[Federal Register: December 28, 2000 (Volume 65, Number 250)]
[Rules and Regulations]
[Page 82761-82810]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28de00-35]

[[pp. 82761-82810]] Standards for Privacy of Individually Identifiable Health
Information

[[Continued from page 82760]]

[[Page 82761]]

  Table 1.--The Cost of Complying With the Proposed Privacy Regulation
                              [In dollars]
------------------------------------------------------------------------
                                    Initial or    Average      Ten year
                                    first year  annual cost  cost (2003-
            Provision              cost (2003,   ($million,     2012)
                                    $million)   years 2-10)   ($million)
------------------------------------------------------------------------
Policy Development...............        597.7            0        597.7
Minimum Necessary................        926.2        536.7      5,756.7
Privacy Officials................        723.2        575.8      5,905.8
Disclosure Tracking/History......        261.5         95.9      1,125.1
Business Associates..............        299.7         55.6        800.3
Notice Distribution..............         50.8         37.8        391.0
Consent..........................        166.1          6.8        227.5
Inspection/Copying...............          1.3          1.7         16.8
Amendment........................          5.0          8.2         78.8
Requirements on Research.........         40.2         60.5        584.8
Training.........................        287.1         50.0        737.2
De-Identification of Information.        124.2        117.0      1,177.4
Employers with Insured Group              52.4            0         52.4
 Health Plans....................
Internal Complaints..............          6.6         10.7        103.2
                                  --------------------------------------
    Total *......................      3,242.0      1,556.9     17,554.7
                                  --------------------------------------
Net Present Value................      3,242.0        917.8    11,801.8
------------------------------------------------------------------------
* Note: Numbers may not add due to rounding.

C. Need for the Final Rule

    The need for a national health information privacy framework is
described in detail in Section I of the preamble above. In short,
privacy is a necessary foundation for delivery of high quality health
care--the entire health care system is built upon the willingness of
individuals to share the most intimate details of their lives with
their health care providers. At the same time, there is increasing
public concern about loss of privacy generally, and health privacy in
particular. The growing use of interconnected electronic media for
business and personal activities, our increasing ability to know an
individual's genetic make-up, and the increasing complexity of the
health care system each bring the potential for tremendous benefits to
individuals and society, but each also brings new potential for
invasions of our privacy.
    Concerns about the lack of attention to information privacy in the
health care industry are not merely theoretical. Section I of the
preamble, above, lists numerous examples of the kinds of deliberate or
accidental privacy violations that call for a national legal framework
of health privacy protections. Disclosure of health information about
an individual can have significant implications well beyond the
physical health of that person, including the loss of a job, alienation
of family and friends, the loss of health insurance, and public
humiliation. The answer to these concerns is not for consumers to
withdraw from the health care system, but for society to establish a
clear national legal framework for privacy.
    This section adds to the discussion in Section I, above, a
discussion of the market failures inherent in the current system which
create additional and compelling reasons to establish national health
information privacy standards. Market failures will arise to the extent
that privacy is less well protected than the parties would have agreed
to, if they were fully informed and had the ability to monitor and
enforce contracts. The chief market failures with respect to privacy of
health information concern information, negotiation, and enforcement
costs between the entity and the individual. The information costs
arise because of the information asymmetry between the company and the
patient--the company typically knows far more than the patient about
how the protected health information will be used by that company. A
health care provider or plan, for instance, knows many details about
how protected health information may be generated, combined with other
databases, or sold to third parties.
    Absent this regulation, patients face at least two layers of cost
in learning about how their information is used. First, as with many
aspects of health care, patients face the challenge of trying to
understand technical medical terminology and practices. A patient
generally will have difficulty understanding medical records and the
implications of transferring health information about them to a third
party. Second, in the absence of consistent national rules, patients
may face significant costs in trying to learn and understand the nature
of a company's privacy policies.
    The costs of learning about companies' policies are magnified by
the difficulty patients face in detecting whether companies, in fact,
are complying with those policies. Patients might try to adopt
strategies for monitoring whether companies have complied with their
announced policies. These sorts of strategies, however, are both costly
(in time and effort) and likely to be ineffective. In addition, modern
health care often requires protected health information to flow
legitimately among multiple entities for purposes of treatment,
payment, health care operations, and other necessary uses. Even if the
patient could identify the provider whose data ultimately leaked, the
patient could not easily tell which of those multiple entities had
impermissibly transferred her information. Therefore, the cost and
ineffectiveness of monitoring leads to less than optimal protection of
individually identifiable health information.
    The incentives facing a company that acquires individually
identifiable health information also discourage privacy protection. A
company gains the full benefit of using such information, including its
own marketing efforts or its ability to sell the information to third
parties. The company, however, does not suffer the losses from
disclosure of protected health information; the patient does. Because
of imperfect monitoring, customers often will not

[[Page 82762]]

learn of, and thus not be able to take efficient action to prevent uses
or disclosures of sensitive information. Because the company
internalizes the gains from using the information, but does not bear a
significant share, if any, of the cost to patients (in terms of lost
privacy), it will have a systematic incentive to over-use individually
identifiable health information. In market failure terms, companies
will have an incentive to use individually identifiable health
information where the patient would not have freely agreed to such use.
    These difficulties are exacerbated by the third-party nature of
many health insurance and payment systems. Even where individuals would
wish to bargain for privacy, they may lack the legal standing to do so.
For instance, employers often negotiate the terms of health plans with
insurers. The employee may have no voice in the privacy or other terms
of the plan, facing a take-it-or-leave-it choice of whether to be
covered by insurance. The current system leads to significant market
failures in bargaining privacy protection. Many privacy-protective
agreements that patients would wish to make, absent barriers to
bargaining, will not be reached.
    The economic arguments become more compelling as the medical system
shifts from predominantly paper to predominantly electronic records.
Rapid changes in information technology should result in increased
market failures in the markets for individually identifiable health
information. Improvements in computers and networking mean that the
costs of gathering, analyzing, and disseminating electronic data are
plunging. Market forces are leading many health care providers and
health plans to shift from paper to electronic records, due both to
lower cost and the increased functionality provided by having
information in electronic form. These market changes will be
accelerated by the administrative simplification implemented by the
other regulations promulgated under HIPAA. A chief goal of
administrative simplification, in fact, is to create a more efficient
flow of medical information, where appropriate. This privacy regulation
is an integral part of the overall effort of administrative
simplification; it creates a framework for more efficient flows for
certain purposes, including treatment and payment, while restricting
flows in other circumstances except where appropriate institutional
safeguards exist.
    If the medical system shifts predominantly to electronic records in
the near future, accompanying privacy rules will become more critical
to prevent unanticipated, inappropriate, or unnecessary uses or
disclosures of individually identifiable health information without
patient consent and without effective institutional controls against
further dissemination. In terms of the market failure, it will become
more difficult for patients to know how their health provider or health
plan is using health information about them. It will become more
difficult to monitor the subsequent flows of individually identifiable
health information, as the number of electronic flows and possible
points of leakage both increase. Similarly, the costs and difficulties
of bargaining to get the patients' desired level of use will likely
rise due to the greater number and types of entities that receive
protected health information.
    As the benefits section, below, discusses in more detail, the
protection of privacy and correcting the market failure also have
practical implications. Where patients are concerned about lack of
privacy protections, they might fail to get medical treatment that they
would otherwise seek. This failure to get treatment may be especially
likely for certain conditions, including mental health, and HIV.
Similarly, patients who are concerned about lack of privacy protections
may report health information inaccurately to their providers when they
do seek treatment. For instance, they might decide not to mention that
they are taking prescription drugs that indicate that they have an
embarrassing condition. These inaccurate reports may lead to mis-
diagnosis and less-than-optimal treatment, including inappropriate
additional medications. In short, the lack of privacy safeguards can
lead to efficiency losses in the form of forgone or inappropriate
treatment.
    In summarizing the economic arguments supporting the need for this
regulation, the discussion here has emphasized the market failures that
will be addressed by this regulation. These arguments become
considerably stronger with the shift from predominantly paper to
predominantly electronic records. As discussed in the benefits section
below, the proposed privacy protections may prevent or reduce the risk
of unfair treatment or discrimination against vulnerable categories of
persons, such as those who are HIV positive, and thereby, foster better
health. The proposed regulation may also help educate providers, health
plans, and the general public about how protected health information is
used. This education, in turn, may lead to better information practices
in the future.

D. Baseline Privacy Protections

    An analysis of the costs and benefits of the regulation requires a
baseline from which to measure the regulation's effects. For some
regulations, the baseline is relatively straightforward. For instance,
an industry might widely use a particular technology, but a new
regulation may require a different technology, which would not
otherwise have been adopted by the industry. In this example, the old
and widely used technology provides the baseline for measuring the
effects of the regulation. The costs and the benefits are the
difference between keeping the old technology and implementing the new
technology.
    Where the underlying technology and industry practices are rapidly
changing, however, it can be far more difficult to determine the
baseline and thereby measure the costs and benefits of a regulation.
There is no simple way to know what technology industry would have
chosen to introduce if the regulation had never existed, nor how
industry practices would have evolved.
    Today, the entities covered by the HIPAA privacy regulation are in
the midst of a shift from primarily paper records to electronic
records. As covered entities spend significant resources on hardware,
software, and other information technology costs, questions arise about
which of these costs are fairly attributable to the privacy regulations
as opposed to costs that would have been expended even in the absence
of the regulations. Industry practices generally are rapidly evolving,
as described in more detail in Part I of this preamble. New
technological or other measure taken to protect privacy are in part
attributable to the expected expense of shifting to electronic medical
records, rather than being solely attributable to the new regulations.
In addition, the existence of privacy rules in other sectors of the
economy help set a norm for what practices will be considered good
practices for health information. The level of privacy protection that
would exist in the health care sector, in the absence of regulations,
thus would likely be affected by regulatory and related developments in
other sectors. In short, it is therefore difficult to project a cost or
benefits baseline for this rule.
    The common security practice of using ``firewalls'' illustrates how
each of the three baselines might apply. Under the first baseline, the
full cost of implementing firewalls should be included in a Regulatory
Impact

[[Page 82763]]

Analysis for a rule that expects entities to have firewalls. Because
current law has not required firewalls, a new rule expecting this
security measure must include the full cost of creating firewalls. This
approach, however, would seem to overstate the cost of such a
regulation. Firewalls would seem to be an integral part of the decision
to move to an on-line, electronic system of records. Firewalls are also
being widely deployed by users and industries where no binding security
or privacy regulations have been proposed.
    Under the second baseline, the touchstone is the level of risk of
security breaches for individually identifiable health information
under current practices. There is quite possibly a greater risk of
breach for an electronic system of records, especially where such
records are accessible globally through the Internet, than for patient
records dispersed among various doctors' offices in paper form. Using
the second baseline, the costs of firewalls for electronic systems
should not be counted as a cost of the regulation except where
firewalls create greater security than existed under the previous,
paper-based system.
    Finally, the third baseline would require an estimate of the
typical level of firewall protections that covered entities would adopt
in the absence of regulation, and include in the Regulatory Impact
Analysis only the costs that exceed what would otherwise have been
adopted. For this analysis, the Department has generally assumed that
the status quo would otherwise exist throughout the ten-year period (in
a few areas we explicitly discuss likely changes). We made this
decision for two reasons. First, predicting the level of change that
would otherwise occur is highly problematic. Second, it is a
``conservative'' assumption--that is, any error will likely be an
overstatement of the true costs of the regulation.
    Privacy practices are most often shaped by professional
organizations that publish ethical codes of conduct and by state law.
On occasion, state laws defer to professional conduct codes. At
present, where professional organizations and states have developed
only limited guidelines for privacy practices, an entity may implement
privacy practices independently. However, it is worth noting that
changes in privacy protection continue to increase in various areas.
For example, European Union countries may only send individually
identifiable information to companies, including U.S. firms, that
comply with their privacy standards, and the growing use of health data
in other areas of commerce, such as finance and general commercial
marketing, have also increased the demand for privacy in ways that were
not of concern in the past.
1. Professional Codes of Ethics
    The Department examined statements issued by five major
professional groups, one national electronic network association and a
leading managed care association.\38\ There are a number of common
themes that all the organizations appear to subscribe to:
---------------------------------------------------------------------------

    \38\ American Association of Health Plans, Code of Conduct;
http:www.aahp.org.; American Dental Association, Principles of
Ethics and Professional Conduct; http://www.ada.org.; American
Hospital Association, ``Disclosure of Medical Record Information,''
Management Advisory: Information Management; 1990, AHA: Chicago,
IL.; American Medical Association, AMA Policy Finder--Current
Opinions Council on Ethical and Judicial Affairs; several documents
available through the Policy Finder at http:www.ama-assn.org.;
American Psychiatric Association, ``APA Outlines Standards Needed to
Protect Patient's Medical Record''; Release No. 99-32, May 27, 1999;
http:www.psych.org.
---------------------------------------------------------------------------

     The need to maintain and protect an individual's health
information;
     The development of policies to ensure the confidentiality
of individually identifiable health information;
     A restriction that only the minimum necessary information
should be released to accomplish the purpose for which the information
is sought.
    Beyond these principles, the major associations differ with respect
to the methods used to protect individually identifiable health
information. There is no common professional standard across the health
care field with respect to the protection of individually identifiable
health information. One critical area of difference is the extent to
which professional organizations should release individually
identifiable health information. A major mental health association
advocates the release of identifiable patient information `` * * * only
when de-identified data are inadequate for the purpose at hand.'' A
major association of physicians counsels members who use electronically
maintained and transmitted data to require that they and their patients
know in advance who has access to protected patient data, and the
purposes for which the data will be used. In another document, the
association advises physicians not to ``sell'' patient information to
data collection companies without fully informing their patients of
this practice and receiving authorization in advance to release of the
information.
    Only two of the five professional groups state that patients have
the right to review their medical records. One group declares this as a
fundamental patient right, while the second association qualifies its
position by stating that the physician has the final word on whether a
patient has access to his or her health information. This association
also recommends that its members respond to requests for access to
patient information within ten days, and recommends that entities allow
for an appeal process when patients are denied access. The association
further recommends that when a patient contests the accuracy of the
information in his or her record and the entity refuses to accept the
patient's change, the patient's statement should be included as a
permanent part of the patient's record.
    In addition, three of the five professional groups endorse the
maintenance of audit trails that can track the history of disclosures
of individually identifiable health information.
    The one set of standards that we reviewed from a health network
association advocated the protection of individually identifiable
health information from disclosure without patient authorization and
emphasized that encrypting information should be a principal means of
protecting individually identifiable health information. The statements
of a leading managed care association, while endorsing the general
principles of privacy protection, were vague on the release of
information for purposes other than treatment. The association
suggested allowing the use of protected health information without the
patient's authorization for what they term ``health promotion.'' It is
possible that the use of protected health information for ``health
promotion'' may be construed under the rule as part of marketing
activities.
    Based on the review of the leading association standards, we
believe that the final rule embodies most or all of the major
principles expressed in the standards. However, there are some major
areas of difference between the rule and the professional standards
reviewed. The final rule generally provides stronger, more consistent,
and more comprehensive guarantees of privacy for individually
identifiable health information than the professional standards. The
differences between the rule and the professional codes include the
individual's right of access to health information in the covered
entity's possession, relationships between contractors and covered
entities, and the requirement that covered entities make their privacy
policies and practices available to patients through a notice

[[Page 82764]]

and the ability to respond to questions related to the notice. Because
the regulation requires that (with a few exceptions) patients have
access to their protected health information that a covered entity
possesses, large numbers of health care providers may have to modify
their current practices in order to allow patient access, and to
establish a review process if they deny a patient access. Also, none of
the privacy protection standards reviewed require that health care
providers or health plans prepare a formal statement of privacy
practices for patients (although the major physician association urges
members to inform patients about who would have access to their
protected health information and how their health information would be
used). Only one HMO association explicitly made reference to
information released for legitimate research purposes. The regulation
allows for the release of protected health information for research
purposes without an individual's authorization, but only if the
research where such authorization is waived by an institutional
research board or an equivalent privacy board. This research
requirement may cause some groups to revise their disclosure
authorization standards.

2. State Laws

    The second body of privacy protections is found in a complex, and
often confusing, myriad of state laws and requirements. To determine
whether or not the final rule would preempt a state law, first we
identified the relevant laws, and second, we addressed whether state or
federal law provides individuals with greater privacy protection.
    Identifying the Relevant State Statutes: Health information privacy
provisions can be found in laws applicable to many issues including
insurance, worker's compensation, public health, birth and death
records, adoptions, education, and welfare. In many cases, state laws
were enacted to address a specific situation, such as the reporting of
HIV/AIDS, or medical conditions that would impair a person's ability to
drive a car. For example, Florida has over 60 laws that apply to
protected health information. According to the Georgetown Privacy
Project,\39\ Florida is not unique. Every state has laws and
regulations covering some aspect of medical information privacy. For
the purpose of this analysis, we simply acknowledge the variation in
state requirements.
---------------------------------------------------------------------------

    \39\ Ibid, Goldman, p. 6.
---------------------------------------------------------------------------

    We recognize that covered entities will need to learn the laws of
their states in order to comply with such laws that are not contrary to
the rule, or that are contrary to and more stringent than the rule.
This analysis should be completed in the context of individual markets;
therefore, we expect that professional associations or individual
businesses will complete this task.
    Recognizing the limits of our ability to effectively summarize
state privacy laws, we discuss conclusions generated by the Georgetown
University Privacy Project's report, The State of Health Privacy: An
Uneven Terrain. The Georgetown report is among the most comprehensive
examination of state health privacy laws currently published, although
it is not exhaustive. The report, which was completed in July 1999, is
based on a 50-state survey.
    To facilitate discussion, we have organized the analysis into two
sections: access to health information and disclosure of health
information. Our analysis is intended to suggest areas where the final
rule appears to preempt various state laws; it is not designed to be a
definitive or wholly comprehensive state-by-state comparison.
    Access to Subject's Information: In general, state statutes provide
individuals with some access to medical records about them. However,
only a few states allow individuals access to health information held
by all their health care providers and health plans. In 33 states,
individuals may access their hospital and health facility records. Only
13 states guarantee individuals access to their HMO records, and 16
states provide individuals access to their medical information when it
is held by insurers. Seven states have no statutory right of patient
access; three states and the District of Columbia have laws that only
assure individuals' right to access their mental health records. Only
one state permits individuals access to records about them held by
health care providers, but it excludes pharmacists from the definition
of provider. Thirteen states grant individuals statutory right of
access to pharmacy records.
    The amount that entities are allowed to charge for copying of
individuals' records varies widely from state to state. A study
conducted by the American Health Information Management Association
\40\ found considerable variation in the amounts, structure, and
combination of fees for search and retrieval, and the copying of the
record.
---------------------------------------------------------------------------

    \40\ ``Practice Briefs,'' Journal of AHIMA; Harry Rhodes, Joan
C. Larson, Association of Health Information Outsourcing Service;
January 1999.
---------------------------------------------------------------------------

    In 35 states, there are laws or regulations that set a basis for
charging individuals inspecting and copying fees. Charges vary not only
by state, but also by the purpose of the request and the facility
holding the health information. Also, charges vary by the number of
pages and whether the request is for X-rays or for standard medical
information.
    Of the 35 states with laws regulating inspection and copying
charges, seven states either do not allow charges for retrieval of
records or require that the entity provide the first copy free of
charge. Some states may prohibit hospitals from charging patients a
retrieval and copying fee, but allow clinics to do so. Many states
allow fee structures, while eleven states specify only that the record
holder may charge ``reasonable/actual costs.''
    According to the report by the Georgetown Privacy Project, among
states that do grant access to patient records, the most common basis
for denying individuals access is concern for the life and safety of
the individual or others.
    The amount of time an entity is given to supply the individual with
his or her record varies widely. Many states allow individuals to amend
or correct inaccurate health information, especially information held
by insurers. However, few states provide the right to insert a
statement in the record challenging the covered entity's information
when the individual and entity disagree.\41\
---------------------------------------------------------------------------

    \41\ Ibid, Goldman, p. 20.
---------------------------------------------------------------------------

    Disclosure of Health Information: State laws vary widely with
respect to disclosure of individually identifiable health information.
Generally, states have applied restrictions on the disclosure of health
information either to specific entities or for specific health
conditions. Only three state laws place broad limits on disclosure of
individually identifiable health information without regard for
policies and procedures developed by covered entities. Most states
require patient authorization before an entity may disclose health
information to certain recipients, but the patient often does not have
an opportunity to object to any disclosures.\42\
---------------------------------------------------------------------------

    \42\ Ibid, Goldman, p. 21.
---------------------------------------------------------------------------

    It is also important to point out that none of the states appear to
offer individuals the right to restrict disclosure of their health
information for treatment.

[[Page 82765]]

    State statutes often have exceptions to requiring authorization
before disclosure. The most common exceptions are for purposes of
treatment, payment, or auditing and quality assurance functions.
Restrictions on re-disclosure of individually identifiable health
information also vary widely from state to state. Some states restrict
the re-disclosure of health information, and others do not. The
Georgetown report cites state laws that require providers to adhere to
professional codes of conduct and ethics with respect to disclosure and
re-disclosure of protected health information.
    Most states have adopted specific measures to provide additional
protections for health information regarding certain sensitive
conditions or illnesses. The conditions and illnesses most commonly
afforded added privacy protection are:
     Information derived from genetic testing;
     Communicable and sexually-transmitted diseases;
     Mental health; and
     Abuse, neglect, domestic violence, and sexual assault.
    Some states place restrictions on releasing condition-specific
health information for research purposes, while others allow release of
information for research without the patient's authorization. States
frequently require that researchers studying genetic diseases, HIV/
AIDS, and other sexually transmitted diseases have different
authorization and privacy controls than those used for other types of
research. Some states require approval from an IRB or agreements that
the data will be destroyed or identifiers removed at the earliest
possible time. Another approach has been for states to require
researchers to obtain sensitive, identifiable information from a state
public health department. One state does not allow automatic release of
protected health information for research purposes without notifying
the subjects that their health information may be used in research and
allowing them an opportunity to object to the use of their
information.\43\
---------------------------------------------------------------------------

    \43\ ``Medical records and privacy: Empirical effects of
legislation; A memorial to Alice Hersh''; McCarthy, Douglas B;
Shatin, Deborah; et al. Health Service Research: April 1, 1999; No.
1, Vol. 34; p. 417. The article details the effects of the Minnesota
law conditioning disclosure of protected health information on
patient authorization.
---------------------------------------------------------------------------

    Comparing state statutes to the final rule: The variability of
state law regarding privacy of individually identifiable health
information and the limitations of the applicability of many such laws
demonstrates the need for uniformity and minimum standards for privacy
protection. This regulation is designed to meet these goals while
allowing stricter state laws to be enacted and remain effective. A
comparison of state privacy laws with the final regulation highlights
several of the rule's key implications:
     No state law requires covered entities to make their
privacy and access policies available to patients. Thus, all covered
entities that have direct contact with patients will be required by
this rule to prepare a statement of their privacy protection and access
policies. This necessarily assumes that entities have to develop
procedures if they do not already have them in place.
     The rule will affect more entities than are covered or
encompassed under many state laws.
     Among the three categories of covered entities, it appears
that health plans will be the most significantly affected by the access
provisions of the rule. Based on the Health Insurance Association of
America (HIAA) data\44\, there are approximately 94.7 million non-
elderly persons with private health insurance in the 35 states that do
not provide patients a legal right to inspect and copy their records.
---------------------------------------------------------------------------

    \44\ Source Book of Health Insurance Data: 1997-1998, Health
Insurance Association of America, 1998. p. 33.
---------------------------------------------------------------------------

     Under the rule, covered entities will have to obtain an
individual's authorization before they could use or disclose their
information for purposes other than treatment, payment, and health care
operations--except in the situations explicitly defined as allowable
disclosures without authorization. Although the final rule would
establish a generally uniform disclosure and re-disclosure requirement
for all covered entities, the entities that currently have the greatest
ability and economic incentives to use and disclose protected health
information for marketing services to both patients and health care
providers without individual authorization.
     While the final rule appears to encompass many of the
requirements found in current state laws, it also is clear that within
state laws, there are many provisions that cover specific cases and
health conditions. Certainly, in states that have no restrictions on
disclosure, the rule will establish a baseline standard. But in states
that do place conditions on the disclosure of protected health
information, the rule may place additional requirements on covered
entities.
3. Other Federal Laws
    The relationship with other federal statutes is discussed above in
the preamble.

