View Rule

Statement of Need: The Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules to implement the privacy and security provisions in sections 13400 to 13410 of the Health Information Technology for Economic and Clinical Health Act (title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5). These regulations will improve the privacy and security protection of health information.

Summary of the Legal Basis: Subtitle D of the Health Information Technology for Economic and Clinical Health Act (title XIII of the American Recovery and Reinvestment Act of 2009) requires the Office for Civil Rights to modify certain provisions of the HIPAA Privacy and Security Rules to implement sections 13400 to 13410 of the Act.

Alternatives: The Office for Civil Rights is statutorily mandated to make modifications to the HIPAA Privacy and Security Rules to implement the privacy provisions at sections 13400 to 13410 of the Health Information Technology for Economic and Clinical Health Act (title XIII of the American Recovery and Reinvestment Act of 2009).

Anticipated Costs and Benefits: These modifications to the HIPAA Privacy, Security, and Enforcement Rules will benefit health care consumers by strengthening the privacy and security protections afforded their health information by HIPAA covered entities and their business associated. The Agency believe the primary cost associate with this regulation will be for covered entities to revise and redistribute their notices of privacy practices to ensure health care consumers are informed of their new rights and protections. The Agency estimates the cost of revising and redistributing these notices to total approximates $166.1 million over the first year following the effective date of the regulation. Of this total, the cost heal care providers is estimated to be approximately $46 million and to health plans to be approximately $120.1 million. The Agency does not believe that the additional modification to Privacy, Security, or Enforcement Rules required by this regulation will significantly increase covered entity or business associates and in some cases will reduce burden. Further, it is expected that the costs of modifying business associate contracts will be mitigated both by the additional one-year transition period which will allow the costs of modifying contracts to be incorporated into the normal renegotiation of contracts as the contracts expire, as well as sample business associate contract language to be provided by the Agency.