Supporting Statement for
Standards for Privacy of Individually Identifiable Health Information,
Security Standards for the Protection of Electronic Protected Health Information,
and Supporting Regulations Contained in
45 CFR Parts 160 and 164
A. Justification
1. Circumstances Making the Collection of Information Necessary
We are requesting OMB approval for the revision of a previously approved Office for Civil Rights (OCR) data collection, OMB #0945-0003 (formerly OMB #0990-0294).
The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Public Law 111–5), enacted on February 17, 2009, requires the Office for Civil Rights (OCR) to revise its information collection under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules (45 CFR Parts 160 and 164). The HITECH Act requires modification of the HIPAA Privacy and Security Rules to extend direct liability to business associates for compliance with certain provisions and to strengthen privacy and security protections for health information.
Additionally, Section 105 of the Genetic Information Nondiscrimination Act of 2008 (GINA) (Public Law 110-233), entitled “Privacy and Confidentiality,” amends Part C of Title XI of the Social Security Act by adding section 1180 to address the application of the HIPAA Privacy Rule to genetic information. Section 1180 requires revision of the Privacy Rule to clarify that genetic information is health information and to prohibit health plans from using or disclosing genetic information for underwriting purposes.
2. Purpose and Use of Information Collection
The current information collection for the HIPAA Privacy Rule addresses HIPAA requirements related to the use, disclosure, and safeguarding of individually identifiable health information by covered entities affected by the Rule. The information is routinely used by covered entities and business associates for treatment, payment, and health care operations. In addition, the information is used for specified public policy purposes, including research, public health, and as required by other laws. The Privacy Rule also ensures that individuals are able to exercise certain rights with respect to their information, including the rights to access and seek amendments to their health records and to receive a Notice of Privacy Practices (NPP) from their direct treatment providers and health plans. As noted above, we modify this collection to reflect regulatory revisions to the Privacy and Security Rules pursuant to GINA and the HITECH Act, made permanent in the Omnibus HIPAA Final Rule published on January 25, 2013 (78 FR 5566), which enhance these rights for individuals and strengthen privacy and security protections for individually identifiable information used or disclosed by business associates.
3. Use of Improved Information Technology and Burden Reduction
The HIPAA Privacy and Security Rules were constructed to allow covered entities at different levels of technological sophistication to be able to adapt their existing systems to the requirements of the regulations. Thus, covered entities are able to determine for themselves the appropriate level of technology and implement safeguards in a manner that is reasonable and appropriate for their particular environments. The Privacy Rule allows entities covered by HIPAA to provide the NPPs to an individual by email, if the individual agrees to notice in an electronic format, and such agreement has not been withdrawn. In addition, the revised Privacy Rule permits health plans to post updated NPPs to their websites and include a copy in their next annual mailing rather than send a separate mailing to all enrollees within 60 days of a material change in the NPP, as was previously required by the Rule.
4. Efforts to Identify Duplication and Use of Similar Information
The requirements of the HIPAA Privacy and Security Rules, including these modifications, do not duplicate those of any other federal regulation.
5. Impact on Small Businesses or Other Small Entities
The HIPAA Privacy and Security Rules provide great flexibility to covered entities and business associates, including small businesses, to determine the policies and procedures that are best suited to the entities’ current practices to comply with the standards, implementation specifications and requirements of the Rules. The Rules generally provide a flexible and scalable approach to appropriate methods for compliance depending on the size and capabilities of each individual covered entity and business associate.
6. Consequences of Less Frequent Collection
Under the HIPAA Privacy and Security Rules, the frequency of collection is a function of activity by covered entities and business associates and the policies and procedures that they establish for complying with the Rules.
7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
There are no special circumstances.
8. Comments in Response to the Federal Register Notice/Outside Consultation
The GINA and HITECH Act information collection requirements were finalized with the publication of the Omnibus HIPAA Final Rule on January 25, 2013 (78 FR 5566). We did not receive additional public comments on these requirements.
9. Explanation of Any Payment/Gift to Respondents
There are no payments or gifts to the respondents.
10. Assurance of Confidentiality Provided to Respondents
The HIPAA Privacy and Security Rules require covered entities and business associates to protect individually identifiable health information.
11. Justification for Sensitive Questions
The federal government does not require that sensitive questions be asked in this information collection.
12. Estimates of Annualized Burden Hours (Total Hours & Wages)
The overall total for respondents to comply with the information collection requirements of the Rules is 32,762,365 burden hours at a cost of $1,405,079,365.
