Department of Health and Human Services, Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information, GAO-01-455R, B-287287, February 28, 2001

Department of Health and Human Services, Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information, GAO-01-455R, B-287287, February 28, 2001

The Honorable James M. Jeffords Chairman The Honorable Edward M. Kennedy Ranking Member Committee on Health, Education, Labor, and Pensions United States Senate

The Honorable W. J. (Billy) Tauzin Chairman The Honorable John D. Dingell Ranking Minority Member Committee on Energy and Commerce House of Representatives

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Health and Human Services (HHS), Office of the Secretary, entitled "Department of Health and Human Services, Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information" (RIN: 0991-AB08). We received the rule on February 13, 2001. It was published in the Federal Register as a final rule on December 28, 2000. 65 Fed. Reg. 82462.

The final rule contains standards to protect the privacy of individually identifiable health information. The rule applies to health plans, health care clearinghouses, and certain health care providers. The rule presents standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.

We note that the final rule has an announced effective date of February 26, 2001. While the rule was published in the Federal Register on December 28, 2000, Congress did not receive the rule until February 13, 2001. The Congressional Review Act requires major rules to have a 60-day delay in their effective dates following publication in the Federal Register or receipt of the rule by Congress, whichever is later. 5 U.S.C. 801(a)(3)(A). Therefore, the final rule, as published, would not have the required 60-day delay in its effective date for congressional review. However, on February 26, 2001, HHS published a correction of the effective date and compliance date in the Federal Register (66 Fed. Reg. 12434). The new effective date is April 14, 2001, and the new compliance date is April 14, 2003. The new compliance date is April 14, 2004, for small health plans.

Enclosed is our assessment of the HHS' compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. Our review indicates that HHS complied with the applicable requirements.

If you have any questions about this report, please contact James W. Vickers, Assistant General Counsel, at (202) 512-8210. The official responsible for GAO evaluation work relating to the subject matter of the rule is William Scanlon, Managing Director, Health Care. Mr. Scanlon can be reached at (202) 512-7114.

signed

Kathleen E. Wannisky
Managing Associate General Counsel

Enclosure

cc: Ms. Catherine P. Beck
Deputy Executive Secretary to the Department
Department of Health and Human Services

ENCLOSURE

ANALYSIS UNDER 5 U.S.C. Sec. 801(a)(1)(B)(i)-(iv) OF A MAJOR RULE ISSUED BY THE DEPARTMENT OF HEALTH AND HUMAN SERVICES, OFFICE OF THE SECRETARY ENTITLED "STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION" (RIN:0991-AB08)

(i) Cost-benefit analysis

HHS conducted a cost-benefit analysis of the final rule. The estimated cost of compliance is $17.6 billion over 10 years, 2003-2012. The net present value, applying an 11.2-percent discount rate (consisting of a 7-percent real discount rate and 4.2-percent inflation rate) is $11.8 billion. The largest cost items are the requirement to have a privacy official, $5.9 billion over 10 years, and the requirement that disclosures of protected health information only involve the minimum amount necessary, $5.8 billion over 10 years.

HHS notes that the benefits of the final rule are difficult to measure because people conceive of privacy as a right, not as a commodity. There is a wide gap between what people perceive to be the level of privacy afforded health information and what actually occurs with the use of such information today. Moreover, the benefits of improved privacy protection are likely to increase in the future as patients gain trust in the ability of health care practitioners to maintain confidentiality of their health information.

(ii) Agency actions relevant to the Regulatory Flexibility Act, 5 U.S.C. Secs. 603-605, 607, and 609

HHS prepared an Initial Regulatory Flexibility Analysis and a Final Regulatory Flexibility Analysis in connection with the proposed and final rules, respectively. These analyses comply with the requirements of the Act and include the need for the rule, a description and estimate of the number of small entities, and the steps taken by the agency to minimize the impact of the final rule on small entities.

The final analysis contains a discussion of the impracticability to either exempt small entities or delay compliance with the rule for small entities since they constitute the vast majority of covered entities.

(iii) Agency actions relevant to sections 202-205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. Secs. 1532-1535

The final rule contains both intergovernmental and private sector mandates, as defined in title II, of more than $100 million in any one year. HHS has prepared the required statement concerning the costs and benefits and how it adopted the least burdensome alternative consistent with achieving the rule's goal.

(iv) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. Sec. 551 et seq.

The final rule was issued using the notice and comment procedures contained at 5 U.S.C. 553. On August 21, 1999, HHS published a Notice of Proposed Rulemaking in the Federal Register. 64 Fed. Reg. 59918. In the preamble to the final rule, HHS responds to the comments received in response to the notice.

Paperwork Reduction Act, 44 U.S.C. Secs. 3501-3520

The final rule contains information collections that are subject to review and approval by the Office of Management and Budget under the Paperwork Reduction Act.

The preamble to the final rule contains the information required by the Act regarding the various collections, including the need for the collection and the estimated annual burden hours involved. The cost assumptions regarding compliance with the collections are discussed in the Final Regulatory Impact Analysis, also found in the preamble.

Statutory authorization for the rule

The final rule is promulgated pursuant to the authority contained in sections 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d through 1320d-8) as added by section 262 of Public Law 104-191, 110 Stat. 2021-2031, and section 264 of Public Law 102-191 (42 U.S.C. 1320d-2 note).

Executive Order No. 12866

The final rule was reviewed by the Office of Management and Budget and found to be an "economically significant" regulatory action.

Executive Order No. 13132 (Federalism)

HHS has concluded that the final rule has federalism implications under the order because the rule has substantial direct effects on states, on the relationship between the national government and states, and on the distribution of powers and responsibilities among the various levels of government. However, HHS states that these federalism implications flow from and are consistent with the underlying statute. The statute allows preemption of state and local rules that provide less stringent privacy protection.