirement of the rule will vary from provider to provider and health plan to health plan, particularly given the flexibility and scalability permitted under the rule. Therefore, the Department considers the estimates to be averages across the entire class of health care providers, hospitals, or health plans in question.

Underlying all annual cost estimates are growth projections. For growth in the number of patients, the Department used data from the National Ambulatory Medical Care Survey, the National Hospital Ambulatory Medical Care Survey, the National Home and Hospice Survey, the National Nursing Home Survey, and information from the American Hospital Association. For growth in the number of health care workers, the Department used data from the Bureau of Health Professions in the Department’s Health Resources Services Administration (HRSA). For insurance coverage growth (private and military coverage), we used a five-year average annual growth rate in employer-sponsored, individual, military, and overall coverage growth from the Census Bureau’s CPS, 1995–1999. To estimate growth in the number of Medicare and Medicaid enrollees, the Department used the enrollment projections of the Health Care Financing Administration’s Office of the Actuary. For growth in the number of hospitals, health care providers and health plans, trend rates were derived from the Census Bureau’s Statistics of U.S. Businesses, using SIC code-specific five-year annual average growth rates from 1992–1997 (the most recent data available). For wage growth, the Department used the same assumptions made in the Medicare Trustees’ Hospital Insurance Trust Fund report for 2000.

In some areas, the Department was able to obtain very reliable data, such as survey data from the Statistics of U.S. Businesses and the Medical Expenditures Panel Survey (MEPS). In numerous areas, however, there was too little information or data to support quantitative estimates. As a result, the Department relied on data provided in the public comments or subsequent fact-finding to provide a basis for making key assumptions. We were able to provide a reasonable cost estimate for virtually all aspects of the regulation, except law enforcement. In this latter area, the Department was unable to obtain sufficient data about current practices (e.g., the number of criminal and civil investigations that may involve requests for protected health information, the number of subpoenas for protected health information, etc.) to determine the marginal effects of the regulation. As discussed more fully below, the Department believes the effects of the final rule are marginal because the policies adopted in the final rule appear to largely reflect current practice.

The NPRM included an estimate of $3.8 billion for the privacy proposal. The estimate for the final rule is $18.0 billion. Much of the difference can be explained by two factors. First, the NPRM estimate was for five years; the final rule estimate is for ten years. The Department chose the longer period for the final rule because ten years was also the period of analysis in the Transactions Rule RIA, and we wanted to facilitate comparisons, given that the net benefits and costs of the administrative simplification rules should be considered together. Second, the final impact analysis includes cost estimates for a number of key provisions that were not estimated in the NPRM because the Department did not have adequate information at the time. Although we received little useable data in the public comments (see comment and response section), the Department was able to undertake more extensive fact-finding and collect sufficient information to make informed assumptions about the level of effort and time various provisions of the final rule are likely to impose on different types of affected entities.

46 Health Care Finance Administration, Office of the Actuary, 2000. Estimates for the national health care expenditure accounts are only available through 2008; hence, we are only able to make the comparison through that year.

47 These estimates were, in part, derived from a report prepared for the Department by the Gartner Group, consultants in health care information technology: “Gartner DHHS Privacy Regulation Study,” by Jim Klein and Wes Rishel, submitted to the Office of the Assistant Secretary for Policy and Evaluation on October 20, 2000.

The estimate of $18.0 billion represents a gross cost, not a net cost. As discussed more fully below in the benefits section, the benefits of enhanced privacy and confidentiality of personal health information are very significant. If people believe their information will be used properly and not disseminated beyond certain bounds without their knowledge and consent, they will be much more likely to seek proper health care, provide all relevant health information, and abide by their providers’ recommendations. In addition, more confidence by individuals and covered entities that privacy will be maintained will lead to an increase in electronic transactions and the efficiencies and cost savings that stem from such action. The benefits section quantifies some examples of benefits. The Department was not able to identify data sources or models that would permit us to measure benefits more broadly or accurately. The inability to quantify benefits, however, does not lessen the importance or value that is ultimately realized by having a national standard for health information privacy.

The largest initial costs resulting from the final Privacy Rule stem primarily from the requirement that covered entities use and disclose only the minimum necessary protected health information, that covered entities develop policies and codify their privacy procedures, and that covered entities designate a privacy official and train all personnel with access to individually identifiable health information. The largest ongoing costs will result from the minimum necessary provisions pertaining to internal uses of individually identifiable health information, and the cost of a privacy official. In addition, covered entities will have recurring costs for training, disclosure tracking and notice requirements. A smaller number of large entities may have significant costs for de-identification of protected health information and additional requirements for research.

The privacy costs are in addition to the Transactions Rule estimates. The cost of complying with the regulation represents approximately 0.23 percent of projected national health expenditures the first year the regulation is enacted. The costs for the first eight years of the final regulation represent 0.07 percent of the increase in national health care costs experienced over the same period.46

Minimum Necessary

The “minimum necessary” policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine and recurring basis, such as insurance claims, a covered entity is required to have policies and procedures for governing such exchanges (but the rule does not require a case-by-case determination); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed.

Based on public comments and subsequent fact-finding, the Department has concluded that the requirements of the final rule are generally similar to the current practice of most providers. For standard disclosure requests, for example, providers generally have established procedures for determining how much health information is released. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much health information is necessary for such disclosure. Under the final rule, we anticipate providers will have to be more thorough in their policies and procedures and more vigilant in their oversight of them; hence, the costs of this provision are significant.

To make the final estimates for this provision, the Department considered the minimum necessary requirement in two parts. First, providers, hospitals, and health plans will need to establish policies and procedures which govern uses and disclosures of protected health information. Next, these entities will need to adjust current practices that do not comply with the rule, such as updating passwords and making revisions to software.

To determine the policies and procedures for the minimum necessary requirement, the Department assumed that each hospital would spend 160 hours, health plans would spend 107 hours, and non-hospital providers would spend 8 hours. As noted above, the time estimates for this and other provisions of the rule are considered an average number of person-hours for the institutions involved. An underlying assumption is that some hospitals, and to a lesser extent health plans, are part of chains or larger entities that will be able to prepare the basic materials at a corporate level for a number of covered entities.

Once the policies and procedures are established, the Department estimates there will be costs resulting from implementing the new policies and procedures to restrict internal uses of protected health information to the minimum necessary. Initially, this will require 560 hours for hospitals, 160 hours for health plans, and 12 hours for non-hospital providers.47 The wage for health care providers and hospitals is estimated at $47.28, a weighted average of various health care professionals based on CPS data; the wage for health plans is estimated to be $33.82, based on average wages in the insurance industry (note that all wage assumptions in this impact analysis assume a 39 percent load for benefits, the standard Bureau of Labor Statistics assumption). In addition, there will be time required on an annual basis to ensure that the implemented practices continue to meet the requirements of the rule. Therefore, the Department estimates that on an annual ongoing basis (after the first year), hospitals will require 320 hours, health plans 100 hours, and non-hospital providers 8 hours to comply with this provision.

The initial cost attributable to the minimum necessary provision is $926 million. The total cost of the provision is $5.757 billion. (These estimates are for the cost of complying with the minimum necessary provisions that restrict internal uses to the minimum necessary. The Department has estimated in the business associates section below the requirement limiting disclosures outside the covered entity to the minimum amount necessary.)

Privacy Official

The final rule requires entities to designate a privacy official who will be responsible for the development and implementation of privacy policies and procedures. In this cost analysis, the Department has estimated each of the primary administrative requirements of the rule (e.g., training, policy and procedure development, etc.), including the development and implementation costs associated with each specific requirement. These activities will certainly involve the privacy official to some degree; thus, some costs for the privacy official, particularly in the initial years, are subsumed in other cost requirements. Nonetheless, we anticipate that there will be additional ongoing responsibilities that the privacy official will have to address, such as coordinating between departments, evaluating procedures and assuring compliance. To avoid double-counting, the cost calculated in this section is only for the ongoing, operational functions of a privacy official (e.g., clarifying procedures for staff) that are in addition to items discussed in other sections of this impact analysis.

48 “Top Compensation in the Healthcare Industry, 1997”, Coopers & Lybrand, New York, NY., <http://www.pohly.com/salary/2.shtml>.

49 “A Unifi Survey of Compensation in Financial Services: 2000,” July 2000, Unifi Network Survey unit, PriceWaterhouseCoopers LLP and Global HR Solutions LLC, Westport, Ct., <http://public.wsj.com/careers/resources/documents/20000912-insuranceexecs-tab.htm>.

The Department assumes the privacy official role will be an additional responsibility given to an existing employee in the covered entity, such as an office manager in a small entity or a compliance official in a larger institution. Moreover, today any covered entity that handles individually identifiable health information has one or more people with responsibility for handling and protecting the confidentiality of such information. As a result of the specific requirement for a privacy official, the Department assumes covered entities will centralize this function, but the overall effort is not likely to increase significantly. Specifically, the Department has assumed non-hospital providers will need to devote, on average, an additional 30 minutes per week of an official’s time (i.e., 26 hours per year) to compliance with the final regulation for the first two years and 15 minutes per week for the remaining eight years (i.e., 13 hours per year). For hospitals and health plans, which are more likely to have a greater diversity of activities involving privacy issues, we have assumed three hours per week for the first two years (i.e., 156 hours per year), and 1.5 hours per week for the remaining eight years (i.e., 78 hours per year).

For non-hospital providers, the time was calculated at a wage of $34.13 per hour, which is the average wage for managers of medicine and health according to the CPS. For hospitals, we used a wage of $79.44, which is the rate for senior planning officers.48 For health plans, the Department assumed a wage of $88.42 based on the wage for top claims executives.49 Although individual hospitals and health plans may not necessarily select their planning officers or claims executives to be their privacy officials, we believe they will be of comparable responsibility, and therefore comparable pay, in larger institutions.

The initial year cost for privacy officials will be $723 million; the ten-year cost will be $5.9 billion.

Internal Complaints

The final rule requires each covered entity to have an internal process to allow an individual to file a complaint concerning the covered entity’s compliance with its privacy policies and procedures. The requirement includes designating a contact person or office responsible for receiving complaints and documenting the disposition of them, if any. This function may be performed by the privacy official, but because it is a distinct right under the final rule and may be performed by someone else, we are costing it separately.

The covered entity is only required to receive and document a complaint (no response is required), which we assume will take, on average, ten minutes (the complaint can be oral or in writing). The Department believes that such complaints will be uncommon. We have assumed that one in every thousand patients will file a complaint, which is approximately 10.6 million complaints over ten years. Based on a weighted-average hourly wage of $47.28 at ten minutes per complaint, the cost of this policy is $6.6 million in the first year. Using wage growth and patient growth assumptions, the cost of this policy is $103 million over ten years.

Disclosure Tracking and History

The final rule requires providers to be able to produce a record of all disclosures of protected health information, except in certain circumstances. The exceptions include disclosures for treatment, payment, health care operations, or disclosures to an individual. This requirement will require a notation in the record (electronic or paper) of when, to whom, and what information was disclosed, as well as the purpose of such disclosure or a copy of an individual’s written authorization or request for a disclosure.

Based on information from several hospital sources, the Department assumes that all hospitals already track disclosures of individually identifiable health information and that 15 percent of all patient records held by a hospital will have an annual disclosure that will have to be recorded in an individual’s record. It was more difficult to obtain a reliable estimate for non-hospital providers, though it appears that they receive many fewer requests. The Department assumed a ten percent rate for ambulatory care patients and five percent for nursing homes, home health, dental and pharmacy providers. (It was difficult to obtain any reliable data for these latter groups, but those we talked to said that they had very few, and some indicated that they currently keep track of them in the records.) These estimated percentages represent about 63 million disclosures that will have to be recorded in the first year, with each recording estimated to require two minutes. At the average nurse’s salary of $30.39 per hour, the cost in the first year is $25.7 million. For health plans, the Department assumed that disclosures of protected health information are more rare than for health care providers. Therefore, the Department assumed that there will be disclosures of protected health information for five percent of covered lives. At the average wage for the insurance industry of $33.82 per hour, the initial cost for health plans is $6.8 million. Using our standard growth rates for wages, patients, and covered entities, the ten-year cost for providers and health plans is $519 million.

In addition, although hospitals generally track patient disclosures today, the Department assumes that hospitals will seek to update software systems to assure full compliance. Based on software upgrade costs provided by the Department’s private sector consultants with expertise in the area (the Gartner Group), the Department assumed that each upgrade would cost $35,000 initially and $6,300 annually thereafter, for a total cost of $572 million over ten years.

The final rule also requires covered entities to provide individuals with an accounting of disclosures upon request. The Department assumes that few patients will request a history of disclosures of their protected medical information. Therefore, we estimate that one in a thousand patients will request such an accounting each year, which is approximately 850,000 requests. If it takes an average of five minutes to copy any disclosures and the work is done by a nurse, the cost for the first year will be $2.1 million. The total ten-year cost is $33.8 million.
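The record-keeping this section describes (a notation of when, to whom, and what was disclosed, the purpose or the written authorization behind it, and an accounting produced per patient on request) can be sketched as a small append-only log. The following is an added example written for this page, not code from the Federal Register or from any HHS or vendor system; the purpose names, field names, and sample entries are constructed, and the set of exempt purposes is limited to the four the text names.

```python
"""Accounting of disclosures: an added, constructed example (not from the rule
text or any HHS system). Non-exempt disclosures are recorded with when, to
whom, what, and why (or an authorization reference), and a per-patient
accounting can be produced on request."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Purposes the section lists as outside the tracking requirement.
EXEMPT_PURPOSES = frozenset({"treatment", "payment", "health_care_operations", "to_individual"})


@dataclass(frozen=True)
class Disclosure:
    """One tracked disclosure: when, to whom, what, and why."""
    when: datetime
    patient_id: str
    recipient: str
    information: str
    purpose: str
    authorization_ref: str | None = None  # reference to the written authorization or request, if any


class DisclosureLog:
    """Append-only record of non-exempt disclosures, queryable per patient."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, when: datetime, patient_id: str, recipient: str,
               information: str, purpose: str, authorization_ref: str | None = None) -> bool:
        """Record a disclosure. Returns False and stores nothing for exempt purposes.

        A tracked entry must state either a purpose or an authorization reference,
        since the accounting has to show why the information left the entity.
        """
        if purpose in EXEMPT_PURPOSES:
            return False
        if not purpose and authorization_ref is None:
            raise ValueError("a tracked disclosure needs a purpose or an authorization reference")
        self._entries.append(Disclosure(when, patient_id, recipient, information, purpose, authorization_ref))
        return True

    def accounting(self, patient_id: str) -> list[Disclosure]:
        """Produce the per-patient accounting of disclosures, oldest first."""
        return sorted((e for e in self._entries if e.patient_id == patient_id), key=lambda e: e.when)

    def __len__(self) -> int:
        return len(self._entries)


def format_accounting(entries: list[Disclosure]) -> list[str]:
    """Render accounting entries one per line, suitable for a printed response."""
    lines = []
    for e in entries:
        if e.purpose and e.authorization_ref:
            why = f"{e.purpose} (authorization {e.authorization_ref})"
        elif e.purpose:
            why = e.purpose
        else:
            why = f"authorization {e.authorization_ref}"
        lines.append(f"{e.when:%Y-%m-%d} to {e.recipient}: {e.information}; reason: {why}")
    return lines


def build_sample_log() -> DisclosureLog:
    """Constructed sample activity (not real data) showing which events get tracked."""
    log = DisclosureLog()
    log.record(datetime(2003, 4, 14), "P-001", "attending physician", "full chart", "treatment")  # exempt
    log.record(datetime(2003, 5, 2), "P-001", "state health department", "immunization record", "public_health")
    log.record(datetime(2003, 6, 9), "P-001", "research registry", "diagnosis codes", "",
               authorization_ref="AUTH-2003-0042")
    log.record(datetime(2003, 6, 10), "P-002", "health plan", "claim", "payment")  # exempt
    log.record(datetime(2003, 3, 1), "P-001", "life insurer", "lab results", "",
               authorization_ref="AUTH-2003-0007")
    return log


if __name__ == "__main__":
    for line in format_accounting(build_sample_log().accounting("P-001")):
        print(line)
```

Exempt disclosures return False instead of being stored, so the log never accumulates routine treatment or payment traffic; anything else must carry a stated purpose or an authorization reference, which is exactly what the accounting has to show.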


50 The costs for policies for minimum necessary, because they will be distinct and extensive, are presented separately, above.

51 ‘‘The Altman Weil 1999 Survey of Law Firm Economics,’’ <http://www.altmanweil.com/publications/survey/sife99/standard.htm>.

De-Identification of Information

The rule allows covered entities to determine that health information is de-identified (i.e., that it is not individually identifiable health information) if certain conditions are met. Currently, some entities release de-identified information for research purposes. De-identified information may originate from automated systems (such as records maintained by pharmacy benefit managers) and non-automated systems (such as individual medical records maintained by providers). As compared with current practice, the rule requires that an expanded list of identifiers be removed from the data (such as driver’s license numbers, and detailed geographic and certain age information). For example, as noted in a number of public comments, currently complete birth dates (day, month, and year) and zip codes are often included in de-identified information. The final rule requires that only the year of birth (except in certain circumstances) and the first three digits of the zip code can be included in de-identified information.

These changes will not require extensive change from current practice. Providers generally remove most of the 19 identifiers listed in the final rule. The Department relied on Gartner Group estimates that some additional programmer time will be required by covered entities that produce de-identified information to make revisions in their procedures to eliminate additional identifiers. Entities that de-identify information will have to review existing and future data flows to assure compliance with the final rule. For example, an automated system may need to be re-programmed to remove additional identifiers from otherwise protected health information. (The costs of educating staff about the de-identification requirements are included in the cost estimate for training staff on privacy policies.)
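The transformation these two paragraphs describe (drop the listed direct identifiers, keep only the year of birth, keep only the first three digits of the zip code) is straightforward to automate, and a release-time check is what catches a data flow that was never re-programmed. Below is an added example for this page, not code from the rule or from the Gartner Group. The field names, the subset of direct identifiers, and the sample record are constructed; the full list of identifiers in the final rule is not reproduced, and the ‘‘certain circumstances’’ exception for the year of birth is not modelled.

```python
"""De-identification of a patient record along the lines the section describes.

Added, constructed example: not from the Federal Register text or any HHS tool.
It drops a subset of direct identifiers (the rule's full list is longer), keeps
only the year of the birth date, and keeps only the first three digits of the
zip code, then re-checks the result before release.
"""
from __future__ import annotations

import re

# Fields dropped outright. Constructed subset for this example; the rule lists more.
DIRECT_IDENTIFIERS = frozenset({
    "name", "drivers_license", "ssn", "phone", "email", "street_address",
    "medical_record_number",
})

ZIP_RE = re.compile(r"^(\d{3})\d{2}(?:-\d{4})?$")      # 5-digit or ZIP+4
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")     # ISO date YYYY-MM-DD


def generalize_zip(zip_code: str) -> str | None:
    """Keep only the first three digits of a US zip code; None if malformed."""
    m = ZIP_RE.match(zip_code.strip())
    return m.group(1) if m else None


def generalize_birth_date(date: str) -> str | None:
    """Keep only the year of an ISO-formatted birth date; None if malformed."""
    m = DATE_RE.match(date.strip())
    return m.group(1) if m else None


def deidentify(record: dict) -> dict:
    """Return a new record with direct identifiers removed and quasi-identifiers generalized.

    A malformed zip or date is dropped rather than copied through, so a value
    the regex cannot parse never leaks into the output unchanged. Other fields
    are kept as-is; callers still decide which fields belong in a release.
    """
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            zip3 = generalize_zip(str(value))
            if zip3 is not None:
                out["zip3"] = zip3
        elif key == "birth_date":
            year = generalize_birth_date(str(value))
            if year is not None:
                out["birth_year"] = year
        else:
            out[key] = value
    return out


def has_residual_identifiers(record: dict) -> bool:
    """Release-time check: True if a direct identifier, full zip, or full birth date remains."""
    if DIRECT_IDENTIFIERS & record.keys():
        return True
    return "zip" in record or "birth_date" in record


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-000123",
    "name": "Example Patient",
    "drivers_license": "D1234567",
    "birth_date": "1964-07-22",
    "zip": "90210-1234",
    "diagnosis_code": "E11.9",
    "visit_year": 2000,
}


if __name__ == "__main__":
    released = deidentify(SAMPLE_RECORD)
    print(released, "residual identifiers:", has_residual_identifiers(released))
```

The check function is the part worth keeping in a pipeline: running it over every outbound batch is what the text's review of ‘‘existing and future data flows’’ amounts to once it is automated.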

The Department was not able to obtain any reliable information on the volume of medical data that is currently de-identified. To provide some measure of the potential magnitude, we assumed that health plans and hospitals would have an average of two existing agreements that would need to be reviewed and modified. Based on information provided by our consultants, we estimate that these agreements would require an average of 152 hours by hospitals and 116 hours by health plans to review and revise existing agreements to conform to the final rule. Using the weighted average wage of $47.28, the initial costs will be $124 million. Using our standard growth rates for wages, patients, and covered entities, the total cost of the provision is $1.1 billion over ten years.

The Department expects that the final rule and the increasing trend toward computerization of large record sets will result over time in de-identification being performed by relatively few firms or associations. Whether the covered entity is a small provider with relatively few files or a hospital or health plan with large record files, it will be more efficient to contract with specialists in these firms or associations (as ‘‘business associates’’ of the covered entity) to de-identify files. The process will be different but the ultimate cost is likely to be the same or only slightly higher, if at all, than the costs for de-identification today. The estimate is for the costs required to conform existing and future agreements to the provisions of the rule. The Department has not quantified the benefits that might arise from changes in the market for de-identified information because the centralization and efficiency that will come from it will not be fully realized for several years, and we do not have a reliable means of estimating such changes.

Policy and Procedures Development

The final regulation imposes a variety of requirements which collectively will require entities to develop policies and procedures (henceforth in this section to be referred to as policies) to establish and maintain compliance with the regulation. These include policies such as those for inspection and copying, amending records, and receiving complaints.50 In developing the final regulations, simplifying the administrative burden was a significant consideration. To the extent practical, consistent with maintaining adequate protection of protected health information, the final rule is designed to encourage the development of policies by professional associations and others, that will reduce costs and facilitate greater consistency across providers and other covered entities.

The development of policies will occur at two levels: first, at the association or other large scale levels; and second, at the entity level. Because of the generic nature of many of the final rule’s provisions, the Department anticipates that trade, professional associations, and other groups serving large numbers of members or clients will develop materials that can be used broadly. These will likely include the model privacy practice notice that all covered entities will have to provide patients; general descriptions of the regulation’s requirements appropriate for various types of health care providers; checklists of steps entities will have to take to comply; training materials; and recommended procedures or guidelines. The Department spoke with a number of professional associations, and they confirmed that they would expect to provide such materials for their members at either the federal or state level.

Using Faulkner and Gray’s Health Data Directory 2000, we identified 216 associations that would be likely to provide guidance to members. In addition, we assume three organizations (i.e., one for hospitals, health plans, and other health care providers) in each state would also provide some additional services to help covered entities coordinate the requirements of this rule with state laws and requirements. The Department assumed that these associations would each provide 320 hours of legal analysis at $150 per hour, and 640 hours of senior analyst time at $50 per hour. This equals $17.3 million. Hourly rates for legal counsel are the average billing rate for a staff attorney.51 The senior analyst rates are based on a salary of $75,000 per year, plus benefits, which was provided by a major professional association.

For larger health care entities such as hospitals and health plans, the Department assumed that the complexity of their operations would require them to seek more customized assistance from outside counsel or consultants. Therefore, the Department assumes that each hospital and health plan (including self-administered, self-insured health plans) will, on average, require 40 hours of outside assistance. The resulting cost for external policy development is estimated to be $112 million.

All covered entities are expected to require some time for internal policy development beyond what is provided by associations or outside consultants. For most non-hospital providers, the external assistance will provide most of the necessary information. Therefore, we expect these health care providers will need only eight hours to adapt these policies for their specific use (training cost is estimated separately in the impact analysis). Hospitals and health plans, which employ more individuals and are involved in a wider array of endeavors, are likely to require more specific policies tailored to their operations to comply with the final rule. For these entities, we assume an average of 320 hours of policy development per institution. The total cost for internal policy development is estimated to be $468 million.

The total cost for policy, plan, and procedures development for the final regulation is estimated to be $598 million. All of these costs are initial costs.

Training

The final regulation’s requirements provide covered entities with considerable flexibility in how to best fulfill the necessary training of their workforce. As a result, the actual practices may vary substantially based on such factors as the number of members of the workforce, the types of operations, worker turnover, and experience of the workforce. Training is estimated to cost $737 million over ten years. The Department estimates that at the time of the effective date, approximately 6.7 million health care workers will have to be trained, and in the subsequent ten years, 7 million more will have to be trained because of worker turnover. The estimate of employee numbers is based on 2000 CPS data regarding the number of health care workers who indicated they worked for a health care institution. To estimate a workforce turnover rate, the Department relied on a study submitted in the public comments which used a turnover rate of ten percent or less, depending on the labor category. To be conservative, the Department assumed ten percent for all categories.

Covered entities will need to provide members of the workforce with varying amounts of training depending on their responsibilities, but on average, the Department estimates that each member of the workforce who is likely to have access to protected health information will require one hour of training in the policies and procedures of the covered entity. The initial training cost estimate is based on teacher training with an average class size of ten. After the initial training, the Department expects some training (for example, new employees in larger institutions) will be done by videotape, video conference, or computer, all of which are likely to be less expensive. Training materials were assumed to cost an average of $2 per worker. The opportunity cost for the training time is based on the average wage for each health care labor category listed in the CPS, plus a 39 percent load for benefits. Wages were increased based on the wage inflation factor utilized for the short-term assumptions (which covers ten years) in the Medicare Trustees’ Annual Report for 1999.

Notice

This section describes only the cost associated with the production and provision of a notice. The cost of developing the policy stated in the notice is covered under policies and procedures, above.

Covered health care providers with direct treatment relationships are required to provide a notice of privacy practices no later than the date of the first service delivery to individuals after the compliance date for the covered health care provider. The Department assumed that for most types of health care providers (such as physicians, dentists, and pharmacists) one notice would be distributed to each patient during his or her first visit following the compliance date for the covered provider, but not for subsequent visits. For hospitals, however, the Department assumed that a notice would be provided at each admission, regardless of how many visits an individual has in a given year. In subsequent years, the Department assumed that non-hospital providers would only provide notices to their new patients, because it is assumed that providers can distinguish between new and old patients, although hospitals will continue to provide a notice for each admission. The total number of notices provided in the initial year is estimated to be 816 million.

Under the final rule, only providers that have direct treatment relationships with individuals are required to provide notices to them. To estimate the number of visits that trigger a notice in the initial year and in subsequent years, the Department relied on the Medical Expenditure Panel Survey (MEPS, 1996 data) conducted by the Department’s Agency for Healthcare Quality and Research. This data set provides estimates for the number of total visits to a variety of health care providers in a given year and estimates of the number of patients with at least one visit to each type of health care provider. To estimate the number of new patients in a given year, the Department used the National Ambulatory Medical Care Survey and the National Hospital Ambulatory Medical Care Survey, which indicate that for ambulatory care visits to physician offices and hospital ambulatory care departments, 13 percent of all patients are new. This data was used as a proxy for other types of providers, such as dentists and nursing homes, because the Department did not have estimates for new patients for other types of providers. The number of new patients was increased over time to account for growth in the patient population. Therefore, the number of notices provided in years 2004 through 2012 is estimated to be 5.3 billion.

For health plans, the Department estimated the number of notices by trending forward the average annual rate of growth from 1995 through 1998 (the most recent data available) of private policy holders using the Census Bureau’s Current Population Survey, and also by using Health Care Financing Administration Office of the Actuary’s estimates for growth in Medicare and Medicaid enrollment. It should be noted that the regulation does not require that the notice be mailed to individuals. Therefore, the Department assumed that health plans would include their privacy policy in the annual mailings they make to members, such as by adding a page to an existing information booklet.

Since clinical laboratories generally do not have direct contact with patients, they would not normally be required to provide notices. However, there are some laboratory services that involve direct patient contact, such as patients who have tests performed in a laboratory or at a health fair. We found no data from which we could estimate the number of such visits. Therefore, we have assumed that labs would incur no costs as a result of this requirement.

The printing cost of the policy is estimated to be $0.05, based on data obtained from the Social Security Administration, which does a significant number of printings for distribution. Some large bulk users, such as health plans, can probably reproduce the document for less, and small providers simply may copy the notice, which would also be less than $0.05. Nonetheless, at $0.05, the total cost of the initial notice is $50.8 million.

Using our standard growth rate for patients, the total cost for notices is estimated to be $391 million for the ten-year period.

Requirements on Use and Disclosure for Research

The final regulation places certain requirements on covered entities that supply individually identifiable health information to researchers. As a result of these requirements, researchers who seek such health information and the Institutional Review Boards (IRBs) that review research projects will have additional responsibilities. Moreover, a covered entity doing research, or another entity requesting disclosure of protected health information for research that is not currently subject to IRB review (research that is 100 percent privately funded and which takes place in institutions which do not have ‘‘multiple project assurances’’) may need to seek IRB or privacy board approval if they want to avoid the requirement to obtain authorization for use or disclosure of protected health information for research, thereby creating the need for additional IRBs and privacy boards that do not currently exist.

To estimate the additional requirements placed on existing IRBs, the Department relied on a survey of IRBs conducted by James Bell Associates on behalf of NIH and on estimates of the total number of existing IRBs provided by NIH staff. Based on this information, the Department concluded that of the estimated 4,000 IRBs in existence, the median number of initial current research project reviews is 133 per IRB, of which only ten percent do not receive direct consent for the use of protected health information. (Obtaining consent nullifies the need for IRB privacy scrutiny.) Therefore, in the first year of implementation, there will be 76,609 initial reviews affected by the regulation, and the Department assumes that the requirement to consider the privacy protections in the research protocols under review will add an average of 1 hour to each review. The cost to researchers for having to develop protocols which protect protected health information is difficult to estimate, but the Department assumes that each of the affected 76,609 studies will require an average of an additional 8 hours of time for protocol development and implementation. At the average medical scientist hourly wage of $46.61, the initial cost is $32.1 million; the total ten-year cost of these requirements is $468 million.

As stated above, some privately funded research not subject to any IRB review currently may need to obtain IRB or privacy board approval under the final rule. Estimating how much research exists which does not currently go through any IRB review is highly speculative, because the experts consulted by the Department all agree that there is no data on the volume of privately funded research. Likewise, public comments on this subject provided no useful data. However, the Department assumed that most research that takes place today is subject to IRB review, given that so much research has some government funding and many large research institutions have multiple project assurances. As a result, the Department assumed that the total volume of non-IRB reviewed research is equal to 25 percent of all IRB-reviewed research, leading to 19,152 new IRB or privacy board reviews in the first year of the regulation. Using the same assumptions as used above for wages, time spent developing privacy protection protocols for researchers, and time spent by IRB and privacy board members, the total one-year cost for new IRB and privacy board reviews is $8 million.

For estimating total ten-year costs, the Department used the Bell study, which showed an average annual growth rate of 3.7 percent in the number of studies reviewed by IRBs. Using this growth rate, the total ten-year cost for the new research requirements is $117 million.

Consent

Under the final rule, a covered health care provider with direct treatment relationships must obtain an individual’s consent for use or disclosure of protected health information for treatment, payment, or health care operations. Covered providers with indirect treatment relationships and health plans may obtain such consent if they so choose. Providers and health plans that seek consent under this rule can condition treatment or enrollment upon provision of such consent. Based on public comments and discussions with a wide array of health care providers, it is apparent that most currently obtain written consent for use and disclosure of individually identifiable health information for payment. Under the final rule, they will have to obtain consent for treatment and health care operations, as well, but this may entail only minor changes in the language of the consent to incorporate these other categories and to conform to the rule.

Although the Department was unable to obtain any systematic data, the anecdotal evidence suggests that most non-hospital providers and virtually all hospitals follow this practice. For the cost analysis, the Department assumes that 90 percent of the non-hospital providers and all hospitals currently obtain some consent for use and disclosure of individually identifiable health information. For providers that currently obtain written consent, there is only a nominal cost for changing the language on the document to conform to the rule. For this activity, we assumed $0.05 cost per document for revising existing consent documents.

For the ten percent of treating providers who currently do not obtain consent, there is the cost of creating consent documents (which will be standardized), which is also assumed to be $0.05 per document. It is assumed that all providers required to obtain consent under the rule will do so upon the first visit, so there will be no mailing cost. For non-hospital providers, we assume the consent will be maintained in paper form, which is what most providers currently do (electronic form, if available, is cheaper to maintain). There is no new cost for records maintenance because the consent will be kept in active files (paper or electronic).

The initial cost of the consent requirement is estimated to be $166 million. Using our standard assumptions for patient growth, the total cost for the ten years is estimated to be $227 million.

Authorizations

Patient authorizations are required for uses or disclosures of protected health information that are not otherwise explicitly permitted under the final rule with or without consent. In addition to uses and disclosures of protected health information for treatment, payment, and health care operations with or without consent, the rule also permits certain uses of protected health information, such as fund-raising for the covered entity and certain types of marketing activity, without prior consent or authorization. Authorizations are generally required if a covered entity wants to provide protected health information to a third party for use by the third party for marketing or for research that is not approved by an IRB or privacy board.

The requirement for obtaining authorizations for use or disclosure of protected health information for most marketing activity will make direct third-party marketing more difficult because covered entities may not want to obtain and track such authorizations, or they may obtain too few to make the effort economically worthwhile. However, the final rule permits an alternative arrangement: the covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee. Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity’s name. The Department is unable to estimate the cost of these changes because there is no credible data on the extent of current third party marketing practices or the price that third party marketers currently pay for information from covered entities. The effect of the final rule is to change the arrangement of practices to enhance accountability of protected health information by the covered entity and its business associates; however, there is nothing inherently costly in these changes.

Examples of other circumstances in which authorizations are required under the final rule include disclosure of protected health information to an employer for an employment physical, pre-enrollment underwriting for insurance, or the sharing of protected health insurance information by an insurer with an employer. The Department assumes there is no new cost associated with these requirements because providers have said that obtaining authorization under such circumstances is current practice.

To use or disclose psychotherapy notes for most purposes (including for treatment, payment, or health care operations), a covered entity must obtain specific authorization by the individual that is distinct from any authorization for use and disclosure of other protected health information. This is current practice, so there is no new cost associated with this provision.

Confidential Communications

The final rule permits individuals to receive communications of protected health information from a covered health care provider or a health plan by an alternative means or at an alternative address. A covered provider and a health plan must accommodate reasonable requests; however, a health plan may require the individual to state that disclosure of such information may endanger the individual. A number of providers and health plans indicated that they currently provide this service for patients who request it. For providers and health plans with electronic records systems, maintaining separate addresses for certain information is simple and inexpensive, requiring little or no change in the system. For providers with paper records, the cost may be higher because they will have to manually check records to determine which information must be treated in accordance with such requests. Although some providers currently provide this service, the Department was unable to obtain any reliable estimate of the number of such requests today or the number of providers who perform this service. The cost attributable to this requirement to send materials to alternate addresses does not appear to be significant.

Employers With Insured Group Health Plans

Some group health plans will use or maintain protected health information, particularly group health plans that are self-insured. Also, some plan sponsors that perform administrative functions on behalf of their group health plans may need protected health information. The final rule permits a group health plan, or a health insurance issuer or HMO that provides benefits on behalf of the group health plan, to disclose protected health information to a plan sponsor who performs administrative functions on its behalf for certain purposes and if certain requirements are met. The plan documents must be amended to: describe the permitted uses and disclosures of protected health information by the plan sponsor; specify that disclosure is permitted only upon receipt of a certification by the plan sponsor that the plan documents have been amended and the plan sponsor agrees to certain restrictions on the use of protected health information; and provide for adequate firewalls to assure unauthorized personnel do not have access to individually identifiable health information.

Some plan sponsors may need information, not to administer the group health plan, but to amend, modify, or terminate the plan. ERISA case law describes such activities as settlor functions. For example, a plan sponsor may want to change its contract from a preferred provider organization to a health maintenance organization (HMO). In order to obtain premium information, the plan sponsor may need to provide the HMO with aggregate claims information. Under the rule, the plan sponsor can obtain summary information with certain identifiers removed, in order to provide it to the HMO and receive a premium rate.

The Department assumes that most plan sponsors who are small employers (those with 50 or fewer employees) will elect not to receive protected health information because they will have little, if any, need for such data. Any needs that plan sponsors of small group health plans may have for information can be accomplished by receiving the information in summary form. The Department has assumed that only 5 percent of plan sponsors of small group health plans that provide coverage through a contract with an issuer will actually take the steps necessary to receive protected health information. This is approximately 96,900 firms. For these firms, the Department assumes it will take one hour to determine procedural and organizational issues and an additional 1⁄3 hour of an attorney's time to make plan document changes, which will be simple and essentially standardized. This will cost $7.1 million.

Plan sponsors who are employers of medium (51–199 employees) and large (over 200 employees) firms that provide health benefits through contracts with issuers are more likely to want access to protected health information for plan administration, for example to use it to audit claims or perform quality assurance functions on behalf of the group health plan. The Department assumes that 25 percent of plan sponsors of medium sized firms and 75 percent of larger firms will want to receive protected health information. This is approximately 38,000 medium size firms and 27,000 larger firms. To provide access to protected health information by the group health plan, a plan sponsor will have to assess the current flow of protected health information from their issuer and determine what information is necessary and appropriate. The plan sponsors may then have to make internal organizational changes to assure adequate protection of protected health information so that the relevant requirements are met for the group health plan. We assume that medium size firms will take 16 work hours to complete organizational changes, plus one hour of legal time to make changes to plan documents and certify to the insurance carrier that the firm is eligible to receive protected health information. We assume that larger firms will require 32 hours of internal organizational work and one hour of legal time. This will cost $52.4 million and is a one-time expense.

Business Associates

The final rule requires a covered entity to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information in order to disclose it to a business associate based on such an arrangement. The Department expects business associate contracts to be fairly standardized, except for language that will have to be tailored to the specific arrangement between the parties, such as the allowable uses and disclosures of information. The Department assumes the standard language initially will be developed by trade and professional associations for their members. Small providers are likely to simply adopt the language or make minor modifications, while health plans and hospitals may start with the prototype language but may make more specific changes to meet their institutional needs. The regulation includes a requirement that the covered entity take steps to correct, and in some cases terminate, a contract, if necessary, if they know of violations by a business associate. This oversight requirement is consistent with standard oversight of a contract.

The Department could not derive a per entity cost for this work directly. In lieu of this, we have assumed that the trade and professional associations' work plus any minor tailoring of it by a covered entity would amount to one hour per non-hospital provider and two hours for hospitals and health plans. The larger figure for hospitals and health plans reflects the fact that they are likely to have a more extensive array of relationships with business associates.

The cost for the changes in business associate contracts is estimated to be $103 million. This will be an initial year cost only because the Department assumes that this contract language will become standard in future contracts.

In addition, the Department has estimated the cost for business associates to comply with the minimum necessary provisions. As part of the minimum necessary provisions, covered entities will have to establish policies to ensure that only the minimum necessary protected health information is shared with business associates. To the extent that data are exchanged, covered entities will have to review the data and systems programs to assure compliance.

For non-hospital providers, we estimate that the first year will require an average of three hours to review existing agreements, and thereafter, they will require an additional hour to assure business associate compliance. We estimate that hospitals will require an additional 200 hours the first year and 16 hours in subsequent years; health plans will require an additional 112 hours the first year and 8 hours in subsequent years. As in other areas, we have assumed a weighted average wage for the respective sectors.

The cost of the covered entities assuring business associates' compliance with the minimum necessary is $197 million in the first year, and a total of $697 million over ten years. (These estimates include both the cost for the covered entity and the business associates.)

Inspection and Copying

In the NPRM estimate, inspection and copying were a major cost. Based on data and information from the public comments and further fact-finding, however, the Department has re-estimated these policies and found them to be much less expensive.

The public comments demonstrate that copying of records is widespread today. Records are routinely copied, in whole or in part, as part of treatment or when patients change providers. In addition, copying occurs as part of legal proceedings. The amount of inspection and copying of medical records that occurs for these purposes is not expected to change measurably as a result of the final regulation.

The final regulation establishes the right of individuals to access, that is to inspect and obtain a copy of, protected health information about them in designated record sets. Although this is an important right, the Department does not expect it to result in dramatic increases in requests from individuals. The Georgetown report on state privacy laws indicates that 33 states currently give patients some right to access medical information. The most common right of access granted by state law is the right to inspect personal information held by physicians and hospitals. In the process of developing estimates for the cost of providing access, we assumed that most providers currently have procedures for allowing patients to inspect and obtain a copy of individually identifiable health information about themselves. The economic impact of requiring entities to allow individuals to access their records should be relatively small. One public commenter addressed this issue and provided specific data which supports this conclusion.

Few studies address the cost of providing medical records to patients. The most recent was a study in 1998 by the Tennessee Comptroller of the Treasury. It found an average cost of $9.96 per request, with an average of 31 pages per request. The cost per page of providing copies was $0.32 per page. This study was performed on hospitals only. The cost per request may be lower for other types of providers, since those seeking hospital records are more likely to have more complicated records than those in a primary care or other types of offices. An earlier report showed much higher costs than the Tennessee study. In 1992, Rose Dunn published a report based on her experience as a manager of medical records. She estimated a 10-page request would cost $5.32 in labor costs only, equaling labor cost per page of $0.53. However, this estimate appears to reflect costs before computerization. The expected time spent per search was 30.6 minutes; 85 percent of this time could be significantly reduced with computerization (this includes time taken for file retrieval, photocopying, and re-filing; file retrieval is the only time cost that would remain under computerization).

In estimating the cost of copying records, the Department relied on the public comment from a medical records outsourcing industry representative, which submitted specific volume and cost data from a major firm that provides extensive medical record copying services. According to these data, 900 million pages of medical records are copied each year in the U.S., the average medical record is 31 pages, and copying costs are $0.50 per page. In addition, the commenter noted that only 10 percent of all requests are made directly from patients, and of those, the majority are for purposes of continuing care (transfer to another provider), not for purposes of individual inspection. The Department assumed that 25 percent of direct patient requests to copy medical records are for purposes of inspecting their accuracy (i.e., 2.5 percent of all copy requests) or 850,000 in 2003 if the current practice remained unchanged.

To estimate the marginal increase in copying that might result from the regulation, the Department assumed that as patients gained more awareness of their right to inspect and copy their records, more requests will occur. As a result, the Department assumed a ten percent increase in the number of requests to inspect and copy medical records over the current baseline, which would amount to a little over 85,000 additional requests in 2003 at a cost of $1.3 million. Allowing for a 5.3 percent increase in records based on the increase in ambulatory care visits, the highest growth rate among health service sectors (the National Ambulatory Medical Care Survey, 1998), the total cost for the ten-year period would be $16.8 million.

The final rule allows a provider to deny an individual the right to inspect or obtain a copy of protected health information in a designated record set under certain circumstances, and it provides, in certain circumstances, that the patient can request the denial to be reviewed by another licensed health care professional. The initial provider can choose a licensed health care professional to render the second review.

The Department assumes denials and subsequent requests for reviews will be extremely rare. The Department estimates there are about 932,000 annual requests for inspections (i.e., base plus new requests resulting from the regulation), or approximately 11 million over the ten-year period. If one-tenth of one percent of these requests were to result in a denial in accordance with the rule, the result would be 11,890 cases. Not all these cases would be appealed. If 25 percent were appealed, the result would be 2,972 cases. If a second provider were to spend 15 minutes reviewing the case, the cost would be $6,000 in the first year and $86,360 over ten years.

Amendments to Protected Health Information

Many providers and health plans currently allow patients to amend the information in their medical record, where appropriate. If an error exists, both the patient and the provider or health plan benefit from the correction. However, as with inspection and copying, many states do not provide individuals with the right to request amendment to protected health information about themselves. Based on these assumptions, the Department concludes that the principal economic effect of the final rule would be to expand the right to request amendments to protected health information held by a health plan or provider to those who are not currently covered by amendment requirements under state laws or codes of conduct. In addition, the rule may draw additional attention to the issue of inaccuracies in information and may stimulate patient demand for amendment of medical records, including in those states that currently provide a right to amend medical records.

Under the final regulation, if a patient requests an amendment to his or her medical record, the provider must either accept the amendment or provide the individual with the opportunity to submit a statement disagreeing with the denial. The provider must acknowledge the request and inform the patient of his action.

The cost calculations assume that individuals who request an opportunity to amend their medical record have already obtained a copy of it. Therefore, the administrative cost of amending the patient's record is completely separate from inspection and copying costs.

Based on fact-finding discussions with a variety of providers, the Department assumes that 25 percent of the projected 850,000 people who request to inspect their records will seek to amend them. This number is the existing demand plus the additional requests resulting from the rule. Over ten years, the number of expected amendment requests will be 2.7 million. Unlike inspections, which currently occur in a small percentage of cases, our fact-finding suggests that patients very rarely seek to amend their records, but that the establishment of this right in the rule will spur more requests. The 25 percent appears to be high based on our discussions with providers, but it is being used to avoid an underestimation of the cost.

As noted, the provider or health plan is not required to evaluate any amendment requests, only to append or otherwise link to the request in the record. We expect the responses will vary: sometimes an assistant will only make the appropriate notation in the record, requiring only a few minutes; other times a provider or manager will review the request and make changes if appropriate, which may require as much as an hour. To be conservative in its estimate, the Department has assumed, on average, 30 minutes for each amendment request at a cost of $47.28 per hour (2000 CPS).

The first-year cost for the amendment policy is estimated to be $5 million. The ten-year cost of this provision is $78.8 million.

Law Enforcement and Judicial and Administrative Proceedings

The law enforcement provisions of the final rule allow disclosure of protected health information without patient authorization under four circumstances: (1) pursuant to legal process or as otherwise required by law; (2) to locate or identify a suspect, fugitive, material witness, or missing person; (3) under specified conditions regarding a victim of crime; and (4) when a covered entity believes the protected health information constitutes evidence of a crime committed on its premises. As under current law and practice, a covered entity may disclose protected health information to a law enforcement official if such official.

Based on our fact finding, we are not able to estimate any additional costs from the final rule regarding disclosures to law enforcement officials. The final rule makes clear that current court orders and grand jury subpoenas will continue to provide a basis for covered entities to disclose protected health information to law enforcement officials. The three-part test, which covered entities must use to decide whether to disclose information in response to an administrative request such as an administrative subpoena, represents a change from current practice. There will be only minimal costs to draft the standard language for such subpoenas. We are unable to estimate other costs attributable to the use of administrative subpoenas. We have not been able to discover any specific information about the costs to law enforcement of establishing the predicates for issuing the administrative subpoena, nor have we been able to estimate the number of such subpoenas that will likely be issued once the final rule is implemented.

A covered entity may disclose protected health information in response to an order in the course of a judicial or administrative proceeding if reasonable efforts have been made to give the individual, who is the subject of the protected health information, notice of and an opportunity to object to the disclosure or to secure a qualified protective order.

The Department was unable to estimate any additional costs due to compliance with the final rule's provisions regarding judicial and administrative proceedings. The provision requiring a covered entity to make efforts to notify an individual that his or her records will be used in proceedings is similar to current practice; attorneys for plaintiffs and defendants agreed that medical records are ordinarily produced after the relevant party has been notified. With regard to protective orders, we believe that standard language for such orders can be created at minimal cost. The cost of complying with such protective orders will also likely be minimal, because attorneys' client files are ordinarily already treated under safeguards comparable to those contemplated under the qualified protective orders. The Department was unable to make an estimate of how many such protective orders might be created annually.

We thus do not make any estimate of the initial or ongoing costs for judicial, administrative, or law enforcement proceedings.

Costs to the Federal Government

The rule will have a cost impact on various federal agencies that administer programs that require the use of individual health information. The federal costs of complying with the regulation and the costs when federal government entities are serving as providers are included in the regulation's total cost estimate outlined in the impact analysis. Federal agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual's expressed authorization, will likely incur some costs complying with provisions of this rule. A sample of federal agencies encompassed by the broad scope of this rule includes the Department of Health and Human Services, Department of Defense, Department of Veterans Affairs, Department of State, and the Social Security Administration.

The greatest cost and administrative burden on the federal government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicare, Medicaid, Children's Health Insurance and Indian Health Service programs at the Department of Health and Human Services; the CHAMPVA health program at the Department of Veterans Affairs; and the TRICARE health program at the Department of Defense. These and other health insurance or provider programs operated by the federal government are subject to requirements placed on covered entities under this rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these federal programs already afford privacy protections for individual health information through the Privacy Act and standards set by the Departments and implemented through their contracts with providers, this rule is nonetheless expected to create additional requirements. Further, we anticipate that most federal health programs will, to some extent, need to modify their existing practices to comply fully with this rule. The cost to federal programs that function as health plans will be generally the same as those for the private sector.

A unique cost to the federal government will be in the area of enforcement. The Office for Civil Rights (OCR), located at the Department of Health and Human Services, has the primary responsibility to monitor and audit covered entities. OCR will monitor and audit covered entities in both the private and government sectors, will ensure compliance with requirements of this rule, and will investigate complaints from individuals alleging violations of their privacy rights. In addition, OCR will be required to recommend penalties and other remedies as part of their enforcement activities. These responsibilities represent an expanded role for OCR. Beyond OCR, the enforcement provisions of this rule may have additional costs to the federal government through increased litigation, appeals, and inspector general oversight.

Examples of other unique costs to the federal government may include such activities as public health surveillance at the Centers for Disease Control and Prevention, health research projects at the Agency for Healthcare Research and Quality, clinical trials at the National Institutes of Health, and law enforcement investigations and prosecutions by the Federal Bureau of Investigation. For these and other activities, federal agencies will incur some costs to ensure that protected health information is handled and tracked in ways that comply with the requirements of this title.

We estimate that federal costs under this rule will be approximately $196 million in 2003 and $1.8 billion over ten years. The ten-year federal cost estimate represents about 10.2 percent of the privacy regulation's total cost. This estimate was derived in two steps.

First, we assumed that the proportion of the privacy regulation's total cost accruing to the federal government in a given year will be equivalent to the proportion of projected federal costs as a percentage of national health expenditures for that year. To estimate these proportions, we used the Health Care Financing Administration's November 1998 National Health Expenditure projections (the most recent data available) of federal health expenditures as a percent of national health expenditures from 2003 through 2008, trended forward to 2012. We then adjusted these proportions to exclude Medicare and Medicaid spending, reflecting the fact that the vast majority of participating Medicare and Medicaid providers will not be able to pass through the costs of complying with this rule to the federal government because they are not reimbursed under cost-based payment systems. This calculation yields a partial federal cost of $166 million in 2003 and $770 million over ten years.

Second, we add the Medicare and federal Medicaid costs resulting from the privacy regulation that HCFA's Office of the Actuary projects can be passed through to the federal government. These costs reflect the actuaries' assumption regarding how much of the total privacy regulation cost burden will fall on participating Medicare and Medicaid providers, based on the November 1998 National Health Expenditure data. Then the actuaries estimate what percentage of the total Medicare and federal Medicaid burden could be billed to the programs, assuming that (1) only 3 percent of Medicare providers and 5 percent of Medicaid providers are still reimbursed under cost-based payment systems, and (2) over time, some Medicaid costs will be incorporated into the state's Medicaid expenditure projections that are used to develop the federal cost share of Medicaid spending. The results of this actuarial analysis add another $30 million in 2003 and $1.0 billion over ten years to the federal cost estimate. Together, these three steps constitute the total federal cost estimate of $236 million in 2003 and $2.2 billion over ten years.

Costs to State and Local Governments

The rule will also have a cost effect on various state and local agencies that administer programs requiring the use of individually identifiable health information. State and local agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle individually identifiable health information, either under permissible exceptions to the disclosure rules or through an individual's expressed authorization, will likely incur some costs complying with provisions of this rule. Samples of state and local agencies or programs encompassed by the broad scope of this rule include: Medicaid, State Children's Health Insurance Programs, county hospitals, state mental health facilities, state or local nursing facilities, local health clinics, and public health surveillance activities, among others. We have included state and local costs in the estimation of total costs in this section.

The greatest cost and administrative burden on the state and local government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider, such as Medicaid, State Children's Health Insurance Programs, and county hospitals. These and other health insurance or provider programs operated by state and local government are subject to requirements placed on covered entities under this rule, including, but not limited to, those outlined in this section (Section E) of the impact analysis. Many of these state and local programs already afford privacy protections for individually identifiable health information through the Privacy Act. For example, state governments often become subject to Privacy Act requirements when they contract with the federal government. This rule is expected to create additional requirements beyond those covered by the Privacy Act. Furthermore, we anticipate that most state and local health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule. The cost to state and local programs that function as health plans will be different than the private sector, much as the federal costs vary from private health plans.

[52] Equifax-Harris Consumer Privacy Survey, 1994.

[53] Consumer Privacy Survey, Harris-Equifax, 1994, p. vi.

[54] Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p. 12.

[55] Health Information Survey, Harris-Equifax, 1993, pp. 49–50.

A preliminary analysis suggests that state and local government costs will be on the order of $460 million in 2003 and $2.4 billion over ten years. We assume that the proportion of the privacy regulation's total cost accruing to state and local governments in a given year will be equivalent to the proportion of projected state and local costs as a percentage of national health expenditures for that year. To estimate these proportions, we used the Health Care Financing Administration's November 1998 National Health Expenditure projections of state and local health expenditures as a percent of national health expenditures from 2003 through 2008, trended forward to 2012. Based on this approach, we assume that over the entire 2003 to 2012 period, 13.6 percent, or $2.4 billion, of the privacy regulation's total cost will accrue to state and local governments. Of the $2.4 billion state and local government cost, 19 percent will be incurred in the regulation's first year (2003). In each of the out-years (2004–2012), the average percent of the total cost incurred will be about nine percent per year. These state and local government costs are included in the total cost estimates discussed in the regulatory impact analysis.

F. Benefits

There are important societal benefits associated with improving health information privacy. Confidentiality is a key component of trust between patients and providers, and some studies indicate that a lack of privacy may deter patients from obtaining preventive care and treatment.[52] For these reasons, traditional approaches to estimating the value of a commodity cannot fully capture the value of personal privacy. It may be difficult for individuals to assign value to privacy protection because most individuals view personal privacy as a right. Therefore, the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of the proposed regulation, and these benefits, alone, suggest that the regulation is warranted. Added to these benefits is the intangible value of privacy, the security that individuals feel when personal information is kept confidential. This benefit is very real and very significant, but there are no reliable means of measuring the dollar value of such benefit.

As noted in the comment and response section, a number of commenters raised legitimate criticisms of the Department's approach to estimating benefits. The Department considered other approaches, including attempts to measure benefits in the aggregate rather than the specific examples set forth in the NPRM. However, we were unable to identify data or models that would provide credible measures. Privacy has not been studied empirically from an economic perspective, and therefore, we concluded that the approach taken in the NPRM is still the most useful means of illustrating that the benefits of the regulation are significant in relation to the economic costs.

Before beginning the discussion of the benefits, it is important to create a framework for how the costs and benefits may be viewed in terms of individuals rather than societal aggregates. We have estimated the value an insured individual would need to place on increased privacy to make the privacy regulation a net benefit to those who receive health insurance. Our estimates are derived from data produced by the 1998 Current Population Survey from the Census Bureau (the most recent available at the time of the analysis), which show that 220 million persons are covered by either private or public health insurance. Joining the Census Bureau data with the costs calculated in Section E, we have estimated the cost of the regulation to be approximately $6.25 per year (or approximately $0.52 per month) for each insured individual (including people in government programs). If we assume that individuals who use the health care system will be willing to pay more than this per year to improve health information privacy, the benefits of the proposed regulation will outweigh the cost.

This is a conservative estimate of the number of people who will benefit from the regulation because it assumes that only those individuals who have health insurance or are in government programs will use medical services or benefit from the provisions of the proposed regulation. Currently, there are 42 million Americans who do not have any form of health care coverage. The estimates do not include those who pay for medical care directly, without any insurance or government support. By lowering the number of users in the system, we have inflated our estimate of the per-person cost of the regulation; therefore, we assume that our estimate represents the highest possible cost for an individual.

An alternative approach to determining how people would have to value increased privacy for this regulation to be beneficial is to look at the costs divided by the number of encounters with health care professionals annually. Data from the Medical Expenditure Panel Survey (MEPS) produced by the Agency for Healthcare Policy Research (AHCPR) show approximately 776.3 million health care visits (e.g., office visits, hospital and nursing home stays, etc.) in the first year (2003). As with the calculation of average annual cost per insured patient, we divided the total cost of complying with the regulation by the total annual number of health care visits. The cost of instituting requirements of the proposed regulation is $0.19 per health care visit. If we assume that individuals would be willing to pay more than $0.19 per health care visit to improve health information privacy, the benefits of the proposed regulation outweigh the cost.

Qualitative Discussion

A well designed privacy standard can be expected to build confidence among the public about the confidentiality of their medical records. The seriousness of public concerns about privacy in general is shown in the 1994 Equifax-Harris Consumer Privacy Survey, where ‘‘84 percent of Americans are either very or somewhat concerned about threats to their personal privacy.’’ 53 A 1999 report, ‘‘Promoting Health and Protecting Privacy’’ notes ‘‘* * * many people fear their personal health information will be used against them: to deny insurance, employment, and housing, or to expose them to unwanted judgements and scrutiny.’’ 54 These concerns would be partly allayed by the privacy standard.

Fear of disclosure of treatment is an impediment to health care for many Americans. In the 1993 Harris-Equifax Health Information Privacy Survey, seven percent of respondents said they or a member of their immediate family had chosen not to seek medical services due to fear of harm to job prospects or other life opportunities. About two percent reported having chosen not to file an insurance claim because of concerns of lack of privacy or confidentiality.55 Increased confidence on the part of patients that their privacy would be protected would lead to increased treatment among people who delay or never begin care, as well as among people who receive treatment but pay directly (to the extent that the ability to use their insurance benefits will reduce cost barriers to more complete treatment). It will also change the dynamic of current payments. Insured patients currently paying out-of-pocket to protect confidentiality will be more likely to file with their insurer and to seek all necessary care. The increased utilization that would result from increased confidence in privacy could be beneficial under many circumstances. For many medical conditions, early and comprehensive treatment can lead to lower costs.

82777 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

56 American Cancer Society. http://4a2z.com/cgi/rfr.cgi?4CANCER–2-http://www.cancer.org/frames.html

57 American Cancer Society. http://www3.cancer.org/cancerinfo/sitecenter.asp?ctid=8&scp=0&scs=0&scss=0&scdoc=40000.

58 Polednak, AP. ‘‘Estimating Prevalence of Cancer in the United States,’’ Cancer 1997; 8–:136–41

59 Martin Brown, ‘‘The Burden of Illness of Cancer: Economic Cost and Quality of Life.’’ Annual Review of Public Health, 2001:22:91–113.

60 Disease-Specific Estimates of Direct and Indirect Costs of Illness and NIH Support: Fiscal Year 2000 Update. Department of Health and Human Services, National Institutes of Health, Office of the Director, February 2000.

61 DALY scores for 10 cancer sites are presented in Brown, ‘‘The Burden of Illness of Cancer: Economic Cost and Quality of Life,’’ figure 1.

62 Breast Cancer Information Service. http://trfn.clpgh.org/bcis/FAQ/facts2.html

63 Jack S. Mandel, et al., ‘‘Reducing Mortality from Colorectal Cancer by Screening for Fecal Occult Blood,’’ The New England Journal of Medicine, May 13, 1993, Vol. 328, No. 19.

The following are four examples of areas where increased confidence in privacy would have significant benefits. They were chosen both because they are representative of widespread and serious health problems, and because they are areas where reliable and relatively complete data are available for this kind of analysis. The logic of the analysis, however, applies to any health condition, including relatively minor conditions. We expect that some individuals might be concerned with maintaining privacy even if they have no significant health problems because it is likely that they will develop a medical condition in the future that they will want to keep private.

Cancer

The societal burden of disease imposed by cancer is indisputable. Cancer is the second leading cause of death in the US,56 exceeded only by heart disease. In 2000, it is estimated that 1.22 million new cancer cases will be diagnosed.57 The estimated prevalence of cancer cases (both new and existing cases) in 1999 was 8.37 million.58 In addition to mortality, incidence, and prevalence rates, the other primary methods of assessing the burden of disease are cost-of-illness and quality of life measures.59 Cost of illness measures the economic costs associated with treating the disease (direct costs) and lost income associated with morbidity and mortality (indirect costs).

The National Institutes of Health estimates that the overall annual cost of cancer in 1990 was $96.1 billion; $27.5 billion in direct medical costs and $68.7 billion for lost income due to morbidity and mortality.60 Health-related quality of life measures integrate the mortality and morbidity effects of disease to produce health status scores for an individual or population. For example, the Quality Adjusted Life Year (QALY) combines the pain, suffering, and productivity loss caused by illness into a single measure. The Disability Adjusted Life Year (DALY) is based on the sum of life years lost to premature mortality and years that are lived, adjusted for disability.61 The analysis below is based on the cost-of-illness measure for cancer, which is more developed than the quality of life measure.

Among the most important elements in the fight against cancer are screening, early detection and treatment of the disease. However, many patients are concerned that cancer detection and treatment will make them vulnerable to discrimination by insurers or employers. These privacy concerns have been cited as a reason patients do not seek early treatment for diseases such as cancer. As a result of forgoing early treatment, cancer patients may ultimately face a more severe illness and/or premature death.

Increasing people’s confidence in the privacy of their medical information would encourage more people with cancer to seek cancer treatment earlier, which would increase cancer survival rates and thus reduce the lost wages associated with cancer. For example, only 24 percent of ovarian cancers are diagnosed in the early stages. Of these, approximately 90 percent of patients survive treatment. The survival rate of women who detect breast cancer early is similarly high; more than 90 percent of women who detect and treat breast cancer in its early stages will survive.62

We have attempted to estimate the annual savings in forgone wages that would result from earlier treatment due to enhanced protection of the privacy of medical records. We do not assume there would be increased medical costs from earlier treatment because the costs of earlier and longer cancer treatment are probably offset by the costs of treating late-stage cancer among people who would otherwise not be treated until their cases had progressed.

Although figures on the number of individuals who avoid cancer treatment due to privacy concerns do not exist, some indirect evidence is available. A 1993 Harris-Equifax Health Information Privacy Survey (noted earlier) found that seven percent of respondents reported that they or a member of their immediate family had chosen not to seek services for a physical or mental health condition due to fear of harm to job prospects or other life opportunities. It should be noted that this survey is somewhat dated and represents only one estimate. Moreover, given the wording of the question, there are other reasons aside from privacy concerns that led these individuals to respond affirmatively. However, for the purposes of this estimate, we assume that privacy concerns were responsible for the majority of positive responses.

Based on the Harris-Equifax survey estimate that seven percent of people did not seek services for physical or mental health conditions due to fears about job prospects or other opportunities, we assume that the proportion of people diagnosed with cancer who did not seek earlier treatment due to these fears is also seven percent. Applying this seven percent figure to the estimated number of total cancer cases (8.37 million) gives us an estimate of 586,000 people who did not seek earlier cancer treatment due to privacy concerns. We estimate annual lost wages due to cancer morbidity and mortality per cancer patient by dividing total lost wages ($68.7 billion) by the number of cancer patients (8.37 million), which rounds to $8,200. We then assume that cancer patients who seek earlier treatment would achieve a one-third reduction in cancer mortality and morbidity due to earlier treatment. The assumption of a one-third reduction in mortality and morbidity is derived from a study showing a one-third reduction in colorectal cancer mortality due to colorectal cancer screening.63 We could have chosen a lower or higher treatment success rate. By multiplying 586,000 by $8,200 by one-third, we calculate that $1.6 billion in lost wages could be saved each year by encouraging more people to seek early cancer treatment through enhanced privacy protections. This estimate illustrates the potential savings in lost wages due to cancer that could be achieved with greater privacy protections.

82778 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

64 Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p 13

65 For example, Roger Detels, M.D., et al., in ‘‘Effectiveness of Potent Anti-retroviral Therapy. * * *’’ JAMA, 1998; 280:1497–1503 note the impact of therapy on HIV persons with respect to lengthening the time to development of AIDS, not just delaying death in persons who already have AIDS.

66 John Hornberger et al., ‘‘Early treatment with highly active anti-retroviral therapy (HAART) is cost-effective compared to delayed treatment,’’ 12th World AIDS conference, 1998.

67 Sexually Transmitted Diseases in America, Kaiser Family Foundation, 1998, p. 12.

68 Standard Medical information; see http://www.mayohealth.org for examples.

69 Substance Abuse and Mental Health Services Administration. http://www.samhsa.gov/oas/srcbk/costs-02htm. Source of data: DP Rice, Costs of Mental Illness (unpublished data).

70 Department of Health and Human Services, Mental Health: A Report of the Surgeon General. Rockville, MD: 1999, page 408.

71 According to the Surgeon General’s Report, 28 percent of the adult population have either a mental or addictive disorder, whether or not they receive services: 19 percent have a mental disorder alone, 6 percent have a substance abuse disorder alone, and 3 percent have both. Subtracting the 3 percent who have both, about three-quarters of the population with either a mental or addictive disorder have a mental disorder and one-quarter have a substance abuse disorder. We assume that this ratio (three-quarter to one-quarter) is the same for the adult population with either a mental or addictive disorder who do not receive services.

HIV/AIDS

Early detection is essential for the survival of a person with HIV (Human Immunodeficiency Virus). Concerns about the confidentiality of HIV status would likely deter some people from getting tested. For this reason, each state has passed some sort of legislation regarding confidentiality of an individual’s HIV status. However, HIV status can be revealed indirectly through disclosure of HAART (Highly Active Anti-Retroviral Therapy) or similar HIV treatment drug use. In addition, since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often the only specially protected condition, ‘‘blacked out’’ information on medical charts could indicate HIV positive status.64 Strengthening privacy protections beyond this disease could increase confidence in privacy regarding HIV as well. Drug therapy for HIV positive persons has proven to be a life-extending, cost-effective tool.65 A 1998 study showed that beginning treatment with HAART in the early asymptomatic stage is more cost-effective than beginning it late. After five years, only 15 percent of patients with early treatment are estimated to develop an ADE (AIDS-defining event), whereas 29 percent would if treatment began later. Early treatment with HAART prolongs survival (adjusted for quality of life) by 6.2 percent. The overall cost of early HAART treatment is estimated at $23,700 per quality-adjusted year of life saved.66

Other Sexually Transmitted Diseases

It is difficult to know how many people are avoiding testing for STDs despite having a sexually transmitted disease. A 1998 study by the Kaiser Family Foundation found that the incidence of disease was 15.3 million in 1996, though there is great uncertainty due to under-reporting.67 For a potentially embarrassing disease such as an STD, seeking treatment requires trust in both the provider and the health care system for confidentiality of such information. Greater trust should lead to more testing and greater levels of treatment. Earlier treatment for curable STDs can mean a decrease in morbidity and the costs associated with complications. These include expensive fertility problems, fetal blindness, ectopic pregnancies, and other reproductive complications.68 In addition, there could be greater overall savings if earlier treatment translates into reduced spread of infections.

Mental Health Treatment

When individuals have a better understanding of the privacy practices that we are requiring in this proposed rule, some will be less reluctant to seek mental health treatment. One way that individuals will receive this information is through the notice requirement. Increased use of mental health services would be expected to be beneficial to the persons receiving the care, to their families, and to society at large. The direct benefit to the individual from treatment would include improved quality of life, reduced disability associated with mental conditions, reduced mortality rate, and increased productivity associated with reduced disability and mortality. The benefit to families would include quality of life improvements and reduced medical costs for other family members associated with abusive behavior by the treated individual.

The potential economic benefits associated with improving privacy of individually identifiable health information and thus encouraging some portion of individuals to seek initial mental health treatment or increase service use are difficult to quantify well. Nevertheless, using a methodology similar to the one used above to estimate potential savings in cancer costs, one can lay out a range of possible benefit levels to illustrate the possibility of cost savings associated with an expansion of mental health treatment to individuals who, due to protections offered by the privacy regulation, might seek treatment that they otherwise would not have. This can be illustrated by drawing upon existing data on the economic costs of mental illness and the treatment effectiveness of interventions.

The 1998 Substance Abuse and Mental Health Statistics Source Book from the Substance Abuse and Mental Health Services Administration (SAMHSA) estimates that the economic cost to society of mental illness in 1994 was about $204.4 billion. About $91.7 billion was due to the cost of treatment and medical care and $112.6 billion (1994 dollars) was due to loss of productivity associated with morbidity and mortality and other related costs, such as crime.69 Evidence suggests that appropriate treatment of mental health disorders can result in 50–80 percent of individuals experiencing improvements in these types of conditions. Improvements in patient functioning and reduced hospital stays could result in hundreds of millions of dollars in cost savings annually.

Although figures on the number of individuals who avoid mental health treatment due to privacy concerns do not exist, some indirect evidence is available. As noted in the cancer discussion, the 1993 Harris-Equifax Health Information Privacy Survey found that 7 percent of respondents reported that they or a member of their immediate family had chosen not to seek services for a physical or mental health condition due to fear of harm to job prospects or other life opportunities. (See above for limitations to this data.)

We assume that the proportion of people with a mental health disorder who did not seek treatment due to fears about job prospects or other opportunities is the same as the proportion in the Harris-Equifax survey sample who did not seek services for physical or mental health conditions due to the same fears (7 percent). The 1999 Surgeon General’s Report on Mental Health estimates that 28 percent of the U.S. adult population has a diagnosable mental and/or substance abuse disorder and 20 percent of the population has a mental and/or substance abuse disorder for which they do not receive treatment.70 Based on the Surgeon General’s Report, we estimate that 15 percent of the adult population has a mental disorder for which they do not seek treatment.71 Assuming that 7 percent of those with mental disorders did not seek treatment due to privacy concerns, we estimate that 1.05 percent of the adult population 72 (15 percent multiplied by 7 percent), or 2.07 million people, did not seek treatment for mental illness due to privacy fears.

82779 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

71 (continued) Thus, we assume that 15 percent of the population have an untreated mental disorder (three-quarters of 20 percent) and 5 percent have an untreated addictive disorder (one-quarter of 20 percent).

72 According to the Population Estimates Program, Population Division, U.S. Census Bureau, the U.S. population age 20 and older is 197.1 million on Sept. 1, 2000. This estimate of the adult population is used throughout this section.

73 The number of adults with mental illness is calculated by multiplying the U.S. Census Bureau estimate of the U.S. adult population—197.1 million—by the percent of the adult population with mental illness—22 percent, according to the Surgeon General’s Report on Mental Health, which says that 19 percent of the population have a mental disorder alone and three percent have a mental and substance abuse disorder.

74 ‘‘Entities’’ and ‘‘establishments’’ are synonymous in this analysis.

75 ‘‘Entities’’ and ‘‘establishments’’ are used synonymously in this RFA.

76 ‘‘Small governments’’ were not included in this analysis directly; rather we have included the kinds of institutions within those governments that are likely to incur costs, such as government hospitals and clinics.

77 Entities are the physical location where an enterprise conducts business. An enterprise may conduct business in more than one establishment.

The indirect (non-treatment) economic cost of mental illness per person with mental illness is $2,590 ($112.6 billion divided by 43.4 million people with mental illness).73 The treatment cost of mental illness per person with mental illness is $2,110 ($91.7 billion divided by 43.4 million individuals). If we assume that indirect economic costs saved by encouraging more individuals with mental illness to enter treatment are offset by the additional treatment costs, the net savings is about $480 per person.

As stated above, appropriate treatment of mental health disorders can result in 50–80 percent of individuals experiencing improvements in these types of conditions. Therefore, we multiply the number of individuals with mental disorders who would seek treatment with greater privacy protections (2.07 million) by the treatment effectiveness rate by the net savings per effective treatment ($480). Assuming a 50 percent success rate, this equation yields annual savings of $497 million. Assuming an 80 percent success rate, this yields annual savings of $795 million.

Given the existing data on the annual economic costs of mental illness and the rates of treatment effectiveness for these disorders, coupled with assumptions regarding the percentage of individuals who would seek mental health treatment with greater privacy protections, the potential net economic benefits could range from approximately $497 million to $795 million annually.

V. Final Regulatory Flexibility Analysis

A. Introduction

Pursuant to the Regulatory Flexibility Act 5 U.S.C. 601 et seq., the Department must prepare a regulatory flexibility analysis if the Secretary certifies that a final rule would have a significant economic impact on a substantial number of small entities.74

This analysis addresses four issues: (1) The need for, and objective of, the rule; (2) a summary of the public comments to the NPRM and the Department’s response; (3) a description and estimate of the number of small entities affected by the rule; and (4) a description of the steps the agency has taken to minimize the economic impact on small entities, consistent with the law and the intent of the rule. The following sections provide details on each of these issues. A description of the projected reporting and record keeping requirements of the rule is included in Section IX, below.

B. Reasons for Promulgating the Rule

This proposed rule is being promulgated in response to a statutory mandate to do so under section 264 of Public Law 104–191. Additional information on the reasons for promulgating the rule can be found in earlier preamble discussions (see Section I. B. above).

1. Objectives and Legal Basis

This information can be found in earlier preamble discussions (See I. C. and IV., above).

2. Relevant Federal Provisions

This information can be found in earlier preamble discussions (See I. C., above).

C. Summary of Public Comments

The Department received only a few comments regarding the Initial Regulatory Flexibility Analysis (IRFA) contained in the NPRM. A number of commenters argued that the estimates in the IRFA were too low or incomplete. The estimates were incomplete to the extent that a number of significant policy provisions in the proposal were not estimated because of too little information at the time. In the final IRFA we have estimates for these provisions. As for the estimates being too low, the Department has sought as much information as possible. The methodology employed for allocating costs to the small business sectors is explained in the following section.

Most of the other comments pertaining to the IRFA criticized specific estimates in the NPRM. Generally, the commenters argued that certain cost elements were not included in the cost estimates presented in the NPRM. The Department has expanded our description of our data and methodology in both the final RIA and this final RFA to try to clarify the data and assumptions made and the rationale for using them.

Finally, a number of commenters suggested that small entities be exempted from coverage under the final rule, or that they be given more time to comply. As the Department has explained in the Response to Comments section above, such changes were considered but rejected. Small entities constitute the vast majority of all entities that are covered; to exempt them would essentially nullify the purpose of the rule. Extensions were also considered but rejected. The rule does not take effect for two years, which is ample time for small entities to learn about the rule and make the necessary changes to come into compliance.

D. Economic Effects on Small Entities

1. Number and Types of Small Entities Affected

The Small Business Administration defines small businesses in the health care sector as those organizations with less than $5 million in annual revenues. Nonprofit organizations are also considered small entities;75 however, individuals and states are not included in the definition of a small entity. Similarly, small government jurisdictions with a population of less than 50,000 are considered small entities.76

Small businesses in the health care sector affected by this rule may include such businesses as: Nonprofit health plans, hospitals, and skilled nursing facilities (SNFs); small businesses providing health coverage; small physician practices; pharmacies; laboratories; durable medical equipment (DME) suppliers; health care clearinghouses; billing companies; and vendors that supply software applications to health care entities.

The U.S. Small Business Administration reports that as of 1997, there were 562,916 small health care entities 77 classified within the SIC codes we have identified as being covered establishments (Table A).

82780 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

78 Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1997.

79 Op. cit., 1997.

These small businesses represent 82.6% of all health care establishments examined.78 Small businesses represent a significant portion of the total number of health care establishments but a small portion of the revenue stream for all health care establishments. In 1997, the small health care businesses represented generated approximately $430 billion in annual receipts, or 30.2% of the total revenue generated by health care establishments (Table B).79 The following sections provide estimates of the number of small health care establishments that will be required to comply with the rule. Note, however, that the SBA’s published annual receipts of health care industries differ from the National Health Expenditure data that the Health Care Financing Administration (HCFA) maintains.

82781 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

These data do not provide the specific revenue data required for a RFA; only the SBA data has the requisite establishment and revenue data for this analysis.

82782 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

80 Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1997.

81 Op. cit., 1997.

82 Health Care Financing Administration, OSCAR.

The Small Business Administration reports that approximately 74 percent of the 18,000 medical laboratories and dental laboratories in the U.S. are small entities.80 Furthermore, based on SBA data, 55 percent of the 3,300 durable medical equipment suppliers that are not part of drug and proprietary stores in the U.S. are small entities. Over 90 percent of health practitioner offices are small businesses.81 Doctor offices (90%), dentist offices (99%), osteopathy (97%) and other health practitioner offices (97%) are primarily considered small businesses.

There are also a number of hospitals, home health agencies, non-profit nursing facilities, and skilled nursing facilities that will be affected by the proposed rule. According to the American Hospital Association, there are approximately 3,131 nonprofit hospitals nationwide. Additionally, there are 2,788 nonprofit home health agencies in the U.S. and the Health Care Financing Administration reports that there are 591 nonprofit nursing facilities and 4,280 nonprofit skilled nursing facilities.82

Some contractors that are not covered entities but that work with covered health care entities will be required to adopt policies and procedures to protect information. We do not expect that the additional burden placed on contractors will be significant. We have not estimated the effect of the proposed rule on these entities because we cannot reasonably anticipate the number or type of contracts affected by the proposed rule. We also do not know the extent to which contractors would be required to modify their policy practices as a result of the rule.

2. Activities and Costs Associated With Compliance

This section summarizes specific activities that covered entities must undertake to comply with the rule’s provisions and options considered by the Department that would reduce the burden to small entities. In developing this rule, the Department considered a variety of alternatives for minimizing the economic burden that it will create for small entities. We did not exempt small businesses from the rule because they represent such a large and critical proportion of the health care industry (82.6 percent); a significant portion of individually identifiable health information is generated or held by these small businesses.

The guiding principle in our considerations of how to address the burden on small entities has been to make provisions performance rather than specification oriented—that is, the rule states the standard to be achieved but allows institutions flexibility to determine how to achieve the standard within certain parameters. Moreover, to the extent possible, we have allowed entities to determine the extent to which they will address certain issues. This ability to adapt provisions to minimize burden has been addressed in the regulatory impact analysis above, but it will be briefly discussed again in the following section.

Before discussing specific provisions, it is important to note some of the broader questions that were addressed in formulating this rule. The Department considered extending the compliance period for small entities but concluded that it did not have the legal authority to do so (see discussion above). The rule, pursuant to HIPAA, creates an extended compliance time of 36 months (rather than 24 months) only for small health plans and not for other small entities. The Department also considered giving small entities longer response times for time limits set forth in the rule, but decided to establish standard time limits that we believe are reasonable for covered entities of all sizes, with the understanding that larger entities may not need as much time as they have been allocated in certain situations. This permits each covered entity the flexibility to establish policies regarding time limits that are consistent with the entity’s current practices.

Although we considered the needs of small entities during our discussions of all provisions for this final rule, we are highlighting the most significant discussions in the following sections:

Scalability

Wherever possible, the final rule provides a covered entity with flexibility to create policies and procedures that are best suited to the entity’s current practices in order to comply with the standards, implementation specifications, and requirements of the rule. This allows the covered entity to assess its own needs in devising, implementing, and maintaining appropriate privacy policies, procedures, and documentation to address these regulatory requirements. It also will allow a covered entity to take advantage of developments and methods for protecting privacy that will evolve over time in a manner that is best suited to that institution. This approach allows covered entities to strike a balance between protecting privacy of individually identifiable health information and the economic cost of doing so within prescribed boundaries set forth in the rule. Health care entities must consider both factors when devising their privacy solutions. The Department assumes that professional and trade associations will provide guidance to their members in understanding the rule and providing guidance on how they can best achieve compliance. This philosophy is similar to the approach in the Transactions Rule.

The privacy standard must be implemented by all covered entities, regardless of size. However, we believe that the flexible approach under this rule is more efficient and appropriate than a single approach to safeguarding health information privacy. For example, in a small physician practice, the office manager might be designated to serve as the privacy official as one of many of her duties. In a large health plan, the privacy official position may require more time and greater privacy experience, or the privacy official may have the regular support and advice of a privacy staff or board. The entity can decide how to implement this privacy official requirement based on the entity's structure and needs.

The Department decided to use this scaled approach to minimize the burden on all entities, with an emphasis on small entities. The varying needs and capacities of entities should be reflected in the policies and procedures adopted by the organization and the overall approach it takes to achieve compliance.

Minimum Necessary

The "minimum necessary" policy in the final rule has essentially three components: first, it does not pertain to certain uses and disclosures, including treatment-related exchange of information among health care providers; second, for disclosures that are made on a routine basis, such as insurance claims, a covered entity is required to have policies and procedures governing such exchanges (but the rule does not require a case-by-case determination in such cases); and third, providers must have a process for reviewing non-routine requests on a case-by-case basis to assure that only the minimum necessary information is disclosed. The final rule makes changes to the NPRM that reduce the burden of compliance on small businesses.

Based on public comments and subsequent fact-finding, the Department sought to lessen the burden of this provision. The NPRM proposed applying the minimum necessary standard to disclosures to providers for treatment purposes and would have required individual review of all uses of protected health information. The final rule exempts disclosures of protected health information from a covered entity to a health care provider for treatment from the minimum necessary provision and eliminates the case-by-case determinations that would have been necessary under the NPRM. The Department has concluded that the requirements of the final rule are similar to the current practice of most health care providers. For standard disclosure requests, for example, providers generally have established procedures. Under the final rule providers will have to have policies and procedures to determine the minimum amount of protected health information to disclose for standard disclosure requests as well, but may need to review and revise existing procedures to make sure they are consistent with the final rule. For non-routine disclosures, providers have indicated that they currently ask questions to discern how much information should be disclosed. In short, the minimum necessary requirements of this rule are similar to current practice, particularly among small providers.

Policy and Procedures

The rule requires that covered entities develop and document policies and procedures with respect to protected health information to establish and maintain compliance with the regulation. Through the standards, requirements, and implementation specifications, we are proposing a framework for developing and documenting privacy policies and procedures rather than adopting a rigid, prescriptive approach, in order to accommodate entities of different sizes, types of activities, and business practices. Small providers will be able to develop more limited policies and procedures under the rule than will large providers and health plans, based on the volume of protected health information. We also expect that provider and health plan associations will develop model policies and procedures for their members, which will reduce the burden on small businesses.

Privacy Official

The rule requires covered entities to designate a privacy official who will be responsible for the development and implementation of privacy policies and procedures. The implementation of this requirement may vary based on the size of the entity. For example, a small physician's practice might designate the office manager as the privacy official in addition to her broader administrative responsibilities. Once the privacy official has been trained, the time required to accomplish the duties imposed on such person is not likely to be much more than under current practice. Therefore, the requirement imposes a minimal burden on small businesses.

Internal Complaints

The final rule requires covered entities to have an internal process for individuals to make complaints regarding the covered entities' privacy policies and procedures required by the rule and its compliance with such policies. The requirement includes identifying a contact person or office responsible for receiving complaints and documenting all complaints received and the disposition of such complaints, if any. The covered entity only is required to receive and document a complaint (the complaint can be oral or in writing), which should take a short amount of time. The Department believes that complaints about a covered entity's privacy policies and procedures will be uncommon. Thus, the burden on small businesses should be minimal.

Training

In developing the NPRM, the Department considered a number of alternatives for training, including requiring specific training materials, training certification, and periodic retraining. In the NPRM, the Department recommended flexibility in the materials and training method used, but proposed recertification every three years and retraining in the event of material changes in policy.

Based on public comment, particularly from small businesses, the Department has lessened the burden in the final rule. As in the proposal, the final rule requires all employees who are likely to have contact with protected health information to be trained. Covered entities will have to train employees by the compliance date specific to the type of covered entity and train new employees within a reasonable time of initial employment. In addition, a covered entity will have to train each member of its workforce whose functions are affected by a material change in the policies or procedures of such entity. However, the final rule leaves to the employer the decisions regarding the nature and method of training to achieve this requirement. The Department expects a wide variety of options to be made available by associations, professional groups, and vendors. Methods might include classroom instruction, videos, booklets, or brochures tailored to particular levels of need of workers and employers. Moreover, the recertification requirement of the NPRM has been dropped to ease the burden on small entities.

Consent

The NPRM proposed prohibiting covered entities from requiring individuals to provide written consent for the use and disclosure of protected health information for treatment, payment, and health care operations purposes. The final rule requires certain health care providers to obtain written consent before using or disclosing protected health information for treatment, payment, and health care operations, with a few exceptions. This requirement was included in the final rule in response to comments that this reflects the current practice of health care providers with direct treatment relationships. Because providers are already obtaining such consent, this requirement represents a minimal burden.

Notice of Privacy Rights

The rule requires covered entities to prepare and make available a notice that informs individuals about uses and disclosures of protected health information that may be made by the covered entity and that informs of the individual's rights and the covered entity's legal duties with respect to protected health information. The final rule makes changes to the NPRM that reduce the burden of this provision on covered entities and allows flexibility. The NPRM proposed that the notice describe the uses and disclosures of information that the entity expected to make without individual authorization. The final rule only requires that the notice describe uses and disclosures that the entity is permitted or required to make under the rule without an individual's written consent or authorization. This change will allow entities to use standardized notice language within a given state, which will minimize the burden of each covered entity preparing a notice. Professional associations may develop model language to assist entities in developing notices required by the rule. While the final rule specifies minimum notice requirements, it allows entities flexibility to add more detail about a covered entity's privacy policies.

The NPRM also proposed that health plans distribute the notice every three years. The final rule reduced this burden by requiring health plans (in addition to providing notice to individuals at enrollment and prior to the compliance date of this rule) to inform individuals at least once every three years about the availability of the notice and how to obtain a copy, rather than to distribute a copy of the notice.

In discussing the requirement for covered entities to prepare and make available a notice, we considered exempting small businesses (83 percent of entities) or extremely small entities (fewer than 10 employees). The Department decided that informing consumers of their privacy rights and of the activities of covered entities with which they conduct business was too important a goal of this rule to exempt any entities.

In addition to requiring a basic notice, we considered requiring a longer, more detailed notice that would be available to individuals on request. However, we decided that it would be overly burdensome to all entities, especially small entities, to require two notices.

We believe that the proposed rule appropriately balances the benefits of providing individuals with information about uses and disclosures of protected health information with covered entities' need for flexibility in describing such information.

Access to Protected Health Information

The public comments demonstrate that inspection and copying of individually identifiable health information is widespread today. Individuals routinely request copies of such information, in whole or in part, for purposes that include providing health information to another health care provider or as part of legal proceedings. The amount of inspection and copying of individually identifiable health information that occurs for these purposes is not expected to change as a result of the final regulation.

The final regulation establishes the right of individuals to inspect and copy protected health information about them. Although this is an important right, the Department does not expect it to result in dramatic increases in requests from individuals. We assume that most health care providers currently have procedures for allowing patients to inspect and copy this information. The economic impact on small businesses of requiring covered entities to provide individuals with access to protected health information should be relatively small. Moreover, entities can recoup the costs of copying such information by charging reasonable cost-based fees.

Amendments to Protected Health Information

Many health care providers and health plans currently make provisions to help patients expedite amendments and corrections of their medical record where appropriate. If an error exists, both the patient and the health care provider or health plan benefit from the correction. However, as with inspection and copying, a person's right to request amendment and correction of individually identifiable health information about them is not guaranteed by all states. Based on these assumptions, the Department concludes that the principal economic effect of the final rule will be to expand the right to request amendments to protected health information held by health plans and covered health care providers to those who are currently granted such right by state law. In addition, the rule may draw additional attention to the issue of record inaccuracies and stimulate patient demand for amendment of medical records.

Under the final regulation, if an individual requests an amendment to protected health information about him or her, the health care provider must either accept the amendment or provide the individual with the opportunity to submit a statement disagreeing with the denial. We expect the responses to requests will vary; sometimes an assistant will only make the appropriate notation in the record, requiring only a few minutes; other times a health care provider or manager will review the request and make changes if appropriate, which may require as much as an hour.

Unlike inspections, which currently occur in a small percentage of cases, fact-finding suggests that individuals rarely seek to amend their records today, but the establishment of this right in the rule may spur more requests, including among those who in the past would have only sought to inspect their records. Nevertheless, we expect that the absolute number of additional amendment requests caused by the rule will be small (about 200,000 per year spread over more than 600,000 entities), which will impose only a minor burden on small businesses.

Accounting for Disclosures

The rule grants individuals the right to receive an accounting of disclosures made by a health care provider or plan for purposes other than treatment, payment, or health care operations, with certain exceptions such as disclosures to the individual. The individual may request an accounting of disclosures made up to six years prior to the request. In order to fulfill such requests, covered health care providers and health plans may track disclosures by making a notation in the individual's medical record (manual or electronic) when a disclosure is made. We have learned through fact-finding that some health care providers currently track various types of disclosures. Moreover, the Department does not expect many individuals will request an accounting of disclosures. Thus, this requirement will impose a minor burden on small businesses.

De-Identification of Information

In this rule, the Department allows covered entities to determine that health information is de-identified (i.e., that it is not individually identifiable health information) if certain conditions are met. Moreover, information that has been de-identified in accordance with the rule is not considered individually identifiable information and may be used or disclosed without regard to the requirements of the regulation. The covered entity may assign a code or other means of record identification to allow de-identified information to be re-identified if requirements regarding derivation and security are met.

As with other components of this rule, the approach used to remove identifiers from data can be scaled to the size of the entity. Individually identifiable health information can be de-identified in one of two ways: by either removing each of the identifiers listed in the rule or by engaging in a statistical and scientific analysis to determine that the information is very unlikely to identify an individual. Small entities without the resources to conduct such an analysis can create de-identified information by removing the full list of possible identifiers set forth in this regulation. Unless the covered entity knows that the information could still identify an individual, the requirement of this rule would be fulfilled. However, larger, more sophisticated covered entities may choose to determine independently what information needs to be removed based on sophisticated statistical and scientific analysis.

Efforts to remove identifiers from information are optional. If a covered entity cannot use or disclose protected health information for a particular purpose but believes that removing identifiers is excessively burdensome, it can choose not to release the protected health information, or it can seek an authorization from individuals for the use or disclosure of protected health information including some or all of the identifiers.

Finally, as discussed in the Regulatory Impact Analysis, the Department believes that very few small entities engage in de-identification currently. Fewer small entities are expected to engage in such activity in the future because the increasing trend toward computerization of large record sets will result in de-identification being performed by relatively few firms or associations over time. We expect that a small covered entity will find it more efficient to contract with specialists in large firms to de-identify protected health information. Larger entities are more likely to have both the electronic systems and the volume of records that will make them attractive for this business.

Monitoring Business Associates

The final rule requires a covered entity with a business associate to have a written contract or other arrangement that documents satisfactory assurance that the business associate will appropriately safeguard protected health information. The Department expects business associate contracts to be fairly standardized, except for language that will have to be tailored to the specific arrangement between the parties, such as the allowable uses and disclosures of information. The Department assumes the standard language initially will be developed by trade and professional associations for their members. Small health care providers are likely to simply adopt the language or make minor modifications. The regulation includes a requirement that the covered entity take steps to correct, and in some cases terminate, a contract, if necessary, if they know of violations by a business associate. This oversight requirement is consistent with standard oversight of a contract. The Department expects that most entities, particularly smaller ones, will utilize standard language that restricts uses and disclosures of individually identifiable health information in their contracts with business associates. This will limit the burden on small businesses.

The NPRM proposed that covered entities be held accountable for the uses and disclosures of individually identifiable health information by their business associates. An entity would have been in violation of the rule if it knew of a breach in the contract by a business associate and failed to cure the breach or terminate the contract. The final rule reduces the extent to which an entity must monitor the actions of its business associates. The entity no longer has to "ensure" that each business associate complies with the rule's requirements. Entities will be required to cure a breach or terminate a contract for business associate actions only if they knew about a contract violation. The final rule is consistent with the oversight a business would provide for any contract, and therefore, the changes in the final rule will impose no new significant cost for small businesses in monitoring their business associates' behavior.

Employers With Insured Group Health Plans

Some group health plans will use or maintain individually identifiable health information, particularly group health plans that are self-insured. Also, some plan sponsors that perform administrative functions on behalf of their group health plans may need protected health information. The final rule permits a group health plan, or a health insurance issuer or HMO that provides benefits on behalf of the group health plan, to disclose protected health information to a plan sponsor who performs administrative functions on its behalf for certain purposes and if certain requirements are met. The plan documents must be amended to: describe the permitted uses and disclosures of protected health information by the plan sponsor; specify that disclosure is permitted only upon receipt of a certification by the plan sponsor that the plan documents have been amended and the plan sponsor agrees to certain restrictions on the use of protected health information; and provide for adequate firewalls to assure unauthorized personnel do not have access to individually identifiable health information.

Some plan sponsors may need information, not to administer the group health plan, but to amend, modify, or terminate the health plan. ERISA case law describes such activities as settlor functions. For example, a plan sponsor may want to change its contract from a preferred provider organization to a health maintenance organization (HMO). In order to obtain premium information, the health plan sponsor may need to provide the HMO with aggregate claims information. Under the rule, the health plan sponsor can obtain summary information with certain identifiers removed, in order to provide it to the HMO and receive a premium rate.

The Department assumes that most health plan sponsors who are small employers (those with 50 or fewer employees) will elect not to receive individually identifiable health information because they will have little, if any, need for such data. Any needs that sponsors of small group health plans may have for information can be accomplished by receiving the information in summary form from their health insurance issuers.

3. The Burden on a Typical Small Business

The Department expects small entities to face a cost burden as a result of complying with the proposed regulation. We estimate that the burden of developing privacy policies and procedures is lower in dollar terms for small businesses than for large businesses, but we recognize that the cost of implementing privacy provisions could be a larger burden to small entities as a proportion of total revenue. Due to these concerns, we have relied on the principle of scalability throughout the rule, and have based our cost estimates on the expectation that small entities will develop less expensive and less complex privacy measures that comply with the rule than large entities.

In many cases, we have specifically considered the impact that the rule may have on solo practitioners or rural health care providers. If a health care provider only maintains paper records and does not engage in any electronic transactions, the regulation would not apply to such provider. We assume that those providers will be small health care providers. For small health care providers that are covered health care providers, we expect that they will not be required to change their business practices dramatically, because we based many of the standards, implementation specifications, and requirements on current practice and we have taken a flexible approach to allow scalability based on a covered entity's activities and size. In developing policies and procedures to comply with the proposed regulation, scalability allows entities to consider their basic functions and the ways in which protected health information is used or disclosed. All covered entities must take appropriate steps to address privacy concerns, and in determining the scope and extent of their compliance activities, businesses should weigh the costs and benefits of alternative approaches and should scale their compliance activities to their structure, functions, and capabilities within the requirements of the rule.

Cost Assumptions

To determine the cost burden to small businesses of complying with the final rule, we used as a starting point the overall cost of the regulation determined in the regulatory impact analysis (RIA). Then we adopted a methodology that apportions the costs found in the RIA to small business by using the Census Bureau's Statistics of U.S. Businesses. This Census Bureau survey contains data on the number and proportion of establishments, by Standard Industrial Classification Code (SIC code), that have revenues of less than $5 million, which meets the Small Business Administration's definition of a small business in the health care sector. This data permitted us to calculate the proportion of the cost of each requirement in the rule that is attributable to small businesses. The methodology used for the regulatory flexibility analysis (RFA) section is therefore based on the methodology used in the RIA, which was discussed earlier.

The businesses accounted for in the SIC codes contain three groups of covered entities: non-hospital health care providers, hospitals, and health plans. Non-hospital health care providers include: drug stores; offices and clinics of doctors, dentists, osteopaths, and other health practitioners; nursing and personal care facilities; medical and dental laboratories; home health care services; miscellaneous health and allied services; and medical equipment rental and leasing establishments. Health plans include accident and health insurance and medical service plans.

Data Adjustments

Several adjustments were made to the SIC code data to more accurately determine the cost to small and non-profit businesses. For health plans (SIC code 6320), we adjusted the SIC data to include self-insured, self-administered health plans because these health plans are not included in any SIC code, though they are covered entities under the rule. Similarly, we have added third-party administrators (TPAs) into this SIC. Although they are not covered entities, TPAs are likely to be business associates of covered entities. For purposes of the regulatory analyses, we have assumed that TPAs would bear many of the same costs as the health plans to assure compliance for the covered entity. To make this adjustment, we assumed the self-insured/self-administered health plans and TPAs have the average revenue of the health plans contained in the SIC code, and then added those assumed revenues to the SIC code and to the total of all health care expenditures. Moreover, we needed to account for the cost to non-profit institutions that might receive more than $5 million in revenue, because all non-profit institutions are small businesses regardless of revenue. To make this adjustment for hospitals, nursing homes, and home health agencies, we used data on the number of non-profit institutions from industry sources and from data reported to HCFA. With this data, we assumed the current count of establishments in the SIC codes includes these non-profit entities and that non-profits have the same distribution of revenues as all establishments reported in the applicable SIC codes. The proportions discussed below, which determine the cost for small business, therefore include these non-profit establishments in SIC codes 8030, 8060, and 8080.

The SIC code tables provided in this RFA do not include several categories of businesses that are included in the total cost to small businesses. Claims clearinghouses are not included in the table because claims clearinghouses report their revenues under SIC 7374, "Computer Processing and Data Preparation," and the vast majority of businesses in this SIC code are involved in non-medical claims data processing. In addition, claims processing is often just one business line of companies that may be involved in multiple forms of data processing, and therefore, even if the claims processing line of the business generates less than $5 million in revenue, the company in total may exceed the SBA definition for a small business (the total firm revenue, not each line of business, is the standard for inclusion). Similarly, fully-insured ERISA health plans sponsored by employers are not identified as a separate category in the SIC code tables because employers in virtually all SIC codes may sponsor fully-insured health plans. We have identified the cost for small fully-insured ERISA health plans by using the Department of Labor definition of a small ERISA plan, which is a plan with fewer than 100 insured participants. Using this definition, the initial cost for small fully-insured ERISA health plans is $7.1 million. Finally, Institutional Review Boards (IRBs) will not appear in a separate SIC code because IRBs are not "businesses"; rather, they are committees of researchers who work for institutions where medical research is conducted, such as universities or teaching hospitals. IRB members usually serve as a professional courtesy or as part of their employment duties and are not paid separately for their IRB duties. Although IRBs are not "businesses" that generate revenues, we have treated them as small businesses for illustrative purposes in this RFA to demonstrate the additional opportunity costs that will be faced by those researchers who sit on IRBs. Therefore, assuming IRBs are small businesses, the initial costs are $.089 million and ongoing costs are approximately $84.2 million over 9 years.

The Cost Model Methodology

The RIA model employs two basic methodologies to determine the costs to small businesses that are covered entities. As stated above, the RFA determines the cost to small businesses by apportioning the total costs in the RIA using SIC code data. In places where the cost of a given provision of the final rule is a function of the number of covered entities, we determined the proportion of entities in each SIC code that have less than $5 million in revenues (see Table A). We then multiplied this proportion by the per-entity cost estimate of a given provision as determined in the RIA. For example, the cost of the privacy official provision is based on the fact that each covered entity will need to have a privacy official. Therefore, we multiplied the total cost of the privacy official, as determined in the RIA, by the proportion of small businesses in each SIC code to determine the small business cost. Using hospitals for illustrative purposes, because small and non-profit hospitals account for 50 percent of all hospitals, our methodology assigned 50 percent of the cost to small hospitals.

We used a second, though similar, method when the cost of a given provision in the RIA did not depend on the number of covered entities. For example, the requirement to provide notice of the privacy policy is a direct function of the number of patients in the health care system because the actual number of notices distributed depends on how many patients are seen. Therefore, for provisions like the notice requirement, we used SIC code revenue data in a two-step process. First, we apportioned the cost of each provision among sectors of the health care industry by SIC code. For example, because hospital revenue accounts for 27 percent of all health care revenue, we multiplied the total cost of each such provision by 27 percent to determine the cost for the hospital sector in total. Then, to determine the cost for small hospitals specifically, we calculated their proportion of the overall sector cost. For example, 45.1 percent of all hospital revenue is generated by small hospitals; therefore, the cost to small hospitals was assumed to account for 45.1 percent of all hospital costs. Estimates, by nature, are inexact. However, we feel this is a reasonable way to determine the small business costs attributable to this regulation given the limited data from which to work.

Total Costs and Costs Per Establishment for Small Business

Based on the methodology described above, the total cost of complying with the final rule in the initial year of 2003 is $1.9 billion. The ongoing costs to small business from 2004 to 2012 are $9.3 billion. Table C presents the initial and ongoing costs to small business by each SIC code. According to this table, small doctors' offices, small dentists' offices and small hospitals will face the highest cost of complying with the final rule.

However, much of the reason for the higher costs faced by these three groups of small health care providers is explained by the fact that there are a significant number of health care providers in these categories.

BILLING CODE 4150–04–P


On a per-establishment basis, Table D demonstrates that the average cost for small business of complying with the proposed rule in the first year is $4,188 per establishment. The ongoing costs of privacy compliance are approximately $2,217 each year thereafter. We estimate that the average cost of compliance in the first year for each small non-hospital health care provider is approximately 0.6 percent of per-establishment revenues. In subsequent years, per-establishment costs are about 0.3 percent of per-establishment revenues. For small hospitals and health plans, the per-establishment cost of compliance in the first year is 0.2 percent and 6.3 percent of per-establishment revenues respectively. For subsequent years, the cost is only 0.1 percent and 2.9 percent of per-establishment revenues respectively. These costs may be offset in many firms by the savings realized through requirements of the Transactions Rule.


Table E shows the cost to each SIC code of the major cost items of the final rule. Listed are the top five most costly provisions of the rule (to small business) and then the cost of all other remaining provisions. The costs of the most expensive five provisions represent 90 percent of the ongoing costs to small business, while the remaining provisions represent only 7 percent.


Table E.—Average Annual Ongoing Cost to Small Business of Implementing Provisions of the Privacy Regulation, After the First Year 1


VI. Unfunded Mandates

The Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4) requires cost-benefit and other analyses for rules that would cost more than $100 million in a single year. The rule qualifies as a significant rule under the statute. The Department has carried out the cost-benefit analysis in sections D and E of this document, which includes a discussion of unfunded costs to state and local governments resulting from this regulation. In developing this regulation, the Department adopted the least burdensome alternatives, consistent with achieving the rule’s goals.

A. Future Costs

The Department estimates some of the future costs of the rule in Section E of the Preliminary Regulatory Impact Analysis of this document. The estimates made include costs for the ten years after the effective date. As discussed in section E, state and local government costs will be in the order of $460 million in 2003 and $2.4 billion over ten years. Estimates for later years are not practical. The changes in technology are likely to alter the nature of medical record-keeping, and the uses of medical data are likely to vary dramatically over this period. Therefore, any estimates for years beyond 2012 are not feasible.

B. Particular Regions, Communities, or Industrial Sectors

The rule applies to the health care industry and would, therefore, affect that industry disproportionately. Any long-run increase in the costs of health care services would largely be passed on to the entire population of consumers. However, as discussed in the administrative implication regulation, the Transactions Rule is estimated to save the health care industry nearly $30 billion over essentially the same time period. This more than offsets the costs of the Privacy Rule; indeed, as discussed above, the establishment of consistent, national standards for the protection of medical information is essential to fully realize the savings from electronic transactions standards and other advances that may be realized through ‘‘e-health’’ over the next decade. Without strong privacy rules, patients and providers may be very reluctant to fully participate in electronic and e-health opportunities.

C. National Productivity and Economic Growth

The rule is not expected to substantially affect productivity or economic growth. It is possible that productivity and growth in certain sectors of the health care industry could be slightly lower than otherwise because of the need to divert research and development resources to compliance activities. The diversion of resources to compliance activities would be temporary. Moreover, the Department anticipates that, because the benefits of privacy are large, both productivity and economic growth would be higher than in the absence of the final rule. In section I.A. of this document, the Department discusses its expectation that this rule will increase communication among consumers, health plans, and providers and that implementation of privacy protections will lead more people to seek health care. The increased health of the population will lead to increased productivity and economic growth.

D. Full Employment and Job Creation

Some of the human resources devoted to the delivery of health care services will be redirected by the rule. The rule could lead to some short-run changes in employment patterns as a result of the structural changes within the health care industry. The growth of employment (job creation) for the roles typically associated with the health care profession could also temporarily change but be balanced by an increased need for those who can assist entities with complying with this rule. Therefore, while there could be a temporary slowing of growth in traditional health care professions, that will be offset by a temporary increase in growth in fields that may assist with compliance with this rule (e.g., worker training and management consultants).

E. Exports

Because the rule does not mandate any changes in products, current export products will not be required to change in any way.

The Department consulted with state and local governments, and Tribal governments. See sections X and XI, below.

VII. Environmental Impact

The Department has determined under 21 CFR 25.30(k) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

VIII. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 30-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

• Whether the information collection is necessary and useful to carry out the proper functions of the agency;

• The accuracy of the agency’s estimate of the information collection burden;

• The quality, utility, and clarity of the information to be collected; and

• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. Due to the complexity of this regulation, and to avoid redundancy of effort, we are referring readers to Section V (Final Regulatory Impact Analysis) above, to review the detailed cost assumptions associated with these PRA requirements. We explicitly seek, and will consider, public comment on our assumptions as they relate to the PRA requirements summarized in this section.

Section 160.204—Process for Requesting Exception Determinations

Section 160.204 would require persons requesting to except a provision of state law from preemption under § 160.203(a) to submit a written request, that meets the requirements of this section, to the Secretary to except a provision of state law from preemption under § 160.203. The burden associated with these requirements is the time and effort necessary for a state to prepare and submit the written request for an exception determination to the Secretary for approval. On an annual basis it is estimated that it will take 40 states 16 hours each to prepare and submit a request. The total annual burden associated with this requirement is 640 hours. The Department solicits public comment on the number of requests and hours for others likely to submit requests.

Section 160.306—Complaints to the Secretary

A person who believes that a covered entity is not complying with the applicable requirements of part 160 or the applicable standards, requirements, and implementation specifications of Subpart E of part 164 of this subchapter may file a complaint with the Secretary. This requirement is exempt from the PRA as stipulated under 5 CFR 1320.4(a)(2), an audit/administrative action exemption.

Section 160.310—Responsibilities of Covered Entities

A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164. Refer to § 164.530 for discussion.

Section 164.502—Uses and Disclosures of Protected Health Information: General Rules

A covered entity is permitted to disclose protected health information to an individual, and is required to provide an individual with access to protected health information, in accordance with the requirements set forth under § 164.524. Refer to § 164.524 for discussion.

Section 164.504—Uses and Disclosures—Organizational Requirements

Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for treatment purposes, § 164.504 requires a covered entity to maintain documentation demonstrating that it meets the requirements set forth in this section and to demonstrate that it has obtained satisfactory assurance from business associates that meet the requirements of this part with each of its business associates. The burden is 5 minutes per entity times an annual average of 764,799 entities for a total burden of 63,733 burden hours.

Section 164.506—Consent for Treatment, Payment, and Health Care Operations

Except in certain circumstances, a covered health care provider that has a direct treatment relationship must obtain an individual’s consent for use or disclosure of protected health information for treatment, payment, or health care operations. While this requirement is subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

Section 164.508—Uses and Disclosures for Which Individual Authorization Is Required

Under this section, a covered entity will need to obtain a written authorization from an individual before it uses or discloses protected health information of the individual if the use or disclosure is not otherwise permitted or required under the rule without authorization. The burden associated with these requirements is the time and effort necessary for a covered entity to obtain written authorization prior to the disclosure of individually identifiable health information. On an annual basis, we estimate that it will take 764,799 entities an annual average burden per entity of one hour, for a total annual burden of 764,799 burden hours.

Section 164.510—Uses and Disclosures Requiring an Opportunity for the Individual To Agree or To Object

Section 164.510 allows, but does not require, covered entities to use or disclose protected health information: (1) for health care institutions, directories; and (2) to family members, close friends, or other persons assisting in an individual’s care, as well as government agencies and disaster relief organizations conducting disaster relief activities. This section of the rule addresses situations in which the interaction between the covered entity and the individual is relatively informal, and agreements may be made orally, without written authorizations for use or disclosure. In general, to disclose protected health information for these purposes, covered entities must inform individuals in advance and must provide a meaningful opportunity for the individual to prevent or restrict the disclosure. In certain circumstances, such as in an emergency, when this informal discussion cannot practicably occur, covered entities can make decisions about disclosure or use, in accordance with the requirements of this section, based on their professional judgment of what is in the patient’s best interest. While these provisions are subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

Section 164.512—Uses and Disclosures for Which Consent, Individual Authorization, or Opportunity To Agree or Object Is Not Required

Section 164.512 includes provisions that allow, but that do not require, covered entities to disclose protected health information without individual authorization for a variety of purposes which represent important national priorities. Pursuant to § 164.512, covered entities may disclose protected health information for specified purposes as follows: as required by law; for public health activities; to public officials regarding victims of abuse, neglect, or domestic violence; for health oversight; for judicial and administrative proceedings; for law enforcement; for specified purposes regarding decedents; for organ donation and transplantation; for research; to avert an imminent threat to health or safety; for specialized government functions (such as for intelligence and national security activities); and to comply with workers’ compensation laws. While these provisions are subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

For research, if a covered entity wants to use or disclose protected health information without individual authorization, it must obtain documentation that a waiver, in whole or in part, of the individual authorization required by § 164.508 for use or disclosure of protected health information has been approved by either an Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or a privacy board. The burden associated with these requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have obtained IRB or privacy board approval, which meet the requirements of this section. On an annual basis it is estimated that these requirements will affect 113,524 IRB reviews. We further estimate that it will take an average of 5 minutes per review to meet these requirements on an annual basis. Therefore, the total estimated annual burden associated with this requirement is 9,460 hours.

Section 164.514—Other Procedural Requirements Relating to Uses and Disclosures of Protected Health Information

Prior to any disclosure permitted by this subpart, a covered entity must verify the identity and authority of persons requesting protected health information, if the identity or authority of such person is not known to the covered entity, and obtain any documentation, statements, or representations from the person requesting the protected health information that is required as a condition of the disclosure. In addition, a covered entity must retain any signed consent pursuant to § 164.506 and any signed authorization pursuant to § 164.508 for documentation purposes as required by § 164.530(j). This requirement is exempt from the PRA as stipulated under 5 CFR 1320.4(a)(1) and (1)(2).

Section 164.520—Notice of Privacy Practices for Protected Health Information

Except in certain circumstances set forth in this section, individuals have a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information. To comply with this requirement a covered entity must provide a notice, written in plain language, that includes the elements set forth in this section. For health plans, there will be an average of 160.2 million notices each year. We assume that the most efficient means of distribution for health plans will be to send them out annually as part of the materials they send to current and potential enrollees, even though it is not required by the regulation. The number of notices per health plan per year would be about 10,570. We further estimate that it will require each health plan, on average, only 10 seconds to disseminate each notice. The total annual burden associated with this requirement is calculated to be 267,000 hours. Health care providers with direct treatment relationships would provide a copy of the notice to an individual at the time of first service delivery to the individual, make the notice available at the service delivery site for individuals to request and take with them, whenever the content of the notice is revised, make the notice available upon request and post the notice, if required by this section, and post a copy of the notice in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice. The annual number of notices disseminated by all providers is 613 million. We further estimate that it will require each health provider, on average, 10 seconds to disseminate each notice. This estimate is based upon the assumption that the required notice will be incorporated into and disseminated with other patient materials. The total annual burden associated with this requirement is calculated to be 1 million hours.

In addition, a covered entity must document compliance with the notice requirements by retaining copies of the notices issued by the covered entity. Refer to § 164.530 for discussion.

Section 164.522—Rights To Request Privacy Protection for Protected Health Information

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of health plan or health care provider, we are explicitly soliciting comment on the burden associated with the following requirements: as outlined and required by this section, covered entities must provide individuals with the opportunity to request restrictions related to the uses or disclosures of protected health information for treatment, payment, or health care operations. In addition, covered entities must accommodate requests for confidential communications in certain situations.

Section 164.524—Access of Individuals to Protected Health Information

As set forth in this section, covered entities must provide individuals with access to inspect and obtain a copy of protected health information about them in designated record sets, for so long as the protected health information is maintained in the designated record sets. This includes such information in a business associate’s designated record set that is not a duplicate of the information held by the health care provider or health plan for so long as the information is maintained. Where the request is denied in whole or in part, the covered entity must provide the individual with a written statement of the basis for the denial and a description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.530 or to the Secretary pursuant to the procedures established in § 160.306 of this subpart. In certain cases, the covered entity must provide the individual the opportunity to have another health care professional review the denial. Pursuant to public comment, we estimate that each disclosure will contain 31 pages and that 150,000 disclosures will be made on an annual basis at three minutes per disclosure for a total burden of 7,500 hours. Refer to section V.E. for detailed discussion related to the costs associated with meeting these requirements.

Section 164.526—Amendment of Protected Health Information

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of health plan or health care provider, we are explicitly soliciting comment on the burden associated with the following requirements: Individuals have the right to request amendment of protected health information about them in designated record sets created by a covered entity. Where the request is denied, a covered entity must provide the individual with a written statement of the basis for the denial and an explanation of how the individual may pursue the matter, including how to file a complaint with the Secretary pursuant to § 160.306 of this subpart. As appropriate, a covered entity must identify the protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the covered entity’s denial of the request, the individual’s statement of disagreement, if any, and the covered entity’s rebuttal, if any, to the designated record set.

Section 164.528—Accounting for Disclosures of Protected Health Information

Based upon public comment it is assumed that it will take 5 minutes per request times 1,081,000 requests for an annual burden of 90,083 hours. An individual may request that a covered entity provide an accounting for disclosure for a period of time less than six years from the date of the individual’s request, as outlined in this section.

Section 164.530—Administrative Requirements

A covered entity must maintain such policies and procedures in written or electronic form where policies or procedures with respect to protected health information are required by this subpart. Where a communication is required by this subpart to be in writing, a covered entity must maintain such writing, or an electronic copy, as documentation; and where an action or activity is required by this subpart to be documented, it must maintain a written or electronic record of such action or activity. While these requirements are subject to the PRA, we believe the burden associated with these requirements is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).


We have submitted a copy of this rule to OMB for its review of the information collection requirements in §§ 160.204, 160.306, 160.310, 164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524, 164.526, 164.528, and Sec. 164.530. These requirements are not effective until they have been approved by OMB. If you comment on any of these information collection and record keeping requirements, please mail copies directly to the following: Health Care Financing Administration, Office of Information Services, Division of HCFA Enterprise Standards, Room N2–14–26, 7500 Security Boulevard, Baltimore, MD 21244–1850. ATTN: John Burke and to the Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503. ATTN: Allison Herron Eydt, HCFA Desk Officer.

IX. Executive Order 13132: Federalism

The Department has examined the effects of provisions in the final privacy regulation on the relationship between the federal government and the states, as required by Executive Order 13132 on ‘‘Federalism.’’ Our conclusion is that the final rule does have federalism implications because the rule has substantial direct effects on states, on the relationship between the national government and states, and on the distribution of power and responsibilities among the various levels of government. The federalism implications of the rule, however, flow from, and are consistent with, the underlying statute. The statute allows us to preempt state or local rules that provide less stringent privacy protection requirements than federal law, which is consistent with this Executive Order. Overall, the final rule attempts to balance both the autonomy of the states with the necessity to create a federal benchmark to preserve the privacy of personally identifiable health information.

It is recognized that the states generally have laws that relate to the privacy of individually identifiable health information. The HIPAA statute dictates the relationship between state law and this final rule. Except for laws that are specifically exempted by the HIPAA statute, state laws continue to be enforceable, unless they are contrary to Part C of Title XI of the standards, requirements, or implementation specifications adopted or pursuant to subpart x. However, under section 264(c)(2), not all contrary provisions of state privacy laws are preempted; rather, the law provides that contrary provisions of state law relating to the privacy of individually identifiable health information that are also ‘‘more stringent’’ than the federal regulatory requirements or implementation specifications will continue to be enforceable.

Section 3(b) of Executive Order 13132 recognizes that national action limiting the policymaking discretion of states will be imposed ‘‘* * * only where there is constitutional and statutory authority for the action and the national activity is appropriate in light of the presence of a problem of national significance.’’ Personal privacy issues are widely identified as a national concern by virtue of the scope of interstate health commerce. HIPAA’s provisions reflect this position. HIPAA attempts to facilitate the electronic exchange of financial and administrative health plan transactions while recognizing challenges that local, national, and international information sharing raise to confidentiality and privacy of health information.

Section 3(d)(2) of the Executive Order 13132 requires the federal government defer to the states to establish standards where possible. HIPAA requires the Department to establish standards, and we have done so accordingly. This approach is a key component of the final Privacy Rule, and it adheres to section 4(a) of Executive Order 13132, which expressly contemplates preemption when there is a conflict between exercising state and federal authority under federal statute. Section 262 of HIPAA enacted Section 1178 of the Social Security Act, developing a ‘‘general rule’’ that state laws or provisions that are contrary to the provisions or requirements of Part C of Title XI, or the standards or implementation specifications adopted, or established thereunder are preempted. Several exceptions to this rule exist, each of which is designed to maintain a high degree of state autonomy.

Moreover, section 4(b) of the Executive Order authorizes preemption of state law in the federal rule making context when ‘‘the exercise of state authority directly conflicts with the exercise of federal authority under federal statute * * *.’’ Section 1178(a)(2)(B) of HIPAA specifically preempts state laws related to the privacy of individually identifiable health information unless the state law is more stringent. Thus, we have interpreted state and local laws and regulations that would impose less stringent requirements for protection of individually identifiable health information as undermining the agency’s goal of ensuring that all patients who receive medical services are assured a minimum level of personal privacy. Particularly where the absence of privacy protection undermines an individual’s access to health care services, both the personal and public interest is served by establishing federal rules.

The final rule would establishnational minimum standards withrespect to the collection, maintenance,access, use, and disclosure ofindividually identifiable healthinformation. The federal law willpreempt state law only where state andfederal laws are ‘‘contradictory’’ and thefederal regulation is judged to establish‘‘more stringent’’ privacy protectionsthan state laws.

As required by the previous ExecutiveOrder (E.O. 13132), states and localgovernments were given, through thenotice of proposed rule making, anopportunity to participate in theproceedings to preempt state and locallaws (section 4(e)). The Secretary alsoprovided a review of preemption issuesupon requests from states. In addition,anticipating the promulgation of theExecutive Order, appropriate officialsand organizations were consulted beforethis proposed action is implemented(Section 3(a) of Executive Order 13132).

The same section also includes somequalitative discussion of costs thatwould occur beyond that time period.Most of the costs of proposed rule,however, would occur in the yearsimmediately after the publication of afinal rule. Future costs beyond the tenyear period will continue but will not beas great as the initial compliance costs.

Finally, we have considered the costburden that this proposed rule wouldimpose on state and local health careprograms, such as Medicaid, countyhospitals, and other state health benefitsprograms. As discussed in Section E ofthe Regulatory Impact Analysis of thisdocument, we estimate state and localgovernment costs will be in the order of$460 million in 2003 and $2.4 billionover ten years.

The agency concludes that the policyin this final document has been assessedin light of the principles, criteria, andrequirements in Executive Order 13132;that this policy is not inconsistent withthat Order; that this policy will notimpose significant additional costs andburdens on the states; and that thispolicy will not affect the ability of thestates to discharge traditional stategovernmental functions.

During our consultation with the states, representatives from various state agencies and offices expressed concern that the final regulation would preempt all state privacy laws. As explained in this section, the regulation would only preempt state laws where there is a direct conflict between state laws and the regulation, and where the regulation provides more stringent privacy protection than state law. We discussed this issue during our consultation with state representatives, who generally accepted our approach to the preemption issue. During the consultation, we requested further information from the states about whether they currently have laws requiring that providers have a ‘‘duty to warn’’ family members or third parties about a patient’s condition other than in emergency circumstances. Since the consultation, we have not received additional comments or questions from the states.

X. Executive Order 13086; Consultation and Coordination With Indian Tribal Governments

In drafting the proposed rule, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as with a representative of the self-governance Tribes. During the consultation, we discussed issues regarding the application of Title II of HIPAA to the Tribes, and potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. Participants raised questions about the status of Tribal laws regarding the privacy of health information.

List of Subjects

45 CFR Part 160

Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, Medical research, Medicare, Privacy, Reporting and recordkeeping requirements.

45 CFR Part 164

Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, Medical research, Medicare, Privacy, Reporting and recordkeeping requirements.

Note to reader: This final rule is one of several proposed and final rules that are being published to implement the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. 45 CFR subchapter C, consisting of Parts 160 and 162, was added at 65 FR 50365, Aug. 17, 2000. Part 160 consists of general provisions, Part 162 consists of the various administrative simplification regulations relating to transactions and identifiers, and new Part 164 consists of the regulations implementing the security and privacy requirements of the legislation.

Dated: December 19, 2000.
Donna Shalala,
Secretary.

For the reasons set forth in the preamble, 45 CFR Subtitle A, Subchapter C, is amended as follows:

1. Part 160 is revised to read as follows:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

Subpart A—General Provisions

160.101 Statutory basis and purpose.
160.102 Applicability.
160.103 Definitions.
160.104 Modifications.

Subpart B—Preemption of State Law

160.201 Applicability.
160.202 Definitions.
160.203 General rule and exceptions.
160.204 Process for requesting exception determinations.
160.205 Duration of effectiveness of exception determinations.

Subpart C—Compliance and Enforcement

160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance reviews.

Authority: Sec. 1171 through 1179 of the Social Security Act, (42 U.S.C. 1320d–1329d–8) as added by sec. 262 of Pub. L. 104–191, 110 Stat. 2021–2031 and sec. 264 of Pub. L. 104–191 (42 U.S.C. 1320d–2(note)).

Subpart A—General Provisions

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171 through 1179 of the Social Security Act (the Act), as added by section 262 of Public Law 104–191, and section 264 of Public Law 104–191.

§ 160.102 Applicability.

(a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities:

(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

(b) To the extent required under section 201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. 104–191), nothing in this subchapter shall be construed to diminish the authority of any Inspector General, including such authority as provided in the Inspector General Act of 1978, as amended (5 U.S.C. App.).

§ 160.103 Definitions.

Except as otherwise provided, the following definitions apply to this subchapter:

Act means the Social Security Act.

ANSI stands for the American National Standards Institute.

Business associate: (1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.

(3) A covered entity may be a business associate of another covered entity.

Compliance date means the date by which a covered entity must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.

Covered entity means:

(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Group health plan (also see definition of health plan in this section) means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg–91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:

(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or

(2) Is administered by an entity other than the employer that established and maintains the plan.

HCFA stands for Health Care Financing Administration within the Department of Health and Human Services.

HHS stands for the Department of Health and Human Services.

Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘‘value-added’’ networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health information means any information, whether oral or recorded in any form or medium, that:

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg–91(b)(2) and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

Health maintenance organization (HMO) (as defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg–91(b)(3) and used in the definition of health plan in this section) means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.

Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg–91(a)(2)).

(1) Health plan includes the following, singly or in combination:

(i) A group health plan, as defined in this section.

(ii) A health insurance issuer, as defined in this section.

(iii) An HMO, as defined in this section.

(iv) Part A or Part B of the Medicare program under title XVIII of the Act.

(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.

(vi) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.

(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(ix) The health care program for active military personnel under title 10 of the United States Code.

(x) The veterans health care program under 38 U.S.C. chapter 17.

(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).

(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.

(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.

(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.

(xv) The Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w–21 through 1395w–28.

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.

(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg–91(a)(2)).

(2) Health plan excludes:

(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg–91(c)(1); and

(ii) A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or


(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

Implementation specification means specific requirements or instructions for implementing a standard.

Modify or modification refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification.

Secretary means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Small health plan means a health plan with annual receipts of $5 million or less.

Standard means a rule, condition, or requirement:

(1) Describing the following information for products, systems, services or practices:

(i) Classification of components.
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or

(2) With respect to the privacy of individually identifiable health information.

Standard setting organization (SSO) means an organization accredited by the American National Standards Institute that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part.

State refers to one of the following:

(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.

(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam.

Trading partner agreement means an agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

§ 160.104 Modifications.

(a) Except as provided in paragraph (b) of this section, the Secretary may adopt a modification to a standard or implementation specification adopted under this subchapter no more frequently than once every 12 months.

(b) The Secretary may adopt a modification at any time during the first year after the standard or implementation specification is initially adopted, if the Secretary determines that the modification is necessary to permit compliance with the standard or implementation specification.

(c) The Secretary will establish the compliance date for any standard or implementation specification modified under this section.

(1) The compliance date for a modification is no earlier than 180 days after the effective date of the final rule in which the Secretary adopts the modification.

(2) The Secretary may consider the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification.

(3) The Secretary may extend the compliance date for small health plans, as the Secretary determines is appropriate.

Subpart B—Preemption of State Law

§ 160.201 Applicability.

The provisions of this subpart implement section 1178 of the Act, as added by section 262 of Public Law 104–191.

§ 160.202 Definitions.

For purposes of this subpart, the following terms have the following meanings:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1) A covered entity would find it impossible to comply with both the State and federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104–191, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or

(ii) To the individual who is the subject of the individually identifiable health information.

(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.

(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.


(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

§ 160.203 General rule and exceptions.

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:

(a) A determination is made by the Secretary under § 160.204 that the provision of State law:

(1) Is necessary:

(i) To prevent fraud and abuse related to the provision of or payment for health care;

(ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;

(iii) For State reporting on health care delivery or costs; or

(iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or

(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

(b) The provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

§ 160.204 Process for requesting exception determinations.

(a) A request to except a provision of State law from preemption under § 160.203(a) may be submitted to the Secretary. A request by a State must be submitted through its chief elected official, or his or her designee. The request must be in writing and include the following information:

(1) The State law for which the exception is requested;

(2) The particular standard, requirement, or implementation specification for which the exception is requested;

(3) The part of the standard or other provision that will not be implemented based on the exception or the additional data to be collected based on the exception, as appropriate;

(4) How health care providers, health plans, and other entities would be affected by the exception;

(5) The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification, including how the State law meets one or more of the criteria at § 160.203(a); and

(6) Any other information the Secretary may request in order to make the determination.

(b) Requests for exception under this section must be submitted to the Secretary at an address that will be published in the Federal Register. Until the Secretary’s determination is made, the standard, requirement, or implementation specification under this subchapter remains in effect.

(c) The Secretary’s determination under this section will be made on the basis of the extent to which the information provided and other factors demonstrate that one or more of the criteria at § 160.203(a) has been met.

§ 160.205 Duration of effectiveness of exception determinations.

An exception granted under this subpart remains in effect until:

(a) Either the State law or the federal standard, requirement, or implementation specification that provided the basis for the exception is materially changed such that the ground for the exception no longer exists; or

(b) The Secretary revokes the exception, based on a determination that the ground supporting the need for the exception no longer exists.

Subpart C—Compliance and Enforcement

§ 160.300 Applicability.

This subpart applies to actions by the Secretary, covered entities, and others with respect to ascertaining the compliance by covered entities with and the enforcement of the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

§ 160.302 Definitions.

As used in this subpart, terms defined in § 164.501 of this subchapter have the same meanings given to them in that section.

§ 160.304 Principles for achieving compliance.

(a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

(b) Assistance. The Secretary may provide technical assistance to covered entities to help them comply voluntarily with the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

§ 160.306 Complaints to the Secretary.

(a) Right to file a complaint. A person who believes a covered entity is not complying with the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter may file a complaint with the Secretary.

(b) Requirements for filing complaints. Complaints under this section must meet the following requirements:

(1) A complaint must be filed in writing, either on paper or electronically.

(2) A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of this part 160 or the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.


(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

(c) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged acts or omissions concerning compliance.

§ 160.308 Compliance reviews.

The Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

§ 160.310 Responsibilities of covered entities.

(a) Provide records and compliance reports. A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

(b) Cooperate with complaint investigations and compliance reviews. A covered entity must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of a covered entity to determine whether it is complying with the applicable requirements of this part 160 and the standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.

(c) Permit access to information. (1) A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity must permit access by the Secretary at any time and without notice.

(2) If any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information.

(3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter, or if otherwise required by law.

§ 160.312 Secretarial action regarding complaints and compliance reviews.

(a) Resolution where noncompliance is indicated. (1) If an investigation pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates a failure to comply, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant, in writing and attempt to resolve the matter by informal means whenever possible.

(2) If the Secretary finds the covered entity is not in compliance and determines that the matter cannot be resolved by informal means, the Secretary may issue to the covered entity and, if the matter arose from a complaint, to the complainant written findings documenting the noncompliance.

(b) Resolution when no violation is found. If, after an investigation or compliance review, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant in writing.

2. A new Part 164 is added to read as follows:

PART 164—SECURITY AND PRIVACY

Subpart A—General Provisions

Sec.
164.102 Statutory basis.
164.104 Applicability.
164.106 Relationship to other parts.

Subparts B–D—[Reserved]

Subpart E—Privacy of Individually Identifiable Health Information

164.500 Applicability.
164.501 Definitions.
164.502 Uses and disclosures of protected health information: General rules.
164.504 Uses and disclosures: Organizational requirements.
164.506 Consent for uses or disclosures to carry out treatment, payment, and health care operations.
164.508 Uses and disclosures for which an authorization is required.
164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
164.514 Other requirements relating to uses and disclosures of protected health information.
164.520 Notice of privacy practices for protected health information.
164.522 Rights to request privacy protection for protected health information.
164.524 Access of individuals to protected health information.
164.526 Amendment of protected health information.
164.528 Accounting of disclosures of protected health information.
164.530 Administrative requirements.
164.532 Transition requirements.
164.534 Compliance dates for initial implementation of the privacy standards.

Authority: 42 U.S.C. 1320d–2 and 1320d–4, sec. 264 of Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2(note)).

Subpart A—General Provisions

§ 164.102 Statutory basis.

The provisions of this part are adopted pursuant to the Secretary’s authority to prescribe standards, requirements, and implementation standards under part C of title XI of the Act and section 264 of Public Law 104–191.

§ 164.104 Applicability.

Except as otherwise provided, the provisions of this part apply to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act.

§ 164.106 Relationship to other parts.

In complying with the requirements of this part, covered entities are required to comply with the applicable provisions of parts 160 and 162 of this subchapter.

Subpart B–D—[Reserved]

Subpart E—Privacy of Individually Identifiable Health Information

§ 164.500 Applicability.

(a) Except as otherwise provided herein, the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to protected health information.

(b) Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:

(1) When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:

(i) Section 164.500 relating to applicability;

(ii) Section 164.501 relating to definitions;

(iii) Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;

(iv) Section 164.504 relating to the organizational requirements for covered entities, including the designation of health care components of a covered entity;

(v) Section 164.512 relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;

(vi) Section 164.532 relating to transition requirements; and

(vii) Section 164.534 relating to compliance dates for initial implementation of the privacy standards.

(2) When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.

(c) The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.

§ 164.501 Definitions.

As used in this subpart, the following terms have the following meanings:

Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.

Covered functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.

Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

Designated record set means:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;

(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.

(iii) Resolution of internal grievances;

(iv) Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and

(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).

Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Indirect treatment relationship means a relationship between an individual and a health care provider in which:

(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and

(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Individual means the person who is the subject of protected health information.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Inmate means a person incarcerated in or otherwise confined to a correctional institution.

Law enforcement official means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:

(1) Investigate or conduct an official inquiry into a potential violation of law; or

(2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Marketing means to make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.

(1) Marketing does not include communications that meet the requirements of paragraph (2) of this definition and that are made by a covered entity:

(i) For the purpose of describing the entities participating in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits; or

(ii) That are tailored to the circumstances of a particular individual and the communications are:

(A) Made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual; or

(B) Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual, or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care.

(2) A communication described in paragraph (1) of this definition is not included in marketing if:

(i) The communication is made orally; or

(ii) The communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.

Organized health care arrangement means:

(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;

(2) An organized system of health care in which more than one covered entity participates, and in which the participating covered entities:

(i) Hold themselves out to the public as participating in a joint arrangement; and

(ii) Participate in joint activities that include at least one of the following:

(A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;

(B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or

(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.

(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;

(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or

(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

Payment means:

(1) The activities undertaken by:

(i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

(ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A) Name and address;

(B) Date of birth;

(C) Social security number;

(D) Payment history;

(E) Account number; and

(F) Name and address of the health care provider and/or health plan.

Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

(i) Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and

(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

§ 164.502 Uses and disclosures of protected health information: general rules.

(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:

(i) To the individual;

(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to carry out treatment, payment, or health care operations;

(iii) Without consent, if consent is not required under § 164.506(a) and has not been sought under § 164.506(a)(4), to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;

(iv) Pursuant to and in compliance with a valid authorization under § 164.508;

(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and

(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), and (g).

(2) Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and required by § 164.524 or § 164.528; and

(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subpart.

(b) Standard: Minimum necessary. (1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

(2) Minimum necessary does not apply. This requirement does not apply to:

(i) Disclosures to or requests by a health care provider for treatment;

(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization under § 164.508, except for authorizations requested by the covered entity under § 164.508(d), (e), or (f);

(iii) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;

(iv) Uses or disclosures that are required by law, as described by § 164.512(a); and

(v) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

(c) Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to § 164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a).

(d) Standard: Uses and disclosures of de-identified protected health information.

(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.

(2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514, provided that:

(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and

(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.

(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

(ii) This standard does not apply:

(A) With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;

(B) With respect to disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; or

(C) With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.

(iii) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.504(e).

(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).

(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual.

(g)(1) Standard: Personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.

(2) Implementation specification: adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.

(3) Implementation specification: unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:

(i) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;

(ii) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or

(iii) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.

(4) Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.

(5) Implementation specification:Abuse, neglect, endangermentsituations. Notwithstanding a State lawor any requirement of this paragraph tothe contrary, a covered entity may electnot to treat a person as the personalrepresentative of an individual if:

(i) The covered entity has a reasonablebelief that:

(A) The individual has been or may besubjected to domestic violence, abuse,or neglect by such person; or

(B) Treating such person as thepersonal representative could endangerthe individual; and

(ii) The covered entity, in the exerciseof professional judgment, decides that itis not in the best interest of theindividual to treat the person as theindividual’s personal representative.

(h) Standard: Confidentialcommunications. A covered health careprovider or health plan must complywith the applicable requirements of§ 164.522(b) in communicatingprotected health information.

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00346 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2


82807 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

(i) Standard: Uses and disclosures consistent with notice. A covered entity that is required by § 164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)–(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.

(j) Standard: Disclosures by whistleblowers and workforce member crime victims.

(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:

(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

(ii) The disclosure is to:

(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or

(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.

(2) Disclosures by workforce members who are victims of a crime. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:

(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and

(ii) The protected health information disclosed is limited to the information listed in § 164.512(f)(2)(i).

§ 164.504 Uses and disclosures: Organizational requirements.

(a) Definitions. As used in this section:

Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.

Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Health care component has the following meaning:

(1) Components of a covered entity that perform covered functions are part of the health care component.

(2) Another component of the covered entity is part of the entity’s health care component to the extent that:

(i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and

(ii) The activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions.

Hybrid entity means a single legal entity that is a covered entity and whose covered functions are not its primary functions.

Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.

Summary health information means information, that may be individually identifiable health information, and:

(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and

(2) From which the information described at § 164.514(b)(2)(i) has been deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.

(b) Standard: Health care component. If a covered entity is a hybrid entity, the requirements of this subpart, other than the requirements of this section, apply only to the health care component(s) of the entity, as specified in this section.

(c)(1) Implementation specification: Application of other provisions. In applying a provision of this subpart, other than this section, to a hybrid entity:

(i) A reference in such provision to a “covered entity” refers to a health care component of the covered entity;

(ii) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, covered health care provider, or health care clearinghouse, as applicable; and

(iii) A reference in such provision to “protected health information” refers to protected health information that is created or received by or on behalf of the health care component of the covered entity.

(2) Implementation specifications: Safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this subpart. In particular, and without limiting this requirement, such covered entity must ensure that:

(i) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which this subpart would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;

(ii) A component that is described by paragraph (2)(i) of the definition of health care component in this section does not use or disclose protected health information that is within paragraph (2)(ii) of such definition for purposes of its activities other than those described by paragraph (2)(i) of such definition in a way prohibited by this subpart; and

(iii) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member’s work for the health care component in a way prohibited by this subpart.

(3) Implementation specifications: Responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:

(i) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility to comply with this subpart.

82808 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

(ii) The covered entity has the responsibility for complying with § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with this subpart, including the safeguard requirements in paragraph (c)(2) of this section.

(iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j).

(d)(1) Standard: Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this subpart.

(2) Implementation specifications: Requirements for designation of an affiliated covered entity. (i) Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of this subpart, if all of the covered entities designated are under common ownership or control.

(ii) The designation of an affiliated covered entity must be documented and the documentation maintained as required by § 164.530(j).

(3) Implementation specifications: Safeguard requirements. An affiliated covered entity must ensure that:

(i) The affiliated covered entity’s use and disclosure of protected health information comply with the applicable requirements of this subpart; and

(ii) If the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, the affiliated covered entity complies with paragraph (g) of this section.

(e)(1) Standard: Business associate contracts. (i) The contract or other arrangement between the covered entity and the business associate required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:

(A) Terminated the contract or arrangement, if feasible; or

(B) If termination is not feasible, reported the problem to the Secretary.

(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;

(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;

(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

(3) Implementation specifications: Other arrangements. (i) If a covered entity and its business associate are both governmental entities:

(A) The covered entity may comply with paragraph (e) of this section by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section.

(B) The covered entity may comply with paragraph (e) of this section, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section.

(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph (e), provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(3)(i) of this section, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.

(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

82809 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

(4) Implementation specifications: Other requirements for contracts and other arrangements. (i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the information received by the business associate in its capacity as a business associate to the covered entity, if necessary:

(A) For the proper management and administration of the business associate; or

(B) To carry out the legal responsibilities of the business associate.

(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:

(A) The disclosure is required by law; or

(B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and

(2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(f)(1) Standard: Requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) of this section or as otherwise authorized under § 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.

(ii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for the purpose of:

(A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or

(B) Modifying, amending, or terminating the group health plan.

(2) Implementation specifications: Requirements for plan documents. The plan documents of the group health plan must be amended to incorporate provisions to:

(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.

(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:

(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;

(B) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;

(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;

(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;

(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and

(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.

(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:

(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;

(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and

(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.

(3) Implementation specifications: Uses and disclosures. A group health plan may:

(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;

(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;

(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice; and

(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.

(g) Standard: Requirements for a covered entity with multiple covered functions.

(1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed.


82810 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

(2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity’s health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed.

§ 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Consent requirement. (1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered health care provider must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.

(2) A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payment, or health care operations, if:

(i) The covered health care provider has an indirect treatment relationship with the individual; or

(ii) The covered health care provider created or received the protected health information in the course of providing health care to an individual who is an inmate.

(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)–(C) of this section to carry out treatment, payment, or health care operations:

(A) In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;

(B) If the covered health care provider is required by law to treat the individual, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent; or

(C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional judgment, that the individual’s consent to receive treatment is clearly inferred from the circumstances.

(ii) A covered health care provider that fails to obtain such consent in accordance with paragraph (a)(3)(i) of this section must document its attempt to obtain consent and the reason why consent was not obtained.

(4) If a covered entity is not required to obtain consent by paragraph (a)(1) of this section, it may obtain an individual’s consent for the covered entity’s own use or disclosure of protected health information to carry out treatment, payment, or health care operations, provided that such consent meets the requirements of this section.

(5) Except as provided in paragraph (f)(1) of this section, a consent obtained by a covered entity under this section is not effective to permit another covered entity to use or disclose protected health information.

(b) Implementation specifications: General requirements. (1) A covered health care provider may condition treatment on the provision by the individual of a consent under this section.

(2) A health plan may condition enrollment in the health plan on the provision by the individual of a consent under this section sought in conjunction with such enrollment.

(3) A consent under this section may not be combined in a single document with the notice required by § 164.520.

(4)(i) A consent for use or disclosure may be combined with other types of written legal permission from the individual (e.g., an informed consent for treatment or a consent to assignment of benefits), if the consent under this section:

(A) Is visually and organizationally separate from such other written legal permission; and

(B) Is separately signed by the individual and dated.

(ii) A consent for use or disclosure may be combined with a research authorization under § 164.508(f).

(5) An individual may revoke a consent under this section at any time, except to the extent that the covered entity has taken action in reliance thereon. Such revocation must be in writing.

(6) A covered entity must document and retain any signed consent under this section as required by § 164.530(j).

(c) Implementation specifications: Content requirements. A consent under this section must be in plain language and:

(1) Inform the individual that protected health information may be used and disclosed to carry out treatment, payment, or health care operations;

(2) Refer the individual to the notice required by § 164.520 for a more complete description of such uses and disclosures and state that the individual has the right to review the notice prior to signing the consent;

(3) If the covered entity has reserved the right to change its privacy practices that are described in the notice in accordance with § 164.520(b)(1)(v)(C), state that the terms of its notice may change and describe how the individual may obtain a revised notice;

(4) State that:

(i) The individual has the right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations;

(ii) The covered entity is not required to agree to requested restrictions; and

(iii) If the covered entity agrees to a requested restriction, the restriction is binding on the covered entity;

(5) State that the individual has the right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance thereon; and

(6) Be signed by the individual and dated.

(d) Implementation specifications: Defective consents. There is no consent under this section, if the document submitted has any of the following defects:

(1) The consent lacks an element required by paragraph (c) of this section, as applicable; or

(2) The consent has been revoked in accordance with paragraph (b)(5) of this section.

(e) Standard: Resolving conflicting consents and authorizations. (1) If a covered entity has obtained a consent under this section and receives any other authorization or written legal permission from the individual for a disclosure of protected health information to carry out treatment, payment, or health care operations, the covered entity may disclose such protected health information only in accordance with the more restrictive consent, authorization, or other written legal permission from the individual.

(2) A covered entity may attempt to resolve a conflict between a consent and an authorization or other written legal permission from the individual described in paragraph (e)(1) of this section by:

(i) Obtaining a new consent from the individual under this section for the disclosure to carry out treatment, payment, or health care operations; or

(ii) Communicating orally or in writing with the individual in order to determine the individual’s preference in resolving the conflict. The covered entity must document the individual’s preference and may only disclose protected health information in accordance with the individual’s preference.