12A. Estimated Annualized Burden Hours
With regard to the new information collection burdens associated with the need to comply with regulations revised by the HITECH Act and GINA, we attribute all of the compliance burden hours to the first year of implementation. However, we annualize these burden hours and costs over the three year approval period for purposes of the tables below.
In the Omnibus Final Rule, to annualize the one-time, first year costs of the new burdens over three years, we divided the expected number of responses per respondent by three, so that the average burden hours per response would accurately reflect the burden of one response. For example, we estimated the average burden hours per response at 3.5 hours for compliance with requirements under 164.316 (the first row in the table below). Because this burden would accrue only once in the three-year annualization period, we calculated the average number of responses per respondent as 1/3. Due to the technical limitations of the system HHS uses to submit ICR requests, this supporting statement instead reports an average annualized burden of one full response per respondent and presents 1/3 of the total burden of one response in the column for average burden hours. As a result, the burden hours per response listed in the table below do not match the burden hours per response presented in the Final Rule or in the calculations described in 12B of this supported statement to determine the total costs. However, the total burden hours and associated total costs of new burdens presented below are consistent with the burden reported in the Final Rule.
See the narrative in item 12B below for an explanation of the computation of the burden hours and costs for the new regulations. See the narrative in item 15 for an explanation of program changes or adjustments related to the ongoing collection burdens and costs below.
New Burdens Associated with the Final Rule
Section |
Type of Respondent
|
Number of Respondents |
Average Number of Responses per Respondent |
Average Burden hours per Response |
Total Burden Hours |
164.316 |
Documentation of Security Rule Policies and Procedures and Administrative Safeguards (business associates) |
300,000 |
1 |
70/60 |
350,000 |
164.504 |
Business Associates Needing to Establish or Modify Business Associate Agreements with Subcontractors |
375,000* |
1 |
20/60 |
125,000 |
164.520 |
Revision of Notice of Privacy Practices for Protected Health Information (drafting revised language) (health plans) |
1,500 |
1 |
.111 |
167 |
164.520 |
Dissemination of Notice of Privacy Practices for Protected Health Information (health plans) |
20,000,000 |
1 |
.00333335
|
66,667 |
164.520 |
Revision of Notice of Privacy Practices (providers) |
697,000 |
1 |
.11111 |
77,444 |
Total |
|
|
|
|
619,278 |
Section |
Type of Respondent
|
Number of Respondents |
Average Number of Responses per Respondent |
Average Burden Hours per Response |
Total Burden Hours |
164.316 |
Documentation of Security Rule Policies and Procedures and Administrative Safeguards (business associates) |
300,000 |
1 |
70/60 |
350,000 |
164.504 |
Business Associates Needing to Establish or Modify Business Associate Agreements with Subcontractors |
375,000* |
1 |
.33 |
125,000 |
164.520 |
Revision of Notice of Privacy Practices for Protected Health Information (drafting revised language) (health plans) |
1,500 |
1 |
.11 |
167 |
164.520 |
Dissemination of Notice of Privacy Practices for Protected Health Information (health plans) |
20,000,000 |
1 |
.03 (1 per 100 notices) |
66,667 |
164.520 |
Revision of Notice of Privacy Practices (providers) |
697,000 |
1 |
.11 |
77,444 |
Total |
|
|
|
|
619,278 |
|
|
*Number represents the mid-point for estimates that include a range of values. See narrative in item 12B for actual ranges. |
|||
Ongoing
Annual Burdens of Compliance with the Rules
Section |
Type of Respondent
|
Number of Respondents |
Number of Responses per Respondent |
Average Burden hours per Response |
Total Burden Hours |
160.204 |
Process for Requesting Exception Determinations (states or persons) |
1 |
1 |
16 |
16 |
164.504 |
Uses and Disclosures – Organizational Requirements |
700,000 |
1 |
5/60 |
58,333 |
164.508 |
Uses and Disclosures for Which Individual authorization is required |
700,000 |
1 |
1 |
700,000 |
164.512 |
Uses and Disclosures for Research Purposes |
113,524 |
1 |
5/60 |
9,460 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health plans – periodic distribution of NPPs by paper mail) |
100,000,000 |
1 |
0.25
|
416667 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health plans – periodic distribution of NPPs by electronic mail) |
100,000,000 |
1 |
0.167
|
278333 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health care providers – dissemination and acknowledgement) |
613,000,000 |
1 |
3/60 |
30,650,000 |
164.522 |
Rights to Request Privacy Protection for Protected Health Information |
150,000 |
1 |
3/60 |
7,500 |
164.524 |
Access of Individuals to Protected Health Information (disclosures) |
150,000 |
1 |
3/60 |
7,500 |
164.526 |
Amendment of Protected Health Information (requests) |
150,000 |
1 |
3/60 |
7,500 |
164.526 |
Amendment of Protected Health Information (denials) |
50,000 |
1 |
3/60 |
2,500 |
164.528 |
Accounting for Disclosures of Protected Health Information |
70,000 |
1 |
3/60 |
5,833 |
Total |
|
|
|
|
32,143,642 |
TOTAL HOURS 32,762,920
TOTAL 32,762,365 |
12B. Estimated Annualized Burden Costs
The HITECH Act modifies the HIPAA Privacy and Security Rules to extend jurisdiction to business associates and to strengthen privacy and security protections for health information. GINA requires changes to the Privacy Rule with regard to genetic information. The following paragraphs summarize the total burden hours and associated costs of the new and revised requirements, which we expect will be incurred in the first year of implementation. We then present the annualized costs for these requirements as well as the annual costs associated with other, ongoing compliance burdens that are not affected by the HITECH and GINA changes.