E. Costs

    Covered entities will be implementing the privacy final rules at
the same time many of the administrative simplification standards are
being implemented. As described in the overall impact analysis for the
Transactions Rule, the data handling change occurring due to the other
HIPAA standards will have both costs and benefits. To the extent the
changes required for the privacy standards, implementation
specifications, and requirements can be made concurrently with the
changes required by the other regulations, costs for the combined
implementation should be only marginally higher than for the
administrative simplification standards alone. The extent of this
incremental cost is uncertain, in the same way that the costs
associated with each of the individual administrative simplification
standards is uncertain.
    The costs associated with implementing the requirements under this
Privacy Rule will be directly related to the number of affected
entities and the number of affected transactions in each entity. There
are approximately 12,200 health plans (including self-insured employer
and government health plans that are at least partially self-
administered)\45\, 6480 hospitals, and 630,000 non-hospital providers
that will bear implementation costs under the final rule.
---------------------------------------------------------------------------

    \45\ ``Health plans,'' for purposes of the regulatory impact and
regulatory flexibility analyses, include licensed insurance carriers
who sell health products; third party administrators that will have
to comply with the regulation for the benefit of the plan sponsor;
and self-insured health plans that are at least partially
administered by the plan sponsor.
---------------------------------------------------------------------------

    The relationship between the HIPAA security and privacy standards
is particularly relevant. On August 17, 2000, the Secretary published a
final rule to implement the HIPAA standards on electronic transactions.
That rule adopted standards for eight electronic code sets to be used
for those transactions. The proposed rule for security and electronic
signature standards was published on August 12, 1998. That proposal
specified the security requirements for covered entities that transmit
and store information specified in Part C, Title II of the Act. In
general, that proposed rule proposed administrative and technical
standards for protecting ``* * * any health information pertaining to
an individual that is electronically

[[Page 82766]]

maintained or transmitted.'' (63 FR 43243). The final Security Rule
will detail the system and administrative requirements that a covered
entity must meet in order to assure itself and the Secretary that
health information is safe from destruction and tampering from people
without authorization for its access.
    By contrast, the Privacy Rule describes the requirements that
govern the circumstances under which protected health information must
be used or disclosed with and without patient involvement and when a
patient may have access to his or her protected health information.
    While the vast majority of health care entities are privately owned
and operated, we note that federal, state, and local government
providers are reflected in the total costs as well. Federal, state, and
locally funded hospitals represent approximately 26 percent of
hospitals in the United States. This is a significant portion of
hospitals, but it represents a relatively small proportion of all
provider entities. We estimated that the number of government providers
who are employed at locations other than government hospitals is
significantly smaller (approximately two percent of all providers).
Weighting the relative number of government hospital and non-hospital
providers by the revenue these types of providers generate, we estimate
that health care services provided directly by government entities
represent 3.4 percent of total health care services. Indian Health
Service and tribal facilities costs are included in the total, since
the adjustments made to the original private provider data to reflect
federal providers included them. In developing the rule, the Department
consulted with states, representatives of the National Congress of
American Indians, representatives of the National Indian Health Board,
and a representative of the self-governance tribes. During the
consultation we discussed issues regarding the application of Title II
of HIPAA to the states and tribes.
    The costs associated with this final rule involve, for each
provision, consideration of both the degree to which covered entities
must modify their existing records management systems and privacy
policies under the final rule, and the extent to which there is a
change in behavior by both patients and the covered entities as a
result of the final rule. The following sections examine these
provisions as they apply to the various covered entities under the
final rule. The major costs that covered entities will incur are one-
time costs associated with implementation of the final rules, and
ongoing costs that result in continuous requirements in the final rule.
    The Department has quantified the costs imposed by the final
regulation to the extent possible. The cost of many provisions were
estimated by first using data from the Census Bureau's Statistics of
U.S. Business to identify the number of non-hospital health care
providers, hospitals and health plans. Then, using the Census Bureau's
Current Population Survey (CPS) wage data for the classes of employees
affected by the rule, the Department identified the hourly wage of the
type of employee assumed to be mostly likely responsible for compliance
with a given provision. Where the Department believed a number of
different types of employees might be responsible for complying with a
certain provision, as is often expected to be the case, the Department
established a weighted-average wage based on the types of employees
involved. Finally, the Department made assumptions regarding the number
of person-hours per institution required to comply with the rule.
    The Department cannot determine precisely how many person-hours per
institution will be required to comply with a given provision, however,
the Department attempted to establish reasonable estimates based on
fact-finding discussions with private sector health care providers, the
advice of the Department's consultants, and the Department's own best
judgement of the level of burden required to comply with a given
provision. Moreover, the Department recognizes that the number of hours
required to comply with a given requirement of the rule will vary from
provider to provider and health plan to health plan, particularly given
the flexibility and scalability permitted under the rule. Therefore,
the Department considers the estimates to be averages across the entire
class of health care providers, hospitals, or health plans in question.
    Underlying all annual cost estimates are growth projections. For
growth in the number of patients, the Department used data from the
National Ambulatory Medical Care Survey, the National Hospital
Ambulatory Medical Care Survey, the National Home and Hospice Survey,
the National Nursing Home Survey, and information from the American
Hospital Association. For growth in the number of health care workers,
the Department used data from the Bureau of Health Professions in the
Department's Health Resources Services Administration (HRSA). For
insurance coverage growth (private and military coverage), we used a
five-year average annual growth rate in employer-sponsored, individual,
military, and overall coverage growth from the Census Bureau's CPS,
1995-1999. To estimate growth in the number of Medicare and Medicaid
enrollees, the Department used the enrollment projections of the Health
Care Financing Administration's Office of the Actuary. For growth in
the number of hospitals, health care providers and health plans, trend
rates were derived from the Census Bureau's Statistics of U.S.
Businesses, using SIC code-specific five-year annual average growth
rate from 1992-1997 (the most recent data available). For wage growth,
the Department used the same assumptions made in the Medicare Trustees'
Hospital Insurance Trust Fund report for 2000.
    In some areas, the Department was able to obtain very reliable
data, such as survey data from the Statistics of U.S. Businesses and
the Medical Expenditures Panel Survey (MEPS). In numerous areas,
however, there was too little information or data to support
quantitative estimates. As a result, the Department relied on data
provided in the public comments or subsequent fact-finding to provide a
basis for making key assumptions. We were able to provide a reasonable
cost estimate for virtually all aspects of the regulation, except law
enforcement. In this latter area, the Department was unable to obtain
sufficient data about current practices (e.g., the number of criminal
and civil investigations that may involve requests for protected health
information, the number of subpoenas for protected health information,
etc.) to determine the marginal effects of the regulation. As discussed
more fully below, the Department believes the effects of the final rule
are marginal because the policies adopted in the final rule appear to
largely reflect current practice.
    The NPRM included an estimate of $3.8 billion for the privacy
proposal. The estimate for the final rule is $18.0 billion. Much of the
difference can be explained by two factors. First, the NPRM estimate
was for five years; the final rule estimate is for ten years. The
Department chose the longer period for the final rule because ten years
was also the period of analysis in the Transactions Rule RIA, and we
wanted to facilitate comparisons, given that the net benefits and costs
of the administrative simplification rules should be considered
together. Second, the final impact analysis includes cost estimates for
a number of key provisions that were not estimated in the NPRM because
the Department did not have adequate information at the time.

[[Page 82767]]

Although we received little useable data in the public comments (see
comment and response section), the Department was able to undertake
more extensive fact-finding and collect sufficient information to make
informed assumptions about the level of effort and time various
provisions of the final rule are likely to impose on different types of
affected entities.
    The estimate of $18.0 billion represents a gross cost, not a net
cost. As discussed more fully below in the benefits section, the
benefits of enhanced privacy and confidentiality of personal health
information are very significant. If people believe their information
will be used properly and not disseminated beyond certain bounds
without their knowledge and consent, they will be much more likely to
seek proper health care, provide all relevant health information, and
abide by their providers' recommendations. In addition, more confidence
by individuals and covered entities that privacy will be maintained
will lead to an increase in electronic transactions and the
efficiencies and cost savings that stem from such action. The benefits
section quantifies some examples of benefits. The Department was not
able to identify data sources or models that would permit us to measure
benefits more broadly or accurately. The inability to quantify
benefits, however, does not lessen the importance or value that is
ultimately realized by having a national standard for health
information privacy.
    The largest initial costs resulting from the final Privacy Rule
stem primarily from the requirement that covered entities use and
disclose only the minimum necessary protected health information, that
covered entities develop policies and codify their privacy procedures,
and that covered entities designate a privacy official and train all
personnel with access to individually identifiable health information.
The largest ongoing costs will result from the minimum necessary
provisions pertaining internal uses of individually identifiable health
information, and the cost of a privacy official. In addition, covered
entities will have recurring costs for training, disclosure tracking
and notice requirements. A smaller number of large entities may have
significant costs for de-identification of protected health information
and additional requirements for research.
    The privacy costs are in addition to the Transactions Rule
estimates. The cost of complying with the regulation represents
approximately 0.23 percent of projected national health expenditures
the first year the regulation is enacted. The costs for the first eight
years of the final regulation represents 0.07 percent of the increase
in national health care costs experienced over the same period.\46\
---------------------------------------------------------------------------

    \46\ Health Care Finance Administration, Office of the Actuary,
2000. Estimates for the national health care expenditure accounts
are only available through 2008; hence, we are only able to make the
comparison through that year.
---------------------------------------------------------------------------

Minimum Necessary

    The ``minimum necessary'' policy in the final rule has essentially
three components: first, it does not pertain to certain uses and
disclosures including treatment-related exchange of information among
health care providers; second, for disclosures that are made on a
routine and recurring basis, such as insurance claims, a covered entity
is required to have policies and procedures for governing such
exchanges (but the rule does not require a case-by-case determination);
and third, providers must have a process for reviewing non-routine
requests on a case-by-case basis to assure that only the minimum
necessary information is disclosed.
    Based on public comments and subsequent fact-finding, the
Department has concluded that the requirements of the final rule are
generally similar to the current practice of most providers. For
standard disclosure requests, for example, providers generally have
established procedures for determining how much health information is
released. For non-routine disclosures, providers have indicated that
they currently ask questions to discern how much health information is
necessary for such disclosure. Under the final rule, we anticipate
providers will have to be more thorough in their policies and
procedures and more vigilant in their oversight of them; hence, the
costs of this provision are significant.
    To make the final estimates for this provision, the Department
considered the minimum necessary requirement in two parts. First,
providers, hospitals, and health plans will need to establish policies
and procedures which govern uses and disclosures of protected health
information. Next, these entities will need to adjust current practices
that do not comply with the rule, such as updating passwords and making
revisions to software.
    To determine the policies and procedures for the minimum necessary
requirement, the Department assumed that each hospital would spend 160
hours, health plans would spend 107 hours, and non-hospital providers
would spend 8 hours. As noted above, the time estimates for this and
other provisions of the rule are considered an average number of
person-hours for the institutions involved. An underlying assumption is
that some hospitals, and to a lesser extent health plans, are part of
chains or larger entities that will be able to prepare the basic
materials at a corporate level for a number of covered entities.
    Once the policies and procedures are established, the Department
estimates there will be costs resulting from implementing the new
policies and procedures to restrict internal uses of protected health
information to the minimum necessary. Initially, this will require 560
hours for hospitals, 160 hours for health plans, and 12 hours for non-
hospital providers.\47\ The wage for health care providers and
hospitals is estimated at $47.28, a weighted average of various health
care professionals based on CPS data; the wage for health plans is
estimated to be $33.82, based on average wages in the insurance
industry (note that all wage assumptions in this impact analysis assume
a 39 percent load for benefits, the standard Bureau of Labor Statistics
assumption). In addition, there will be time required on an annual
basis to ensure that the implemented practices continue to meet the
requirements of the rule. Therefore, the Department estimates that on
an annual ongoing basis (after the first year), hospitals will require
320 hours, health plans 100 hours, and non-hospital providers 8 hours
to comply with this provision.
---------------------------------------------------------------------------

    \47\ These estimates were, in part, derived from a report
prepared for the Department by the Gartner Group, consultants in
health care information technology: ``Gartner DHHS Privacy
Regulation Study,'' by Jim Klein and Wes Rishel, submitted to the
Office of the Assistant Secretary for Policy and Evaluation on
October 20, 2000.
---------------------------------------------------------------------------

    The initial cost attributable to the minimum necessary provision is
$926 million. The total cost of the provision is $5.757 billion. (These
estimates are for the cost of complying with the minimum necessary
provisions that restrict internal uses to the minimum necessary. The
Department has estimated in the business associates section below the
requirement limiting disclosures outside the covered entity to the
minimum amount necessary.)

Privacy Official

    The final rule requires entities to designate a privacy official
who will be responsible for the development and implementation of
privacy policies and procedures. In this cost analysis, the Department
has estimated each of the primary administrative requirements of the
rule (e.g., training, policy and

[[Page 82768]]

procedure development, etc), including the development and
implementation costs associated with each specific requirement. These
activities will certainly involve the privacy official to some degree;
thus, some costs for the privacy official, particularly in the initial
years, are subsumed in other cost requirements. Nonetheless, we
anticipate that there will be additional ongoing responsibilities that
the privacy official will have to address, such as coordinating between
departments, evaluating procedures and assuring compliance. To avoid
double-counting, the cost calculated in this section is only for the
ongoing, operational functions of a privacy official (e.g., clarifying
procedures for staff) that are in addition to items discussed in other
sections of this impact analysis.
    The Department assumes the privacy official role will be an
additional responsibility given to an existing employee in the covered
entity, such as an office manager in a small entity or a compliance
official in a larger institution. Moreover, today any covered entity
that handles individually identifiable health information has one or
more people with responsibility for handling and protecting the
confidentiality of such information. As a result of the specific
requirement for a privacy official, the Department assumes covered
entities will centralize this function, but the overall effort is not
likely to increase significantly. Specifically, the Department has
assumed non-hospital providers will need to devote, on average, an
additional 30 minutes per week of an official's time (i.e., 26 hours
per year) to compliance with the final regulation for the first two
years and 15 minutes per week for the remaining eight years (i.e., 13
hours per year). For hospitals and health plans, which are more likely
to have a greater diversity of activities involving privacy issues, we
have assumed three hours per week for the first two years (i.e., 156
hours per year), and 1.5 hours per week for the remaining eight years
(i.e., 78 hours per year).
    For non-hospital providers, the time was calculated at a wage of
$34.13 per hour, which is the average wage for managers of medicine and
health according to the CPS. For hospitals, we used a wage of $79.44,
which is the rate for senior planning officers.\48\ For health plans,
the Department assumed a wage of $88.42 based on the wage for top
claims executives.\49\ Although individual hospitals and health plans
may not necessarily select their planning officers or claims executives
to be their privacy officials, we believe they will be of comparable
responsibility, and therefore comparable pay, in larger institutions.
---------------------------------------------------------------------------

    \48\ ``Top Compensation in the Healthcare Industry, 1997'',
Coopers & Lybrand, New York, NY.,
http://www.pohly.com/salary/2.shtml>.
    \49\ ``A Unifif Survey of Compensation in Financial Services:
2000,'' July 2000, Unifi Network Survey unit, PriceWaterhouseCoopers
LLP and Global HR Solutions LLC, Westport, Ct., http://
public.wsj.com/careers/resources/documents/20000912-insuranceexecs-
tab.htm>.
---------------------------------------------------------------------------

    The initial year cost for privacy officials will be $723 million;
the ten-year cost will be $5.9 billion.

Internal Complaints

    The final rule requires each covered entity to have an internal
process to allow an individual to file a complaint concerning the
covered entity's compliance with its privacy policies and procedures.
The requirement includes designating a contact person or office
responsible for receiving complaints and documenting the disposition of
them, if any. This function may be performed by the privacy official,
but because it is a distinct right under the final rule and may be
performed by someone else, we are costing it separately.
    The covered entity only is required to receive and document a
complaint (no response is required), which we assume will take, on
average, ten minutes (the complaint can be oral or in writing). The
Department believes that such complaints will be uncommon. We have
assumed that one in every thousand patients will file a complaint,
which is approximately 10.6 million complaints over ten years. Based on
a weighted-average hourly wage of $47.28 at ten minutes per complaint,
the cost of this policy is $6.6 million in the first year. Using wage
growth and patient growth assumptions, the cost of this policy is $103
million over ten years.

Disclosure Tracking and History

    The final rule requires providers to be able to produce a record of
all disclosures of protected health information, except in certain
circumstances. The exceptions include disclosures for treatment,
payment, health care operations, or disclosures to an individual. This
requirement will require a notation in the record (electronic or paper)
of when, to whom, and what information was disclosed, as well as the
purpose of such disclosure or a copy of an individual's written
authorization or request for a disclosure.
    Based on information from several hospital sources, the Department
assumes that all hospitals already track disclosures of individually
identifiable health information and that 15 percent of all patient
records held by a hospital will have an annual disclosure that will
have to be recorded in an individual's record. It was more difficult to
obtain a reliable estimate for non-hospital providers, though it
appears that they receive many fewer requests. The Department assumed a
ten percent rate for ambulatory care patients and five percent, for
nursing homes, home health, dental and pharmacy providers. (It was
difficult to obtain any reliable data for these latter groups, but
those we talked to said that they had very few, and some indicated that
they currently keep track of them in the records.) These estimated
percentages represent about 63 million disclosures that will have to be
recorded in the first year, with each recording estimated to require
two minutes. At the average nurse's salary of $30.39 per hour, the cost
in the first year is $25.7 million. For health plans, the Department
assumed that disclosures of protected health information are more rare
than for health care providers. Therefore, the Department assumed that
there will be disclosures of protected health information for five
percent of covered lives. At the average wage for the insurance
industry of $33.82 per hour, the initial cost for health plans is $6.8
million. Using our standard growth rates for wages, patients, and
covered entities, the ten-year cost for providers and health plans is
$519 million.
    In addition, although hospitals generally track patient disclosures
today, the Department assumes that hospitals will seek to update
software systems to assure full compliance. Based on software upgrade
costs provided by the Department's private sector consultants with
expertise in the area (the Gartner Group), the Department assumed that
each upgrade would cost $35,000 initially and $6,300 annually
thereafter, for a total cost of $572 million over ten years.
    The final rule also requires covered entities to provide
individuals with an accounting of disclosures upon request. The
Department assumes that few patients will request a history of
disclosures of their protected medical information. Therefore, we
estimate that one in a thousand patients will request such an
accounting each year, which is approximately 850,000 requests. If it
takes an average of five minutes to copy any disclosures and the work
is done by a nurse, the cost for the first year will be $2.1 million.
The total ten-year cost is $33.8 million.

[[Page 82769]]

De-Identification of Information

    The rule allows covered entities to determine that health
information is de-identified (i.e., that it is not individually
identifiable health information) if certain conditions are met.
Currently, some entities release de-identified information for research
purposes. De-identified information may originate from automated
systems (such as records maintained by pharmacy benefit managers) and
non-automated systems (such as individual medical records maintained by
providers). As compared with current practice, the rule requires that
an expanded list of identifiers be removed for the data (such as
driver's license numbers, and detailed geographic and certain age
information). For example, as noted in a number of public comments,
currently complete birth dates (day, month, and year) and zip codes are
often included in de-identified information. The final rule requires
that only the year of birth (except in certain circumstances) and the
first three digits of the zip code can be included in de-identified
information.
    These changes will not require extensive change from current
practice. Providers generally remove most of the 19 identifiers listed
in the final rule. The Department relied on Gartner Group estimates
that some additional programmer time will be required by covered
entities that produce de-identified information to make revisions in
their procedures to eliminate additional identifiers. Entities that de-
identify information will have to review existing and future data flows
to assure compliance with the final rule. For example, an automated
system may need to be re-programmed to remove additional identifiers
from otherwise protected health information. (The costs of educating
staff about the de-identification requirements are included in the cost
estimate for training staff on privacy policies.)
    The Department was not able to obtain any reliable information on
the volume of medical data that is currently de-identified. To provide
some measure of the potential magnitude, we assumed that health plans
and hospitals would have an average of two existing agreements that
would need to be reviewed and modified. Based on information provided
by our consultants, we estimate that these agreements would require an
average of 152 hours by hospitals and 116 hours by health plans to
review and revise existing agreements to conform to the final rule.
Using the weighted average wage of $47.28, the initial costs will be
$124 million. Using our standard growth rates for wages, patients, and
covered entities, the total cost of the provision is $1.1 billion over
ten years.
    The Department expects that the final rule and the increasing trend
toward computerization of large record sets will result over time in
de-identification being performed by relatively few firms or
associations. Whether the covered entity is a small provider with
relatively few files or a hospital or health plan with large record
files, it will be more efficient to contract with specialists in these
firms or associations (as ``business associates'' of the covered
entity) to de-identify files. The process will be different but the
ultimate cost is likely to be the same or only slightly higher, if at
all, than the costs for de-identification today. The estimate is for
the costs required to conform existing and future agreements to the
provisions of the rule. The Department has not quantified the benefits
that might arise from changes in the market for de-identified
information because the centralization and efficiency that will come
from it will not be fully realized for several years, and we do not
have a reliable means of estimating such changes.

Policy and Procedures Development

    The final regulation imposes a variety of requirements which
collectively will necessitate entities to develop policies and
procedures (henceforth in this section to be referred to as policies)
to establish and maintain compliance with the regulation. These include
policies such as those for inspection and copying, amending records,
and receiving complaints.\50\ In developing the final regulations,
simplifying the administrative burden was a significant consideration.
To the extent practical, consistent with maintaining adequate
protection of protected health information, the final rule is designed
to encourage the development of policies by professional associations
and others, that will reduce costs and facilitate greater consistency
across providers and other covered entities.
---------------------------------------------------------------------------

    \50\ The cost for policies for minimum necessary, because they
will be distinct and extensive, are presented separately, above.
---------------------------------------------------------------------------

    The development of policies will occur at two levels: first, at the
association or other large scale levels; and second, at the entity
level. Because of the generic nature of many of the final rule's
provisions, the Department anticipates that trade, professional
associations, and other groups serving large numbers of members or
clients will develop materials that can be used broadly. These will
likely include the model privacy practice notice that all covered
entities will have to provide patients; general descriptions of the
regulation's requirements appropriate for various types of health care
providers; checklists of steps entities will have to take to comply;
training materials; and recommended procedures or guidelines. The
Department spoke with a number of professional associations, and they
confirmed that they would expect to provide such materials for their
members at either the federal or state level.
    Using Faulkner and Gray's Health Data Directory 2000, we identified
216 associations that would be likely to provide guidance to members.
In addition, we assume three organizations (i.e., one for hospitals,
health plans, and other health care providers) in each state would also
provide some additional services to help covered entities coordinate
the requirements of this rule with state laws and requirements. The
Department assumed that these associations would each provide 320 hours
of legal analysis at $150 per hour, and 640 hours of senior analysts
time at $50 per hour. This equals $17.3 million. Hourly rates for legal
council are the average billing rate for a staff attorney.\51\ The
senior analysts rates are based on a salary of $75,000 per year, plus
benefits, which was provided by a major professional association.
---------------------------------------------------------------------------

    \51\ ``The Altman Weil 1999 Survey of Law Firm Economics,''
http://www.altmanweil.com/publications/survey/sife99/standard.htm>.
---------------------------------------------------------------------------

    For larger health care entities such as hospitals and health plans,
the Department assumed that the complexity of their operations would
require them to seek more customized assistance from outside council or
consultants. Therefore, the Department assumes that each hospital and
health plan (including self-administered, self-insured health plans)
will, on average, require 40 hours of outside assistance. The resulting
cost for external policy development is estimated to be $112 million.
    All covered entities are expected to require some time for internal
policy development beyond what is provided by associations or outside
consultants. For most non-hospital providers, the external assistance
will provide most of the necessary information. Therefore, we expect
these health care providers will need only eight hours to adapt these
policies for their specific use (training cost is estimated separately
in the impact analysis). Hospitals and

[[Page 82770]]

health plans, which employ more individuals and are involved in a wider
array of endeavors, are likely to require more specific policies
tailored to their operations to comply with the final rule. For these
entities, we assume an average of 320 hours of policy development per
institution. The total cost for internal policy development is
estimated to be $468 million.
    The total cost for policy, plan, and procedures development for the
final regulation is estimated to be $598 million. All of these costs
are initial costs.

Training

    The final regulation's requirements provide covered entities with
considerable flexibility in how to best fulfill the necessary training
of their workforce. As a result, the actual practices may vary
substantially based on such factors as the number of members of the
workforce, the types of operations, worker turnover, and experience of
the workforce. Training is estimated to cost $737 million over ten
years. The Department estimates that at the time of the effective date,
approximately 6.7 million health care workers will have to be trained,
and in the subsequent ten years, 7 million more will have to be trained
because of worker turnover. The estimate of employee numbers are based
on 2000 CPS data regarding the number of health care workers who
indicated they worked for a health care institution. To estimate a
workforce turnover rate, the Department relied on a study submitted in
the public comments which used a turnover rate of ten percent or less,
depending on the labor category. To be conservative, the Department
assumed ten percent for all categories.
    Covered entities will need to provide members of the workforce with
varying amounts of training depending on their responsibilities, but on
average, the Department estimates that each member of the workforce who
is likely to have access to protected health information will require
one hour of training in the policies and procedures of the covered
entity. The initial training cost estimate is based on teacher training
with an average class size of ten. After the initial training, the
Department expects some training (for example, new employees in larger
institutions) will be done by videotape, video conference, or computer,
all of which are likely to be less expensive. Training materials were
assumed to cost an average of $2 per worker. The opportunity cost for
the training time is based on the average wage for each health care
labor category listed in the CPS, plus a 39 percent load for benefits.
Wages were increased based on the wage inflation factor utilized for
the short-term assumptions (which covers ten years) in the Medicare
Trustees' Annual Report for 1999.

Notice

    This section describes only the cost associated with the production
and provision of a notice. The cost of developing the policy stated in
the notice is covered under policies and procedures, above.
    Covered health care providers with direct treatment relationships
are required to provide a notice of privacy practices no later than the
date of the first service delivery to individuals after the compliance
date for the covered health care provider. The Department assumed that
for most types of health care providers (such as physicians, dentists,
and pharmacists) one notice would be distributed to each patient during
his or her first visit following the compliance date for the covered
provider, but not for subsequent visits. For hospitals, however, the
Department assumed that a notice would be provided at each admission,
regardless of how many visits an individual has in a given year. In
subsequent years, the Department assumed that non-hospital providers
would only provide notices to their new patients, because it is assumed
that providers can distinguish between new and old patients, although
hospitals will continue to provide a notice for each admission. The
total number of notices provided in the initial year is estimated to be
816 million.
    Under the final rule, only providers that have direct treatment
relationships with individuals are required to provide notices to them.
To estimate the number of visits that trigger a notice in the initial
year and in subsequent years, the Department relied on the Medical
Expenditure Panel Survey (MEPS, 1996 data) conducted by the
Department's Agency for Healthcare Quality and Research. This data set
provides estimates for the number of total visits to a variety of
health care providers in a given year and estimates of the number of
patients with at least one visit to each type of each care provider. To
estimate the number of new patients in a given year, the Department
used the National Ambulatory Medical Care Survey and the National
Hospital Ambulatory Medical Care Survey, which indicate that for
ambulatory care visits to physician offices and hospital ambulatory
care departments, 13 percent of all patients are new. This data was
used as a proxy for other types of providers, such as dentists and
nursing homes, because the Department did not have estimates for new
patients for other types of providers. The number of new patients was
increased over time to account for growth in the patient population.
Therefore, the number of notices provided in years 2004 through 2012 is
estimated to be 5.3 billion.
    For health plans, the Department estimated the number of notices by
trending forward the average annual rate of growth from 1995 through
1998 (the most recent data available) of private policy holders using
the Census Bureau's Current Population Survey, and also by using Health
Care Financing Administration Office of the Actuary's estimates for
growth in Medicare and Medicaid enrollment. It should be noted that the
regulation does not require that the notice be mailed to individuals.
Therefore, the Department assumed that health plans would include their
privacy policy in the annual mailings they make to members, such as by
adding a page to an existing information booklet.
    Since clinical laboratories generally do not have direct contact
with patients, they would not normally be required to provide notices.
However, there are some laboratory services that involve direct patient
contact, such as patients who have tests performed in a laboratory or
at a health fair. We found no data from which we could estimate the
number of such visits. Therefore, we have assumed that labs would incur
no costs as a result of this requirement.
    The printing cost of the policy is estimated to be $0.05, based on
data obtained from the Social Security Administration, which does a
significant number of printings for distribution. Some large bulk
users, such as health plans, can probably reproduce the document for
less, and small providers simply may copy the notice, which would also
be less than $0.05. Nonetheless, at $0.05, the total cost of the
initial notice is $50.8 million.
    Using our standard growth rate for patients, the total cost for
notices is estimated to be $391 million for the ten-year period.

Requirements on Use and Disclosure for Research

    The final regulation places certain requirements on covered
entities that supply individually identifiable health information to
researchers. As a result of these requirements, researchers who seek
such health information and the Institutional Review Boards (IRBs) that
review research projects will have additional responsibilities.
Moreover, a covered entity doing research, or another entity requesting
disclosure of

[[Page 82771]]

protected health information for research that is not currently subject
to IRB review (research that is 100 percent privately funded and which
takes place in institutions which do not have ``multiple project
assurances'') may need to seek IRB or privacy board approval if they
want to avoid the requirement to obtain authorization for use or
disclosure of protected health information for research, thereby
creating the need for additional IRBs and privacy boards that do not
currently exist.
    To estimate the additional requirements placed on existing IRBs,
the Department relied on a survey of IRBs conducted by James Bell
Associates on behalf of NIH and on estimates of the total number of
existing IRBs provided by NIH staff. Based on this information, the
Department concluded that of the estimated 4,000 IRBs in existence, the
median number of initial current research project reviews is 133 per
IRB, of which only ten percent do not receive direct consent for the
use of protected health information. (Obtaining consent nullifies the
need for IRB privacy scrutiny.) Therefore, in the first year of
implementation, there will be 76,609 initial reviews affected by the
regulation, and the Department assumes that the requirement to consider
the privacy protections in the research protocols under review will add
an average of 1 hour to each review. The cost to researchers for having
to develop protocols which protect protected health information is
difficult to estimate, but the Department assumes that each of the
affected 76,609 studies will require an average of an additional 8
hours of time for protocol development and implementation. At the
average medical scientist hourly wage of $46.61, the initial cost is
$32.1 million; the total ten-year cost of these requirements is $468
million over ten years.
    As stated above, some privately funded research not subject to any
IRB review currently may need to obtain IRB or privacy board approval
under the final rule. Estimating how much research exists which does
not currently go through any IRB review is highly speculative, because
the experts consulted by the Department all agree that there is no data
on the volume of privately funded research. Likewise, public comments
on this subject provided no useful data. However, the Department
assumed that most research that takes place today is subject to IRB
review, given that so much research has some government funding and
many large research institutions have multiple project assurances. As a
result, the Department assumed that the total volume of non-IRB
reviewed research is equal to 25 percent of all IRB-reviewed research,
leading to 19,152 new IRB or privacy board reviews in the first year of
the regulation. Using the same assumptions as used above for wages,
time spent developing privacy protection protocols for researchers, and
time spent by IRB and privacy board members, the total one-year cost
for new IRB and privacy board reviews is $8 million.
    For estimating total ten-year costs, the Department used the Bell
study, which showed an average annual growth rate of 3.7 percent in the
number of studies reviewed by IRBs. Using this growth rate, the total
ten-year cost for the new research requirements is $117 million.

