Skip to main content

Department of Health and Human Services, Office of the Secretary: Health Insurance Reform: Security Standards

GAO-03-510R Mar 06, 2003
Jump To:
Skip to Highlights

Highlights

GAO reviewed the Department of Health and Human Services' (HHS) Office of the Secretary's new rule concerning security standards for health care information. GAO found that (1) the rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers; and (2) HHS complied with applicable requirements in promulgating the rule.

View Decision

Department of Health and Human Services, Office of the Secretary: Health Insurance Reform: Security Standards, GAO-03-510R, March 6, 2003






B-291999


March 6, 2003

The Honorable Chuck Grassley
Chairman
The Honorable Max Baucus
Ranking Minority Member
Committee on Finance
United States Senate


The Honorable W.J. Billy Tauzin
Chairman
The Honorable John D. Dingell
Ranking Minority Member
Committee on Energy and Commerce
House of Representatives

The Honorable William M. Thomas
Chairman
The Honorable Charles B. Rangel
Ranking Minority Member
Committee on Ways and Means
House of Representatives


Subject: Department of Health and Human Services, Office of the Secretary: Health Insurance Reform: Security Standards

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Health and Human Services (HHS), Office of the Secretary, entitled Health Insurance Reform: Security Standards (RIN: 0938-AI57). We received the rule on February 13, 2003. It was published in the Federal Register as a final rule on February 20, 2003. 68 Fed. Reg. 8334.

The final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers.

Enclosed is our assessment of the HHS's compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. Our review indicates that HHS complied with the applicable requirements.

If you have any questions about this report, please contact James W. Vickers, Assistant General Counsel, at (202) 512-8210. The official responsible for GAO evaluation work relating to the subject matter of the rule is William Scanlon, Managing Director, Health Care. Mr. Scanlon can be reached at (202) 512-7114.



signed

Kathleen E. Wannisky
Managing Associate General Counsel

Enclosure

cc: Ann Stallion
Regulations Coordinator
Department of Health and
Human Services

ENCLOSURE

ANALYSIS UNDER 5 U.S.C. 801(a)(1)(B)(i)-(iv) OF A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF HEALTH AND HUMAN SERVICES,
OFFICE OF THE SECRETARY
ENTITLED
"HEALTH INSURANCE REFORM: SECURITY STANDARDS"
(RIN: 0938-AI57)



(i) Cost-benefit analysis

HHS performed a cost-benefit analysis in connection with its August 17, 2000, rule regarding Standards for Electronic Transactions. 65 Fed. Reg. 50312. That analysis showed the combined impact of the Administrative Simplification standards was expected to save the industry $29.9 billion over 10 years. With each succeeding rule in the area, HHS is including an impact analysis that is specific to the standards in that rule. However, it is only assessing the incremental cost of implementing a given standard over another.

In the preamble to the final rule, HHS discusses in qualitative terms the costs and burdens of complying with the final rule. However, because the rule affects over 2 million entities and covered entities have moved at different paces in complying with the instant rule and prior HHS rules, it is difficult to quantify the costs of implementing these security standards.

(ii) Agency actions relevant to the Regulatory Flexibility Act, 5 U.S.C. 603-605, 607, and 609

HHS prepared a Final Regulatory Flexibility Analysis in connection with the final rule. HHS notes that while each of the standards may not have a significant impact on a substantial number of small entities, the combined effects of all the standards are likely to have a significant effect on small entities.

In order to reduce the burden, HHS has restructured the proposed rule. Instead of 69 implementation features, the final rule only requires 13 implementation specifications with the remainder of the specifications termed addressable. For an addressable specification, an entity decides whether each specification is a reasonable and appropriate security measure to apply within its particular security framework.

(iii) Agency actions relevant to sections 202-205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1532-1535

HHS has determined that the final rule will result in a private sector mandate of more than $110 million in any one year and has included in the preamble to the final rule the required statements and assessments.

(iv) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. 551 et seq.

The final rule was issued using the notice and comment procedures found at 5 U.S.C. 553. On August 12, 1998, a Notice of Proposed Rulemaking was published in the Federal Register. 63 Fed. Reg. 43242. In response, over 2,350 comments were received and are summarized in the preamble to the final rule.

Paperwork Reduction Act, 44 U.S.C. 3501-3520

The final rule contains information collections that are subject to review by the Office of Management and Budget (OMB) under the Paperwork Reduction Act. The preamble to the final rule contains the required information, including the annual burden hours and requests comments on the collections. The total annual burden hours are estimated at 64,539,264 hours.

Statutory authorization for the rule

The final rule is promulgated under the authority contained in sections 1171 through 1179 of the Social Security Act (42 U.S.C. 1320d-1329d-8) as added by section 262 of Public Law No. 104-191, 110 Stat. 2021-2031, and section 264 of Public Law 104-191 (42 U.S.C. 1320d-2(note)).

Executive Order No. 12866

The final rule was reviewed by OMB and found to be an economically significant regulatory action under the order.

Executive Order No. 13132 (Federalism)

Although the proposed rulemaking was published before the enactment of the order and, therefore, is not subject to the order's requirements, HHS consulted with state and local officials as part of an outreach program in developing the rule.

Downloads

GAO Contacts

Office of Public Affairs