0990-0294 rev2_07_21_09

0990-0294 rev2_07_21_09.doc

Standards for Privacy of Individually Identifiable Health Information and Supporting Regulations at 45 CFR Parts 160 and 164

OMB: 0990-0294

Document [doc]
Download: doc | pdf

Supporting Statement for Standards for Privacy

of Individually Identifiable Health Information

and Supporting Regulations Contained in

45 CFR Parts 160 and 164



A. Justification

1. Circumstances Making the Collection of Information Necessary

This information collection request is for an extension on a previously approved OCR data collection, OMB # 0990-0294. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) and its implementing regulations at 45 CFR Part 160 and Subparts A and E of Part 164, the HIPAA Privacy Rule require covered entities (health plans, health care clearinghouses, and certain health care providers) to maintain strong protections for the privacy of individually identifiable health information; to use or disclose this information only as required or permitted by the Privacy Rule or with the express written authorization of the individual; to provide a notice of the entity’s privacy practices; and to document compliance with the Privacy Rule. All of these requirements were carefully considered and deemed necessary to assure the achievement of the regulation’s goals to balance the need for information with the need to protect the privacy of this sensitive information.


2. Purpose and Use of Information Collection
The individually identifiable health information collected is used by patients and by more than 500,000 covered entities affected by the HIPAA Privacy Rule. The information is routinely used by covered entities for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws. The Privacy Rule also ensures that the individual is able to access and seek amendments to their health records, to receive a notice of privacy practices from their direct treatment providers and health plan, and to request restrictions on the uses and disclosures of their information.


3. Use of Improved Information Technology and Burden Reduction

The HIPAA Privacy Rule is, in part, necessitated by the rapidly changing nature of technology. Computerization is greatly enhancing the potential use and dissemination of health information. The Privacy Rule was constructed to allow covered entities at different levels of technological sophistication to be able to adapt their existing systems to the requirements of the regulation. Thus, covered entities are able to determine for themselves the appropriate level of technology.


4. Efforts to Identify Duplication and Use of Similar Information

The requirements of the HIPAA Privacy Rule do not duplicate those of any other federal regulation.


5. Impact on Small Businesses or Other Small Entities

The HIPAA Privacy Rule provides great flexibility to covered entities, including small businesses, to determine the policies and procedures that are best suited to the entity’s current practices to comply with the standards, implementation specifications and requirements of the Privacy Rule. The Privacy Rule generally provides a flexible and scalable approach to appropriate methods for compliance depending on the size and capabilities of each individual covered entity.


6. Consequences of Collecting the Information Less Frequent Collection

Under the HIPAA Privacy Rule, the frequency of collection is a function of activity by covered entitles and the policies and procedures that they establish for complying with the Privacy Rule.


7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5

There are no special circumstances under the HIPAA Privacy Rule.


8. Comments in Response to the Federal Register Notice/Outside Consultation

A 60-day Federal Register Notice was published in the Federal Register on May 4, 2009, vol. 74; pp. 20481-2 (see attachment).


9. Explanation of Any Payment/Gift to Respondents

There are no payments or gifts to the respondents.


10. Assurance of Confidentiality Provided to Respondents

The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information.


11. Justification for Sensitive Questions

The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information they hold. The federal government does not require that sensitive questions be asked in this information collection.


12. Estimates of Annualized Burden Hours (Total Hours & Wages)

Because the HIPAA Privacy Rule has been in effect for several years, these numbers are based on past experience with this information collection. The overall total for respondents to comply with the information collection requirements of the Privacy Rule is 62,254,161 burden hours.


12A. Estimated Annualized Burden Hours


Section

Type of Respondent


Number of Respondents

Number of Responses per Respondent

Average Burden hours per Response

Total Burden Hours

160.204

Process for Requesting Exception Determinations (states or persons)

40

1

16

640

164.504

Uses and Disclosures – Organizational Requirements

764,799

1

5/60

63,733

164.508

Uses and Disclosures for Which Individual authorization is required

764,799

1

1

764,799

164.512

Uses and Disclosures for which Consent, Individual Authorization, or Opportunity to Agree or Object is Not Required (for other specified purposes by an IRB or privacy board)

113,524

1

5/60

9,460

164.520

Notice of Privacy Practices for Protected Health Information (health plans)

10,570

1

3/60

529

164.520

Notice of Privacy Practices for Protected Health Information (health care providers – dissemination)

613,000,000

1

3/60

30,650,000

164.520

Notice of Privacy Practices for Protected Health Information (health care providers – acknowledgement)

613,000,000

1

3/60

30,650,000

164.522

Rights to Request Privacy Protection for Protected Health Information

150,000

1

3/60

7,500

164.524

Access of Individuals to Protected Health Information (disclosures)