Consent

    Under the final rule, a covered health care provider with direct
treatment relationships must obtain an individual's consent for use or
disclosure of protected health information for treatment, payment, or
health care operations. Covered providers with indirect treatment
relationships and health plans may obtain such consent if they so
choose. Providers and health plans that seek consent under this rule
can condition treatment or enrollment upon provision of such consent.
Based on public comments and discussions with a wide array of health
care providers, it is apparent that most currently obtain written
consent for use and disclosure of individually identifiable health
information for payment. Under the final rule, they will have to obtain
consent for treatment and health care operations, as well, but this may
entail only minor changes in the language of the consent to incorporate
these other categories and to conform to the rule.
    Although the Department was unable to obtain any systematic data,
the anecdotal evidence suggests that most non-hospital providers and
virtually all hospitals follow this practice. For the cost analysis,
the Department assumes that 90 percent of the non-hospital providers
and all hospitals currently obtain some consent for use and disclosure
of individually identifiable health information. For providers that
currently obtain written consent, there is only a nominal cost for
changing the language on the document to conform to the rule. For this
activity, we assumed $0.05 cost per document for revising existing
consent documents.
    For the ten percent of treating providers who currently do not
obtain consent, there is the cost of creating consent documents (which
will be standardized), which is also assumed to be $0.05 per document.
It is assumed that all providers required to obtain consent under the
rule will do so upon the first visit, so there will be no mailing cost.
For non-hospital providers, we assume the consent will be maintained in
paper form, which is what most providers currently do (electronic form,
if available, is cheaper to maintain). There is no new cost for records
maintenance because the consent will be kept in active files (paper or
electronic).
    The initial cost of the consent requirement is estimated to be $166
million. Using our standard assumptions for patient growth, the total
costs for the ten years is estimated to be $227 million.

Authorizations

    Patient authorizations are required for uses or disclosures of
protected health information that are not otherwise explicitly
permitted under the final rule with or without consent. In addition to
uses and disclosures of protected health information for treatment,
payment, and health care operations with or without consent, the rule
also permits certain uses of protected health information, such as
fund-raising for the covered entity and certain types of marketing
activity, without prior consent or authorization. Authorizations are
generally required if a covered entity wants to provide protected
health information to third party for use by the third party for
marketing or for research that is not approved by an IRB or privacy
board.
    The requirement for obtaining authorizations for use or disclosure
of protected health information for most marketing activity will make
direct third-party marketing more difficult because covered entities
may not want to obtain and track such authorizations, or they may
obtain too few to make the effort economically worthwhile. However, the
final rule permits an alternative arrangement: the covered entity can
engage in health-related marketing on behalf of a third party,
presumably for a fee. Moreover, the covered entity could retain another
party, through a business associate relationship, to conduct the actual
health-related marketing, such as mailings or telemarketing, under the
covered entity's name. The Department is unable to estimate the cost of
these changes because there is no credible data on the extent of
current third party marketing practices or the price that third party
marketers currently pay for information from covered entities. The
effect of the final rule is to change the

[[Page 82772]]

arrangement of practices to enhance accountability of protected health
information by the covered entity and its business associates; however,
there is nothing inherently costly in these changes.
    Examples of other circumstances in which authorizations are
required under the final rule include disclosure of protected health
information to an employer for an employment physical, pre-enrollment
underwriting for insurance, or the sharing of protected health
insurance information by an insurer with an employer. The Department
assumes there is no new cost associated with these requirements because
providers have said that obtaining authorization under such
circumstances is current practice.
    To use or disclose psychotherapy notes for most purposes (including
for treatment, payment, or health care operations), a covered entity
must obtain specific authorization by the individual that is distinct
from any authorization for use and disclosure of other protected health
information. This is current practice, so there is no new cost
associated with this provision.

Confidential Communications

    The final rule permits individuals to receive communications of
protected health information from a covered health care provider or a
health plan by an alternative means or at an alternative address. A
covered provider and a health plan must accommodate reasonable
requests; however, a health plan may require the individual to state
that disclosure of such information may endanger the individual. A
number of providers and health plans indicated that they currently
provide this service for patients who request it. For providers and
health plans with electronic records system, maintaining separate
addresses for certain information is simple and inexpensive, requiring
little or no change in the system. For providers with paper records,
the cost may be higher because they will have to manually check records
to determine which information must be treated in accordance with such
requests. Although some providers currently provide this service, the
Department was unable to obtain any reliable estimate of the number of
such requests today or the number of providers who perform this
service. The cost attributable to this requirement to send materials to
alternate addresses does not appear to be significant.

Employers With Insured Group Health Plans

    Some group health plans will use or maintain protected health
information, particularly group health plans that are self-insured.
Also, some plan sponsors that perform administrative functions on
behalf of their group health plans, may need protected health
information. The final rule permits a group health plan, or a health
insurance issuer or HMO that provides benefits on behalf of the group
health plan, to disclose protected health information to a plan sponsor
who performs administrative functions on its behalf for certain
purposes and if certain requirements are met. The plan documents must
be amended to: describe the permitted uses and disclosures of protected
health information by the plan sponsor; specify that disclosure is
permitted only upon receipt of a certification by the plan sponsor that
the plan documents have been amended and the plan sponsor agrees to
certain restrictions on the use of protected health information; and
provide for adequate firewalls to assure unauthorized personnel do not
have access to individually identifiable health information.
    Some plan sponsors may need information, not to administer the
group health plan, but to amend, modify, or terminate the plan. ERISA
case law describes such activities as settlor functions. For example, a
plan sponsor may want to change its contract from a preferred provider
organization to a health maintenance organization (HMO). In order to
obtain premium information, the plan sponsor may need to provide the
HMO with aggregate claims information. Under the rule, the plan sponsor
can obtain summary information with certain identifiers removed, in
order to provide it to the HMO and receive a premium rate.
    The Department assumes that most plan sponsors who are small
employers (those with 50 or fewer employees) will elect not to receive
protected health information because they will have little, if any,
need for such data. Any needs that plan sponsors of small group health
plans may have for information can be accomplished by receiving the
information in summary form. The Department has assumed that only 5
percent of plan sponsors of small group health plans that provide
coverage through a contract with an issuer will actually take the steps
necessary to receive protected health information. This is
approximately 96,900 firms. For these firms, the Department assumes it
will take one hour to determine procedural and organization issues and
an additional \1/3\ hour of an attorney's time to make plan document
changes, which will be simple and essentially standardized. This will
cost $7.1 million.
    Plan sponsors who are employers of medium (51-199 employees) and
large (over 200 employees) firms that provide health benefits through
contracts with issuers are more likely to want access to protected
health information for plan administration, for example to use it to
audit claims or perform quality assurance functions on behalf of the
group health plan. The Department assumes that 25 percent of plan
sponsors of medium sized firms and 75 percent of larger firms will want
to receive protected health information. This is approximately 38,000
medium size firms and 27,000 larger firms. To provide access to
protected health information by the group health plan, a plan sponsor
will have to assess the current flow of protected health information
from their issuer and determine what information is necessary and
appropriate. The plan sponsors may then have to make internal
organizational changes to assure adequate protection of protected
health information so that the relevant requirements are met for the
group health plan. We assume that medium size firms will take 16 work
hours to complete organizational changes, plus one hour of legal time
to make changes to plan documents and certify to the insurance carrier
that the firm is eligible to receive protected health information. We
assume that larger firms will require 32 hours of internal
organizational work and one hour of legal time. This will cost $52.4
million and is a one-time expense.

Business Associates

    The final rule requires a covered entity to have a written contract
or other arrangement that documents satisfactory assurance that
business associate will appropriately safeguard protected health
information in order to disclose it to a business associate based on
such an arrangement. The Department expects business associate
contracts to be fairly standardized, except for language that will have
to be tailored to the specific arrangement between the parties, such as
the allowable uses and disclosures of information. The Department
assumes the standard language initially will be developed by trade and
professional associations for their members. Small providers are likely
to simply adopt the language or make minor modifications, while health
plans and hospitals may start with the prototype language but may make
more specific changes to

[[Page 82773]]

meet their institutional needs. The regulation includes a requirement
that the covered entity take steps to correct, and in some cases
terminate, a contract, if necessary, if they know of violations by a
business associate. This oversight requirement is consistent with
standard oversight of a contract.
    The Department could not derive a per entity cost for this work
directly. In lieu of this, we have assumed that the trade and
professional associations' work plus any minor tailoring of it by a
covered entity would amount to one hour per non-hospital provider and
two hours for hospitals and health plans. The larger figure for
hospitals and health plans reflects the fact that they are likely to
have a more extensive array of relationships with business associates.
    The cost for the changes in business associate contracts is
estimated to be $103 million. This will be an initial year cost only
because the Department assumes that this contract language will become
standard in future contracts.
    In addition, the Department has estimated the cost for business
associates to comply with the minimum necessary provisions. As part of
the minimum necessary provisions, covered entities will have to
establish policies to ensure that only the minimum necessary protected
health information is shared with business associates. To the extent
that data are exchanged, covered entities will have to review the data
and systems programs to assure compliance.
    For non-hospital providers, we estimate that the first year will
require an average of three hours to review existing agreements, and
thereafter, they will require an additional hour to assure business
associate compliance. We estimate that hospitals will require an
additional 200 hours the first year and 16 hours in subsequent years;
health plans will require an additional 112 hours the first year and 8
hours in subsequent years. As in other areas, we have assumed a
weighted average wage for the respective sectors.
    The cost of the covered entities assuring business associates'
complying with the minimum necessary is $197 million in the first year,
and a total of $697 million over ten years. (These estimates include
the both the cost for the covered entity and the business associates.)

Inspection and Copying

    In the NPRM estimate, inspection and copying were a major cost.
Based on data and information from the public comments and further
fact-finding, however, the Department has re-estimated these policies
and found them to be much less expensive.
    The public comments demonstrate that copying of records is wide-
spread today. Records are routinely copied, in whole or in part, as
part of treatment or when patients change providers. In addition,
copying occurs as part of legal proceedings. The amount of inspection
and copying of medical records that occurs for these purposes is not
expected to change measurably as a result of the final regulation.
    The final regulation establishes the right of individuals to
access, that is to inspect and obtain a copy of, protected health
information about them in designated record sets. Although this is an
important right, the Department does not expect it to result in
dramatic increases in requests from individuals. The Georgetown report
on state privacy laws indicates that 33 states currently give patients
some right to access medical information. The most common right of
access granted by state law is the right to inspect personal
information held by physicians and hospitals. In the process of
developing estimates for the cost of providing access, we assumed that
most providers currently have procedures for allowing patients to
inspect and obtain a copy of individually identifiable health
information about themselves. The economic impact of requiring entities
to allow individuals to access their records should be relatively
small. One public commenter addressed this issue and provided specific
data which supports this conclusion.
    Few studies address the cost of providing medical records to
patients. The most recent was a study in 1998 by the Tennessee
Comptroller of the Treasury. It found an average cost of $9.96 per
request, with an average of 31 pages per request. The cost per page of
providing copies was $0.32 per page. This study was performed on
hospitals only. The cost per request may be lower for other types of
providers, since those seeking hospital records are more likely to have
more complicated records than those in a primary care or other types of
offices. An earlier report showed much higher costs than the Tennessee
study. In 1992, Rose Dunn published a report based on her experience as
a manager of medical records. She estimated a 10-page request would
cost $5.32 in labor costs only, equaling labor cost per page of $0.53.
However, this estimate appears to reflect costs before computerization.
The expected time spent per search was 30.6 minutes; 85 percent of this
time could be significantly reduced with computerization (this includes
time taken for file retrieval, photocopying, and re-filing; file
retrieval is the only time cost that would remain under
computerization).
    In estimating the cost of copying records, the Department relied on
the public comment from a medical records outsourcing industry
representative, which submitted specific volume and cost data from a
major firm that provides extensive medical record copying services.
According to these data, 900 million pages of medical records are
copied each year in the U.S., the average medical record is 31 pages,
and copying costs are $0.50 per page. In addition, the commenter noted
that only 10 percent of all requests are made directly from patients,
and of those, the majority are for purposes of continuing care
(transfer to another provider), not for purposes of individual
inspection. The Department assumed that 25 percent of direct patient
requests to copy medical records are for purposes of inspecting their
accuracy (i.e., 2.5 percent of all copy requests) or 850,000 in 2003 if
the current practice remained unchanged.
    To estimate the marginal increase in copying that might result from
the regulation, the Department assumed that as patients gained more
awareness of their right to inspect and copy their records, more
requests will occur. As a result, the Department assumed a ten percent
increase in the number of requests to inspect and copy medical records
over the current baseline, which would amount to a little over 85,000
additional requests in 2003 at a cost of $1.3 million. Allowing for a
5.3 percent increase in records based on the increase in ambulatory
care visits, the highest growth rate among health service sectors (the
National Ambulatory Medical Care Survey, 1998), the total cost for the
ten-year period would be $16.8 million.
    The final rule allows a provider to deny an individual the right to
inspect or obtain a copy of protected health information in a
designated record set under certain circumstances, and it provides, in
certain circumstances, that the patient can request the denial to be
reviewed by another licensed health care professional. The initial
provider can choose a licensed health care professional to render the
second review.
    The Department assumes denials and subsequent requests for reviews
will be extremely rare. The Department estimates there are about
932,000 annual requests for inspections (i.e., base plus new requests
resulting from the regulation), or approximately 11 million over the
ten-year period. If one-

[[Page 82774]]

tenth of one percent of these requests were to result in a denial in
accordance with the rule, the result would be 11,890 cases. Not all
these cases would be appealed. If 25 percent were appealed, the result
would be 2,972 cases. If a second provider were to spend 15 minutes
reviewing the case, the cost would be $6,000 in the first year and
$86,360 over ten years.

Amendments to Protected Health Information

    Many providers and health plans currently allow patients to amend
the information in their medical record, where appropriate. If an error
exists, both the patient and the provider or health plan benefit from
the correction. However, as with inspection and copying, many states do
not provide individuals with the right to request amendment to
protected health information about themselves. Based on these
assumptions, the Department concludes that the principal economic
effect of the final rule would be to expand the right to request
amendments to protected health information held by a health plan or
provider to those who are not currently covered by amendment
requirements under state laws or codes of conduct. In addition, the
rule may draw additional attention to the issue of inaccuracies in
information and may stimulate patient demand for amendment of medical
records, including in those states that currently provide a right to
amend medical records.
    Under the final regulation, if a patient requests an amendment to
his or her medical record, the provider must either accept the
amendment or provide the individual with the opportunity to submit a
statement disagreeing with the denial. The provider must acknowledge
the request and inform the patient of his action.
    The cost calculations assume that individuals who request an
opportunity to amend their medical record have already obtained a copy
of it. Therefore, the administrative cost of amending the patient's
record is completely separate from inspection and copying costs.
    Based on fact-finding discussions with a variety of providers, the
Department assumes that 25 percent of the projected 850,000 people who
request to inspect their records will seek to amend them. This number
is the existing demand plus the additional requests resulting from the
rule. Over ten years, the number of expected amendment requests will be
2.7 million. Unlike inspections, which currently occur in a small
percentage of cases, our fact-finding suggests that patients very
rarely seek to amend their records, but that the establishment of this
right in the rule will spur more requests. The 25 percent appears to be
high based on our discussions with providers but it is being used to
avoid an underestimation of the cost.
    As noted, the provider or health plan is not required to evaluate
any amendment requests, only to append or otherwise link to the request
in the record. We expect the responses will vary: sometimes an
assistant will only make the appropriate notation in the record,
requiring only a few minutes; other times a provider or manager will
review the request and make changes if appropriate, which may require
as much as an hour. To be conservative in its estimate, the Department
has assumed, on average, 30 minutes for each amendment request at a
cost of $47.28 per hour (2000 CPS).
    The first-year cost for the amendment policy is estimated to be $5
million. The ten-year cost of this provision is $78.8 million.

Law Enforcement and Judicial and Administrative Proceedings

    The law enforcement provisions of the final rule allow disclosure
of protected health information without patient authorization under
four circumstances: (1) Pursuant to legal process or as otherwise
required by law; (2) to locate or identify a suspect, fugitive,
material witness, or missing person; (3) under specified conditions
regarding a victim of crime; and (4) and when a covered entity believes
the protected health information constitutes evidence of a crime
committed on its premises. As under current law and practice, a covered
entity may disclose protected health information to a law enforcement
official if such official.
    Based on our fact finding, we are not able to estimate any
additional costs from the final rule regarding disclosures to law
enforcement officials. The final rule makes clear that current court
orders and grand jury subpoenas will continue to provide a basis for
covered entities to disclose protected health information to law
enforcement officials. The three-part test, which covered entities must
use to decide whether to disclose information in response to an
administrative request such as an administrative subpoena, represents a
change from current practice. There will be only minimal costs to draft
the standard language for such subpoenas. We are unable to estimate
other costs attributable to the use of administrative subpoenas. We
have not been able to discover any specific information about the costs
to law enforcement of establishing the predicates for issuing the
administrative subpoena, nor have we been able to estimate the number
of such subpoenas that will likely be issued once the final rule is
implemented.
    A covered entity may disclose protected health information in
response to an order in the course of a judicial or administrative
proceeding if reasonable efforts have been made to give the individual,
who is the subject of the protected health information, notice of and
an opportunity to object to the disclosure or to secure a qualified
protective order.
    The Department was unable to estimate any additional costs due to
compliance with the final rule's provisions regarding judicial and
administrative proceedings. The provision requiring a covered entity to
make efforts to notify an individual that his or her records will be
used in proceedings is similar to current practice; attorneys for
plaintiffs and defendants agreed that medical records are ordinarily
produced after the relevant party has been notified. With regard to
protective orders, we believe that standard language for such orders
can be created at minimal cost. The cost of complying with such
protective orders will also likely be minimal, because attorney's
client files are ordinarily already treated under safeguards comparable
to those contemplated under the qualified protective orders. The
Department was unable to make an estimate of how many such protective
orders might be created annually.
    We thus do not make any estimate of the initial or ongoing costs
for judicial, administrative, or law enforcement proceedings.

Costs to the Federal Government

    The rule will have a cost impact on various federal agencies that
administer programs that require the use of individual health
information. The federal costs of complying with the regulation and the
costs when federal government entities are serving as providers are
included in the regulation's total cost estimate outlined in the impact
analysis. Federal agencies or programs clearly affected by the rule are
those that meet the definition of a covered entity. However, non-
covered agencies or programs that handle medical information, either
under permissible exceptions to the disclosure rules or through an
individual's expressed authorization, will likely incur some costs
complying with provisions of this rule. A sample of federal agencies
encompassed by the

[[Page 82775]]

broad scope of this rule include the: Department of Health and Human
Services, Department of Defense, Department of Veterans Affairs,
Department of State, and the Social Security Administration.
    The greatest cost and administrative burden on the federal
government will fall to agencies and programs that act as covered
entities, by virtue of being either a health plan or provider. Examples
include the Medicare, Medicaid, Children's Health Insurance and Indian
Health Service programs at the Department of Health and Human Services;
the CHAMPVA health program at the Department of Veterans Affairs; and
the TRICARE health program at the Department of Defense. These and
other health insurance or provider programs operated by the federal
government are subject to requirements placed on covered entities under
this rule, including, but not limited to, those outlined in Section D
of the impact analysis. While many of these federal programs already
afford privacy protections for individual health information through
the Privacy Act and standards set by the Departments and implemented
through their contracts with providers, this rule is nonetheless
expected to create additional requirements. Further, we anticipate that
most federal health programs will, to some extent, need to modify their
existing practices to comply fully with this rule. The cost to federal
programs that function as health plans will be generally the same as
those for the private sector.
    A unique cost to the federal government will be in the area of
enforcement. The Office for Civil Rights (OCR), located at the
Department of Health and Human Services, has the primary responsibility
to monitor and audit covered entities. OCR will monitor and audit
covered entities in both the private and government sectors, will
ensure compliance with requirements of this rule, and will investigate
complaints from individuals alleging violations of their privacy
rights. In addition, OCR will be required to recommend penalties and
other remedies as part of their enforcement activities. These
responsibilities represent an expanded role for OCR. Beyond OCR, the
enforcement provisions of this rule may have additional costs to the
federal government through increased litigation, appeals, and inspector
general oversight.
    Examples of other unique costs to the federal government may
include such activities as public health surveillance at the Centers
for Disease Control and Prevention, health research projects at the
Agency for Healthcare Research and Quality, clinical trials at the
National Institutes of Health, and law enforcement investigations and
prosecutions by the Federal Bureau of Investigations. For these and
other activities, federal agencies will incur some costs to ensure that
protected health information is handled and tracked in ways that comply
with the requirements of this title.
    We estimate that federal costs under this rule will be
approximately $196 million in 2003 and $1.8 billion over ten years. The
ten-year federal cost estimate represents about 10.2 percent of the
privacy regulation's total cost. This estimate was derived in two
steps.
    First, we assumed that the proportion of the privacy regulation's
total cost accruing to the federal government in a given year will be
equivalent to the proportion of projected federal costs as a percentage
of national health expenditures for that year. To estimate these
proportions, we used the Health Care Financing Administration's
November 1998 National Health Expenditure projections (the most recent
data available) of federal health expenditures as a percent of national
health expenditures from 2003 through 2008, trended forward to 2012. We
then adjusted these proportions to exclude Medicare and Medicaid
spending, reflecting the fact that the vast majority of participating
Medicare and Medicaid providers will not be able to pass through the
costs of complying with this rule to the federal government because
they are not reimbursed under cost-based payment systems. This
calculation yields a partial federal cost of $166 million in 2003 and
$770 million over ten years.
    Second, we add the Medicare and federal Medicaid costs resulting
from the privacy regulation that HCFA's Office of the Actuary project
can be passed through to the federal government. These costs reflect
the actuaries' assumption regarding how much of the total privacy
regulation cost burden will fall on participating Medicare and Medicaid
providers, based on the November 1998 National Health Expenditure data.
Then the actuaries estimate what percentage of the total Medicare and
federal Medicaid burden could be billed to the programs, assuming that
(1) only 3 percent of Medicare providers and 5 percent of Medicaid
providers are still reimbursed under cost-based payment systems, and
(2) over time, some Medicaid costs will be incorporated into the
state's Medicaid expenditure projections that are used to develop the
federal cost share of Medicaid spending. The results of this actuarial
analysis add another $30 million in 2003 and $1.0 billion over ten
years to the federal cost estimate. Together, these three steps
constitute the total federal cost estimate of $236 million in 2003 and
$2.2 billion over ten years.

Costs to State and Local Governments

    The rule will also have a cost effect on various state and local
agencies that administer programs requiring the use of individually
identifiable health information. State and local agencies or programs
clearly affected by the rule are those that meet the definition of a
covered entity. The costs when government entities are serving as
providers are included in the total cost estimates. However, non-
covered agencies or programs that handle individually identifiable
health information, either under permissible exceptions to the
disclosure rules or through an individual's expressed authorization,
will likely incur some costs complying with provisions of this rule.
Samples of state and local agencies or programs encompassed by the
broad scope of this rule include: Medicaid, State Children's Health
Insurance Programs, county hospitals, state mental health facilities,
state or local nursing facilities, local health clinics, and public
health surveillance activities, among others. We have included state
and local costs in the estimation of total costs in this section.
    The greatest cost and administrative burden on the state and local
government will fall to agencies and programs that act as covered
entities, by virtue of being either a health plan or provider, such as
Medicaid, State Children's Health Insurance Programs, and county
hospitals. These and other health insurance or provider programs
operated by state and local government are subject to requirements
placed on covered entities under this rule, including, but not limited
to, those outlined in this section (Section E) of the impact analysis.
Many of these state and local programs already afford privacy
protections for individually identifiable health information through
the Privacy Act. For example, state governments often become subject to
Privacy Act requirements when they contract with the federal
government. This rule is expected to create additional requirements
beyond those covered by the Privacy Act. Furthermore, we anticipate
that most state and local health programs will, to some extent, need to
modify their existing Privacy Act practices to fully comply with this
rule. The cost to state

[[Page 82776]]

and local programs that function as health plans will be different than
the private sector, much as the federal costs vary from private health
plans.
    A preliminary analysis suggests that state and local government
costs will be on the order of $460 million in 2003 and $2.4 billion
over ten years. We assume that the proportion of the privacy
regulation's total cost accruing to state and local governments in a
given year will be equivalent to the proportion of projected state and
local costs as a percentage of national health expenditures for that
year. To estimate these proportions, we used the Health Care Financing
Administration's November 1998 National Health Expenditure projections
of state and local health expenditures as a percent of national health
expenditures from 2003 through 2008, trended forward to 2012. Based on
this approach, we assume that over the entire 2003 to 2012 period, 13.6
percent, or $2.4 billion, of the privacy regulation's total cost will
accrue to state and local governments. Of the $2.4 billion state and
local government cost, 19 percent will be incurred in the regulation's
first year (2003). In each of the out-years (2004-2012), the average
percent of the total cost incurred will be about nine percent per year.
These state and local government costs are included in the total cost
estimates discussed in the regulatory impact analysis.

