LegiStorm

Summary:
Highlights


GAO reviewed the Department of Health and Human Services (HHS), Office of the Secretary's new rule entitled "HIPAA Privacy Rule To Support Reproductive Health Care Privacy." GAO found that the final rule (1) modifies the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009; and (2) amends provisions of the Privacy Rule to strengthen privacy protections for highly sensitive PHI about the reproductive health care of an individual, and directly advances the purposes of HIPAA by setting minimum protections of PHI and providing peace of mind that is essential to individuals' ability to obtain lawful reproductive health care.Enclosed is our assessment of HHS's compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.






View Decision


B-336288

May 13, 2024

The Honorable Bernard Sanders
Chairman
The Honorable Bill Cassidy
Ranking Member
Committee on Health, Education, Labor, and Pensions
United States Senate

The Honorable Cathy McMorris Rodgers
Chair
The Honorable Frank Pallone, Jr.
Ranking Member
Committee on Energy and Commerce
House of Representatives

Subject: Department of Health and Human Services, Office of the Secretary: HIPAA Privacy Rule To Support Reproductive Health Care Privacy

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Health and Human Services (HHS), Office of the Secretary entitled ?HIPAA Privacy Rule To Support Reproductive Health Care Privacy? (RIN: 0945-AA20). We received the rule on April 17, 2024. It was published in the Federal Register as a final rule on April 26, 2024. 89 Fed. Reg. 32976. The effective date is June 25, 2024.

According to HHS, this final rule modifies the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009. HHS stated that the Privacy Rule is one of several rules that protect the privacy and security of individuals? protected health information (PHI). HHS also stated that the rule amends provisions of the Privacy Rule to strengthen privacy protections for highly sensitive PHI about the reproductive health care of an individual, and directly advances the purposes of HIPAA by setting minimum protections of PHI and providing peace of mind that is essential to individuals? ability to obtain lawful reproductive health care.

Enclosed is our assessment of HHS?s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.


Shirley A. Jones
Managing Associate General Counsel

Enclosure

cc: Calvin E. Dukes II
Regulations Coordinator
Department of Health and Human Services

ENCLOSURE

REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF HEALTH AND HUMAN SERVICES,
OFFICE OF THE SECRETARY
ENTITLED
?HIPAA PRIVACY RULE TO SUPPORT REPRODUCTIVE HEALTH CARE PRIVACY?
(RIN: 0945-AA20)

(i) Cost-benefit analysis

The Department of Health and Human Services (HHS), Office of the Secretary identified six general categories of quantifiable costs arising from this final rule: (1) responding to requests for the use or disclosure of protected health information for which an attestation is required; (2) revising business associate agreements; (3) updating the Notice of Privacy Practices and posting it online; (4) developing new or modified policies and procedures; (5) revising training programs for workforce members; and (6) requesting an exception from the Health Insurance Portability and Accountability Act?s general preemption authority. Using a 7 percent discount rate, HHS estimated the rule will result in annualized costs of $151.8 million; and using a 3 percent discount rate, HHS estimated annualized costs of $142.6 million.

HHS stated that the unquantified benefits of the rule include improved trust and confidence between individuals and health care providers; enhanced privacy and improved access to reproductive health care and information, which may prevent increases in maternal mortality and morbidity; increased accuracy and completeness in patient medical records, which may prevent poor health outcomes; enhanced support for survivors of rape, incest, and sex trafficking; and maintenance of family economic stability by allowing families to determine the timing and spacing of whether or when to be pregnant.

(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603?605, 607, and 609

HHS certified that this final rule will not have a significant economic impact on a substantial number of small entities.

(iii) Agency actions relevant to sections 202?205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532?1535

HHS determined that this final rule imposes mandates that would result in the expenditure by state, local, and tribal governments, in the aggregate, or on the private sector, of $100 million or more, updated annually for inflation, in any one year. HHS stated that the impact analysis in the rule addresses such effects both qualitatively and quantitatively.

(iv) Agency actions relevant to the Administrative Pay-As-You-Go-Act of 2023, Pub. L. No. 118-5, div. B, title III, 137 Stat 31 (June 3, 2023)

Section 270 of the Administrative Pay-As-You-Go-Act of 2023 amended 5 U.S.C. § 801(a)(2)(A) to require GAO to assess agency compliance with the Act, which establishes requirements for administrative actions that affect direct spending, in GAO?s major rule reports. In guidance to Executive Branch agencies, issued on September 1, 2023, the Office of Management and Budget (OMB) instructed that agencies should include a statement explaining that either: ?the Act does not apply to this rule because it does not increase direct spending; the Act does not apply to this rule because it meets one of the Act?s exemptions (and specifying the relevant exemption); the OMB Director granted a waiver of the Act?s requirements pursuant to section 265(a)(1) or (2) of the Act; or the agency has submitted a notice or written opinion to the OMB Director as required by section 263(a) or (b) of the Act? in their submissions of rules to GAO under the Congressional Review Act. OMB, Memorandum for the Heads of Executive Departments and Agencies, Subject: Guidance for Implementation of the Administrative Pay-As-You-Go Act of 2023, M-23-21 (Sept. 1, 2023), at 11?12. OMB also states that directives in the memorandum that supplement the requirements in the Act do not apply to proposed rules that have already been submitted to the Office of Information and Regulatory Affairs, however agencies must comply with any applicable requirements of the Act before finalizing such rules.

HHS did not address the Act in this final rule or in its submission to us.

(v) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.

On April 17, 2023, HHS published a proposed rule. 88 Fed. Reg. 23506. According to HHS, it received more than 25,900 comments in response to the proposed rule, representing the views of approximately 51,500 individuals and 350 organizations. HHS stated that organizational commenters included professional and trade associations, including those representing medical professionals, health plans, health care providers, health information management professionals, health vendors, release-of-information vendors, employers, epidemiologists, and attorneys. HHS stated that it also received comments from advocacy organizations and Members of Congress, among others. In this final rule, HHS summarized and responded to general comments on the proposed rule.

Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501?3520

HHS determined that this final rule contains information collection requirements subject to PRA. HHS stated in its Regulatory Impact Analysis that it is revising certain information collection requirements associated with the rule and, as such, is revising the information collection last prepared in 2023 and approved under OMB Control Number 0945-0003. According to HHS, the revised information collection describes all new and adjusted information collection requirements for covered entities. HHS estimated the annual labor burden presented by the regulatory modifications to be 4,584,224 hours at a cost of $582,242,165.

Statutory authorization for the rule

HHS promulgated this final rule pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2.

Executive Order No. 12866 (Regulatory Planning and Review)

HHS stated that this final rule is economically significant under the Order.

Executive Order No. 13132 (Federalism)

HHS stated that this final rule may have federalism implications because it may have direct effects on the states, the relationship between the federal government and states, and on the distribution of power and responsibilities among various levels of government relating to the disclosure of protected health information. HHS certified that it complied with the requirements of the Order, including review and consideration of comments from state and local government officials and the public about the interaction of the rule with state activity, in a meaningful and timely manner.




Downloads





Full Report (5 pages)