Modifications to the HIPAA Privacy, Security, and Enforcement Rules

Proposed Rule

Score: 14 / 60

RULE SUMMARY

The Department of Health and Human Services (HHS or "the Department") is issuing this notice of proposed rulemaking to modify the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of these modifications is to implement recent statutory amendments under the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act" or "the Act"), to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules.


MONETIZED COSTS & BENEFITS (AS REPORTED BY AGENCY)

Dollar Year: NA (maybe 1995, p. 40904)
Time Horizon (Years): 10
Discount Rates: 3% | 7%
Expected Costs (Annualized): $194,720 | $236,489
Expected Benefits (Annualized): NA (Non-Monetized Benefits) | NA (Non-Monetized Benefits)
Expected Costs (Total):
Expected Benefits (Total):
Net Benefits (Annualized):
Net Benefits (Total):

METHODOLOGY

Our evaluation uses twelve criteria grouped into three broad categories: Openness, Analysis, and Use. For each criterion, the evaluators assign a score ranging from 0 (no useful content) to 5 (comprehensive analysis with potential best practices). Thus, each analysis has the opportunity to earn between 0 and 60 points.

Criterion | Score

Openness

1. How easily were the RIA, the proposed rule, and any supplementary materials found online?
The RIA is a short section in the Federal Register notice. It is available via regulations.gov using a RIN search or a keyword search, but cannot be found on the HHS web site.
3/5
2. How verifiable are the data used in the analysis?
Cost calculations sometimes just provide results, occasionally mention data sources, and provide links in only a few cases.
1/5
3. How verifiable are the models and assumptions used in the analysis?
No research is cited to justify the assumptions going into either the cost or benefit analysis. There is no economic theory or modeling. Assumptions came across as guesswork in some cases.
1/5
4. Was the analysis comprehensible to an informed layperson?
The cost calculation is understandable. So are the benefit discussions, though these usually consist of just a short, "armchair" qualitative description and a statement that nothing was quantified.
4/5

Analysis

5. How well does the analysis identify the desired outcomes and demonstrate that the regulation will achieve them?
1/5
Does the analysis clearly identify ultimate outcomes that affect citizens’ quality of life?
Stated benefits to individuals are "added information on their rights," greater control over uses of covered health information, and easier access to the information. There are also some cost/hassle reductions due to the 50-year limit on protection of health information after death and provisions making it easier for schools to get immunization records. Several of these are pretty clear benefits; the practical benefit of "increased rights" is vague and not elaborated.
4/5
Does the analysis identify how these outcomes are to be measured?
The benefits are not measured or monetized. HHS asks for comments.
0/5
Does the analysis provide a coherent and testable theory showing how the regulation will produce the desired outcomes?
There is no explicit theory. HHS assumes that issuing the regulations will lead to compliance and produce the desired effects.
1/5
Does the analysis present credible empirical support for the theory?
No relevant content. This is surprising, since past experience with HIPAA would presumably generate opportunities to assess its effects empirically.
0/5
Does the analysis adequately assess uncertainty about the outcomes?
Analysis acknowledges that HHS does not have any decent data to calculate benefits, but does nothing to remedy this beyond asking for comments.
1/5
6. How well does the analysis identify and demonstrate the existence of a market failure or other systemic problem the regulation is supposed to solve?
0/5
Does the analysis identify a market failure or other systemic problem?
No attempt to justify the regulation via reference to a market failure or other systemic problem. HHS simply says it is implementing the law Congress passed. Passing reference is made to the law's expansion of electronic health information, implying that greater safeguards might be necessary, but this is not elaborated.
1/5
Does the analysis outline a coherent and testable theory that explains why the problem (associated with the outcome above) is systemic rather than anecdotal?
No relevant content.
0/5
Does the analysis present credible empirical support for the theory?
No relevant content.
0/5
Does the analysis adequately assess uncertainty about the existence or size of the problem?
No relevant content.
0/5
7. How well does the analysis assess the effectiveness of alternative approaches?
0/5
Does the analysis enumerate other alternatives to address the problem?
No alternatives were considered. The analysis simply calculates the cost of mailing privacy notices required under the regulation and discusses benefits qualitatively.
0/5
Is the range of alternatives considered narrow (e.g., some exemptions to a regulation) or broad (e.g., performance-based regulation vs. command and control, market mechanisms, nonbinding guidance, information disclosure, addressing any government failures that caused the original problem)?
No alternatives considered.
0/5
Does the analysis evaluate how alternative approaches would affect the amount of the outcome achieved?
No alternatives considered, and amount of outcome was not even calculated for the proposed regulation.
0/5
Does the analysis adequately address the baseline? That is, what the state of the world is likely to be in the absence of federal intervention not just now but in the future?
The implicit baseline seems to be the recent past. No attempt made to project how privacy practices might change on their own, even though the federal government is ramping up the use of electronic health information.
0/5
8. How well does the analysis assess costs and benefits?
1/5
Does the analysis identify and quantify incremental costs of all alternatives considered?
Costs estimated are costs of printing and mailing new privacy notices. Costs, or cost reductions, stemming from other provisions are not calculated because HHS professes to have no relevant data.
2/5
Does the analysis identify all expenditures likely to arise as a result of the regulation?
Only the cost of privacy notices is calculated.
3/5
Does the analysis identify how the regulation would likely affect the prices of goods and services?
No relevant discussion. In particular, HHS should have considered how effectively outlawing marketing subsidiaries (in the agency's own estimation) would affect the cost of care.
0/5
Does the analysis examine costs that stem from changes in human behavior as consumers and producers respond to the regulation?
Analysis assumes that providers would simply discontinue selling certain types of health information rather than obtaining patient authorization. But it ascribes no cost to this behavioral change. Similarly, the analysis speculates an opt-out requirement for fundraising communications will lead to opt-outs, but provides no estimate.
1/5
If costs are uncertain, does the analysis present a range of estimates and/or perform a sensitivity analysis?
No relevant content.
0/5
Does the analysis identify the alternative that maximizes net benefits?
Benefits were not calculated and full costs were not calculated, and only one alternative was considered, so net benefits of alternatives could not be calculated and compared.
0/5
Does the analysis identify the cost-effectiveness of each alternative considered?
Benefits were not calculated and full costs were not calculated, so cost effectiveness could not be calculated.
0/5
Does the analysis identify all parties who would bear costs and assess the incidence of costs?
Analysis divides costs between private sector and state/federal health plans.
2/5
Does the analysis identify all parties who would receive benefits and assess the incidence of benefits?
Agency lists parties it believes will receive benefits, but no relevant discussion of incidence of benefits. This may be especially important because the value different individuals ascribe to privacy of health information may vary widely.
1/5

Use

9. Does the proposed rule or the RIA present evidence that the agency used the analysis?
HHS referenced the cost burden to justify its decision that some contracts with business associates were grandfathered and can be continued for up to a year after the compliance date.
3/5
10. Did the agency maximize net benefits or explain why it chose another alternative?
Benefits were not calculated and full costs were not calculated, so HHS had no cognizance of net benefits.
0/5
11. Does the proposed rule establish measures and goals that can be used to track the regulation's results in the future?
No relevant content.
0/5
12. Did the agency indicate what data it will use to assess the regulation's performance in the future and establish provisions for doing so?
No relevant content.
0/5
 
Total: 14 / 60

Additional details

Agency: Department of Health and Human Services
Regulatory Identification Number: 0991-AB57
Agency Name: Department of Health and Human Services
Rule Publication Date: 07/14/2010
Comment Closing Date: 09/13/2010
Dollar Year: NA (maybe 1995, p. 40904)
Time Horizon (Years): 10