Supporting Statement for Standards for Privacy
of Individually Identifiable Health Information
and Supporting Regulations Contained in
45 CFR Parts 160 and 164
A. Justification
1. Circumstances Making the Collection of Information Necessary
This information collection request is for an extension of a previously approved OCR data collection, OMB # 0990-0294. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) and its implementing regulations at 45 CFR Part 160 and Subparts A and E of Part 164 (the HIPAA Privacy Rule) require covered entities (health plans, health care clearinghouses, and certain health care providers) to maintain strong protections for the privacy of individually identifiable health information; to use or disclose this information only as required or permitted by the Privacy Rule or with the express written authorization of the individual; to provide a notice of the entity’s privacy practices; and to document compliance with the Privacy Rule. All of these requirements were carefully considered and deemed necessary to assure the achievement of the regulation’s goals to balance the need for information with the need to protect the privacy of this sensitive information.
2. Purpose and Use of Information Collection
The individually identifiable health information collected is used by patients and by more than 500,000 covered entities affected by the HIPAA Privacy Rule. The information is routinely used by covered entities for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws. The Privacy Rule also ensures that the individual is able to access and seek amendments to their health records, to receive a notice of privacy practices from their direct treatment providers and health plan, and to request restrictions on the uses and disclosures of their information.
3. Use of Improved Information Technology and Burden Reduction
The HIPAA Privacy Rule is, in part, necessitated by the rapidly changing nature of technology. Computerization is greatly enhancing the potential use and dissemination of health information. The Privacy Rule was constructed to allow covered entities at different levels of technological sophistication to be able to adapt their existing systems to the requirements of the regulation. Thus, covered entities are able to determine for themselves the appropriate level of technology.
4. Efforts to Identify Duplication and Use of Similar Information
The requirements of the HIPAA Privacy Rule do not duplicate those of any other federal regulation.
5. Impact on Small Businesses or Other Small Entities
The HIPAA Privacy Rule provides great flexibility to covered entities, including small businesses, to determine the policies and procedures that are best suited to the entity’s current practices to comply with the standards, implementation specifications and requirements of the Privacy Rule. The Privacy Rule generally provides a flexible and scalable approach to appropriate methods for compliance depending on the size and capabilities of each individual covered entity.
6. Consequences of Collecting the Information Less Frequently
Under the HIPAA Privacy Rule, the frequency of collection is a function of activity by covered entities and the policies and procedures that they establish for complying with the Privacy Rule.
7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
There are no special circumstances under the HIPAA Privacy Rule.
8. Comments in Response to the Federal Register Notice/Outside Consultation
A 60-day Federal Register Notice was published in the Federal Register on May 4, 2009, vol. 74; pp. 20481-2 (see attachment).
9. Explanation of Any Payment/Gift to Respondents
There are no payments or gifts to the respondents.
10. Assurance of Confidentiality Provided to Respondents
The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information.
11. Justification for Sensitive Questions
The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information they hold. The federal government does not require that sensitive questions be asked in this information collection.
12. Estimates of Annualized Burden Hours (Total Hours & Wages)
Because the HIPAA Privacy Rule has been in effect for several years, these numbers are based on past experience with this information collection. The overall total for respondents to comply with the information collection requirements of the Privacy Rule is 62,254,161 burden hours.
12A. Estimated Annualized Burden Hours
Section | Type of Respondent | Number of Respondents | Number of Responses per Respondent | Average Burden Hours per Response | Total Burden Hours |
160.204 | Process for Requesting Exception Determinations (states or persons) | 40 | 1 | 16 | 640 |
164.504 | Uses and Disclosures – Organizational Requirements | 764,799 | 1 | 5/60 | 63,733 |
164.508 | Uses and Disclosures for Which Individual Authorization Is Required | 764,799 | 1 | 1 | 764,799 |
164.512 | Uses and Disclosures for Which Consent, Individual Authorization, or Opportunity to Agree or Object Is Not Required (for other specified purposes by an IRB or privacy board) | 113,524 | 1 | 5/60 | 9,460 |
164.520 | Notice of Privacy Practices for Protected Health Information (health plans) | 10,570 | 1 | 3/60 | 529 |
164.520 | Notice of Privacy Practices for Protected Health Information (health care providers – dissemination) | 613,000,000 | 1 | 3/60 | 30,650,000 |
164.520 | Notice of Privacy Practices for Protected Health Information (health care providers – acknowledgement) | 613,000,000 | 1 | 3/60 | 30,650,000 |
164.522 | Rights to Request Privacy Protection for Protected Health Information | 150,000 | 1 | 3/60 | 7,500 |
164.524 | Access of Individuals to Protected Health Information (disclosures) | 150,000 | 1 | 3/60 | 7,500 |
164.526 | Amendment of Protected Health Information (requests) | 150,000 | 1 | 3/60 | 7,500 |
164.526 | Amendment of Protected Health Information (denials) | 50,000 | 1 | 3/60 | 2,500 |
164.528 | Accounting for Disclosures of Protected Health Information | 1,080,000 | 1 | 5/60 | 90,000 |
Total | | | | | 62,254,161 |
12B. Estimated Annualized Burden Costs
The HIPAA Privacy Rule requires covered entities to collect information from all individuals to whom they provide treatment or services. In calculating the total respondent costs, OCR used the Department of Labor’s mean hourly wage estimate of $24.28 for the category “Healthcare Providers and Technical Workers, all Other.” The total burden cost, based on the 62,254,161 total burden hours, is $1,511,531,029.08 (see footnotes 1 and 2).