As a result of the HITECH Act, some business associates may need to come into full compliance with the Security Rule’s documentation requirements. We estimate that this requirement will affect between 200,000 and 400,000 business associates, who will take between 2 to 5 hours to complete the work. For the purposes of this estimate, we use the mid-points of the two ranges resulting in an estimate of a 3.5 hour burden on approximately 300,000 business associates for an annualized burden of 350,000 hours ( (300,000 x 3.5)/3 = 350,000). At an assumed cost of $56.61 per hour1, we estimate the annualized costs to do so will be $19,813,500.
We estimate that between 250,000 and 500,000 business associates do not have compliant business associate agreements with their subcontractors and will need to amend these agreements to be compliant. Again, using the mid-point of 375,000 business associates as needing to take compliance actions, we estimate the cost of bringing their subcontractors into compliance will require approximately one hour of professional, legal time at approximately $84.32 per hour. 2 The annualized burden to meet this requirement is 125,000 hours ((375,000 x 1)/3 = 125,000) at a cost of $10,540,000 per year.
The burden hours and associated costs for health plans first include the drafting of a revised notice of privacy practices. We estimate that 1,500 insurance and administrative entities will each incur 20 minutes of legal services to draft the revised notices at a cost of $84.32 per hour (see fn. 2). Annualized, that represents a burden of 167 hours, at a cost of $14,081. Second, health plans will incur burden hours and costs for the dissemination of their revised notices. We have minimized this burden by allowing health plans to send the revised NPP with their next annual mailing if they post the new NPP on their website. We expect that only 10% of plan subscribers, or 20 million individuals, will receive their NPP in a separate mailing because their health plan does not maintain a website or otherwise decides not to take advantage of the flexibility provided in the revised rule. Because this would be a separate mailing, rather than part of the routine annual mailing, we estimate that entities can prepare and mail approximately 100 notices/hour for a total annualized burden of 66,667 hours (20 million/100 per hour = 200,000 hours/3 = 66,667 hours). At a labor cost of $22.53 per hour (based on hourly wages of $15.02 for office and administrative staff, plus 50 percent for benefits), the total cost for dissemination of the revised notices is estimated to be $1,502,000.
Finally, health care providers must also revise their notices of privacy practices, although they do not have dissemination costs as do health plans. We estimate the cost of revising a notice of privacy practices will require approximately 20 minutes of professional, legal time to draft the new provisions at $84.32 per hour (see fn. 2). For the approximately 697,000 health care providers and suppliers in the United States, the estimated annualized burden is 77,444 hours at a total cost of approximately $6,530,078.
The total burden for changes to the HIPAA Privacy and Security Rules, based on the 619,278 annualized burden hours is $38,399,659. For capital costs associated with these new provisions, see item 13 below.
In calculating the total respondent costs for the ongoing (unrevised) annual burden, OCR used the Department of Labor’s median hourly wage estimate (now $42.96, including 50% for benefits) for the category “Healthcare Practitioners and Technical Workers”3 and $22.53 for dissemination costs for health plans as in the estimate above. The total burden of ongoing compliance with the Rules, apart from the new burden estimates and capital costs, is 32,143,087 burden hours, or approximately $1,366,679,706.