150,000

1

3/60

7,500

164.526

Amendment of Protected Health Information (requests)

150,000

1

3/60

7,500

164.526

Amendment of Protected Health Information (denials)

50,000

1

3/60

2,500

164.528

Accounting for Disclosures of Protected Health Information

1,080,000

1

5/60

90,000

Total





62,254,161



12B. Estimated Annualized Burden Costs

The HIPAA Privacy Rule requires covered entities to collect information from all individuals to whom they provide treatment or services. In calculating the total respondent costs, OCR used the Department of Labor’s mean hourly wage estimate of $24.28 for the category “Healthcare Providers and Technical Workers, all Other.” The total burden cost, based on the 62,254,161 total burden hours, is $1,511,531,029.08.1,2




Section

Type of Respondent


Total Burden Hours

Hourly Wage Rate

Total Respondent Costs

160.204

Process for Requesting Exception Determinations (states or persons)

640

$24.28

$15,539.00

164.504

Uses and Disclosures – Organizational Requirements

63,733

$24.28

$1,547,437.00

164.508

Uses and Disclosures for Which Individual authorization is required

764,799

$24.28

$18,569,320.00

164.512

Uses and Disclosures for which Consent, Individual Authorization, or Opportunity to Agree or Object is Not Required (for other specified purposes by an IRB or privacy board)

9,460

$24.28

$229,689.00

164.520

Notice of Privacy Practices for Protected Health Information (health plans)

529

$24.28

$12,844.00

164.520

Notice of Privacy Practices for Protected Health Information (health care providers – dissemination)

30,650,000

$24.28

$744,182,000.00

164.520

Notice of Privacy Practices for Protected Health Information (health care providers – acknowledgement)

30,650,000

$24.28

$744,182,000.00

164.522

Rights to Request Privacy Protection for Protected Health Information

7,500

$24.28

$182,100.00

164.524

Access of Individuals to Protected Health Information (disclosures)

7,500

$24.28

$182,100.00

164.526

Amendment of Protected Health Information (requests)

7,500

$24.28

$182,100.00

164.526

Amendment of Protected Health Information (denials)

2,500

$24.28

$60,700.00

164.528

Accounting for Disclosures of Protected Health Information

90,000

$24.28

$2,185,200.00

Total




$1,511,531,029.00


13. Estimates of Other Total Annual Cost Burden to Respondents or Recordkeepers/Capital Costs

There are no capital costs associated with this information collection.


14. Annualized Cost to Federal Government

The HIPAA Privacy Rule requires covered entities to collect information in order to comply with the Privacy Rule’s requirements. Covered entities must collect this information and maintain this information in order to comply with the Privacy Rule. However, OCR does not produce the forms on which the information is collected, OCR does not store this information, nor does OCR require covered entities to provide them with all information they collect to comply with the Privacy Rule. This collection is done outside of OCR and is completely a function completed by the covered entities. Therefore, there is no cost to the federal government for this information collection.


15. Explanation for Program Changes or Adjustments

OCR has increased the burden hours for covered entities to comply with the HIPAA Privacy Rule information collection requirements; however, this adjustment is only administrative and does nothing to change the burden on covered entities. When this was transferred from CMS to OCR in 2005, estimated the burden hours totaled 2,210,715. The total burden hours has now increased because the original burden upon covered entities for completing the Notice of Privacy Practices at 10 seconds. OCR has revised this to a burden of 3 minutes to more accurately reflect the time it is taking covered entities to have these forms completed. This, in turn, increased our total burden hours on covered entities.


16. Plans for Tabulation and Publication and Project Time Schedule

The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information and to only disclose this information as permitted by the Privacy Rule.


17. Reason(s) Display of OMB Expiration Date is Inappropriate

OCR no concern displaying the OMB expiration date.


18. Exceptions to Certification for Paperwork Reduction Act Submissions

There are no exceptions to the certification.


B. Collection of Information Employing Statistical Methods

Not applicable. The information collection required by the HIPAA Privacy Rule as described above in part A does not require nor lend itself to the application of statistical methods.



1 Healthcare Providers and Technical Occupations mean hourly wage estimate, May 2008 National Occupational Employment and Wage Estimate, Department of Labor, available at http://www.bls.gov/oes/current/oes_nat.htm.

2 OCR has rounded the Total Respondent Costs to the nearest dollar.

6


File Typeapplication/msword
File TitleSupporting Statement for Standards for Privacy
AuthorHannah Stahle
Last Modified ByDHHS
File Modified2009-07-21
File Created2009-07-21

© 2024 OMB.report | Privacy Policy