Supporting Statement for Standards for Privacy
of Individually Identifiable Health Information
and Supporting Regulations Contained in
45 CFR Parts 160 and 164
A. Justification
1. Circumstances Making the Collection of Information Necessary
This information collection request is for an extension on a previously approved OCR data collection, OMB # 0990-0294. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) and its implementing regulations at 45 CFR Part 160 and Subparts A and E of Part 164, the HIPAA Privacy Rule require covered entities (health plans, health care clearinghouses, and certain health care providers) to maintain strong protections for the privacy of individually identifiable health information; to use or disclose this information only as required or permitted by the Privacy Rule or with the express written authorization of the individual; to provide a notice of the entity’s privacy practices; and to document compliance with the Privacy Rule. All of these requirements were carefully considered and deemed necessary to assure the achievement of the regulation’s goals to balance the need for information with the need to protect the privacy of this sensitive information.
2.
Purpose and Use of Information Collection
The
individually identifiable health information collected is used by
patients and by more than 500,000 covered entities affected by the
HIPAA Privacy Rule. The information is routinely used by covered
entities for treatment, payment, and health care operations. In
addition, the information is used for specified public policy
purposes, including research, public health, and as required by other
laws. The Privacy Rule also ensures that the individual is able to
access and seek amendments to their health records, to receive a
notice of privacy practices from their direct treatment providers and
health plan, and to request restrictions on the uses and disclosures
of their information.
3. Use of Improved Information Technology and Burden Reduction
The HIPAA Privacy Rule is, in part, necessitated by the rapidly changing nature of technology. Computerization is greatly enhancing the potential use and dissemination of health information. The Privacy Rule was constructed to allow covered entities at different levels of technological sophistication to be able to adapt their existing systems to the requirements of the regulation. Thus, covered entities are able to determine for themselves the appropriate level of technology.
4. Efforts to Identify Duplication and Use of Similar Information
The requirements of the HIPAA Privacy Rule do not duplicate those of any other federal regulation.
5. Impact on Small Businesses or Other Small Entities
The HIPAA Privacy Rule provides great flexibility to covered entities, including small businesses, to determine the policies and procedures that are best suited to the entity’s current practices to comply with the standards, implementation specifications and requirements of the Privacy Rule. The Privacy Rule generally provides a flexible and scalable approach to appropriate methods for compliance depending on the size and capabilities of each individual covered entity.
6. Consequences of Collecting the Information Less Frequent Collection
Under the HIPAA Privacy Rule, the frequency of collection is a function of activity by covered entitles and the policies and procedures that they establish for complying with the Privacy Rule.
7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
There are no special circumstances under the HIPAA Privacy Rule.
8. Comments in Response to the Federal Register Notice/Outside Consultation
A 60-day Federal Register Notice was published in the Federal Register on XXXX (see attachment).
9. Explanation of Any Payment/Gift to Respondents
There are no payments or gifts to the respondents.
10. Assurance of Confidentiality Provided to Respondents
The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information.
11. Justification for Sensitive Questions
The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information they hold. The federal government does not require that sensitive questions be asked in this information collection.
12. Estimates of Annualized Burden Hours (Total Hours & Wages)
Because the HIPAA Privacy Rule has been in effect for several years, these numbers are based on past experience with this information collection. The overall total for respondents to comply with the information collection requirements of the Privacy Rule is 62,254,161 burden hours.