F. Benefits

    There are important societal benefits associated with improving
health information privacy. Confidentiality is a key component of trust
between patients and providers, and some studies indicate that a lack
of privacy may deter patients from obtaining preventive care and
treatment.\52\ For these reasons, traditional approaches to estimating
the value of a commodity cannot fully capture the value of personal
privacy. It may be difficult for individuals to assign value to privacy
protection because most individuals view personal privacy as a right.
Therefore, the benefits of the proposed regulation are impossible to
estimate based on the market value of health information alone.
However, it is possible to evaluate some of the benefits that may
accrue to individuals as a result of proposed regulation, and these
benefits, alone, suggest that the regulation is warranted. Added to
these benefits is the intangible value of privacy, the security that
individuals feel when personal information is kept confidential. This
benefit is very real and very significant but there are no reliable
means of measuring dollar value of such benefit.
---------------------------------------------------------------------------

    \52\ Equifax-Harris Consumer Privacy Survey, 1994.
---------------------------------------------------------------------------

    As noted in the comment and response section, a number of
commenters raised legitimate criticisms of the Department's approach to
estimating benefits. The Department considered other approaches,
including attempts to measure benefits in the aggregate rather than the
specific examples set forth in the NPRM. However, we were unable to
identify data or models that would provide credible measures. Privacy
has not been studied empirically from an economic perspective, and
therefore, we concluded that the approach taken in the NPRM is still
the most useful means of illustrating that the benefits of the
regulation are significant in relation to the economic costs.
    Before beginning the discussion of the benefits, it is important to
create a framework for how the costs and benefits may be viewed in
terms of individuals rather than societal aggregates. We have estimated
the value an insured individual would need to place on increased
privacy to make the privacy regulation a net benefit to those who
receive health insurance. Our estimates are derived from data produced
by the 1998 Current Population Survey from the Census Bureau (the most
recent available at the time of the analysis), which show that 220
million persons are covered by either private or public health
insurance. Joining the Census Bureau data with the costs calculated in
Section E, we have estimated the cost of the regulation to be
approximately $6.25 per year (or approximately $0.52 per month) for
each insured individual (including people in government programs). If
we assume that individuals who use the health care system will be
willing to pay more than this per year to improve health information
privacy, the benefits of the proposed regulation will outweigh the
cost.
    This is a conservative estimate of the number of people who will
benefit from the regulation because it assumes that only those
individuals who have health insurance or are in government programs
will use medical services or benefit from the provisions of the
proposed regulation. Currently, there are 42 million Americans who do
not have any form of health care coverage. The estimates do not include
those who pay for medical care directly, without any insurance or
government support. By lowering the number of users in the system, we
have inflated our estimate of the per-person cost of the regulation;
therefore, we assume that our estimate represents the highest possible
cost for an individual.
    An alternative approach to determining how people would have to
value increased privacy for this regulation to be beneficial is to look
at the costs divided by the number of encounters with health care
professionals annually. Data from the Medical Expenditure Panel Survey
(MEPS) produced by the Agency for Healthcare Policy Research (AHCPR)
show approximately 776.3 million health care visits (e.g., office
visits, hospital and nursing home stays, etc.) in the first year
(2003). As with the calculation of average annual cost per insured
patient, we divided the total cost of complying with the regulation by
the total annual number of health care visits. The cost of instituting
requirements of the proposed regulation is $0.19 per health care visit.
If we assume that individuals would be willing to pay more than $0.19
per health care visit to improve health information privacy, the
benefits of the proposed regulation outweigh the cost.
Qualitative Discussion
    A well designed privacy standard can be expected to build
confidence among the public about the confidentiality of their medical
records. The seriousness of public concerns about privacy in general
are shown in the 1994 Equifax-Harris Consumer Privacy Survey, where
``84 percent of Americans are either very or somewhat concerned about
threats to their personal privacy.'' \53\ A 1999 report, ``Promoting
Health and Protecting Privacy'' notes ``* * * many people fear their
personal health information will be used against them: to deny
insurance, employment, and housing, or to expose them to unwanted
judgements and scrutiny.'' \54\ These concerns would be partly allayed
by the privacy standard.
---------------------------------------------------------------------------

    \53\ Consumer Privacy Survey, Harris-Equifax, 1994, p vi.
    \54\ Promoting Health: Protecting Privacy, California Health
Care Foundation and Consumers Union, January 1999, p 12.
---------------------------------------------------------------------------

    Fear of disclosure of treatment is an impediment to health care for
many Americans. In the 1993 Harris-Equifax Health Information Privacy
Survey, seven percent of respondents said they or a member of their
immediate family had chosen not to seek medical services due to fear of
harm to job prospects or other life opportunities. About two percent
reported having chosen not to file an insurance claim because of
concerns of lack of privacy or confidentiality.\55\ Increased
confidence

[[Page 82777]]

on the part of patients that their privacy would be protected would
lead to increased treatment among people who delay or never begin care,
as well as among people who receive treatment but pay directly (to the
extent that the ability to use their insurance benefits will reduce
cost barriers to more complete treatment). It will also change the
dynamic of current payments. Insured patients currently paying out-of-
pocket to protect confidentiality will be more likely to file with
their insurer and to seek all necessary care. The increased utilization
that would result from increased confidence in privacy could be
beneficial under many circumstances. For many medical conditions, early
and comprehensive treatment can lead to lower costs.
---------------------------------------------------------------------------

    \55\ Health Information Survey, Harris-Equifax, 1993, pp 49-50.
---------------------------------------------------------------------------

    The following are four examples of areas where increased confidence
in privacy would have significant benefits. They were chosen both
because they are representative of widespread and serious health
problems, and because they are areas where reliable and relatively
complete data are available for this kind of analysis. The logic of the
analysis, however, applies to any health condition, including
relatively minor conditions. We expect that some individuals might be
concerned with maintaining privacy even if they have no significant
health problems because it is likely that they will develop a medical
condition in the future that they will want to keep private.

Cancer

    The societal burden of disease imposed by cancer is indisputable.
Cancer is the second leading cause of death in the US,\56\ exceeded
only by heart disease. In 2000, it is estimated that 1.22 million new
cancer cases will be diagnosed.\57\ The estimated prevalence of cancer
cases (both new and existing cases) in 1999 was 8.37 million.\58\ In
addition to mortality, incidence, and prevalence rates, the other
primary methods of assessing the burden of disease are cost-of-illness
and quality of life measures.\59\ Cost of illness measures the economic
costs associated with treating the disease (direct costs) and lost
income associated with morbidity and mortality (indirect costs). The
National Institutes of Health estimates that the overall annual cost of
cancer in 1990 was $96.1 billion; $27.5 billion in direct medical costs
and $68.7 billion for lost income due to morbidity and mortality.\60\
Health-related quality of life measures integrate the mortality and
morbidity effects of disease to produce health status scores for an
individual or population. For example, the Quality Adjusted Life Year
(QALY) combines the pain, suffering, and productivity loss caused by
illness into a single measure. The Disability Adjusted Life Year (DALY)
is based on the sum of life years lost to premature mortality and years
that are lived, adjusted for disability.\61\ The analysis below is
based on the cost-of-illness measure for cancer, which is more
developed than the quality of life measure.
---------------------------------------------------------------------------

    \56\ American Cancer Society. http://4a2z.com/cgi/
rfr.cgi?4CANCER-2-http://www.cancer.org/frames.html
    \57\ American Cancer Society. http://www3.cancer.org/cancerinfo/
sitecenter.asp?ctid= 8&scp= 0&scs= 0&scss= 0&scdoc = 40000.
    \58\ Polednak, AP. ``Estimating Prevalence of Cancer in the
United States,'' Cancer 1997; 8-:136-41
    \59\ Martin Brown, ``The Burden of Illness of Cancer: Economic
Cost and Quality of Life.'' Annual Review of Public Health,
2001:22:91-113.
    \60\ Disease-Specific Estimates of Direct and Indirect Costs of
Illness and NIH Support: Fiscal Year 2000 Update. Department of
Health and Human Services, Naitonal Institutes of Health, Office of
the Director, February 2000.
    \61\ DALY scores for 10 cancer sites are presented in Brown,
``The Burden of Illness of Cancer: Economic Cost and Quality of
Life,'' figure 1.
---------------------------------------------------------------------------

    Among the most important elements in the fight against cancer are
screening, early detection and treatment of the disease. However, many
patients are concerned that cancer detection and treatment will make
them vulnerable to discrimination by insurers or employers. These
privacy concerns have been cited as a reason patients do not seek early
treatment for diseases such as cancer. As a result of forgoing early
treatment, cancer patients may ultimately face a more severe illness
and/or premature death.
    Increasing people's confidence in the privacy of their medical
information would encourage more people with cancer to seek cancer
treatment earlier, which would increase cancer survival rates and thus
reduce the lost wages associated with cancer. For example, only 24
percent of ovarian cancers are diagnosed in the early stages. Of these,
approximately 90 percent of patients survive treatment. The survival
rate of women who detect breast cancer early is similarly high; more
than 90 percent of women who detect and treat breast cancer in its
early stages will survive.\62\
---------------------------------------------------------------------------

    \62\ Breast Cancer Information Service. http://trfn.clpgh.org/
bcis/FAQ/facts2.html
---------------------------------------------------------------------------

    We have attempted to estimate the annual savings in foregone wages
that would result from earlier treatment due to enhanced protection of
the privacy of medical records. We do not assume there would be
increased medical costs from earlier treatment because the costs of
earlier and longer cancer treatment are probably offset by the costs of
treating late-stage cancer among people who would otherwise not be
treated until their cases had progressed.
    Although figures on the number of individuals who avoid cancer
treatment due to privacy concerns do not exist, some indirect evidence
is available. A 1993 Harris-Equifax Health Information Privacy Survey
(noted earlier) found that seven percent of respondents reported that
they or a member of their immediate family had chosen not to seek
services for a physical or mental health condition due to fear of harm
to job prospects or other life opportunities. It should be noted that
this survey is somewhat dated and represents only one estimate.
Moreover, given the wording of the question, there are other reasons
aside from privacy concerns that led these individuals to respond
affirmatively. However, for the purposes of this estimate, we assume
that privacy concerns were responsible for the majority of positive
responses.
    Based on the Harris-Equifax survey estimate that seven percent of
people did not seek services for physical or mental health conditions
due to fears about job prospects or other opportunities, we assume that
the proportion of people diagnosed with cancer who did not seek earlier
treatment due to these fears is also seven percent. Applying this seven
percent figure to the estimated number of total cancer cases (8.37
million) gives us an estimate of 586,000 people who did not seek
earlier cancer treatment due to privacy concerns. We estimate annual
lost wages due to cancer morbidity and mortality per cancer patient by
dividing total lost wages ($68.7 billion) by the number of cancer
patients (8.37 million), which rounds to $8,200. We then assume that
cancer patients who seek earlier treatment would achieve a one-third
reduction in cancer mortality and morbidity due to earlier treatment.
The assumption of a one-third reduction in mortality and morbidity is
derived from a study showing a one-third reduction in colorectal cancer
mortality due to colorectal cancer screening.\63\ We could have chosen
a lower or higher treatment success rate. By multiplying 586,000 by
$8,200 by one-third, we calculate that $1.6 billion in lost wages could
be saved each year by encouraging more people to seek early cancer
treatment through enhanced privacy protections. This estimate
illustrates the potential savings

[[Page 82778]]

in lost wages due to cancer that could be achieved with greater privacy
protections.
---------------------------------------------------------------------------

    \63\ Jack S. Mandel, et al., ``Reducing Mortality from
Colorectal Cancer by Screening for Fecal Occult Blood,'' The New
England Journal of Medicine, May 13, 1993, Vol, 328, No. 19.
---------------------------------------------------------------------------

HIV/AIDS

    Early detection is essential for the survival of a person with HIV
(Human Immunodeficiency Virus). Concerns about the confidentiality of
HIV status would likely deter some people from getting tested. For this
reason, each state has passed some sort of legislation regarding
confidentiality of an individual's HIV status. However, HIV status can
be revealed indirectly through disclosure of HAART (Highly Active Anti-
Retroviral Therapy) or similar HIV treatment drug use. In addition,
since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often the only
specially protected condition, ``blacked out'' information on medical
charts could indicate HIV positive status.\64\ Strengthening privacy
protections beyond this disease could increase confidence in privacy
regarding HIV as well. Drug therapy for HIV positive persons has proven
to be a life-extending, cost-effective tool.\65\ A 1998 study showed
that beginning treatment with HAART in the early asymptomatic stage is
more cost-effective than beginning it late. After five years, only 15
percent of patients with early treatment are estimated to develop an
ADE (AIDS-defining event), whereas 29 percent would if treatment began
later. Early treatment with HAART prolongs survival (adjusted for
quality of life) by 6.2 percent. The overall cost of early HAART
treatment is estimated at $23,700 per quality-adjusted year of life
saved.\66\
---------------------------------------------------------------------------

    \64\ Promoting Health: Protecting Privacy, California Health
Care Foundation and Consumers Union, January 1999, p 13
    \65\ For example, Roger Detels, M.D., et al., in ``Effectiveness
of Potent Anti-retroviral Therapy. * * *'' JAMA, 1998; 280:1497-1503
note the impact of therapy on HIV persons with respect to
lengthening the time to development of AIDS, not just delaying death
in persons who already have AIDS.
    \66\ John Hornberger et al., ``Early treatment with highly
active anti-retroviral therapy (HAART) is cost-effective compared to
delayed treatment,'' 12th World AIDS conference, 1998.
---------------------------------------------------------------------------

Other Sexually Transmitted Diseases

    It is difficult to know how many people are avoiding testing for
STDs despite having a sexually transmitted disease. A 1998 study by the
Kaiser Family Foundation found that the incidence of disease was 15.3
million in 1996, though there is great uncertainty due to under-
reporting.\67\ For a potentially embarrassing disease such as an STD,
seeking treatment requires trust in both the provider and the health
care system for confidentiality of such information. Greater trust
should lead to more testing and greater levels of treatment. Earlier
treatment for curable STDs can mean a decrease in morbidity and the
costs associated with complications. These include expensive fertility
problems, fetal blindness, ectopic pregnancies, and other reproductive
complications.\68\ In addition, there could be greater overall savings
if earlier treatment translates into reduced spread of infections.
---------------------------------------------------------------------------

    \67\ Sexually Transmitted Diseases in America, Kaiser Family
Foundation, 1998, p. 12.
    \68\ Standard Medical information; see http://www.mayohealth.org
for examples.
---------------------------------------------------------------------------

Mental Health Treatment

    When individuals have a better understanding of the privacy
practices that we are requiring in this proposed rule, some will be
less reluctant to seek mental health treatment. One way that
individuals will receive this information is through the notice
requirement. Increased use of mental health and services would be
expected to be beneficial to the persons receiving the care, to their
families, and to society at large. The direct benefit to the individual
from treatment would include improved quality of life, reduced
disability associated with mental conditions, reduced mortality rate,
and increased productivity associated with reduced disability and
mortality. The benefit to families would include quality of life
improvements and reduced medical costs for other family members
associated with abusive behavior by the treated individual.
    The potential economic benefits associated with improving privacy
of individually identifiable health information and thus encouraging
some portion of individuals to seek initial mental health treatment or
increase service use are difficult to quantify well. Nevertheless,
using a methodology similar to the one used above to estimate potential
savings in cancer costs, one can lay out a range of possible benefit
levels to illustrate the possibility of cost savings associated with an
expansion of mental health and treatment to individuals who, due to
protections offered by the privacy regulation, might seek treatment
that they otherwise would not have. This can be illustrated by drawing
upon existing data on the economic costs of mental illness and the
treatment effectiveness of interventions.
    The 1998 Substance Abuse and Mental Health Statistics Source Book
from the Substance Abuse and Mental Health Services Administration
(SAMHSA) estimates that the economic cost to society of mental illness
in 1994 was about $204.4 billion. About $91.7 billion was due to the
cost of treatment and medical care and $112.6 billion (1994 dollars)
was due to loss of productivity associated with morbidity and mortality
and other related costs, such as crime.\69\ Evidence suggests that
appropriate treatment of mental health disorders can result in 50-80
percent of individuals experiencing improvements in these types of
conditions. Improvements in patient functioning and reduced hospital
stays could result in hundreds of millions of dollars in cost savings
annually.
---------------------------------------------------------------------------

    \69\ Substance Abuse and Mental Health Services Administration.
http://www.samhsa.gov/oas/srcbk/costs-02htm. Source of data: DP
Rice, Costs of Mental Illness (unpublished data).
---------------------------------------------------------------------------

    Although figures on the number of individuals who avoid mental
health treatment due to privacy concerns do not exist, some indirect
evidence is available. As noted in the cancer discussion, the 1993
Harris-Equifax Health Information Privacy Survey found that 7 percent
of respondents reported that they or a member of their immediate family
had chosen not to seek services for a physical or mental health
condition due to fear of harm to job prospects or other life
opportunities. (See above for limitations to this data).
    We assume that the proportion of people with a mental health
disorder who did not seek treatment due to fears about job prospects or
other opportunities is the same as the proportion in the Harris-Equifax
survey sample who did not seek services for physical or mental health
conditions due to the same fears (7 percent). The 1999 Surgeon
General's Report on Mental Health estimates that 28 percent of the U.S.
adult population has a diagnosable mental and/or substance abuse
disorder and 20 percent of the population has a mental and/or substance
abuse disorder for which they do not receive treatment.\70\ Based on
the Surgeon General's Report, we estimate that 15 percent of the adult
population has a mental disorder for which they do not seek
treatment.\71\ Assuming that 7

[[Page 82779]]

percent of those with mental disorders did not seek treatment due to
privacy concerns, we estimate that 1.05 percent of the adult population
\72\ (15 percent multiplied by 7 percent), or 2.07 million people, did
not seek treatment for mental illness due to privacy fears.
---------------------------------------------------------------------------

    \70\ Department of Health and Human Services, Mental Health: A
Report of the Surgeon General. Rockville, MD: 1999, page 408.
    \71\ According to the Surgeon General's Report, 28 percent of
the adult population have either a mental or addictive disorder,
whether or not they receive services: 19 percent have a mental
disorder alone, 6 percent have a substance abuse disorder alone, and
3 percent have both. Subtracting the 3 percent who have both, about
three-quarters of the population with either a mental or addictive
disorder have a mental disorder and one-quarter have a substance
abuse disorder. We assume that this ratio (three-quarter to one-
quarter) is the same for the adult population with either a mental
or addictive disorder who do not receive services. Thus, we assume
that 15 percent of the population have an untreated mental disorder
(three-quarters of 20 percent) and 5 percent have an untreated
addictive disorder (one-quarter of 20 percent).
    \72\ According to the Population Estimates Program, Population
Division, U.S. Census Bureau, the U.S. population age 20 and older
is 197.1 million on Sept. 1, 2000. This estimate of the adult
population is used throughout this section.
---------------------------------------------------------------------------

    The indirect (non-treatment) economic cost of mental illness per
person with mental illness is $2,590 ($112.6 billion divided by 43.4
million people with mental illness).\73\ The treatment cost of mental
illness per person with mental illness is $2,110 ($91.7 billion divided
by 43.4 million individuals). If we assume that indirect economic costs
saved by encouraging more individuals with mental illness to enter
treatment are offset by the additional treatment costs, the net savings
is about $480 per person.
---------------------------------------------------------------------------

    \73\ The number of adults with mental illness is calculated by
multiplying the U.S. Census Bureau estimate of the U.S. adult
population--197.1 million--by the percent of the adult population
with mental illness--22 percent, according to the Surgeon General's
Report on Mental Health, which says that 19 percent of the
population have a mental disorder alone and three percent have a
mental and substance abuse disorder.
---------------------------------------------------------------------------

    As stated above, appropriate treatment of mental health disorders
can result in 50-80 percent of individuals experiencing improvements in
these types of conditions. Therefore, we multiply the number of
individuals with mental disorders who would seek treatment with greater
privacy protections (2.07 million) by the treatment effectiveness rate
by the net savings per effective treatment ($480). Assuming a 50
percent success rate, this equation yields annual savings of $497
million. Assuming an 80 percent success rate, this yields annual
savings of $795 million.
    Given the existing data on the annual economic costs of mental
illness and the rates of treatment effectiveness for these disorders,
coupled with assumptions regarding the percentage of individuals who
would seek mental health treatment with greater privacy protections,
the potential net economic benefits could range from approximately $497
million to $795 million annually.

V. Final Regulatory Flexibility Analysis

A. Introduction

    Pursuant to the Regulatory Flexibility Act 5 U.S.C. 601 et seq.,
the Department must prepare a regulatory flexibility analysis if the
Secretary certifies that a final rule would have a significant economic
impact on a substantial number of small entities.\74\
---------------------------------------------------------------------------

    \74\ ``Entities'' and ``establishments'' are synonymous in this
analysis.
---------------------------------------------------------------------------

    This analysis addresses four issues: (1) The need for, and
objective of, the rule; (2) a summary of the public comments to the
NPRM and the Department's response; (3) a description and estimate of
the number of small entities affected by the rule; and (4) a
description of the steps the agency has taken to minimize the economic
impact on small entities, consistent with the law and the intent of the
rule. The following sections provide details on each of these issues. A
description of the projected reporting and record keeping requirements
of the rule are included in Section IX, below.

B. Reasons for Promulgating the Rule

    This proposed rule is being promulgated in response to a statutory
mandate to do so under section 264 of Public Law 104-191. Additional
information on the reasons for promulgating the rule can be found in
earlier preamble discussions (see Section I. B. above).
1. Objectives and Legal Basis
    This information can be found in earlier preamble discussions (See
I. C. and IV., above).
2. Relevant Federal Provisions
    This information can be found in earlier preamble discussions (See
I. C., above).

C. Summary of Public Comments

    The Department received only a few comments regarding the Initial
Regulatory Flexibility Analysis (IRFA) contained in the NPRM. A number
of commenters argued that the estimates IRFA were too low or
incomplete. The estimates were incomplete to the extent that a number
of significant policy provisions in the proposal were not estimated
because of too little information at the time. In the final IRFA we
have estimates for these provisions. As for the estimates being too
low, the Department has sought as much information as possible. The
methodology employed for allocating costs to the small business sectors
is explained in the following section.
    Most of the other comments pertaining to the IRFA criticized
specific estimates in the NPRM. Generally, the commenters argued that
certain cost elements were not included in the cost estimates presented
in the NPRM. The Department has expanded our description of our data
and methodology in both the final RIA and this final RFA to try to
clarify the data and assumptions made and the rationale for using them.
    Finally, a number of commenters suggested that small entities be
exempted from coverage from the final rule, or that they be given more
time to comply. As the Department has explained in the Response to
Comment section above, such changes were considered but rejected. Small
entities constitute the vast majority of all entities that are covered;
to exempt them would essentially nullify the purpose of the rule.
Extensions were also considered but rejected. The rule does not take
effect for two years, which is ample time for small entities to learn
about the rule and make the necessary changes to come into compliance.

D. Economic Effects on Small Entities

1. Number and Types of Small Entities Affected
    The Small Business Administration defines small businesses in the
health care sector as those organizations with less than $5 million in
annual revenues. Nonprofit organizations are also considered small
entities;\75\ however, individuals and states are not included in the
definition of a small entity. Similarly, small government jurisdictions
with a population of less than 50,000 are considered small
entities.\76\
---------------------------------------------------------------------------

    \75\ ``Entities'' and ``establishments'' are used synonymously
in this RFA.
    \76\ ``Small governments'' were not included in this analysis
directly; rather we have included the kinds of institutions within
those governments that are likely to incur costs, such as government
hospitals and clinics.
---------------------------------------------------------------------------

    Small business in the health care sector affected by this rule may
include such businesses as: Nonprofit health plans, hospitals, and
skilled nursing facilities (SNFs); small businesses providing health
coverage; small physician practices; pharmacies; laboratories; durable
medical equipment (DME) suppliers; health care clearinghouses; billing
companies; and vendors that supply software applications to health care
entities.
    The U.S. Small Business Administration reports that as of 1997,
there were 562,916 small health care entities \77\ classified within
the SIC

[[Page 82780]]

codes we have identified as being covered establishments (Table A).
---------------------------------------------------------------------------

    \77\ Entities are the physical location where an enterprise
conducts business. An enterprise may conduct business in more than
one establishment.
[GRAPHIC] [TIFF OMITTED] TR28DE00.000

    These small businesses represent 82.6% of all health care
establishments examined.\78\ Small businesses represent a significant
portion of the total number of health care establishments but a small
portion of the revenue stream for all health care establishments. In
1997, the small health care businesses represented generated
approximately $430 billion in annual receipts, or 30.2% of the total
revenue generated by health care establishments (Table B).\79\ The
following sections provide estimates of the number of small health care
establishments that will be required to comply with the rule. Note,
however, that the SBA's published annual receipts of health care
industries differ from the National Health Expenditure data that the
Health Care Financing Administration (HCFA) maintains.

[[Page 82781]]

These data do not provide the specific revenue data required for a RFA;
only the SBA data has the requisite establishment and revenue data for
this analysis.
---------------------------------------------------------------------------

    \78\ Office of Advocacy, U.S. Small Business Administration,
from data provided by the Bureau of the Census, Statistics of U.S.
Businesses, 1997.
    \79\ Op.cit, 1997.
    [GRAPHIC] [TIFF OMITTED] TR28DE00.002


[[Page 82782]]

    The Small Business Administration reports that approximately 74
percent of the 18,000 medical laboratories and dental laboratories in
the U.S. are small entities.\80\ Furthermore, based on SBA data, 55
percent of the 3,300 durable medical equipment suppliers that are not
part of drug and proprietary stores in the U.S. are small entities.
Over 90 percent of health practitioner offices are small
businesses.\81\ Doctor offices (90%), dentist offices (99%), osteopathy
(97%) and other health practitioner offices (97%) are primarily
considered small businesses.
---------------------------------------------------------------------------

    \80\ Office of Advocacy, U.S. Small Business Administration,
from data provided by the Bureau of the Census, Statistics of U.S.
Businesses, 1997.
    \81\ Op.cit., 1997.
---------------------------------------------------------------------------

    There are also a number of hospitals, home health agencies, non-
profit nursing facilities, and skilled nursing facilities that will be
affected by the proposed rule. According to the American Hospital
Association, there are approximately 3,131 nonprofit hospitals
nationwide. Additionally, there are 2,788 nonprofit home health
agencies in the U.S. and the Health Care Financing Administration
reports that there are 591 nonprofit nursing facilities and 4,280
nonprofit skilled nursing facilities.\82\
---------------------------------------------------------------------------

    \82\ Health Care Financing Administration, OSCAR.
---------------------------------------------------------------------------

    Some contractors that are not covered entities but that work with
covered health care entities will be required to adopt policies and
procedures to protect information. We do not expect that the additional
burden placed on contractors will be significant. We have not estimated
the effect of the proposed rule on these entities because we cannot
reasonably anticipate the number or type of contracts affected by the
proposed rule. We also do not know the extent to which contractors
would be required to modify their policy practices as a result of the
rule.
2. Activities and Costs Associated With Compliance
    This section summarizes specific activities that covered entities
must undertake to comply with the rule's provisions and options
considered by the Department that would reduce the burden to small
entities. In developing this rule, the Department considered a variety
of alternatives for minimizing the economic burden that it will create
for small entities. We did not exempt small businesses from the rule
because they represent such a large and critical proportion of the
health care industry (82.6 percent); a significant portion of
individually identifiable health information is generated or held by
these small businesses.
    The guiding principle in our considerations of how to address the
burden on small entities has been to make provisions performance rather
than specification oriented--that is, the rule states the standard to
be achieved but allows institutions flexibility to determine how to
achieve the standard within certain parameters. Moreover, to the extent
possible, we have allowed entities to determine the extent to which
they will address certain issues. This ability to adapt provisions to
minimize burden has been addressed in the regulatory impact analysis
above, but it will be briefly discussed again in the following section.
    Before discussing specific provisions, it is important to note some
of the broader questions that were addressed in formulating this rule.
The Department considered extending the compliance period for small
entities but concluded that it did not have the legal authority to do
so (see discussion above). The rule, pursuant to HIPAA, creates an
extended compliance time of 36 months (rather than 24 months) only for
small health plans and not for other small entities. The Department
also considered giving small entities longer response times for time
limits set forth in the rule, but decided to establish standard time
limits that we believe are reasonable for covered entities of all
sizes, with the understanding that larger entities may not need as much
time as they have been allocated in certain situations. This permits
each covered entity the flexibility to establish policies regarding
time limits that are consistent with the entity's current practices.
    Although we considered the needs of small entities during our
discussions of all provisions for this final rule, we are highlighting
the most significant discussions in the following sections:

Scalability

    Wherever possible, the final rule provides a covered entity with
flexibility to create policies and procedures that are best suited to
the entity's current practices in order to comply with the standards,
implementation specifications, and requirements of the rule. This
allows the covered entity to assess its own needs in devising,
implementing, and maintaining appropriate privacy policies, procedures,
and documentation to address these regulatory requirements. It also
will allow a covered entity to take advantage of developments and
methods for protecting privacy that will evolve over time in a manner
that is best suited to that institution. This approach allows covered
entities to strike a balance between protecting privacy of individually
identifiable health information and the economic cost of doing so
within prescribed boundaries set forth in the rule. Health care
entities must consider both factors when devising their privacy
solutions. The Department assumes that professional and trade
associations will provide guidance to their members in understanding
the rule and providing guidance on how they can best achieve
compliance. This philosophy is similar to the approach in the
Transactions Rule.
    The privacy standard must be implemented by all covered entities,
regardless of size. However, we believe that the flexible approach
under this rule is more efficient and appropriate then a single
approach to safeguarding health information privacy. For example, in a
small physician practice, the office manager might be designated to
serve as the privacy official as one of many of her duties. In a large
health plan, the privacy official position may require more time and
greater privacy experience, or the privacy official may have the
regular support and advice of a privacy staff or board. The entity can
decide how to implement this privacy official requirement based on the
entity's structure and needs.
    The Department decided to use this scaled approach to minimize the
burden on all entities, with an emphasis on small entities. The varying
needs and capacities of entities should be reflected in the policies
and procedures adopted by the organization and the overall approach it
takes to achieve compliance.