The overall burden associated with this information collection is 32,762,365. The total cost of compliance, including both new and ongoing hourly burden and capital costs, is approximately $1,405,079,365
New and Revised Costs Due to Omnibus Rule4
Section |
Type of Respondent
|
Annualized Total Burden Hours
|
Hourly Wage Rate |
Annualized Respondent Costs
|
164.316 |
Documentation of Security Rule Policies and Procedures and Administrative Safeguards (business associates) |
350,000 |
$56.61 |
$19,813,500 |
164.504 |
Business Associates Needing to Establish or Modify Business Associate Agreements with Subcontractors |
125,000 |
$84.32 |
$10,540,000 |
164.520 |
Revision of Notice of Privacy Practices for Protected Health Information (health plans) |
167 |
$84.32 |
$14,081 |
164.520 |
Dissemination of Notice of Privacy Practices for Protected Health Information (health plans) |
66,667 |
$22.53 |
$1,502,000 |
164.520 |
Revision of Notice of Privacy Practices for Protected Health Information (health care providers) |
77,444 |
$84.32 |
$6,530,078 |
Total |
|
|
|
$38,399,659 |
Ongoing Annual Burden Costs
Section |
Type of Respondent
|
Total Burden Hours |
Hourly Wage Rate |
Total Respondent Costs |
160.204 |
Process for Requesting Exception Determinations (states or persons) |
16 |
$42.965 |
$687 |
164.504 |
Uses and Disclosures – Organizational Requirements |
58,333 |
$42.96 |
$2,505,986 |
164.508 |
Uses and Disclosures for Which Individual authorization is required |
700,000 |
$42.96 |
$30,072,200 |
164.512 |
Uses and Disclosures for Research Purposes |
9,460 |
$42.96 |
$406,402 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health plans – periodic distribution of NPPs, half by paper mail and half by electronic mail) |
694,445 |
$22.53 |
$15,645,845 |
164.520 |
Notice of Privacy Practices for Protected Health Information (health care providers – dissemination and acknowledgement) |
30,650,000 |
$42.96 |
$1,316,724,000 |
164.522 |
Rights to Request Privacy Protection for Protected Health Information |
7,500 |
$42.96 |
$322,200 |
164.524 |
Access of Individuals to Protected Health Information (disclosures) |
7,500 |
$42.96 |
$322,200 |
164.526 |
Amendment of Protected Health Information (requests) |
7,500 |
$42.96 |
$322,200 |
164.526 |
Amendment of Protected Health Information (denials) |
2,500 |
$42.96 |
$107,400 |
164.528 |
Accounting for Disclosures of Protected Health Information |
5,833 |
$42.96 |
$250,586 |
Total |
|
|
|
$1,366,679,706 |
TOTAL $1,405,079,365 |
13. Estimates of Other Total Annual Cost Burden to Respondents or Record Keepers/Capital Costs
Capital costs will also be incurred by respondents, largely in connection with the need to print notices of privacy practices and in certain cases to mail the notices to the individual. For this calculation, we estimate the cost for paper and printing will be $.10 per notice and that postage will be an additional $.45 per notice mailed. Capital costs incurred to comply with the new provisions of GINA and HITECH Act are first-year costs that are annualized over the approval period.
With regard to the new requirements (see discussion above in item 12B), we estimate health plans will incur an annualized capital cost of $3.7 million related to the separate printing and mailing of a materially revised NPP to approximately 20 million beneficiaries (20 million x $0.10 = $2 million + $9 million (20 million x $0.45) = $11 million/3 = $3.67 million). On an ongoing basis, health plans are obligated to provide a beneficiary pool of some 200 million named policy holders with notice once every 3 years. As discussed in more detail in item 15, below, we assume that most health plans will provide the NPP annually as part of the other plan materials sent to all current and new enrollees. However, with the advance of technology and electronic communications, we estimate that only half of the 200 million named policy holders will receive a paper copy of the notice, requiring the plan to incur printing and mailing costs. Thus, health plans will annually print some 100 million notices for a cost of $10 million. Because we assume the NPP is mailed as part of materials that the health plan would otherwise send to current and potential new enrollees annually for their own business purposes as well as to meet other legal requirements, we do not attribute any capital cost for postage related to these annual mailings. In total, new and ongoing capital costs for health plans related to the printing and mailing of the NPP are $13.67 million.