12A. Estimated Annualized Burden Hours
Section |
Type of Respondent
|
Number of Respondents |
Number of Responses per Respondent |
Average Burden hours per Response |
Total Burden Hours |
160.204 |
Process for Requesting Exception Determinations (states or persons) |
40 |
1 |
16 |
640 |
164.504 |
Uses and Disclosures – Organizational Requirements |
764,799 |
1 |
5/60 |
63,733 |
164.508 |
Uses and Disclosures for Which Individual authorization is required |
764,799 |
1 |
1 |
764,799 |
164.512 |
Uses and Disclosures for which Consent, Individual Authorization, or Opportunity to Agree or Object is Not Required (for other specified purposes by an IRB or privacy board) |
113,524 |
1 |
5/60 |
9,460 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health plans) |
10,570 |
1 |
3/60 |
529 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health care providers – dissemination) |
613,000,000 |
1 |
3/60 |
30,650,000 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health care providers – acknowledgement) |
613,000,000 |
1 |
3/60 |
30,650,000 |
164.522 |
Rights to Request Privacy Protection for Protected Health Information |
150,000 |
1 |
3/60 |
7,500 |
164.524 |
Access of Individuals to Protected Health Information (disclosures) |
150,000 |
1 |
3/60 |
7,500 |
164.526 |
Amendment of Protected Health Information (requests) |
150,000 |
1 |
3/60 |
7,500 |
164.526 |
Amendment of Protected Health Information (denials) |
50,000 |
1 |
3/60 |
2,500 |
164.528 |
Accounting for Disclosures of Protected Health Information |
1,080,000 |
1 |
5/60 |
90,000 |
Total |
|
|
|
|
62,254,161
|
12B. Estimated Annualized Burden Costs
The HIPAA Privacy Rule requires covered entities to collect information from all individuals to whom they provide treatment or services. In calculating the total respondent costs, OCR used the Department of Labor’s mean hourly wage estimate of $24.28 for the category “Healthcare Providers and Technical Workers, all Other.” The total burden cost, based on the 62,254,161 total burden hours, is $1,511,531,029.08.1,2
Section |
Type of Respondent
|
Total Burden Hours |
Hourly Wage Rate |
Total Respondent Costs |
160.204 |
Process for Requesting Exception Determinations (states or persons) |
640 |
$24.28 |
$15,539.00 |
164.504 |
Uses and Disclosures – Organizational Requirements |
63,733 |
$24.28 |
$1,547,437.00 |
164.508 |
Uses and Disclosures for Which Individual authorization is required |
764,799 |
$24.28 |
$18,569,320.00 |
164.512 |
Uses and Disclosures for which Consent, Individual Authorization, or Opportunity to Agree or Object is Not Required (for other specified purposes by an IRB or privacy board) |
9,460 |
$24.28 |
$229,689.00 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health plans) |
529 |
$24.28 |
$12,844.00 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health care providers – dissemination) |
30,650,000 |
$24.28 |
$744,182,000.00 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health care providers – acknowledgement) |
30,650,000 |
$24.28 |
$744,182,000.00 |
164.522 |
Rights to Request Privacy Protection for Protected Health Information |
7,500 |
$24.28 |
$182,100.00 |
164.524 |
Access of Individuals to Protected Health Information (disclosures) |
7,500 |
$24.28 |
$182,100.00 |
164.526 |
Amendment of Protected Health Information (requests) |
7,500 |
$24.28 |
$182,100.00 |
164.526 |
Amendment of Protected Health Information (denials) |
2,500 |
$24.28 |
$60,700.00 |
164.528 |
Accounting for Disclosures of Protected Health Information |
90,000 |
$24.28 |
$2,185,200.00 |
Total |
|
|
|
$1,511,531,029.00 |
13. Estimates of Other Total Annual Cost Burden to Respondents or Recordkeepers/Capital Costs
There are no capital costs associated with this information collection.
14. Annualized Cost to Federal Government
The HIPAA Privacy Rule requires covered entities to collect information in order to comply with the Privacy Rule’s requirements. Covered entities must collect this information and maintain this information in order to comply with the Privacy Rule. However, OCR does not produce the forms on which the information is collected, OCR does not store this information, nor does OCR require covered entities to provide them with all information they collect to comply with the Privacy Rule. This collection is done outside of OCR and is completely a function completed by the covered entities. Therefore, there is no cost to the federal government for this information collection.
15. Explanation for Program Changes or Adjustments
There are no program changes or adjustments.
16. Plans for Tabulation and Publication and Project Time Schedule
The HIPAA Privacy Rule requires covered entities to protect individually identifiable health information and to only disclose this information as permitted by the Privacy Rule.
17. Reason(s) Display of OMB Expiration Date is Inappropriate
OCR has no concerns about displaying the OMB expiration date.
18. Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
B. Collection of Information Employing Statistical Methods
Not applicable. The information collection required by the HIPAA Privacy Rule as described above in part A does not require nor lend itself to the application of statistical methods.
1 Healthcare Providers and Technical Occupations mean hourly wage estimate, May 2008 National Occupational Employment and Wage Estimate, Department of Labor, available at http://www.bls.gov/oes/current/oes_nat.htm.
2 OCR has rounded the Total Respondent Costs to the nearest dollar.
File Type | application/msword |
File Title | Supporting Statement for Standards for Privacy |
Author | Hannah Stahle |
Last Modified By | OCR |
File Modified | 2012-07-27 |
File Created | 2012-07-27 |