Minimum Necessary

    The ``minimum necessary'' policy in the final rule has essentially
three components: first, it does not pertain to certain uses and
disclosures including treatment-related exchange of information among
health care providers; second, for disclosures that are made on a
routine basis, such as insurance claims, a covered entity is required
to have policies and procedures governing such exchanges (but the rule
does not require a case-by-case determination in such cases); and
third, providers must have a process for reviewing non-routine requests
on a case-by-case basis to assure that only the minimum necessary
information is disclosed. The final rule makes changes to the NPRM that
reduce the burden of compliance on small businesses.
    Based on public comments and subsequent fact-finding, the
Department sought to lessen the burden of this

[[Page 82783]]

provision. The NPRM proposed applying the minimum necessary standard to
disclosures to providers for treatment purposes and would have required
individual review of all uses of protected health information. The
final rule exempts disclosures of protected health information from a
covered entity to a health care provider for treatment from the minimum
necessary provision and eliminates the case-by-case determinations that
would have been necessary under the NPRM. The Department has concluded
that the requirements of the final rule are similar to the current
practice of most health care providers. For standard disclosure
requests, for example, providers generally have established procedures.
Under the final rule providers will have to have policies and
procedures to determine the minimum amount of protected health
information to disclose for standard disclosure requests as well, but
may need to review and revise existing procedures to make sure they are
consistent with the final rule. For non-routine disclosures, providers
have indicated that they currently ask questions to discern how much
information should be disclosed. In short, the minimum necessary
requirements of this rule are similar to current practice, particularly
among small providers.

Policy and Procedures

    The rule requires that covered entities develop and document
policies and procedures with respect to protected health information to
establish and maintain compliance with the regulation. Through the
standards, requirements, and implementation specifications, we are
proposing a framework for developing and documenting privacy policies
and procedures rather than adopting a rigid, prescriptive approach to
accommodate entities of different sizes, type of activities, and
business practices. Small providers will be able to develop more
limited policies and procedures under the rule, than will large
providers and health plans, based on the volume of protected health
information. We also expect that provider and health plan associations
will develop model policies and procedures for their members, which
will reduce the burden on small businesses.

Privacy Official

    The rule requires covered entities to designate a privacy official
who will be responsible for the development and implementation of
privacy policies and procedures. The implementation of this requirement
may vary based on the size of the entity. For example, a small
physician's practice might designate the office manager as the privacy
official in addition to her broader administrative responsibilities.
Once the privacy official has been trained, the time required to
accomplish the duties imposed on such person is not likely to be much
more than under current practice. Therefore, the requirement imposes a
minimal burden on small businesses.

Internal Complaints

    The final rule requires covered entities to have an internal
process for individuals to make complaints regarding the covered
entities' privacy policies and procedures required by the rule and its
compliance with such policies. The requirement includes identifying a
contact person or office responsible for receiving complaints and
documenting all complaints received and the disposition of such
complaints, if any. The covered entity only is required to receive and
document a complaint (the complaint can be oral or in writing), which
should take a short amount of time. The Department believes that
complaints about a covered entity's privacy policies and procedures
will be uncommon. Thus, the burden on small businesses should be
minimal.

Training

    In developing the NPRM, the Department considered a number of
alternatives for training, including requiring specific training
materials, training certification, and periodic retraining. In the
NPRM, the Department recommended flexibility in the materials and
training method used, but proposed recertification every three years
and retraining in the event of material changes in policy.
    Based on public comment, particularly from small businesses, the
Department has lessened the burden in the final rule. As in the
proposal, the final rule requires all employees who are likely to have
contact with protected health information to be trained. Covered
entities will have to train employees by the compliance date specific
to the type of covered entity and train new employees within a
reasonable time of initial employment. In addition, a covered entity
will have to train each member of its workforce whose functions are
affected by a material change in the policies or procedures of such
entity. However, the final rule leaves to the employer the decisions
regarding the nature and method of training to achieve this
requirement. The Department expects a wide variety of options to be
made available by associations, professional groups, and vendors.
Methods might include classroom instruction, videos, booklets, or
brochures tailored to particular levels of need of workers and
employers. Moreover, the recertification requirement of the NPRM has
been dropped to ease the burden on small entities.

Consent

    The NPRM proposed prohibiting covered entities from requiring
individuals to provide written consent for the use and disclosure of
protected health information for treatment, payment, and health care
operations purposes. The final rule requires certain health care
providers to obtain written consent before using or disclosing
protected health information for treatment, payment, and health care
operations, with a few exceptions. This requirement was included in the
final rule in response to comments that this reflects current practice
of health care providers health care providers with direct treatment
relationships. Because providers are already obtaining such consent,
this requirement represents a minimal burden.

Notice of Privacy Rights

    The rule requires covered entities to prepare and make available a
notice that informs individuals about uses and disclosures of protected
health information that may be made by the covered entity and that
informs of the individual's rights and covered entity's legal duties
with respect to protected health information. The final rule makes
changes to the NPRM that reduce the burden of this provision on covered
entities and allows flexibility. The NPRM proposed that the notice
describe the uses and disclosures of information that the entity
expected to make without individual authorization. The final rule only
requires that the notice describe uses and disclosures that the entity
is permitted or required to make under the rule without an individual's
written consent or authorization. This change will allow entities to
use standardized notice language within a given state, which will
minimize the burden of each covered entity preparing a notice.
Professional associations may develop model language to assist entities
in developing notices required by the rule. While the final rule
specifies minimum notice requirements, it allows entities flexibility
to add more detail about a covered entity's privacy policies.
    The NPRM also proposed that health plans distribute the notice
every three years. The final rule reduced this

[[Page 82784]]

burden by requiring health plans (in addition to providing notice to
individuals at enrollment and prior to the compliance date of this
rule) to inform individuals at least once every three years about the
availability of the notice and how to obtain a copy rather than to
distribute a copy of the notice.
    In discussing the requirement for covered entities to prepare and
make available a notice, we considered exempting small businesses (83
percent of entities) or extremely small entities (fewer than 10
employees). The Department decided that informing consumers of their
privacy rights and of the activities of covered entities with which
they conduct business was too important a goal of this rule to exempt
any entities.
    In addition to requiring a basic notice, we considered requiring a
longer more detailed notice that would be available to individuals on
request. However, we decided that it would be overly burdensome to all
entities, especially small entities, to require two notice.
    We believe that the proposed rule appropriately balances the
benefits of providing individuals with information about uses and
disclosures of protected health information with covered entities' need
for flexibility in describing such information.

Access to Protected Health Information

    The public comments demonstrate that inspection and copying of
individually identifiable health information is wide-spread today.
Individuals routinely request copies of such information, in whole or
in part, for purposes that include providing health information to
another health care provider or as part of legal proceedings. The
amount of inspection and copying of individually identifiable health
information that occurs for these purposes is not expected to change as
a result of the final regulation.
    The final regulation establishes the right of individuals to
inspect and copy protected health information about them. Although this
is an important right, the Department does not expect it to result in
dramatic increases in requests from individuals. We assume that most
health care providers currently have procedures for allowing patients
to inspect and copy this information. The economic impact on small
businesses of requiring covered entities to provide individuals with
access to protected health information should be relatively small.
Moreover, entities can recoup the costs of copying such information by
charging reasonable cost-based fees.

Amendments to Protected Health Information

    Many health care providers and health plans currently make
provisions to help patients expedite amendments and corrections of
their medical record where appropriate. If an error exists, both the
patient and the health care provider on health plan benefit from the
correction. However, as with inspection and copying, a person's right
to request amendment and correction of individually identifiable health
information about them is not guaranteed by all states. Based on these
assumptions, the Department concludes that the principal economic
effect of the final rule will be to expand the right to request
amendments to protected health information held by health plans and
covered health care providers to those who are currently granted such
right by state law. In addition, the rule may draw additional attention
to the issue of record inaccuracies and stimulate patient demand for
amendment of medical records.
    Under the final regulation, if an individual requests an amendment
to protected health information about him or her, the health care
provider must either accept the amendment or provide the individual
with the opportunity to submit a statement disagreeing with the denial.
We expect the responses to requests will vary; sometimes an assistant
will only make the appropriate notation in the record, requiring only a
few minutes; other times a health care provider or manager will review
the request and make changes if appropriate, which may require as much
as an hour.
    Unlike inspections, which currently occur in a small percentage of
cases, fact-finding suggests that individuals rarely seek to amend
their records today, but the establishment of this right in the rule
may spur more requests, including among those who in the past would
have only sought to inspect their records. Nevertheless, we expect that
the absolute number of additional amendment requests caused by the rule
to be small (about 200,000 per per spread over more than 600,000
entities), which will impose only a minor burden on small businesses.

Accounting for Disclosures

    The rule grants individuals the right to receive an accounting of
disclosures made by a health care provider or plan for purposes other
than treatment, payment, or health care operations, with certain
exceptions such as disclosures to the individual. The individual may
request an accounting of disclosures made up to six years prior to the
request. In order to fulfill such requests, covered health care
providers and health plans may track disclosures by making a notation
in the individual's medical record regarding the (manual or electronic)
when a disclosure is made. We have learned through fact-finding that
some health care providers currently track various types of
disclosures. Moreover, the Department does not expect many individuals
will request an accounting of disclosures. Thus, this requirement will
impose a minor burden on small businesses.

De-Identification of Information

    In this rule, the Department allows covered entities to determine
that health information is de-identified (i.e. that it is not
individually identifiable health information), if certain conditions
are met. Moreover, information that has been de-identified in
accordance with the rule is not considered individually identifiable
information and may be used or disclosed without regard to the
requirements of the regulation. The covered entity may assign a code or
other means of record identification to allow de-identified information
to be re-identified if requirements regarding derivation and security
are met.
    As with other components of this rule, the approach used to remove
identifiers from data can be scaled to the size of the entity.
Individually identifiable health information can be de-identified in
one of two ways; by either removing each of the identifiers listed in
the rule or by engaging in a statistical and scientific analysis to
determine that information is very unlikely to identify an individual.
Small entities without the resources to conduct such an analysis can
create de-identified information by removing the full list of possible
identifiers set forth in this regulation. Unless the covered entity
knows that the information could still identify an individual, the
requirement of this rule would be fulfilled. However, larger, more
sophisticated covered entities may close to determine independently
what information needs to be removed based on sophisticated statistical
and scientific analysis.
    Efforts to remove identifiers from information are optional. If a
covered entity can not use or disclose protected health information for
a particular purpose but believes that removing identifiers is
excessively burdensome, it can choose not to release the protected
health information, or it can seek an authorization from individuals
for the use or disclosure of protected health

[[Page 82785]]

information including some or all of the identifiers.
    Finally, as discussed in the Regulatory Impact Analysis, the
Department believes that very few small entities engage in de-
identification currently. Fewer small entities are expected to engage
in such activity in the future because the increasing trend toward
computerization of large record sets will result in de-identification
being performed by relatively few firms or associations over time. We
expect that a small covered entity will find it more efficient to
contract with specialists in large firms to de-identify protected
health information. Larger entities are more likely to have both the
electronic systems and the volume of records that will make them
attractive for this business.

Monitoring Business Associates

    The final rule requires a covered entity with a business associate
to have a written contract or other arrangement that documents
satisfactory assurance that the business associate will appropriately
safeguard protected health information. The Department expects business
associate contracts to be fairly standardized, except for language that
will have to be tailored to the specific arrangement between the
parties, such as the allowable uses and disclosures of information. The
Department assumes the standard language initially will be developed by
trade and professional associations for their members. Small health
care providers are likely to simply adopt the language or make minor
modifications. The regulation includes a requirement that the covered
entity take steps to correct, and in some cases terminate, a contract,
if necessary, if they know of violations by a business associate. This
oversight requirement is consistent with standard oversight of a
contract. The Department expects that most entities, particularly
smaller ones, will utilize standard language that restricts uses and
disclosures of individually identifiable health information their
contracts with business associates. This will limit the burden on small
businesses.
    The NPRM proposed that covered entities be held accountable for the
uses and disclosures of individually identifiable health information by
their business associates. An entity would have been in violation of
the rule if it knew of a breach in the contract by a business associate
and failed to cure the breach or terminate the contract. The final rule
reduces the extent to which an entity must monitor the actions of its
business associates. The entity no longer has to ``ensure'' that each
business associate complies with the rule's requirements. Entities will
be required to cure a breach or terminate a contract for business
associate actions only if they knew about a contract violation. The
final rule is consistent with the oversight a business would provide
for any contract, and therefore, the changes in the final rule will
impose no new significant cost for small businesses in monitoring their
business associates' behavior.

Employers With Insured Group Health Plans

    Some group health plans will use or maintain individually
identifiable health information, particularly group health plans that
are self-insured. Also, some plan sponsors that perform administrative
functions on behalf of their group health plans may need protected
health information. The final rule permits a group health plan, or a
health insurance issuer or HMO that provides benefits on behalf of the
group health plan, to disclose protected health information to a plan
sponsor who performs administrative functions on its behalf for certain
purposes and if certain requirements are met. The plan documents must
be amended to: describe the permitted uses and disclosures of protected
health information by the plan sponsor; specify that disclosure is
permitted only upon receipt of a certification by the plan sponsor that
the plan documents have been amended and the plan sponsor agrees to
certain restrictions on the use of protected health information; and
provide for adequate firewalls to assure unauthorized personnel do not
have access to individually identifiable health information.
    Some plan sponsors may need information, not to administer the
group health plan, but to amend, modify, or terminate the health plan.
ERISA case law describes such activities as settlor functions. For
example a plan sponsor may want to change its contract from a preferred
provider organization to a health maintenance organization (HMO). In
order to obtain premium information, the health plan sponsor may need
to provide the HMO with aggregate claims information. Under the rule,
the health plan sponsor can obtain summary information with certain
identifiers removed, in order to provide it to the HMO and receive a
premium rate.
    The Department assumes that most health plan sponsors who are small
employers (those with 50 or fewer employees) will elect not to receive
individually identifiable health information because they will have
little, if any, need for such data. Any needs that sponsors of small
group health plans may have for information can be accomplished by
receiving the information in summary form from their health insurance
issuers.
3. The Burden on a Typical Small Business
    The Department expects small entities to face a cost burden as a
result of complying with the proposed regulation. We estimate that the
burden of developing privacy policies and procedures is lower in dollar
terms for small businesses than for large businesses, but we recognize
that the cost of implementing privacy provisions could be a larger
burden to small entities as a proportion of total revenue. Due to these
concerns, we have relied on the principle of scalability throughout the
rule, and have based our cost estimates on the expectation that small
entities will develop less expensive and less complex privacy measures
that comply with the rule than large entities.
    In many cases, we have specifically considered the impact that rule
may have on solo practitioners or rural health care providers. If a
health care provider only maintains paper records and does not engage
in any electronic transactions, the regulation would not apply to such
provider. We assume that those providers will be small health care
providers. For small health care providers that are covered health care
providers, we expect that they will not be required to change their
business practices dramatically, because we based many of the
standards, implementation specifications, and requirements on current
practice and we have taken a flexible approach to allow scalability
based on a covered entity's activities and size. In developing policies
and procedures to comply with the proposed regulation, scalability
allows entities to consider their basic functions and the ways in which
protected health information is used or disclosed. All covered entities
must take appropriate steps to address privacy concerns, and in
determining the scope and extent of their compliance activities,
businesses should weigh the costs and benefits of alternative
approaches and should scale their compliance activities to their
structure, functions, and capabilities within the requirements of the
rule.

Cost Assumptions

    To determine the cost burden to small businesses of complying with
the final rule, we used as a starting point the overall cost of the
regulation determined

[[Page 82786]]

in the regulatory impact analysis (RIA). Then we adopted a methodology
that apportions the costs found in the RIA to small business by using
Census Bureau's Statistics of U.S. Businesses. This Census Bureau
survey contains data on the number and proportion of establishments, by
Standard Industrial Classification Code (SIC code), that have revenues
of less than $5 million, which meets the Small Business
Administration's definition of a small business in the health care
sector. This data permitted us to calculate the proportion of the cost
of each requirement in the rule that is attributable to small
businesses. This methodology used for the regulatory flexibility
analysis (RFA) section is therefore based on the methodology used in
the (RIA), which was discussed earlier.
    The businesses accounted for in the SIC codes contain three groups
of covered entities: non-hospital health care providers, hospitals, and
health plans. Non-hospital health care providers include: drug stores,
offices and clinics of doctors, dentists, osteopaths, and other health
practitioners, nursing and personal care facilities, medical and dental
laboratories, home health care services, miscellaneous health and
allied services, and medical equipment rental and leasing
establishments. Health plans include accident and health insurance and
medical service plans.

Data Adjustments

    Several adjustments were made to the SIC code data to more
accurately determine the cost to small and non-profit businesses. For
health plans (SIC code 6320), we adjusted the SIC data to include self-
insured, self-administered health plans because these health plans are
not included in any SIC code, though they are covered entities under
the rule. Similarly, we have added third-party administrators (TPAs)
into this SIC. Although they are not covered entities, TPAs are likely
to be business associates of covered entities. For purposes of the
regulatory analyses, we have assumed that TPAs would bear many of the
same costs of the health plans to assure compliance for the covered
entity. To make this adjustment, we assumed the self-insured/self
administered health plans and TPAs have the average revenue of the
health plans contained in the SIC code, and then added those assumed
revenues to the SIC code and to the total of all health care
expenditures. Moreover, we needed to account for the cost to non-profit
institutions that might receive more than $5 million in revenue,
because all non-profit institutions are small businesses regardless of
revenue. To make this adjustment for hospitals, nursing homes, and home
health agencies, we used data on the number of non-profit institutions
from industry sources and from data reported to HCFA. With this data,
we assumed the current count of establishments in the SIC codes
includes these non-profit entities and that non-profits have the same
distribution of revenues as all establishments reported in the
applicable SIC codes. The proportions discussed below, which determine
the cost for small business, therefore include these non-profit
establishments in SIC codes 8030, 8060, and 8080.
    The SIC code tables provided in this RFA do not include several
categories of businesses that are included in the total cost to small
businesses. Claims clearinghouses are not included in the table because
claims clearinghouses report their revenues under the SIC 7374
``Computer Processing and Data Preparation,'' and the vast majority of
businesses in this SIC code are involved in non-medical claims data
processing. In addition, claims processing is often just one business-
line of companies that may be involved in multiple forms of data
processing, and therefore, even if the claims processing line of the
business generates less than $5 million in revenue, the company in
total may exceed the SBA definition for a small business (the total
firm revenue, not each line of business, is the standard for
inclusion). Similarly, fully-insured ERISA health plans sponsored by
employers are not identified as a separate category in the SIC code
tables because employers in virtually all SIC codes may sponsor fully-
insured health plans. We have identified the cost for small fully-
insured ERISA health plans by using the Department of Labor definition
of a small ERISA plan, which is a plan with fewer than 100 insured
participants. Using this definition, the initial cost for small fully-
insured ERISA health plans is $7.1 million. Finally, Institutional
Review Boards (IRBs) will not appear in a separate SIC code because
IRBs are not ``businesses''; rather, they are committees of researchers
who work for institutions where medical research is conducted, such as
universities or teaching hospitals. IRB members usually serve as a
professional courtesy or as part of their employment duties and are not
paid separately for their IRB duties. Although IRBs are not
``businesses'' that generate revenues, we have treated them as small
business for illustrative purposes in this RFA to demonstrate the
additional opportunity costs that will be faced by those researchers
who sit on IRBs. Therefore, assuming IRBs are small businesses, the
initial costs are $.089 million and ongoing costs are approximately
$84.2 million over 9 years.

The Cost Model Methodology

    The RIA model employs two basic methodologies to determine the
costs to small businesses that are covered entities. As stated above,
the RFA determines the cost to small businesses by apportioning the
total costs in the RIA using SIC code data. In places where the cost of
a given provision of the final rule is a function of the number of
covered entities, we determined the proportion of entities in each SIC
code that have less than $5 million in revenues (see Table A). We then
multiplied this proportion by the per-entity cost estimate of a given
provision as determined in the RIA. For example, the cost of the
privacy official provision is based on the fact that each covered
entity will need to have a privacy official. Therefore, we multiplied
the total cost of the privacy official, as determined in the RIA, by
the proportion of small businesses in each SIC code to determine the
small business cost. Using hospitals for illustrative purposes, because
small and non-profit hospitals account for 50 percent of all hospitals,
our methodology assigned 50 percent of the cost to small hospitals.
    We used a second, though similar, method when the cost of a given
provision in the RIA did not depend on the number of covered entities.
For example, the requirement to provide notice of the privacy policy is
a direct function of the number of patients in the health care system
because the actual number of notices distributed depends on how many
patients are seen. Therefore, for provisions like the notice
requirement, we used SIC code revenue data in a two-step process.
First, we apportioned the cost of each provision among sectors of the
health care industry by SIC code. For example, because hospital revenue
accounts for 27 percent of all health care revenue, we multiplied the
total cost of each such provision by 27 percent to determine the cost
for the hospital sector in total. Then to determine the cost for small
hospitals specifically, we calculated the proportion by the overall
cost. For example, 45.1 percent of all hospital revenue is generated by
small hospital, therefore, the cost to small hospitals was assumed to
account for 45.1 percent of all hospital costs. Estimates, by nature

[[Page 82787]]

are inexact. However, we feel this is a reasonable way to determine the
small business costs attributable to this regulation given the limited
data from which to work.

Total Costs and Costs Per Establishment for Small Business

    Based on the methodology described above, the total cost of
complying with the final rule in the initial year of 2003 is $1.9
billion. The ongoing costs to small business from 2004 to 2012 is $9.3
billion. Table C presents the initial and ongoing costs to small
business by each SIC code. According to this table, small doctors
offices, small dentists offices and small hospitals will face the
highest cost of complying with the final rule. However, much of the
reason for the higher costs faced by these three groups of small health
care providers is explained by the fact that there are a significant
number of health care providers in these categories.
BILLING CODE 4150-04-P

[[Page 82788]]

[GRAPHIC] [TIFF OMITTED] TR28DE00.003

[[Page 82789]]

    On a per-establishment basis, Table D demonstrates that the average
cost for small business of complying with the proposed rule in the
first year is $4,188 per-establishment. The ongoing costs of privacy
compliance are approximately $2,217 each year thereafter. We estimate
that the average cost of compliance in the first year for each small
non-hospital health care provider is approximately 0.6 percent of per-
establishment revenues. In subsequent years, per-establishment costs
about 0.3 percent of per-establishment revenues. For small hospitals
and health plans, the per-establishment cost of compliance in the first
year is 0.2 percent and 6.3 percent of per-establishment revenues
respectively. For subsequent years, the cost is only 0.1 percent and
2.9 percent of pre-establishment revenues respectively. These costs may
be offset in many firms by the savings realized through requirements of
the Transactions Rule.

[[Page 82790]]

[GRAPHIC] [TIFF OMITTED] TR28DE00.004

[[Page 82791]]

    Table E shows the cost to each SIC code of the major cost items of
the final rule. Listed are the top-five most costly provisions of the
rule (to small business) and then the cost of all other remaining
provisions. The costs of the most expensive five provisions represent
90 percent of the cost of the ongoing costs to small business, while
the remaining provisions only represent 7 percent.

[[Page 82792]]

Table E.--Average Annual Ongoing Cost to Small Business of
Implementing Provisions of the Privacy Regulation, After the First
Year \1\
[GRAPHIC] [TIFF OMITTED] TR28DE00.005

[[Page 82793]]

[GRAPHIC] [TIFF OMITTED] TR28DE00.006

[[Page 82794]]

VI. Unfunded Mandates

    The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires
cost-benefit and other analyses for rules that would cost more than
$100 million in a single year. The rule qualifies as a significant rule
under the statute. The Department has carried out the cost-benefit
analysis in sections D and E of this document, which includes a
discussion of unfunded costs to state and local governments resulting
from this regulation. In developing this regulation, the Department
adopted the least burdensome alternatives, consistent with achieving
the rule's goals.

A. Future Costs

    The Department estimates some of the future costs of the rule in
Section E of the Preliminary Regulatory Impact Analysis of this
document. The estimates made include costs for the ten years after the
effective date. As discussed in section E, state and local government
costs will be in the order of $460 million in 2003 and $2.4 billion
over ten years. Estimates for later years are not practical. The
changes in technology are likely to alter the nature of medical record-
keeping, and the uses of medical data are likely to vary dramatically
over this period. Therefore, any estimates for years beyond 2012 are
not feasible.

B. Particular Regions, Communities, or Industrial Sectors

    The rule applies to the health care industry and would, therefore,
affect that industry disproportionately. Any long-run increase in the
costs of health care services would largely be passed on to the entire
population of consumers. However, as discussed in the administrative
implication regulation, the Transactions Rule is estimated to save the
health care industry nearly $30 billion over essentially the same time
period. This more than offsets the costs of the Privacy Rule; indeed,
as discussed above, the establishment of consistent, national standards
for the protection of medical information is essential to fully realize
the savings from electronic transactions standards and other advances
that may be realized through ``e-health'' over the next decade. Without
strong privacy rules, patients and providers may be very reluctant to
fully participate in electronic and e-health opportunities.

C. National Productivity and Economic Growth

    The rule is not expected to substantially affect productivity or
economic growth. It is possible that productivity and growth in certain
sectors of the health care industry could be slightly lower than
otherwise because of the need to divert research and development
resources to compliance activities. The diversion of resources to
compliance activities would be temporary. Moreover, the Department
anticipates that, because the benefits of privacy are large, both
productivity and economic growth would be higher than in the absence of
the final rule. In section I.A. of this document, the Department
discusses its expectation that this rule will increase communication
among consumers, health plans, and providers and that implementation of
privacy protections will lead more people to seek health care. The
increased health of the population will lead to increased productivity
and economic growth.

D. Full Employment and Job Creation

    Some of the human resources devoted to the delivery of health care
services will be redirected by rule. The rule could lead to some short-
run changes in employment patterns as a result of the structural
changes within the health care industry. The growth of employment (job
creation) for the roles typically associated with health care
profession could also temporarily change but be balanced by an
increased need for those who can assist entities with complying with
this rule. Therefore, while there could be a temporary slowing of
growth in traditional health care professions, that will be offset by a
temporary increase in growth in fields that may assist with compliance
with this rule (e.g. worker training, and management consultants).