Health care providers will incur a capital cost related to the printing of the NPP, but they will not incur any capital costs related to the dissemination of the NPP. With regard to the new requirements, given the ample compliance time provided by the new regulations in which to adjust for printing cycles and inventory controls, we estimate that health care providers will need to replace no more than 4 months of inventory as they transition from their current notice to the revised notice. Thus, if they annually print 613 million notices, a 4 months’ supply would result in the one-time printing of approximately 204 million notices at a cost of $20.4 million, for an annualized cost of $6.8 million. In addition, health care providers will incur an annual cost to print 613 million NPPs, or $61.3 million per year. In total, capital costs for health care providers in connection with the printing of the NPP are $68.1 million per year.
Total Annual/Annualized Capital Costs
164.520 |
Printing and Postage for Notice of Privacy Practices for Protected Health Information (health plans) |
0 |
0 |
$13,667,000 |
164.520 |
Printing Notice of Privacy Practices for Protected Health Information (health care providers) |
0 |
0 |
$68,100,000 |
Total |
|
|
|
$81,767,000 |
14. Annualized Cost to Federal Government
The HIPAA Privacy and Security Rules require covered entities and business associates to collect and maintain information in order to comply with the Rules’ requirements. However, OCR does not produce the forms on which the information is collected, OCR does not store this information, nor does OCR require covered entities and business associates to provide OCR with all information they collect to comply with the Rules. Covered entities and business associates collect information outside of OCR. Therefore, there is no cost to the federal government associated with the changes to the HIPAA Privacy and Security Rules.
15. Explanation for Program Changes or Adjustments
These data collections are both new and ongoing. Pursuant to GINA and the HITECH Act, the Privacy Rule requires covered entities to modify their NPPs and distribute them to individuals to advise them of the following new protections: (1) for health plans that intend to perform underwriting, the prohibition on the use or disclosure of genetic information for underwriting; (2) the prohibition on the sale of protected health information without the express written authorization of the individual, as well as other uses and disclosures that require the individual’s authorization; (3) the duty of a covered entity to notify affected individuals of a breach of unsecured protected health information; (4) the individual’s right to opt out of receiving fundraising communications for the covered entity; and (5) the right of the individual to restrict disclosures of protected health information to a health plan with respect to treatment services for which the individual has paid out of pocket in full. Covered entities are required to revise their NPP to reflect the changes in the law and to provide notice of the revision to individuals. Health care providers must provide the revised notice to new patients. Under changes to the Privacy Rule, a health plan that has a web site may notify individuals covered by the plan of the revised notice by posting the revised notice on the plan’s website and then including the revised notice in its next annual mailing to enrollees. The Department estimates that this new option for health plans to post revised notices on their websites rather than send a copy by mail within 60 days of a material change will reduce the total hourly burden of distributing the new NPPs that would otherwise have accrued from 2,000,000 hours to 200,000 hours. Details of the burdens and costs for the new provisions, including the changes to the NPP, are explained in item 12A and 12B.
With respect to ongoing burdens that are not affected by the changes to the HIPAA Rules, we have made a number of adjustments to reflect our experience with the frequency of the use of these provisions and have corrected other entries in the previous ICR. We address these adjustments below in order of the tables in 12A and 12B.
We have decreased the number of requests for an exception determination (45 CFR 160.204) from 16 to one, based on our experience over the last three years. As a result the total burden hours associated with this requirement is now 16 hours as compared with 640 hours at a cost of $687, reduced from $15,539. We have also decreased the estimated number of requests for an accounting of disclosures (45 CFR 164.528) based on our experience and feedback from regulated entities. Many fewer such requests are made each year when compared to the requests for access or amendment. Feedback we have received from covered entities suggests that, in any given year, the majority of such entities receive no requests to provide an accounting of disclosures. As such, we estimate that 10 percent of the approximately 700,000 covered entities will receive only one request per year, for approximately 70,000 requests annually. This reduces the burden hours to provide an accounting from 90,000 hours to 5,833 hours and the related costs from $2.2 million to $250,586. We have also used the updated covered entity count of 700,000 in calculating the burden hours in uses and disclosures in 45 CFR 164.504 and 164.508, but have not otherwise altered the assumptions for these collection burdens. The burden hours for the organizational requirements in 45 CFR 164.504 is now 58,333 (down from 63,733 burden hours in the 2009 ICR) and 700,000 burden hours for authorizations in 45 CFR 164.508 (down slightly from 764,799 in the 2009 ICR). However, the costs for these two items actually increased due to the change, explained below, in the hourly wage rate.
