The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: “Breach Notification for Unsecured Protected Health Information; Interim Final Rule” (Breach Notice Rule) has been written about a lot. But much of what is written overlooks the very interesting prologue within that document, which is important for understanding the context within which the regulation was written…
Call me crazy (you won’t be the first), but I really love reading the complete text of these regulations. Much can be revealed in the parts most people don’t read, because they either think the information is “boring” (a word I’ve banned from my sons’ vocabulary until they are adults…ask them, they’ll concur), or they want to skip over it to get to the “meat” of the requirements. But really, all parts of the HHS Breach Notice Rule contain some meat.
What I find very interesting are the cost analyses that are usually included to show the economic impact of the law, perhaps because I’ve always loved math and the ways in which people can twist statistics to mean whatever they want them to mean (for example, Rush Limbaugh is a master of twisting and using statistics to fit and support his own agendas).
The statistics within the HHS Breach Notice Rule help to reveal the very widespread impact of this rule, which contains significantly more compliance requirements than just the considerations within the at least 48 U.S. state and territory breach notice laws.
Consider the following excerpt that looks at how many “small” businesses will be impacted by the rule:
“The scope of the interim final rule will apply to all HIPAA covered entities and their business associates. Based on U.S. business census data provided to the Small Business Administration Office of Advocacy there were 605,845 entities classified under the North American Industrial Classification System (NAICS) 62. Code 62 encompasses physicians, dentists, ambulatory care centers, kidney dialysis centers, family planning clinics, home care services, mental health and drug rehabilitation centers, medical laboratories, hospitals and nursing facilities. In addition, based on data from the Centers for Medicare & Medicaid Services, we estimate that there are 107,567 suppliers of durable medical equipment and prosthetics. Almost all of these health providers fall under the RFA’s definition of a small entity by either meeting the Small Business Administration’s (SBA’s) size standard of a small business or by being a non-dominant nonprofit organization. The SBA’s size standard for NAICS 62 ranges between $7 million and $34.5 million in annual receipts. Also covered under HIPAA are health insurance firms and third party administrators (NAICS codes 524114 and 524292). The 2006 business census data show that there are 1,045 insurance firms and 3,522 third party administrators. Of the combined total of health insurance firms and third party administrators, we estimate that approximately 71 percent, or 3,266, meet the SBA’s definition of a small entity of annual receipts of $7 million or less. Pharmacies are also considered covered entities under HIPAA (NAICS code 44611) and based on the 2007 National Association of Chain Drug Stores Industry Profile approximately 17,500 independent pharmacy drugstores meet the SBA definition of a small business of $7 million or less in annual receipts. For more information on SBA’s size standards, see the Small Business Administration’s Web site at http://sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.”
Keep in mind these are just the estimated covered entities (CEs) that qualify as small businesses. Here’s a tally from the above:
- 605,845: physicians, dentists, ambulatory care centers, … hospitals and nursing facilities
- 107,567: suppliers of durable medical equipment and prosthetics (that are CEs)
- 3,266: insurance firms and third party administrators
- 17,500: independent pharmacy drugstores
- 734,178: TOTAL small CEs

But it looks like clearinghouses are missing from that total, doesn’t it? There are more types of clearinghouses than what would fall under third party administrators.
Think about how many more hundreds of thousands of medium to large CEs there are…the total number of CEs in the U.S. has to be well over 1 million.
Now, think about how HITECH has expanded HIPAA to effectively require all business associates (BAs) to comply with the Security Rule and the Privacy Rule. And think about how many BAs are used by each CE. For example:
- One small CE I’m working with has 5 employees, and they have 5 BAs.
- A little bit larger CE I’ve helped, with around 50 employees, has 15 BAs.
- A large CE, for which I did over 150 BA security and privacy program reviews, has over 4,000 business partners, of which 800 were identified as BAs that had access, in some way, to protected health information (PHI).
The HITECH Act has effectively expanded the reach of HIPAA by probably 5 to 50 fold…or more. I want to know this number!
Another topic for another near future post.