E. Exports

    Because the rule does not mandate any changes in products, current
export products will not be required to change in any way.
    The Department consulted with state and local governments, and
Tribal governments. See sections X and XI, below.

VII. Environmental Impact

    The Department has determined under 21 CFR 25.30(k) that this
action is of a type of does not individually or cumulatively have a
significant effect on the human environment. Therefore, neither an
environmental assessment nor an environmental impact statement is
required.

VIII. Collection of Information Requirements

    Under the Paperwork Reduction Act of 1995 PRA), agencies are
required to provide a 30-day notice in the Federal Register and solicit
public comment before a collection of information requirement is
submitted to the Office of Management and Budget (OMB) for review and
approval. In order to fairly evaluate whether an information collection
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires
that we solicit comment on the following issues:
     Whether the information collection is necessary and useful
to carry out the proper functions of the agency;
     The accuracy of the agency's estimate of the information
collection burden;
     The quality, utility, and clarity of the information to be
collected; and
     Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
    Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered. Due to the complexity of this regulation,
and to avoid redundancy of effort, we are referring readers to Section
V (Final Regulatory Impact Analysis) above, to review the detailed cost
assumptions associated with these PRA requirements. We explicitly seek,
and will consider, public comment on our assumptions as they relate to
the PRA requirements summarized in this section.

Section 160.204--Process for Requesting Exception Determinations

    Section 160.204 would require persons requesting to except a
provision of state law from preemption under Sec. 160.203(a) to submit
a written request, that meets the requirements of this section, to the
Secretary to except a provision of state law from preemption under
Sec. 160.203. The burden associated with these requirements is the time
and effort necessary for a state to prepare and submit the written
request for an exception determination to the Secretary for approval.
On an annual basis it is estimated that it will take 40 states 16 hours
each to prepare and submit a request. The total annual burden
associated with this requirement is 640 hours. The Department solicits
public comment on the number of requests and hours for others likely to
submit requests.

Section 160.306--Complaints to the Secretary

    A person who believes that a covered entity is not complying with
the applicable requirements of part 160 or the applicable standards,
requirements,

[[Page 82795]]

and implementation specifications of Subpart E of part 164 of this
subchapter may file a complaint with the Secretary. This requirement is
exempt from the PRA as stipulated under 5 CFR 1320.4(a)(2), an audit/
administrative action exemption.

Section 160.310--Responsibilities of Covered Entities

    A covered entity must keep such records and submit such compliance
reports, in such time and manner and containing such information,
necessary to enable the Secretary to ascertain whether the covered
entity has complied or is complying with the applicable requirements of
part 160 and the applicable standards, requirements, and implementation
specifications of subpart E of part 164. Refer to Sec. 164.530 for
discussion.

Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules

    A covered entity is permitted to disclose protected health
information to an individual, and is required to provide and individual
with access to protected health information, in accordance with the
requirements set forth under Sec. 164.524. Refer to Sec. 164.524 for
discussion.

Section 164.504--Uses and Disclosures--Organizational Requirements

    Except for disclosures of protected health information by a covered
entity that is a health care provider to another health care provider
for treatment purposes, Sec. 164.504 requires a covered entity to
maintain documentation demonstrating that it meets the requirements set
forth in this section and to demonstrate that it has obtained
satisfactory assurance from business associates that meet the
requirements of this part with each of its business associates. The
burden is 5 minutes per entity times an annual average of 764,799
entities for a total burden of 63,733 burden hours.

Section 164.506--Consent for Treatment, Payment, and Health Care
Operations

    Except in certain circumstances, a covered health care provider
that has a direct treatment relationship must obtain an individual's
consent for use or disclosure of protected health information for
treatment, payment, or health care operations. While this requirement
is subject to the PRA, we believe that the burden associated with this
requirement is exempt from the PRA as stipulated under 5 CFR
1320.3(b)(2).

Section 164.508--Uses and Disclosures for Which Individual
Authorization Is Required

    Under this section, a covered entity will need to obtain a written
authorization from an individual, before it uses or discloses protected
health information of the individual if the use or disclosure is not
otherwise permitted or required under the rule without authorization.
The burden associated with these requirements is the time and effort
necessary for a covered entity to obtain written authorization prior to
the disclosure of individually identifiable health information. On an
annual basis, we estimate that it will take 764,799 entities, an annual
average burden per entity of one hour for a total annual burden of
764,799 burden hours.

Section 164.510--Uses and Disclosures Requiring an Opportunity for
the Individual To Agree or To Object

    Section 164.510 allows, but does not require, covered entities to
use or disclose protected health information: (1) for health care
institutions, directories; and (2) to family members, close friends, or
other persons assisting in an individual's care, as well as government
agencies and disaster relief organizations conducting disaster relief
activities. This section of the rule addresses situations in which the
interaction between the covered entity and the individual is relatively
informal, and agreements may be made orally, without written
authorizations for use or disclosure. In general, to disclose protected
health information for these purposes, covered entities must inform
individuals in advance and must provide a meaningful opportunity for
the individual to prevent or restrict the disclosure. In certain
circumstances, such as in an emergency, when this informal discussion
cannot practicably occur, covered entities can make decisions about
disclosure or use, in accordance with the requirements of this section
based on their professional judgment of what is in the patient's best
interest. While these provisions are subject to the PRA, we believe
that the burden associated with this requirement is exempt from the PRA
as stipulated under 5 CFR 1320.3(b)(2).

Section 164.512--Uses and Disclosures for Which Consent, Individual
Authorization, or Opportunity To Agree or Object Is Not Required

    Section 164.1512 includes provisions that allow, but that do not
require, covered entities to disclose protected health information
without individual authorization for a variety of purposes which
represent important national priorities. Pursuant to Sec. 164.512,
covered entities may disclose protected health information for
specified purposes as follows: as required by law; for public health
activities; to public officials regarding victims of abuse, neglect, or
domestic violence; for health oversight; for judicial and
administrative proceedings; for law enforcement; for specified purposes
regarding decedents; for organ donation and transplantation; for
research; to avert an imminent threat to health or safety; for
specialized government functions (such as for intelligence and national
security activities); and to comply with workers' compensation laws.
While these provisions are subject to the PRA, we believe that the
burden associated with this requirement is exempt from the PRA as
stipulated under 5 CFR 1320.3(b)(2).
    For research, if a covered entity wants to use or disclose
protected health information without individual authorization, it must
obtain documentation that a waiver, in whole or in part, of the
individual authorization required by Sec. 164.508 for use or disclosure
of protected health information has been approved by either an
Institutional Review Board (IRB), established in accordance with 7 CFR
1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR
1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107, 32 CFR 219.107,
34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR
690.107, or 49 CFR 11.107; or a privacy board. The burden associated
with these requirements is the time and effort necessary for a covered
entity to maintain documentation demonstrating that they have obtained
IRB or privacy board approval, which meet the requirements of this
section. On an annual basis it is estimated that these requirements
will affect 113,524 IRB reviews. We further estimate that it will take
an average of 5 minutes per review to meet these requirements on an
annual basis. Therefore, the total estimated annual burden associated
with this requirement is 9,460 hours.

Section 164.514--Other Procedural Requirements Relating to Uses and
Disclosures of Protected Health Information

    Prior to any disclosure permitted by this subpart, a covered entity
must verify the identity and authority of persons requesting protected
health information, if the identity or authority of such person is not
known to the

[[Page 82796]]

covered entity, and obtain any documentation, statements, or
representations from the person requesting the protected health
information that is required as a condition of the disclosure. In
addition, a covered entity must retain any signed consent pursuant to
Sec. 164.506 and any signed authorization pursuant to Sec. 164.508 for
documentation purposes as required by Sec. 164.530(j). This requirement
is exempt from the PRA as stipulated under 5 CFR 1320.4(a)(1) and
(1)(2).

Section 164.520--Notice of Privacy Practices for Protected Health
Information

    Except in certain circumstances set forth in this section,
individuals have a right to adequate notice of the uses and disclosures
of protected health information that may be made by the covered entity,
and of the individual's rights and the covered entity's legal duties
with respect to protected health information. To comply with this
requirement a covered entity must provide a notice, written in plain
language, that includes the elements set forth in this section. For
health plans, there will be an average of 160.2 million notices each
year. We assume that the most efficient means of distribution for
health plans will be to send them out annually as part of the materials
they send to current and potential enrollees, even though it is not
required by the regulation. The number of notices per health plan per
year would be about 10,570. We further estimate that it will require
each health plan, on average, only 10 seconds to disseminate each
notice. The total annual burden associated with this requirement is
calculated to be 267,000 hours. Health care providers with direct
treatment relationships would provide a copy of the notice to an
individual at the time of first service delivery to the individual,
make the notice available at the service delivery site for individuals
to request and take with them, whenever the content of the notice is
revised, make the notice available upon request and post the notice, if
required by this section, and post a copy of the notice in a location
where it is reasonable to expect individuals seeking services from the
provider to be able to read the notice. The annual number of notices
disseminated by all providers is 613 million. We further estimate that
it will require each health provider, on average, 10 seconds to
disseminate each notice. This estimate is based upon the assumption
that the required notice will be incorporated into and disseminated
with other patient materials. The total annual burden associated with
this requirement is calculated to be 1 million hours.
    In addition, a covered entity must document compliance with the
notice requirements by retaining copies of the notices issued by the
covered entity. Refer to Sec. 164.530 for discussion.

Section 164.522--Rights To Request Privacy Proteciton for Protected
Health Information

    Given that the burden associated with the following information
collection requirements will differ significantly, by the type and size
of health plan or health care provider, we are explicitly soliciting
comment on the burden associated with the following requirements; as
outlined and required by this section, covered entities must provide
individuals with the opportunity to request restrictions related to the
uses or disclosures of protected health information for treatment,
payment, or health care operations. In addition, covered entities must
accommodate requests for confidential communications in certain
situations.

Section 164.524--Access of Individuals to Protected Health
Information

    As set forth in this section, covered entities must provide
individuals with access to inspect and obtain a copy of protected
health information about them in designated record sets, for so long as
the protected health information is maintained in the designated record
sets. This includes such information in a business associate's
designated record set that is not a duplicate of the information held
by the health care provider or health plan for so long as the
information is maintained. Where the request is denied in whole or in
part, the covered entity must provide the individual with a written
statement of the basis for the denial and a description of how the
individual may complain to the covered entity pursuant to the complaint
procedures established in Sec. 164.530 or to the Secretary pursuant to
the procedures established in Sec. 160.306 of this subpart. In certain
cases, the covered entity must provide the individual the opportunity
to have another health care professional review the denial. Pursuant to
public comment, we estimate that each disclosure will contain 31 pages
and that 150,000 disclosures will be made on an annual basis at three
minutes per disclosure for a total burden of 7,500 hours. Refer to
section V.E. for detailed discussion related to the costs associated
with meeting these requirements.

Section 164.526--Amendment of Protected Health Information

    Given that burden associated with the following information
collection requirements will differ significantly, by the type and size
of health plan or health care provider, we are explicitly soliciting
comment on the burden associated with the following requirements:
Individuals have the right to request amendment of protected health
information about them in designated record sets created by a covered
entity. Where the request is denied, a covered entity must provide the
individual with a written statement of the basis for the denial and an
explanation of how the individual may pursue the matter, including how
to file a complaint with the Secretary pursuant to Sec. 160.306 of this
subpart. As appropriate, a covered entity must identify the protected
health information in the designated record set that is the subject of
the disputed amendment and append or otherwise link the individual's
request for an amendment, the covered entity's denial of the request,
the individual's statement of disagreement, if any, and the covered
entity's rebuttal, if any, to the designated record set.

Section 164.528--Accounting for Disclosures of Protected Health
Information

    Based upon public comment it is assumed that it will take 5 minutes
per request times 1,081,000 requests for an annual burden of 90,083
hours. An individual may request that a covered entity provide an
accounting for disclosure for a period of time less than six years from
the date of the individual's request, as outlined in this section.

Section 164.530--Administrative Requirements

    A covered entity must maintain such policies and procedures in
written or electronic form where policies or procedures with respect to
protected health information are required by this subpart. Where a
communication is required by this subpart to be in writing, a covered
entity must maintain such writing, or an electronic copy, as
documentation; and where an action or activity is required by this
subpart to be documented, it must maintain a written or electronic
record of such action or activity. While these requirements are subject
to the PRA, we believe the burden associated with these requirements is
exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

[[Page 82797]]

    We have submitted a copy of this rule to OMB for its review of the
information collection requirements in Secs. 160.204, 160.306, 160.310,
164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514, 164.520,
164.522, 164.524, 164.526, 164.528, and Sec. 164.530. These
requirements are not effective until they have been approved by OMB. If
you comment on any of these information collection and record keeping
requirements, please mail copies directly to the following: Health Care
Financing Administration, Office of Information Services, Division of
HCFA Enterprise Standards, Room N2-14-26, 7500 Security Boulevard,
Baltimore, MD 21244-1850. ATTN: John Burke and to the Office of
Information and Regulatory Affairs, Office of Management and Budget,
Room 10235, New Executive Office Building, Washington, DC 20503. ATTN:
Allison Herron Eydt, HCFA Desk Officer.

IX. Executive Order 13132: Federalism

    The Department has examined the effects of provisions in the final
privacy regulation on the relationship between the federal government
and the states, as required by Executive Order 13132 on ``Federalism.''
Our conclusion is that the final rule does have federalism implications
because the rule has substantial direct effects on states, on the
relationship between the national government and states, and on the
distribution of power and responsibilities among the various levels of
government. The federalism implications of the rule, however, flow
from, and are consistent with the underlying statute. The statute
allows us to preempt state or local rules that provide less stringent
privacy protection requirements than federal law is consistent with
this Executive Order. Overall, the final rule attempts to balance both
the autonomy of the states with the necessity to create a federal
benchmark to preserve the privacy of personally identifiable health
information.
    It is recognized that the states generally have laws that relate to
the privacy of individually identifiable health information. The HIPAA
statue dictates the relationship between state law and this final rule.
Except for laws that are specifically exempted by the HIPAA statute,
state laws continue to be enforceable, unless they are contrary to Part
C of Title XI of the standards, requirements, or implementation
specifications adopted or pursuant to subpart x. However, under section
264(c)(2), not all contrary provisions of state privacy laws are
preempted; rather, the law provides that contrary provisions of state
law relating to the privacy of individually identifiable health
information that are also ``more stringent'' than the federal
regulatory requirements or implementation specifications will continue
to be enforceable.
    Section 3(b) of Executive Order 13132 recognizes that national
action limiting the policymaking discretion of states will be imposed
``* * * only where there is constitutional and statutory authority for
the action and the national activity is appropriate in light of the
presence of a problem of national significance.'' Personal privacy
issues are widely identified as a national concern by virtue of the
scope of interstate health commerce. HIPAA's provisions reflect this
position. HIPAA attempts to facilitate the electronic exchange of
financial and administrative health plan transactions while recognizing
challenges that local, national, and international information sharing
raise to confidentiality and privacy of health information.
    Section 3(d)(2) of the Executive Order 13132 requires the federal
government defer to the states to establish standards where possible.
HIPAA requires the Department to establish standards, and we have done
so accordingly. This approach is a key component of the final Privacy
Rule, and it adheres to section 4(a) of Executive Order 13132, which
expressly contemplates preemption when there is a conflict between
exercising state and federal authority under federal statute. Section
262 of HIPAA enacted Section 1178 of the Social Security Act,
developing a ``general rule'' that state laws or provisions that are
contrary to the provisions or requirements of Part C of Title XI, or
the standards or implementation specifications adopted, or established
thereunder are preempted. Several exceptions to this rule exist, each
of which is designed to maintain a high degree of state autonomy.
    Moreover, section 4(b) of the Executive Order authorizes preemption
of state law in the federal rule making context when there is ``the
exercise of state authority is directly conflicts with the exercise of
federal authority under federal statute * * *.'' Section 1178 (a)(2)(B)
of HIPAA specifically preempts state laws related to the privacy of
individually identifiable health information unless the state law is
more stringent. Thus, we have interpreted state and local laws and
regulations that would impose less stringent requirements for
protection of individually identifiable health information as
undermining the agency's goal of ensuring that all patients who receive
medical services are assured a minimum level of personal privacy.
Particularly where the absence of privacy protection undermines an
individual's access to health care services, both the personal and
public interest is served by establishing federal rules.
    The final rule would establish national minimum standards with
respect to the collection, maintenance, access, use, and disclosure of
individually identifiable health information. The federal law will
preempt state law only where state and federal laws are
``contradictory'' and the federal regulation is judged to establish
``more stringent'' privacy protections than state laws.
    As required by the previous Executive Order (E.O. 13132), states
and local governments were given, through the notice of proposed rule
making, an opportunity to participate in the proceedings to preempt
state and local laws (section 4(e)). The Secretary also provided a
review of preemption issues upon requests from states. In addition,
anticipating the promulgation of the Executive Order, appropriate
officials and organizations were consulted before this proposed action
is implemented (Section 3(a) of Executive Order 13132).
    The same section also includes some qualitative discussion of costs
that would occur beyond that time period. Most of the costs of proposed
rule, however, would occur in the years immediately after the
publication of a final rule. Future costs beyond the ten year period
will continue but will not be as great as the initial compliance costs.
    Finally, we have considered the cost burden that this proposed rule
would impose on state and local health care programs, such as Medicaid,
county hospitals, and other state health benefits programs. As
discussed in Section E of the Regulatory Impact Analysis of this
document, we estimate state and local government costs will be in the
order of $460 million in 2003 and $2.4 billion over ten years.
    The agency concludes that the policy in this final document has
been assessed in light of the principles, criteria, and requirements in
Executive Order 13132; that this policy is not inconsistent with that
Order; that this policy will not impose significant additional costs
and burdens on the states; and that this policy will not affect the
ability of the states to discharge traditional state governmental
functions.
    During our consultation with the states, representatives from
various state agencies and offices expressed concern that the final
regulation would preempt

[[Page 82798]]

all state privacy laws. As explained in this section, the regulation
would only preempt state laws where there is a direct conflict between
state laws and the regulation, and where the regulation provides more
stringent privacy protection than state law. We discussed this issue
during our consultation with state representatives, who generally
accepted our approach to the preemption issue. During the consultation,
we requested further information from the states about whether they
currently have laws requiring that providers have a ``duty to warn''
family members or third parties about a patient's condition other than
in emergency circumstances. Since the consultation, we have not
received additional comments or questions from the states.

X. Executive Order 13086; Consultation and Coordination With Indian
Tribal Governments

    In drafting the proposed rule, the Department consulted with
representatives of the National Congress of American Indians and the
National Indian Health Board, as well as with a representative of the
self-governance Tribes. During the consultation, we discussed issues
regarding the application of Title II of HIPAA to the Tribes, and
potential variations based on the relationship of each Tribe with the
IHS for the purpose of providing health services. Participants raised
questions about the status of Tribal laws regarding the privacy of
health information.

List of Subjects

45 CFR Part 160

    Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.

45 CFR Part 164

    Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.

    Note: to reader: This final rule is one of several proposed and
final rules that are being published to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996. 45 CFR subchapter C consisting of Parts
160 and 162 was added at 65 FR 50365, Aug. 17, 2000. Part 160
consists of general provisions, Part 162 consists of the various
administrative simplification regulations relating to transactions
and identifiers, and new Part 164 consists of the regulations
implementing the security and privacy requirements of the
legislation.

    Dated: December 19, 2000.
Donna Shalala,
Secretary,

    For the reasons set forth in the preamble, 45 CFR Subtitle A,
Subchapter C, is amended as follows:
    1. Part 160 is revised to read as follows:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

Subpart A--General Provisions
160.101   Statutory basis and purpose.
160.102   Applicability.
160.103   Definitions.
160.104   Modifications.
Subpart B--Preemption of State Law
160.201   Applicability.
160.202   Definitions.
160.203   General rule and exceptions.
160.204   Process for requesting exception determinations.
160.205   Duration of effectiveness of exception determinations.
Subpart C--Compliance and Enforcement
160.300   Applicability.
160.302   Definitions.
160.304   Principles for achieving compliance.
160.306   Complaints to the Secretary.
160.308   Compliance reviews.
160.310   Responsibilities of covered entities.
160.312   Secretarial action regarding complaints and compliance
reviews.

    Authority: Sec. 1171 through 1179 of the Social Security Act,
(42 U.S.C. 1320d-1329d-8) as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C.
1320d-2(note)).

Subpart A--General Provisions

Sec. 160.101  Statutory basis and purpose.

    The requirements of this subchapter implement sections 1171 through
1179 of the Social Security Act (the Act), as added by section 262 of
Public Law 104-191, and section 264 of Public Law 104-191.

Sec. 160.102  Applicability.

    (a) Except as otherwise provided, the standards, requirements, and
implementation specifications adopted under this subchapter apply to
the following entities:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information in
electronic form in connection with a transaction covered by this
subchapter.
    (b) To the extent required under section 201(a)(5) of the Health
Insurance Portability Act of 1996, (Pub. L. 104-191), nothing in this
subchapter shall be construed to diminish the authority of any
Inspector General, including such authority as provided in the
Inspector General Act of 1978, as amended (5 U.S.C. App.).

Sec. 160.103  Definitions.

    Except as otherwise provided, the following definitions apply to
this subchapter:
    Act means the Social Security Act.
    ANSI stands for the American National Standards Institute.
    Business associate: (1) Except as provided in paragraph (2) of this
definition, business associate means, with respect to a covered entity,
a person who:
    (i) On behalf of such covered entity or of an organized health care
arrangement (as defined in Sec. 164.501 of this subchapter) in which
the covered entity participates, but other than in the capacity of a
member of the workforce of such covered entity or arrangement,
performs, or assists in the performance of:
    (A) A function or activity involving the use or disclosure of
individually identifiable health information, including claims
processing or administration, data analysis, processing or
administration, utilization review, quality assurance, billing, benefit
management, practice management, and repricing; or
    (B) Any other function or activity regulated by this subchapter; or
    (ii) Provides, other than in the capacity of a member of the
workforce of such covered entity, legal, actuarial, accounting,
consulting, data aggregation (as defined in Sec. 164.501 of this
subchapter), management, administrative, accreditation, or financial
services to or for such covered entity, or to or for an organized
health care arrangement in which the covered entity participates, where
the provision of the service involves the disclosure of individually
identifiable health information from such covered entity or
arrangement, or from another business associate of such covered entity
or arrangement, to the person.
    (2) A covered entity participating in an organized health care
arrangement that performs a function or activity as described by
paragraph (1)(i) of this definition for or on behalf of such organized
health care arrangement, or that provides a service as described in
paragraph (1)(ii) of this definition to or for such organized health
care arrangement, does not, simply through the performance of such
function or activity or the provision of such service,

[[Page 82799]]

become a business associate of other covered entities participating in
such organized health care arrangement.
    (3) A covered entity may be a business associate of another covered
entity.
    Compliance date means the date by which a covered entity must
comply with a standard, implementation specification, requirement, or
modification adopted under this subchapter.
    Covered entity means:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information in
electronic form in connection with a transaction covered by this
subchapter.
    Group health plan (also see definition of health plan in this
section) means an employee welfare benefit plan (as defined in section
3(1) of the Employee Retirement Income and Security Act of 1974
(ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans,
to the extent that the plan provides medical care (as defined in
section 2791(a)(2) of the Public Health Service Act (PHS Act), 42
U.S.C. 300gg-91(a)(2)), including items and services paid for as
medical care, to employees or their dependents directly or through
insurance, reimbursement, or otherwise, that:
    (1) Has 50 or more participants (as defined in section 3(7) of
ERISA, 29 U.S.C. 1002(7)); or
    (2) Is administered by an entity other than the employer that
established and maintains the plan.
    HCFA stands for Health Care Financing Administration within the
Department of Health and Human Services.
    HHS stands for the Department of Health and Human Services.
    Health care means care, services, or supplies related to the health
of an individual. Health care includes, but is not limited to, the
following:
    (1) Preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, and counseling, service, assessment,
or procedure with respect to the physical or mental condition, or
functional status, of an individual or that affects the structure or
function of the body; and
    (2) Sale or dispensing of a drug, device, equipment, or other item
in accordance with a prescription.
    Health care clearinghouse means a public or private entity,
including a billing service, repricing company, community health
management information system or community health information system,
and ``value-added'' networks and switches, that does either of the
following functions:
    (1) Processes or facilitates the processing of health information
received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard
transaction.
    (2) Receives a standard transaction from another entity and
processes or facilitates the processing of health information into
nonstandard format or nonstandard data content for the receiving
entity.
    Health care provider means a provider of services (as defined in
section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical
or health services (as defined in section 1861(s) of the Act, 42 U.S.C.
1395x(s)), and any other person or organization who furnishes, bills,
or is paid for health care in the normal course of business.
    Health information means any information, whether oral or recorded
in any form or medium, that:
    (1) Is created or received by a health care provider, health plan,
public health authority, employer, life insurer, school or university,
or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual.
    Health insurance issuer (as defined in section 2791(b)(2) of the
PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health
plan in this section) means an insurance company, insurance service, or
insurance organization (including an HMO) that is licensed to engage in
the business of insurance in a State and is subject to State law that
regulates insurance. Such term does not include a group health plan.
    Health maintenance organization (HMO) (as defined in section
2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the
definition of health plan in this section) means a federally qualified
HMO, an organization recognized as an HMO under State law, or a similar
organization regulated for solvency under State law in the same manner
and to the same extent as such an HMO.
    Health plan means an individual or group plan that provides, or
pays the cost of, medical care (as defined in section 2791(a)(2) of the
PHS Act, 42 U.S.C. 300gg-91(a)(2)).
    (1) Health plan includes the following, singly or in combination:
    (i) A group health plan, as defined in this section.
    (ii) A health insurance issuer, as defined in this section.
    (iii) An HMO, as defined in this section.
    (iv) Part A or Part B of the Medicare program under title XVIII of
the Act.
    (v) The Medicaid program under title XIX of the Act, 42 U.S.C.
1396, et seq.
    (vi) An issuer of a Medicare supplemental policy (as defined in
section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
    (vii) An issuer of a long-term care policy, excluding a nursing
home fixed-indemnity policy.
    (viii) An employee welfare benefit plan or any other arrangement
that is established or maintained for the purpose of offering or
providing health benefits to the employees of two or more employers.
    (ix) The health care program for active military personnel under
title 10 of the United States Code.
    (x) The veterans health care program under 38 U.S.C. chapter 17.
    (xi) The Civilian Health and Medical Program of the Uniformed
Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).
    (xii) The Indian Health Service program under the Indian Health
Care Improvement Act, 25 U.S.C. 1601, et seq.
    (xiii) The Federal Employees Health Benefits Program under 5 U.S.C.
8902, et seq.
    (xiv) An approved State child health plan under title XXI of the
Act, providing benefits for child health assistance that meet the
requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
    (xv) The Medicare+Choice program under Part C of title XVIII of the
Act, 42 U.S.C. 1395w-21 through 1395w-28.
    (xvi) A high risk pool that is a mechanism established under State
law to provide health insurance coverage or comparable coverage to
eligible individuals.
    (xvii) Any other individual or group plan, or combination of
individual or group plans, that provides or pays for the cost of
medical care (as defined in section 2791(a)(2) of the PHS Act, 42
U.S.C. 300gg-91(a)(2)).
    (2) Health plan excludes:
    (i) Any policy, plan, or program to the extent that it provides, or
pays for the cost of, excepted benefits that are listed in section
2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
    (ii) A government-funded program (other than one listed in
paragraph (1)(i)-(xvi) of this definition):
    (A) Whose principal purpose is other than providing, or paying the
cost of, health care; or

[[Page 82800]]

    (B) Whose principal activity is:
    (1) The direct provision of health care to persons; or
    (2) The making of grants to fund the direct provision of health
care to persons.
    Implementation specification means specific requirements or
instructions for implementing a standard.
    Modify or modification refers to a change adopted by the Secretary,
through regulation, to a standard or an implementation specification.
    Secretary means the Secretary of Health and Human Services or any
other officer or employee of HHS to whom the authority involved has
been delegated.
    Small health plan means a health plan with annual receipts of $5
million or less.
    Standard means a rule, condition, or requirement:
    (1) Describing the following information for products, systems,
services or practices:
    (i) Classification of components.
    (ii) Specification of materials, performance, or operations; or
    (iii) Delineation of procedures; or
    (2) With respect to the privacy of individually identifiable health
information.
    Standard setting organization (SSO) means an organization
accredited by the American National Standards Institute that develops
and maintains standards for information transactions or data elements,
or any other standard that is necessary for, or will facilitate the
implementation of, this part.
    State refers to one of the following:
    (1) For a health plan established or regulated by Federal law,
State has the meaning set forth in the applicable section of the United
States Code for such health plan.
    (2) For all other purposes, State means any of the several States,
the District of Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, and Guam.
    Trading partner agreement means an agreement related to the
exchange of information in electronic transactions, whether the
agreement is distinct or part of a larger agreement, between each party
to the agreement. (For example, a trading partner agreement may
specify, among other things, the duties and responsibilities of each
party to the agreement in conducting a standard transaction.)
    Transaction means the transmission of information between two
parties to carry out financial or administrative activities related to
health care. It includes the following types of information
transmissions:

(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.

