March 31, 2001

Standards for Privacy of Individually Identifiable Health Information



Notice Requesting Comment on Final Rule

Stated Purpose:

Secretary Thompson requested additional comments on the final rule purporting to protect the privacy of individually identifiable health information.

Summary of RSP Comment:

Because additional data on costs and benefits were obtained during the Notice of Proposed Rulemaking (NPRM) stage, and because the rule was finalized in the waning hours of the Clinton Administration, Secretary Thompson requested additional public comments on the final rule. The final rule seeks to impose a national standard for the protection of individually identifiable health information, covering both electronically stored and paper records.

The rule mandates a series of procedural safeguards that must be instituted by health care plans and providers, including (a) development and documentation of formal privacy policies; (b) ensuring business associate compliance with those policies; (c) designation of internal privacy officials; and (d) establishment of a "minimum necessary" disclosure standard, among others. Mercatus estimated the initial start-up cost of complying with the rule's requirements at $4.0 billion, with recurring annual costs of $1.8 billion. By comparison, HHS estimates these costs at $3.5 billion and $1.6 billion respectively. Based on this range of estimates, the long-run costs of the HHS rule are likely to fall between $25 billion and $30 billion.

The rule would be cost-effective if the benefits HHS expects to accrue were in fact net social benefits; however, the benefits HHS has identified simply represent transfers among consumers. That is, individuals currently providing individually identifiable health information will see a net transfer from their activities to those individuals currently avoiding the health care system because of perceived poor privacy protections. Even setting aside the question of transfers, in its final form the medical privacy rule is complex and occasionally redundant or inconsistent. It is redundant, for example, when it mandates consent even though consent is customarily obtained today in the absence of any rule. It is inconsistent in that it purports to protect patient privacy but is then riddled with exceptions, such as those for certain marketing or fundraising purposes, as well as for government access to individual records without strict requirements for due process.