Section | Type of Respondent | Total Burden Hours | Hourly Wage Rate | Total Respondent Costs |
160.204 | Process for Requesting Exception Determinations (states or persons) | 640 | $24.28 | $15,539.00 |
164.504 | Uses and Disclosures – Organizational Requirements | 63,733 | $24.28 | $1,547,437.00 |
164.508 | Uses and Disclosures for Which Individual Authorization Is Required | 764,799 | $24.28 | $18,569,320.00 |
164.512 | Uses and Disclosures for Which Consent, Individual Authorization, or Opportunity to Agree or Object Is Not Required (for other specified purposes by an IRB or privacy board) | 9,460 | $24.28 | $229,689.00 |
164.520 | Notice of Privacy Practices for Protected Health Information (health plans) | 529 | $24.28 | $12,844.00 |
164.520 | Notice of Privacy Practices for Protected Health Information (health care providers – dissemination) | 30,650,000 | $24.28 | $744,182,000.00 |
164.520 | Notice of Privacy Practices for Protected Health Information (health care providers – acknowledgement) | 30,650,000 | $24.28 | $744,182,000.00 |
164.522 | Rights to Request Privacy Protection for Protected Health Information | 7,500 | $24.28 | $182,100.00 |
164.524 | Access of Individuals to Protected Health Information (disclosures) | 7,500 | $24.28 | $182,100.00 |
164.526 | Amendment of Protected Health Information (requests) | 7,500 | $24.28 | $182,100.00 |
164.526 | Amendment of Protected Health Information (denials) | 2,500 | $24.28 | $60,700.00 |
164.528 | Accounting for Disclosures of Protected Health Information | 90,000 | $24.28 | $2,185,200.00 |
Total | | | | $1,511,531,029.00 |
13. Estimates of Other Total Annual Cost Burden to Respondents or Recordkeepers/Capital Costs
There are no capital costs associated with this information collection.
14. Annualized Cost to Federal Government
The HIPAA Privacy Rule requires covered entities to collect information in order to comply with the Privacy Rule’s requirements. Covered entities must collect this information and maintain this information in order to comply with the Privacy Rule. However, OCR does not produce the forms on which the information is collected, OCR does not store this information, nor does OCR require covered entities to provide them with all information they collect to comply with the Privacy Rule. This collection is done outside of OCR and is completely a function completed by the covered entities. Therefore, there is no cost to the federal government for this information collection.
15. Explanation for Program Changes or Adjustments
OCR has increased the burden hours for covered entities to comply with the HIPAA Privacy Rule information collection requirements; however, this adjustment is only administrative and does nothing to change the burden on covered entities. When this was transferred from CMS to OCR in 2005, the estimated burden hours totaled 2,210,715. The total burden hours have now increased because the original burden upon covered entities for completing the Notice of Privacy Practices was estimated at 10 seconds. OCR has revised this to a burden of 3 minutes to more accurately reflect the time it is taking covered entities to have these forms completed. This, in turn, increased our total burden hours on covered entities.
16. Plans for Tabulation and Publication and Project Time Schedule
The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information and to only disclose this information as permitted by the Privacy Rule.
17. Reason(s) Display of OMB Expiration Date is Inappropriate
OCR has no concern displaying the OMB expiration date.
18. Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
B. Collection of Information Employing Statistical Methods
Not applicable. The information collection required by the HIPAA Privacy Rule as described above in part A does not require nor lend itself to the application of statistical methods.
1 Healthcare Providers and Technical Occupations mean hourly wage estimate, May 2008 National Occupational Employment and Wage Estimate, Department of Labor, available at http://www.bls.gov/oes/current/oes_nat.htm.
2 OCR has rounded the Total Respondent Costs to the nearest dollar.
File Type | application/msword |
File Title | Supporting Statement for Standards for Privacy |
Author | Hannah Stahle |
Last Modified By | DHHS |
File Modified | 2009-07-21 |
File Created | 2009-07-21 |