    Workforce means employees, volunteers, trainees, and other persons
whose conduct, in the performance of work for a covered entity, is
under the direct control of such entity, whether or not they are paid
by the covered entity.

Sec. 160.104  Modifications.

    (a) Except as provided in paragraph (b) of this section, the
Secretary may adopt a modification to a standard or implementation
specification adopted under this subchapter no more frequently than
once every 12 months.
    (b) The Secretary may adopt a modification at any time during the
first year after the standard or implementation specification is
initially adopted, if the Secretary determines that the modification is
necessary to permit compliance with the standard or implementation
specification.
    (c) The Secretary will establish the compliance date for any
standard or implementation specification modified under this section.
    (1) The compliance date for a modification is no earlier than 180
days after the effective date of the final rule in which the Secretary
adopts the modification.
    (2) The Secretary may consider the extent of the modification and
the time needed to comply with the modification in determining the
compliance date for the modification.
    (3) The Secretary may extend the compliance date for small health
plans, as the Secretary determines is appropriate.

Subpart B--Preemption of State Law

Sec. 160.201  Applicability.

    The provisions of this subpart implement section 1178 of the Act,
as added by section 262 of Public Law 104-191.

Sec. 160.202  Definitions.

    For purposes of this subpart, the following terms have the
following meanings:
    Contrary, when used to compare a provision of State law to a
standard, requirement, or implementation specification adopted under
this subchapter, means:
    (1) A covered entity would find it impossible to comply with both
the State and federal requirements; or
    (2) The provision of State law stands as an obstacle to the
accomplishment and execution of the full purposes and objectives of
part C of title XI of the Act or section 264 of Pub. L. 104-191, as
applicable.
    More stringent means, in the context of a comparison of a provision
of State law and a standard, requirement, or implementation
specification adopted under subpart E of part 164 of this subchapter, a
State law that meets one or more of the following criteria:
    (1) With respect to a use or disclosure, the law prohibits or
restricts a use or disclosure in circumstances under which such use or
disclosure otherwise would be permitted under this subchapter, except
if the disclosure is:
    (i) Required by the Secretary in connection with determining
whether a covered entity is in compliance with this subchapter; or
    (ii) To the individual who is the subject of the individually
identifiable health information.
    (2) With respect to the rights of an individual who is the subject
of the individually identifiable health information of access to or
amendment of individually identifiable health information, permits
greater rights of access or amendment, as applicable; provided that,
nothing in this subchapter may be construed to preempt any State law to
the extent that it authorizes or prohibits disclosure of protected
health information about a minor to a parent, guardian, or person
acting in loco parentis of such minor.
    (3) With respect to information to be provided to an individual who
is the subject of the individually identifiable health information
about a use, a disclosure, rights, and remedies, provides the greater
amount of information.
    (4) With respect to the form or substance of an authorization or
consent for use or disclosure of individually identifiable health
information, provides requirements that narrow the scope or duration,
increase the privacy protections afforded (such as by expanding the
criteria for), or reduce the coercive effect of the circumstances
surrounding the authorization or consent, as applicable.
    (5) With respect to recordkeeping or requirements relating to
accounting of disclosures, provides for the retention or reporting of
more detailed information or for a longer duration.

[[Page 82801]]

    (6) With respect to any other matter, provides greater privacy
protection for the individual who is the subject of the individually
identifiable health information.
    Relates to the privacy of individually identifiable health
information means, with respect to a State law, that the State law has
the specific purpose of protecting the privacy of health information or
affects the privacy of health information in a direct, clear, and
substantial way.
    State law means a constitution, statute, regulation, rule, common
law, or other State action having the force and effect of law.

Sec. 160.203  General rule and exceptions.

    A standard, requirement, or implementation specification adopted
under this subchapter that is contrary to a provision of State law
preempts the provision of State law. This general rule applies, except
if one or more of the following conditions is met:
    (a) A determination is made by the Secretary under Sec. 160.204
that the provision of State law:
    (1) Is necessary:
    (i) To prevent fraud and abuse related to the provision of or
payment for health care;
    (ii) To ensure appropriate State regulation of insurance and health
plans to the extent expressly authorized by statute or regulation;
    (iii) For State reporting on health care delivery or costs; or
    (iv) For purposes of serving a compelling need related to public
health, safety, or welfare, and, if a standard, requirement, or
implementation specification under part 164 of this subchapter is at
issue, if the Secretary determines that the intrusion into privacy is
warranted when balanced against the need to be served; or
    (2) Has as its principal purpose the regulation of the manufacture,
registration, distribution, dispensing, or other control of any
controlled substances (as defined in 21 U.S.C. 802), or that is deemed
a controlled substance by State law.
    (b) The provision of State law relates to the privacy of health
information and is more stringent than a standard, requirement, or
implementation specification adopted under subpart E of part 164 of
this subchapter.
    (c) The provision of State law, including State procedures
established under such law, as applicable, provides for the reporting
of disease or injury, child abuse, birth, or death, or for the conduct
of public health surveillance, investigation, or intervention.
    (d) The provision of State law requires a health plan to report, or
to provide access to, information for the purpose of management audits,
financial audits, program monitoring and evaluation, or the licensure
or certification of facilities or individuals.

Sec. 160.204  Process for requesting exception determinations.

    (a) A request to except a provision of State law from preemption
under Sec. 160.203(a) may be submitted to the Secretary. A request by a
State must be submitted through its chief elected official, or his or
her designee. The request must be in writing and include the following
information:
    (1) The State law for which the exception is requested;
    (2) The particular standard, requirement, or implementation
specification for which the exception is requested;
    (3) The part of the standard or other provision that will not be
implemented based on the exception or the additional data to be
collected based on the exception, as appropriate;
    (4) How health care providers, health plans, and other entities
would be affected by the exception;
    (5) The reasons why the State law should not be preempted by the
federal standard, requirement, or implementation specification,
including how the State law meets one or more of the criteria at
Sec. 160.203(a); and
    (6) Any other information the Secretary may request in order to
make the determination.
    (b) Requests for exception under this section must be submitted to
the Secretary at an address that will be published in the Federal
Register. Until the Secretary's determination is made, the standard,
requirement, or implementation specification under this subchapter
remains in effect.
    (c) The Secretary's determination under this section will be made
on the basis of the extent to which the information provided and other
factors demonstrate that one or more of the criteria at Sec. 160.203(a)
has been met.

Sec. 160.205  Duration of effectiveness of exception determinations.

    An exception granted under this subpart remains in effect until:
    (a) Either the State law or the federal standard, requirement, or
implementation specification that provided the basis for the exception
is materially changed such that the ground for the exception no longer
exists; or
    (b) The Secretary revokes the exception, based on a determination
that the ground supporting the need for the exception no longer exists.

Subpart C--Compliance and Enforcement

Sec. 160.300  Applicability.

    This subpart applies to actions by the Secretary, covered entities,
and others with respect to ascertaining the compliance by covered
entities with and the enforcement of the applicable requirements of
this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this
subchapter.

Sec. 160.302  Definitions.

    As used in this subpart, terms defined in Sec. 164.501 of this
subchapter have the same meanings given to them in that section.

Sec. 160.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable,
seek the cooperation of covered entities in obtaining compliance with
the applicable requirements of this part 160 and the applicable
standards, requirements, and implementation specifications of subpart E
of part 164 of this subchapter.
    (b) Assistance. The Secretary may provide technical assistance to
covered entities to help them comply voluntarily with the applicable
requirements of this part 160 or the applicable standards,
requirements, and implementation specifications of subpart E of part
164 of this subchapter.

Sec. 160.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes a covered
entity is not complying with the applicable requirements of this part
160 or the applicable standards, requirements, and implementation
specifications of subpart E of part 164 of this subchapter may file a
complaint with the Secretary.
    (b) Requirements for filing complaints. Complaints under this
section must meet the following requirements:
    (1) A complaint must be filed in writing, either on paper or
electronically.
    (2) A complaint must name the entity that is the subject of the
complaint and describe the acts or omissions believed to be in
violation of the applicable requirements of this part 160 or the
applicable standards, requirements, and implementation specifications
of subpart E of part 164 of this subchapter.
    (3) A complaint must be filed within 180 days of when the
complainant knew or should have known that the act or omission
complained of occurred, unless this time limit is waived by the
Secretary for good cause shown.

[[Page 82802]]

    (4) The Secretary may prescribe additional procedures for the
filing of complaints, as well as the place and manner of filing, by
notice in the Federal Register.
    (c) Investigation. The Secretary may investigate complaints filed
under this section. Such investigation may include a review of the
pertinent policies, procedures, or practices of the covered entity and
of the circumstances regarding any alleged acts or omissions concerning
compliance.

Sec. 160.308  Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether
covered entities are complying with the applicable requirements of this
part 160 and the applicable standards, requirements, and implementation
specifications of subpart E of part 164 of this subchapter.

Sec. 160.310  Responsibilities of covered entities.

    (a) Provide records and compliance reports. A covered entity must
keep such records and submit such compliance reports, in such time and
manner and containing such information, as the Secretary may determine
to be necessary to enable the Secretary to ascertain whether the
covered entity has complied or is complying with the applicable
requirements of this part 160 and the applicable standards,
requirements, and implementation specifications of subpart E of part
164 of this subchapter.
    (b) Cooperate with complaint investigations and compliance reviews.
A covered entity must cooperate with the Secretary, if the Secretary
undertakes an investigation or compliance review of the policies,
procedures, or practices of a covered entity to determine whether it is
complying with the applicable requirements of this part 160 and the
standards, requirements, and implementation specifications of subpart E
of part 164 of this subchapter.
    (c) Permit access to information. (1) A covered entity must permit
access by the Secretary during normal business hours to its facilities,
books, records, accounts, and other sources of information, including
protected health information, that are pertinent to ascertaining
compliance with the applicable requirements of this part 160 and the
applicable standards, requirements, and implementation specifications
of subpart E of part 164 of this subchapter. If the Secretary
determines that exigent circumstances exist, such as when documents may
be hidden or destroyed, a covered entity must permit access by the
Secretary at any time and without notice.
    (2) If any information required of a covered entity under this
section is in the exclusive possession of any other agency,
institution, or person and the other agency, institution, or person
fails or refuses to furnish the information, the covered entity must so
certify and set forth what efforts it has made to obtain the
information.
    (3) Protected health information obtained by the Secretary in
connection with an investigation or compliance review under this
subpart will not be disclosed by the Secretary, except if necessary for
ascertaining or enforcing compliance with the applicable requirements
of this part 160 and the applicable standards, requirements, and
implementation specifications of subpart E of part 164 of this
subchapter, or if otherwise required by law.

Sec. 160.312  Secretarial action regarding complaints and compliance
reviews.

    (a) Resolution where noncompliance is indicated. (1) If an
investigation pursuant to Sec. 160.306 or a compliance review pursuant
to Sec. 160.308 indicates a failure to comply, the Secretary will so
inform the covered entity and, if the matter arose from a complaint,
the complainant, in writing and attempt to resolve the matter by
informal means whenever possible.
    (2) If the Secretary finds the covered entity is not in compliance
and determines that the matter cannot be resolved by informal means,
the Secretary may issue to the covered entity and, if the matter arose
from a complaint, to the complainant written findings documenting the
non-compliance.
    (b) Resolution when no violation is found. If, after an
investigation or compliance review, the Secretary determines that
further action is not warranted, the Secretary will so inform the
covered entity and, if the matter arose from a complaint, the
complainant in writing.

    2. A new Part 164 is added to read as follows:

PART 164--SECURITY AND PRIVACY

Subpart A--General Provisions
Sec.
164.102   Statutory basis.
164.104   Applicability.
164.106   Relationship to other parts.
Subparts B-D--[Reserved]
Subpart E--Privacy of Individually Identifiable Health Information
164.500   Applicability.
164.501   Definitions.
164.502   Uses and disclosures of protected health information:
General rules.
164.504   Uses and disclosures: Organizational requirements.
164.506   Consent for uses or disclosures to carry out treatment,
payment, and health care operations.
164.508   Uses and disclosures for which an authorization is
required.
164.510   Uses and disclosures requiring an opportunity for the
individual to agree or to object.
164.512   Uses and disclosures for which consent, an authorization,
or opportunity to agree or object is not required.
164.514   Other requirements relating to uses and disclosures of
protected health information.
164.520   Notice of privacy practices for protected health
information.
164.522   Rights to request privacy protection for protected health
information.
164.524   Access of individuals to protected health information.
164.526   Amendment of protected health information.
164.528   Accounting of disclosures of protected health information.
164.530   Administrative requirements.
164.532   Transition requirements.
164.534   Compliance dates for initial implementation of the privacy
standards.

    Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L.
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320(d-2(note)).

Subpart A--General Provisions

Sec. 164.102  Statutory basis.

    The provisions of this part are adopted pursuant to the Secretary's
authority to prescribe standards, requirements, and implementation
standards under part C of title XI of the Act and section 264 of Public
Law 104-191.

Sec. 164.104  Applicability.

    Except as otherwise provided, the provisions of this part apply to
covered entities: health plans, health care clearinghouses, and health
care providers who transmit health information in electronic form in
connection with any transaction referred to in section 1173(a)(1) of
the Act.

Sec. 164.106  Relationship to other parts.

    In complying with the requirements of this part, covered entities
are required to comply with the applicable provisions of parts 160 and
162 of this subchapter.

Subpart B-D--[Reserved]

Subpart E--Privacy of Individually Identifiable Health Information

Sec. 164.500  Applicability.

    (a) Except as otherwise provided herein, the standards,
requirements, and

[[Page 82803]]

implementation specifications of this subpart apply to covered entities
with respect to protected health information.
    (b) Health care clearinghouses must comply with the standards,
requirements, and implementation specifications as follows:
    (1) When a health care clearinghouse creates or receives protected
health information as a business associate of another covered entity,
the clearinghouse must comply with:
    (i) Section 164.500 relating to applicability;
    (ii) Section 164.501 relating to definitions;
    (iii) Section 164.502 relating to uses and disclosures of protected
health information, except that a clearinghouse is prohibited from
using or disclosing protected health information other than as
permitted in the business associate contract under which it created or
received the protected health information;
    (iv) Section 164.504 relating to the organizational requirements
for covered entities, including the designation of health care
components of a covered entity;
    (v) Section 164.512 relating to uses and disclosures for which
consent, individual authorization or an opportunity to agree or object
is not required, except that a clearinghouse is prohibited from using
or disclosing protected health information other than as permitted in
the business associate contract under which it created or received the
protected health information;
    (vi) Section 164.532 relating to transition requirements; and
    (vii) Section 164.534 relating to compliance dates for initial
implementation of the privacy standards.
    (2) When a health care clearinghouse creates or receives protected
health information other than as a business associate of a covered
entity, the clearinghouse must comply with all of the standards,
requirements, and implementation specifications of this subpart.
    (c) The standards, requirements, and implementation specifications
of this subpart do not apply to the Department of Defense or to any
other federal agency, or non-governmental organization acting on its
behalf, when providing health care to overseas foreign national
beneficiaries.

Sec. 164.501  Definitions.

    As used in this subpart, the following terms have the following
meanings:
    Correctional institution means any penal or correctional facility,
jail, reformatory, detention center, work farm, halfway house, or
residential community program center operated by, or under contract to,
the United States, a State, a territory, a political subdivision of a
State or territory, or an Indian tribe, for the confinement or
rehabilitation of persons charged with or convicted of a criminal
offense or other persons held in lawful custody. Other persons held in
lawful custody includes juvenile offenders adjudicated delinquent,
aliens detained awaiting deportation, persons committed to mental
institutions through the criminal justice system, witnesses, or others
awaiting charges or trial.
    Covered functions means those functions of a covered entity the
performance of which makes the entity a health plan, health care
provider, or health care clearinghouse.
    Data aggregation means, with respect to protected health
information created or received by a business associate in its capacity
as the business associate of a covered entity, the combining of such
protected health information by the business associate with the
protected health information received by the business associate in its
capacity as a business associate of another covered entity, to permit
data analyses that relate to the health care operations of the
respective covered entities.
    Designated record set means:
    (1) A group of records maintained by or for a covered entity that
is:
    (i) The medical records and billing records about individuals
maintained by or for a covered health care provider;
    (ii) The enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a health plan;
or
    (iii) Used, in whole or in part, by or for the covered entity to
make decisions about individuals.
    (2) For purposes of this paragraph, the term record means any item,
collection, or grouping of information that includes protected health
information and is maintained, collected, used, or disseminated by or
for a covered entity.
    Direct treatment relationship means a treatment relationship
between an individual and a health care provider that is not an
indirect treatment relationship.
    Disclosure means the release, transfer, provision of access to, or
divulging in any other manner of information outside the entity holding
the information.
    Health care operations means any of the following activities of the
covered entity to the extent that the activities are related to covered
functions, and any of the following activities of an organized health
care arrangement in which the covered entity participates:
    (1) Conducting quality assessment and improvement activities,
including outcomes evaluation and development of clinical guidelines,
provided that the obtaining of generalizable knowledge is not the
primary purpose of any studies resulting from such activities;
population-based activities relating to improving health or reducing
health care costs, protocol development, case management and care
coordination, contacting of health care providers and patients with
information about treatment alternatives; and related functions that do
not include treatment;
    (2) Reviewing the competence or qualifications of health care
professionals, evaluating practitioner and provider performance, health
plan performance, conducting training programs in which students,
trainees, or practitioners in areas of health care learn under
supervision to practice or improve their skills as health care
providers, training of non-health care professionals, accreditation,
certification, licensing, or credentialing activities;
    (3) Underwriting, premium rating, and other activities relating to
the creation, renewal or replacement of a contract of health insurance
or health benefits, and ceding, securing, or placing a contract for
reinsurance of risk relating to claims for health care (including stop-
loss insurance and excess of loss insurance), provided that the
requirements of Sec. 164.514(g) are met, if applicable;
    (4) Conducting or arranging for medical review, legal services, and
auditing functions, including fraud and abuse detection and compliance
programs;
    (5) Business planning and development, such as conducting cost-
management and planning-related analyses related to managing and
operating the entity, including formulary development and
administration, development or improvement of methods of payment or
coverage policies; and
    (6) Business management and general administrative activities of
the entity, including, but not limited to:
    (i) Management activities relating to implementation of and
compliance with the requirements of this subchapter;
    (ii) Customer service, including the provision of data analyses for
policy holders, plan sponsors, or other customers, provided that
protected health information is not disclosed to such policy holder,
plan sponsor, or customer.
    (iii) Resolution of internal grievances;

[[Page 82804]]

    (iv) Due diligence in connection with the sale or transfer of
assets to a potential successor in interest, if the potential successor
in interest is a covered entity or, following completion of the sale or
transfer, will become a covered entity; and
    (v) Consistent with the applicable requirements of Sec. 164.514,
creating de-identified health information, fundraising for the benefit
of the covered entity, and marketing for which an individual
authorization is not required as described in Sec. 164.514(e)(2).
    Health oversight agency means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is
authorized by law to oversee the health care system (whether public or
private) or government programs in which health information is
necessary to determine eligibility or compliance, or to enforce civil
rights laws for which health information is relevant.
    Indirect treatment relationship means a relationship between an
individual and a health care provider in which:
    (1) The health care provider delivers health care to the individual
based on the orders of another health care provider; and
    (2) The health care provider typically provides services or
products, or reports the diagnosis or results associated with the
health care, directly to another health care provider, who provides the
services or products or reports to the individual.
    Individual means the person who is the subject of protected health
information.
    Individually identifiable health information is information that is
a subset of health information, including demographic information
collected from an individual, and:
    (1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual; and
    (i) That identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual.
    Inmate means a person incarcerated in or otherwise confined to a
correctional institution.
    Law enforcement official means an officer or employee of any agency
or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, who is
empowered by law to:
    (1) Investigate or conduct an official inquiry into a potential
violation of law; or
    (2) Prosecute or otherwise conduct a criminal, civil, or
administrative proceeding arising from an alleged violation of law.
    Marketing means to make a communication about a product or service
a purpose of which is to encourage recipients of the communication to
purchase or use the product or service.
    (1) Marketing does not include communications that meet the
requirements of paragraph (2) of this definition and that are made by a
covered entity:
    (i) For the purpose of describing the entities participating in a
health care provider network or health plan network, or for the purpose
of describing if and the extent to which a product or service (or
payment for such product or service) is provided by a covered entity or
included in a plan of benefits; or
    (ii) That are tailored to the circumstances of a particular
individual and the communications are:
    (A) Made by a health care provider to an individual as part of the
treatment of the individual, and for the purpose of furthering the
treatment of that individual; or
    (B) Made by a health care provider or health plan to an individual
in the course of managing the treatment of that individual, or for the
purpose of directing or recommending to that individual alternative
treatments, therapies, health care providers, or settings of care.
    (2) A communication described in paragraph (1) of this definition
is not included in marketing if:
    (i) The communication is made orally; or
    (ii) The communication is in writing and the covered entity does
not receive direct or indirect remuneration from a third party for
making the communication.
    Organized health care arrangement means:
    (1) A clinically integrated care setting in which individuals
typically receive health care from more than one health care provider;
    (2) An organized system of health care in which more than one
covered entity participates, and in which the participating covered
entities:
    (i) Hold themselves out to the public as participating in a joint
arrangement; and
    (ii) Participate in joint activities that include at least one of
the following:
    (A) Utilization review, in which health care decisions by
participating covered entities are reviewed by other participating
covered entities or by a third party on their behalf;
    (B) Quality assessment and improvement activities, in which
treatment provided by participating covered entities is assessed by
other participating covered entities or by a third party on their
behalf; or
    (C) Payment activities, if the financial risk for delivering health
care is shared, in part or in whole, by participating covered entities
through the joint arrangement and if protected health information
created or received by a covered entity is reviewed by other
participating covered entities or by a third party on their behalf for
the purpose of administering the sharing of financial risk.
    (3) A group health plan and a health insurance issuer or HMO with
respect to such group health plan, but only with respect to protected
health information created or received by such health insurance issuer
or HMO that relates to individuals who are or who have been
participants or beneficiaries in such group health plan;
    (4) A group health plan and one or more other group health plans
each of which are maintained by the same plan sponsor; or
    (5) The group health plans described in paragraph (4) of this
definition and health insurance issuers or HMOs with respect to such
group health plans, but only with respect to protected health
information created or received by such health insurance issuers or
HMOs that relates to individuals who are or have been participants or
beneficiaries in any of such group health plans.
    Payment means:
    (1) The activities undertaken by:
    (i) A health plan to obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the health
plan; or
    (ii) A covered health care provider or health plan to obtain or
provide reimbursement for the provision of health care; and
    (2) The activities in paragraph (1) of this definition relate to
the individual to whom health care is provided and include, but are not
limited to:

[[Page 82805]]

    (i) Determinations of eligibility or coverage (including
coordination of benefits or the determination of cost sharing amounts),
and adjudication or subrogation of health benefit claims;
    (ii) Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
    (iii) Billing, claims management, collection activities, obtaining
payment under a contract for reinsurance (including stop-loss insurance
and excess of loss insurance), and related health care data processing;
    (iv) Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges;
    (v) Utilization review activities, including precertification and
preauthorization of services, concurrent and retrospective review of
services; and
    (vi) Disclosure to consumer reporting agencies of any of the
following protected health information relating to collection of
premiums or reimbursement:
    (A) Name and address;
    (B) Date of birth;
    (C) Social security number;
    (D) Payment history;
    (E) Account number; and
    (F) Name and address of the health care provider and/or health
plan.
    Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29
U.S.C. 1002(16)(B).
    Protected health information means individually identifiable health
information:
    (1) Except as provided in paragraph (2) of this definition, that
is:
    (i) Transmitted by electronic media;
    (ii) Maintained in any medium described in the definition of
electronic media at Sec. 162.103 of this subchapter; or
    (iii) Transmitted or maintained in any other form or medium.
    (2) Protected health information excludes individually identifiable
health information in:
    (i) Education records covered by the Family Educational Right and
Privacy Act, as amended, 20 U.S.C. 1232g; and
    (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
    Psychotherapy notes means notes recorded (in any medium) by a
health care provider who is a mental health professional documenting or
analyzing the contents of conversation during a private counseling
session or a group, joint, or family counseling session and that are
separated from the rest of the individual's medical record.
Psychotherapy notes excludes medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies
of treatment furnished, results of clinical tests, and any summary of
the following items: Diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.
    Public health authority means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is
responsible for public health matters as part of its official mandate.
    Required by law means a mandate contained in law that compels a
covered entity to make a use or disclosure of protected health
information and that is enforceable in a court of law. Required by law
includes, but is not limited to, court orders and court-ordered
warrants; subpoenas or summons issued by a court, grand jury, a
governmental or tribal inspector general, or an administrative body
authorized to require the production of information; a civil or an
authorized investigative demand; Medicare conditions of participation
with respect to health care providers participating in the program; and
statutes or regulations that require the production of information,
including statutes or regulations that require such information if
payment is sought under a government program providing public benefits.
    Research means a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute
to generalizable knowledge.
    Treatment means the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider with a third party; consultation between health care
providers relating to a patient; or the referral of a patient for
health care from one health care provider to another.
    Use means, with respect to individually identifiable health
information, the sharing, employment, application, utilization,
examination, or analysis of such information within an entity that
maintains such information.

Sec. 164.502  Uses and disclosures of protected health information:
general rules.