In the 2009 ICR, we underestimated the ongoing burden to health plans of complying with the requirement to provide a current notice of privacy practices to enrollees every three years. The new submission corrects an error in the assumed number of respondents and we adjust the methodology to determine the burden hours to more accurately predict the notice burden to plans. First, the total number of respondents is estimated to be the 200 million named policy holders who are entitled to notice once every 3 years, based on more current estimates of public and private plan enrollees. We also acknowledge that, despite the obligation to only provide notice once every three years, health plans have found it most efficient to include the NPP with the plan materials that are sent to all current and potential enrollees on an annual basis, pursuant to the plan’s own business purposes and other legal requirements. Therefore, in this submission we are assuming the burden hours will accrue annually to health plans, rather than tri-annually. Second, we assume that many health plans are now communicating electronically with their beneficiaries and only half of notices are still provided as paper copies. Third, we assume that inclusion of the NPP with the other plan materials on an annual basis is very routine and in many cases even mechanized, resulting in much efficiency over the time required to individually process a separate, out-of-cycle mailing as in the estimates for mailing of the revised notices under the material change provisions (see discussion in 12B). We, therefore, assume that an office worker can collate and subsequently process the NPP as part of the other plan materials at a rate of 4 per minute or 240 per hour for paper copies and at a rate of 6 per minute or 360 per hour for the equivalent electronic processing requirements. Thus, health plans will incur 416,667 total burden hours to process and send the 100 million NPPs using paper copies, and 277,778 burden hours to process and send the 100 million NPPs by electronic means, for an aggregated burden of 694,445 hours. At a cost of $22.53 per hour, the cost for health plans to provide notice as part of their annual mailings to current and potential enrollees is approximately $15.7 million. This is a significant increase in the burden hours and costs attributed to the health plan provision of notice requirement, but is justified based on corrected and adjusted estimates of the number of notices, the recognition of this as an annual activity rather than a tri-annual requirement, and other factors related to the routine annual mailing processes used by health plans.
In the 2009 ICR, we adjusted upwards from 10 seconds to 3 minutes the time for health care providers to disseminate the notice of privacy practices to individuals and make a good faith attempt to obtain an acknowledgement from the individual of the receipt of the notice. Although these activities were originally listed separately in the ICR, we intended the increase in time to cover both activities as they occur simultaneously in practice. The 2009 ICR inadvertently continued to list the two activities separately and increased the time for each. We take this opportunity to combine the two activities into a single category for calculating burden hours and costs, and thereby, eliminate the duplication in the burden hours and costs attributed to this activity.
Finally, many of the costs for compliance with the regulatory provisions represented in the ongoing annual burden table have increased due to an increase in wages for the applicable labor category (hourly wages for this category increased from $24.28 to $28.64), but more significantly by the inclusion of a 50 percent add-on to the hourly wage for benefits. Thus, the wage only amount used in the 2009 ICR of $24.28 to compute costs is increased in this submission to $42.96 ($28.64, plus 50% for benefits). As a result, while the adjustments and corrections to the ongoing burden result in a decrease in the total burden hours from 62.3 million hours in the 2009 ICR to 32.1 million in this submission (or 48% fewer burden hours), the costs associated with these burden hours has changed from $1.511 billion in the 2009 ICR to $1.366 billion in this submission (or less than a 10% cost reduction).
16. Plans for Tabulation and Publication and Project Time Schedule
There are no plans for tabulation or publication.
17. Reason(s) Display of OMB Expiration Date is Inappropriate
The OMB expiration date may be displayed.
18. Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
B. Collection of Information Employing Statistical Methods
Not applicable. The information collection required by the HIPAA Privacy and Security Rules as described above in part A do not require the application of statistical methods.
1 The hourly rate for management analysts, which includes those with responsibility for designing systems and policies and procedures, is $56.61 (including median wages of $37.74 plus 50% for benefits).
2 The rate for lawyers is $84.32 per hour (including median wages of $56.21 plus 50% for benefits).
3 See hourly wage tables at http://www.bls.gov/oes/current/oes_nat.htm.
4 This table presents first-year costs annualized over three years.
5 The $42.96 wage, which includes $28.64 plus 50% for benefits, applies to the category “Healthcare Practitioners and Technical Workers.”
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | Supporting Statement for Standards for Privacy |
| Author | Hannah Stahle |
| File Modified | 0000-00-00 |
| File Created | 2021-01-28 |