    (a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
    (1) Permitted uses and disclosures. A covered entity is permitted
to use or disclose protected health information as follows:
    (i) To the individual;
    (ii) Pursuant to and in compliance with a consent that complies
with Sec. 164.506, to carry out treatment, payment, or health care
operations;
    (iii) Without consent, if consent is not required under
Sec. 164.506(a) and has not been sought under Sec. 164.506(a)(4), to
carry out treatment, payment, or health care operations, except with
respect to psychotherapy notes;
    (iv) Pursuant to and in compliance with a valid authorization under
Sec. 164.508;
    (v) Pursuant to an agreement under, or as otherwise permitted by,
Sec. 164.510; and
    (vi) As permitted by and in compliance with this section,
Sec. 164.512, or Sec. 164.514(e), (f), and (g).
    (2) Required disclosures. A covered entity is required to disclose
protected health information:
    (i) To an individual, when requested under, and required by
Sec. 164.524 or Sec. 164.528; and
    (ii) When required by the Secretary under subpart C of part 160 of
this subchapter to investigate or determine the covered entity's
compliance with this subpart.
    (b) Standard: Minimum necessary. (1) Minimum necessary applies.
When using or disclosing protected health information or when
requesting protected health information from another covered entity, a
covered entity must make reasonable efforts to limit protected health
information to the minimum necessary to accomplish the intended purpose
of the use, disclosure, or request.
    (2) Minimum necessary does not apply. This requirement does not
apply to:
    (i) Disclosures to or requests by a health care provider for
treatment;
    (ii) Uses or disclosures made to the individual, as permitted under
paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i)
of this section, or pursuant to an authorization under Sec. 164.508,
except for authorizations requested by the covered entity under
Sec. 164.508(d), (e), or (f);
    (iii) Disclosures made to the Secretary in accordance with subpart
C of part 160 of this subchapter;

[[Page 82806]]

    (iv) Uses or disclosures that are required by law, as described by
Sec. 164.512(a); and
    (v) Uses or disclosures that are required for compliance with
applicable requirements of this subchapter.
    (c) Standard: Uses and disclosures of protected health information
subject to an agreed upon restriction. A covered entity that has agreed
to a restriction pursuant to Sec. 164.522(a)(1) may not use or disclose
the protected health information covered by the restriction in
violation of such restriction, except as otherwise provided in
Sec. 164.522(a).
    (d) Standard: Uses and disclosures of de-identified protected
health information.
    (1) Uses and disclosures to create de-identified information. A
covered entity may use protected health information to create
information that is not individually identifiable health information or
disclose protected health information only to a business associate for
such purpose, whether or not the de-identified information is to be
used by the covered entity.
    (2) Uses and disclosures of de-identified information. Health
information that meets the standard and implementation specifications
for de-identification under Sec. 164.514(a) and (b) is considered not
to be individually identifiable health information, i.e., de-
identified. The requirements of this subpart do not apply to
information that has been de-identified in accordance with the
applicable requirements of Sec. 164.514, provided that:
    (i) Disclosure of a code or other means of record identification
designed to enable coded or otherwise de-identified information to be
re-identified constitutes disclosure of protected health information;
and
    (ii) If de-identified information is re-identified, a covered
entity may use or disclose such re-identified information only as
permitted or required by this subpart.
    (e)(1) Standard: Disclosures to business associates. (i) A covered
entity may disclose protected health information to a business
associate and may allow a business associate to create or receive
protected health information on its behalf, if the covered entity
obtains satisfactory assurance that the business associate will
appropriately safeguard the information.
    (ii) This standard does not apply:
    (A) With respect to disclosures by a covered entity to a health
care provider concerning the treatment of the individual;
    (B) With respect to disclosures by a group health plan or a health
insurance issuer or HMO with respect to a group health plan to the plan
sponsor, to the extent that the requirements of Sec. 164.504(f) apply
and are met; or
    (C) With respect to uses or disclosures by a health plan that is a
government program providing public benefits, if eligibility for, or
enrollment in, the health plan is determined by an agency other than
the agency administering the health plan, or if the protected health
information used to determine enrollment or eligibility in the health
plan is collected by an agency other than the agency administering the
health plan, and such activity is authorized by law, with respect to
the collection and sharing of individually identifiable health
information for the performance of such functions by the health plan
and the agency other than the agency administering the health plan.
    (iii) A covered entity that violates the satisfactory assurances it
provided as a business associate of another covered entity will be in
noncompliance with the standards, implementation specifications, and
requirements of this paragraph and Sec. 164.504(e).
    (2) Implementation specification: documentation. A covered entity
must document the satisfactory assurances required by paragraph (e)(1)
of this section through a written contract or other written agreement
or arrangement with the business associate that meets the applicable
requirements of Sec. 164.504(e).
    (f) Standard: Deceased individuals. A covered entity must comply
with the requirements of this subpart with respect to the protected
health information of a deceased individual.
    (g)(1) Standard: Personal representatives. As specified in this
paragraph, a covered entity must, except as provided in paragraphs
(g)(3) and (g)(5) of this section, treat a personal representative as
the individual for purposes of this subchapter.
    (2) Implementation specification: adults and emancipated minors. If
under applicable law a person has authority to act on behalf of an
individual who is an adult or an emancipated minor in making decisions
related to health care, a covered entity must treat such person as a
personal representative under this subchapter, with respect to
protected health information relevant to such personal representation.
    (3) Implementation specification: unemancipated minors. If under
applicable law a parent, guardian, or other person acting in loco
parentis has authority to act on behalf of an individual who is an
unemancipated minor in making decisions related to health care, a
covered entity must treat such person as a personal representative
under this subchapter, with respect to protected health information
relevant to such personal representation, except that such person may
not be a personal representative of an unemancipated minor, and the
minor has the authority to act as an individual, with respect to
protected health information pertaining to a health care service, if:
    (i) The minor consents to such health care service; no other
consent to such health care service is required by law, regardless of
whether the consent of another person has also been obtained; and the
minor has not requested that such person be treated as the personal
representative;
    (ii) The minor may lawfully obtain such health care service without
the consent of a parent, guardian, or other person acting in loco
parentis, and the minor, a court, or another person authorized by law
consents to such health care service; or
    (iii) A parent, guardian, or other person acting in loco parentis
assents to an agreement of confidentiality between a covered health
care provider and the minor with respect to such health care service.
    (4) Implementation specification: Deceased individuals. If under
applicable law an executor, administrator, or other person has
authority to act on behalf of a deceased individual or of the
individual's estate, a covered entity must treat such person as a
personal representative under this subchapter, with respect to
protected health information relevant to such personal representation.
    (5) Implementation specification: Abuse, neglect, endangerment
situations. Notwithstanding a State law or any requirement of this
paragraph to the contrary, a covered entity may elect not to treat a
person as the personal representative of an individual if:
    (i) The covered entity has a reasonable belief that:
    (A) The individual has been or may be subjected to domestic
violence, abuse, or neglect by such person; or
    (B) Treating such person as the personal representative could
endanger the individual; and
    (ii) The covered entity, in the exercise of professional judgment,
decides that it is not in the best interest of the individual to treat
the person as the individual's personal representative.
    (h) Standard: Confidential communications. A covered health care
provider or health plan must comply with the applicable requirements of
Sec. 164.522(b) in communicating protected health information.

[[Page 82807]]

    (i) Standard: Uses and disclosures consistent with notice. A
covered entity that is required by Sec. 164.520 to have a notice may
not use or disclose protected health information in a manner
inconsistent with such notice. A covered entity that is required by
Sec. 164.520(b)(1)(iii) to include a specific statement in its notice
if it intends to engage in an activity listed in
Sec. 164.520(b)(1)(iii)(A)-(C), may not use or disclose protected
health information for such activities, unless the required statement
is included in the notice.
    (j) Standard: Disclosures by whistleblowers and workforce member
crime victims.
    (1) Disclosures by whistleblowers. A covered entity is not
considered to have violated the requirements of this subpart if a
member of its workforce or a business associate discloses protected
health information, provided that:
    (i) The workforce member or business associate believes in good
faith that the covered entity has engaged in conduct that is unlawful
or otherwise violates professional or clinical standards, or that the
care, services, or conditions provided by the covered entity
potentially endangers one or more patients, workers, or the public; and
    (ii) The disclosure is to:
    (A) A health oversight agency or public health authority authorized
by law to investigate or otherwise oversee the relevant conduct or
conditions of the covered entity or to an appropriate health care
accreditation organization for the purpose of reporting the allegation
of failure to meet professional standards or misconduct by the covered
entity; or
    (B) An attorney retained by or on behalf of the workforce member or
business associate for the purpose of determining the legal options of
the workforce member or business associate with regard to the conduct
described in paragraph (j)(1)(i) of this section.
    (2) Disclosures by workforce members who are victims of a crime. A
covered entity is not considered to have violated the requirements of
this subpart if a member of its workforce who is the victim of a
criminal act discloses protected health information to a law
enforcement official, provided that:
    (i) The protected health information disclosed is about the
suspected perpetrator of the criminal act; and
    (ii) The protected health information disclosed is limited to the
information listed in Sec. 164.512(f)(2)(i).

Sec. 164.504  Uses and disclosures: Organizational requirements.

    (a) Definitions. As used in this section:
    Common control exists if an entity has the power, directly or
indirectly, significantly to influence or direct the actions or
policies of another entity.
    Common ownership exists if an entity or entities possess an
ownership or equity interest of 5 percent or more in another entity.
    Health care component has the following meaning:
    (1) Components of a covered entity that perform covered functions
are part of the health care component.
    (2) Another component of the covered entity is part of the entity's
health care component to the extent that:
    (i) It performs, with respect to a component that performs covered
functions, activities that would make such other component a business
associate of the component that performs covered functions if the two
components were separate legal entities; and
    (ii) The activities involve the use or disclosure of protected
health information that such other component creates or receives from
or on behalf of the component that performs covered functions.
    Hybrid entity means a single legal entity that is a covered entity
and whose covered functions are not its primary functions.
    Plan administration functions means administration functions
performed by the plan sponsor of a group health plan on behalf of the
group health plan and excludes functions performed by the plan sponsor
in connection with any other benefit or benefit plan of the plan
sponsor.
    Summary health information means information, that may be
individually identifiable health information, and:
    (1) That summarizes the claims history, claims expenses, or type of
claims experienced by individuals for whom a plan sponsor has provided
health benefits under a group health plan; and
    (2) From which the information described at Sec. 164.514(b)(2)(i)
has been deleted, except that the geographic information described in
Sec. 164.514(b)(2)(i)(B) need only be aggregated to the level of a five
digit zip code.
    (b) Standard: Health care component. If a covered entity is a
hybrid entity, the requirements of this subpart, other than the
requirements of this section, apply only to the health care
component(s) of the entity, as specified in this section.
    (c)(1) Implementation specification: Application of other
provisions. In applying a provision of this subpart, other than this
section, to a hybrid entity:
    (i) A reference in such provision to a ``covered entity'' refers to
a health care component of the covered entity;
    (ii) A reference in such provision to a ``health plan,'' ``covered
health care provider,'' or ``health care clearinghouse'' refers to a
health care component of the covered entity if such health care
component performs the functions of a health plan, covered health care
provider, or health care clearinghouse, as applicable; and
    (iii) A reference in such provision to ``protected health
information'' refers to protected health information that is created or
received by or on behalf of the health care component of the covered
entity.
    (2) Implementation specifications: Safeguard requirements. The
covered entity that is a hybrid entity must ensure that a health care
component of the entity complies with the applicable requirements of
this subpart. In particular, and without limiting this requirement,
such covered entity must ensure that:
    (i) Its health care component does not disclose protected health
information to another component of the covered entity in circumstances
in which this subpart would prohibit such disclosure if the health care
component and the other component were separate and distinct legal
entities;
    (ii) A component that is described by paragraph (2)(i) of the
definition of health care component in this section does not use or
disclose protected health information that is within paragraph (2)(ii)
of such definition for purposes of its activities other than those
described by paragraph (2)(i) of such definition in a way prohibited by
this subpart; and
    (iii) If a person performs duties for both the health care
component in the capacity of a member of the workforce of such
component and for another component of the entity in the same capacity
with respect to that component, such workforce member must not use or
disclose protected health information created or received in the course
of or incident to the member's work for the health care component in a
way prohibited by this subpart.
    (3) Implementation specifications: Responsibilities of the covered
entity. A covered entity that is a hybrid entity has the following
responsibilities:
    (i) For purposes of subpart C of part 160 of this subchapter,
pertaining to compliance and enforcement, the covered entity has the
responsibility to comply with this subpart.
    (ii) The covered entity has the responsibility for complying with

[[Page 82808]]

Sec. 164.530(i), pertaining to the implementation of policies and
procedures to ensure compliance with this subpart, including the
safeguard requirements in paragraph (c)(2) of this section.
    (iii) The covered entity is responsible for designating the
components that are part of one or more health care components of the
covered entity and documenting the designation as required by
Sec. 164.530(j).
    (d)(1) Standard: Affiliated covered entities. Legally separate
covered entities that are affiliated may designate themselves as a
single covered entity for purposes of this subpart.
    (2) Implementation specifications: Requirements for designation of
an affiliated covered entity. (i) Legally separate covered entities may
designate themselves (including any health care component of such
covered entity) as a single affiliated covered entity, for purposes of
this subpart, if all of the covered entities designated are under
common ownership or control.
    (ii) The designation of an affiliated covered entity must be
documented and the documentation maintained as required by
Sec. 164.530(j).
    (3) Implementation specifications: Safeguard requirements. An
affiliated covered entity must ensure that:
    (i) The affiliated covered entity's use and disclosure of protected
health information comply with the applicable requirements of this
subpart; and
    (ii) If the affiliated covered entity combines the functions of a
health plan, health care provider, or health care clearinghouse, the
affiliated covered entity complies with paragraph (g) of this section.
    (e)(1) Standard: Business associate contracts. (i) The contract or
other arrangement between the covered entity and the business associate
required by Sec. 164.502(e)(2) must meet the requirements of paragraph
(e)(2) or (e)(3) of this section, as applicable.
    (ii) A covered entity is not in compliance with the standards in
Sec. 164.502(e) and paragraph (e) of this section, if the covered
entity knew of a pattern of activity or practice of the business
associate that constituted a material breach or violation of the
business associate's obligation under the contract or other
arrangement, unless the covered entity took reasonable steps to cure
the breach or end the violation, as applicable, and, if such steps were
unsuccessful:
    (A) Terminated the contract or arrangement, if feasible; or
    (B) If termination is not feasible, reported the problem to the
Secretary.
    (2) Implementation specifications: Business associate contracts. A
contract between the covered entity and a business associate must:
    (i) Establish the permitted and required uses and disclosures of
such information by the business associate. The contract may not
authorize the business associate to use or further disclose the
information in a manner that would violate the requirements of this
subpart, if done by the covered entity, except that:
    (A) The contract may permit the business associate to use and
disclose protected health information for the proper management and
administration of the business associate, as provided in paragraph
(e)(4) of this section; and
    (B) The contract may permit the business associate to provide data
aggregation services relating to the health care operations of the
covered entity.
    (ii) Provide that the business associate will:
    (A) Not use or further disclose the information other than as
permitted or required by the contract or as required by law;
    (B) Use appropriate safeguards to prevent use or disclosure of the
information other than as provided for by its contract;
    (C) Report to the covered entity any use or disclosure of the
information not provided for by its contract of which it becomes aware;
    (D) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from, or created or
received by the business associate on behalf of, the covered entity
agrees to the same restrictions and conditions that apply to the
business associate with respect to such information;
    (E) Make available protected health information in accordance with
Sec. 164.524;
    (F) Make available protected health information for amendment and
incorporate any amendments to protected health information in
accordance with Sec. 164.526;
    (G) Make available the information required to provide an
accounting of disclosures in accordance with Sec. 164.528;
    (H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from, or
created or received by the business associate on behalf of, the covered
entity available to the Secretary for purposes of determining the
covered entity's compliance with this subpart; and
    (I) At termination of the contract, if feasible, return or destroy
all protected health information received from, or created or received
by the business associate on behalf of, the covered entity that the
business associate still maintains in any form and retain no copies of
such information or, if such return or destruction is not feasible,
extend the protections of the contract to the information and limit
further uses and disclosures to those purposes that make the return or
destruction of the information infeasible.
    (iii) Authorize termination of the contract by the covered entity,
if the covered entity determines that the business associate has
violated a material term of the contract.
    (3) Implementation specifications: Other arrangements. (i) If a
covered entity and its business associate are both governmental
entities:
    (A) The covered entity may comply with paragraph (e) of this
section by entering into a memorandum of understanding with the
business associate that contains terms that accomplish the objectives
of paragraph (e)(2) of this section.
    (B) The covered entity may comply with paragraph (e) of this
section, if other law (including regulations adopted by the covered
entity or its business associate) contains requirements applicable to
the business associate that accomplish the objectives of paragraph
(e)(2) of this section.
    (ii) If a business associate is required by law to perform a
function or activity on behalf of a covered entity or to provide a
service described in the definition of business associate in
Sec. 160.103 of this subchapter to a covered entity, such covered
entity may disclose protected health information to the business
associate to the extent necessary to comply with the legal mandate
without meeting the requirements of this paragraph (e), provided that
the covered entity attempts in good faith to obtain satisfactory
assurances as required by paragraph (e)(3)(i) of this section, and, if
such attempt fails, documents the attempt and the reasons that such
assurances cannot be obtained.
    (iii) The covered entity may omit from its other arrangements the
termination authorization required by paragraph (e)(2)(iii) of this
section, if such authorization is inconsistent with the statutory
obligations of the covered entity or its business associate.
    (4) Implementation specifications: Other requirements for contracts
and other arrangements. (i) The contract or other arrangement between
the covered entity and the business associate may

[[Page 82809]]

permit the business associate to use the information received by the
business associate in its capacity as a business associate to the
covered entity, if necessary:
    (A) For the proper management and administration of the business
associate; or
    (B) To carry out the legal responsibilities of the business
associate.
    (ii) The contract or other arrangement between the covered entity
and the business associate may permit the business associate to
disclose the information received by the business associate in its
capacity as a business associate for the purposes described in
paragraph (e)(4)(i) of this section, if:
    (A) The disclosure is required by law; or
    (B)(1) The business associate obtains reasonable assurances from
the person to whom the information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or
for the purpose for which it was disclosed to the person; and
    (2) The person notifies the business associate of any instances of
which it is aware in which the confidentiality of the information has
been breached.
    (f)(1) Standard: Requirements for group health plans. (i) Except as
provided under paragraph (f)(1)(ii) of this section or as otherwise
authorized under Sec. 164.508, a group health plan, in order to
disclose protected health information to the plan sponsor or to provide
for or permit the disclosure of protected health information to the
plan sponsor by a health insurance issuer or HMO with respect to the
group health plan, must ensure that the plan documents restrict uses
and discloses of such information by the plan sponsor consistent with
the requirements of this subpart.
    (ii) The group health plan, or a health insurance issuer or HMO
with respect to the group health plan, may disclose summary health
information to the plan sponsor, if the plan sponsor requests the
summary health information for the purpose of :
    (A) Obtaining premium bids from health plans for providing health
insurance coverage under the group health plan; or
    (B) Modifying, amending, or terminating the group health plan.
    (2) Implementation specifications: Requirements for plan documents.
The plan documents of the group health plan must be amended to
incorporate provisions to:
    (i) Establish the permitted and required uses and disclosures of
such information by the plan sponsor, provided that such permitted and
required uses and disclosures may not be inconsistent with this
subpart.
    (ii) Provide that the group health plan will disclose protected
health information to the plan sponsor only upon receipt of a
certification by the plan sponsor that the plan documents have been
amended to incorporate the following provisions and that the plan
sponsor agrees to:
    (A) Not use or further disclose the information other than as
permitted or required by the plan documents or as required by law;
    (B) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from the group health
plan agree to the same restrictions and conditions that apply to the
plan sponsor with respect to such information;
    (C) Not use or disclose the information for employment-related
actions and decisions or in connection with any other benefit or
employee benefit plan of the plan sponsor;
    (D) Report to the group health plan any use or disclosure of the
information that is inconsistent with the uses or disclosures provided
for of which it becomes aware;
    (E) Make available protected health information in accordance with
Sec. 164.524;
    (F) Make available protected health information for amendment and
incorporate any amendments to protected health information in
accordance with Sec. 164.526;
    (G) Make available the information required to provide an
accounting of disclosures in accordance with Sec. 164.528;
    (H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from the
group health plan available to the Secretary for purposes of
determining compliance by the group health plan with this subpart;
    (I) If feasible, return or destroy all protected health information
received from the group health plan that the sponsor still maintains in
any form and retain no copies of such information when no longer needed
for the purpose for which disclosure was made, except that, if such
return or destruction is not feasible, limit further uses and
disclosures to those purposes that make the return or destruction of
the information infeasible; and
    (J) Ensure that the adequate separation required in paragraph
(f)(2)(iii) of this section is established.
    (iii) Provide for adequate separation between the group health plan
and the plan sponsor. The plan documents must:
    (A) Describe those employees or classes of employees or other
persons under the control of the plan sponsor to be given access to the
protected health information to be disclosed, provided that any
employee or person who receives protected health information relating
to payment under, health care operations of, or other matters
pertaining to the group health plan in the ordinary course of business
must be included in such description;
    (B) Restrict the access to and use by such employees and other
persons described in paragraph (f)(2)(iii)(A) of this section to the
plan administration functions that the plan sponsor performs for the
group health plan; and
    (C) Provide an effective mechanism for resolving any issues of
noncompliance by persons described in paragraph (f)(2)(iii)(A) of this
section with the plan document provisions required by this paragraph.
    (3) Implementation specifications: Uses and disclosures. A group
health plan may:
    (i) Disclose protected health information to a plan sponsor to
carry out plan administration functions that the plan sponsor performs
only consistent with the provisions of paragraph (f)(2) of this
section;
    (ii) Not permit a health insurance issuer or HMO with respect to
the group health plan to disclose protected health information to the
plan sponsor except as permitted by this paragraph;
    (iii) Not disclose and may not permit a health insurance issuer or
HMO to disclose protected health information to a plan sponsor as
otherwise permitted by this paragraph unless a statement required by
Sec. 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for
the purpose of employment-related actions or decisions or in connection
with any other benefit or employee benefit plan of the plan sponsor.
    (g) Standard: Requirements for a covered entity with multiple
covered functions.
    (1) A covered entity that performs multiple covered functions that
would make the entity any combination of a health plan, a covered
health care provider, and a health care clearinghouse, must comply with
the standards, requirements, and implementation specifications of this
subpart, as applicable to the health plan, health care provider, or
health care clearinghouse covered functions performed.

[[Page 82810]]

    (2) A covered entity that performs multiple covered functions may
use or disclose the protected health information of individuals who
receive the covered entity's health plan or health care provider
services, but not both, only for purposes related to the appropriate
function being performed.

Sec. 164.506  Consent for uses or disclosures to carry out treatment,
payment, or health care operations.

    (a) Standard: Consent requirement. (1) Except as provided in
paragraph (a)(2) or (a)(3) of this section, a covered health care
provider must obtain the individual's consent, in accordance with this
section, prior to using or disclosing protected health information to
carry out treatment, payment, or health care operations.
    (2) A covered health care provider may, without consent, use or
disclose protected health information to carry out treatment, payment,
or health care operations, if:
    (i) The covered health care provider has an indirect treatment
relationship with the individual; or
    (ii) The covered health care provider created or received the
protected health information in the course of providing health care to
an individual who is an inmate.
    (3)(i) A covered health care provider may, without prior consent,
use or disclose protected health information created or received under
paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment,
payment, or health care operations:
    (A) In emergency treatment situations, if the covered health care
provider attempts to obtain such consent as soon as reasonably
practicable after the delivery of such treatment;
    (B) If the covered health care provider is required by law to treat
the individual, and the covered health care provider attempts to obtain
such consent but is unable to obtain such consent; or
    (C) If a covered health care provider attempts to obtain such
consent from the individual but is unable to obtain such consent due to
substantial barriers to communicating with the individual, and the
covered health care provider determines, in the exercise of
professional judgment, that the individual's consent to receive
treatment is clearly inferred from the circumstances.
    (ii) A covered health care provider that fails to obtain such
consent in accordance with paragraph (a)(3)(i) of this section must
document its attempt to obtain consent and the reason why consent was
not obtained.
    (4) If a covered entity is not required to obtain consent by
paragraph (a)(1) of this section, it may obtain an individual's consent
for the covered entity's own use or disclosure of protected health
information to carry out treatment, payment, or health care operations,
provided that such consent meets the requirements of this section.
    (5) Except as provided in paragraph (f)(1) of this section, a
consent obtained by a covered entity under this section is not
effective to permit another covered entity to use or disclose protected
health information.
    (b) Implementation specifications: General requirements. (1) A
covered health care provider may condition treatment on the provision
by the individual of a consent under this section.
    (2) A health plan may condition enrollment in the health plan on
the provision by the individual of a consent under this section sought
in conjunction with such enrollment.
    (3) A consent under this section may not be combined in a single
document with the notice required by Sec. 164.520.
    (4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an
informed consent for treatment or a consent to assignment of benefits),
if the consent under this section:
    (A) Is visually and organizationally separate from such other
written legal permission; and
    (B) Is separately signed by the individual and dated.
    (ii) A consent for use or disclosure may be combined with a
research authorization under Sec. 164.508(f).
    (5) An individual may revoke a consent under this section at any
time, except to the extent that the covered entity has taken action in
reliance thereon. Such revocation must be in writing.
    (6) A covered entity must document and retain any signed consent
under this section as required by Sec. 164.530(j).
    (c) Implementation specifications: Content requirements. A consent
under this section must be in plain language and:
    (1) Inform the individual that protected health information may be
used and disclosed to carry out treatment, payment, or health care
operations;
    (2) Refer the individual to the notice required by Sec. 164.520 for
a more complete description of such uses and disclosures and state that
the individual has the right to review the notice prior to signing the
consent;
    (3) If the covered entity has reserved the right to change its
privacy practices that are described in the notice in accordance with
Sec. 164.520(b)(1)(v)(C), state that the terms of its notice may change
and describe how the individual may obtain a revised notice;
    (4) State that:
    (i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry
out treatment, payment, or health care operations;
    (ii) The covered entity is not required to agree to requested
restrictions; and
    (iii) If the covered entity agrees to a requested restriction, the
restriction is binding on the covered entity;
    (5) State that the individual has the right to revoke the consent
in writing, except to the extent that the covered entity has taken
action in reliance thereon; and
    (6) Be signed by the individual and dated.
    (d) Implementation specifications: Defective consents. There is no
consent under this section, if the document submitted has any of the
following defects:
    (1) The consent lacks an element required by paragraph (c) of this
section, as applicable; or
    (2) The consent has been revoked in accordance with paragraph
(b)(5) of this section.
    (e) Standard: Resolving conflicting consents and authorizations.
(1) If a covered entity has obtained a consent under this section and
receives any other authorization or written legal permission from the
individual for a disclosure of protected health information to carry
out treatment, payment, or health care operations, the covered entity
may disclose such protected health information only in accordance with
the more restrictive consent, authorization, or other written legal
permission from the individual.
    (2) A covered entity may attempt to resolve a conflict between a
consent and an authorization or other written legal permission from the
individual described in paragraph (e)(1) of this section by:
    (i) Obtaining a new consent from the individual under this section
for the disclosure to carry out treatment, payment, or health care
operations; or
    (ii) Communicating orally or in writing with the individual in
order to determine the individual's preference in resolving the
conflict. The covered entity must document the individual's preference
and may only disclose protected health information in accordance with
the individual's preference.

[[Continued on page 82811]]
