SBA: HHS Wrongly Determined HITECH “Will Not Substantially Impact Business Associates”

By Jay Vance
Originally posted at the AHDI Lounge.

On September 9, 2010, the Small Business Administration’s Office of Advocacy published a letter to the Health and Human Services Office of Civil Rights, the agency tasked with enforcing HIPAA and HITECH. The gist of the letter–from one government agency to another, keep in mind–is that HHS made a big mistake when it determined that extending HIPAA privacy and security compliance to business associates “will not have a significant impact on a substantial number of small businesses.”

I’ll pause while you reflect on that for a moment…
According to the SBA’s letter, HHS calculated that “the proposed rule would have an impact on covered providers of healthcare, health insurance issuers, and third party administrators acting on behalf of health plans, which is estimated to total 701,325 entities. Of the approximately $166.1 million in costs HHS is able to identify, the private sector will incur approximately 71 percent of the costs, or $118.1 million. The average cost per covered entity is therefore approximately $168.”

So $168 per small business, not so bad, right? The only problem with these calculations, according to the SBA letter, is that “HHS calculated the entire cost of the rule as being derived from the costs of ‘notifying individuals of their new privacy rights.'”

Again, a pause for reflection. Of all the new requirements that business associates must now meet under HITECH, the one expense BAs such as medical transcription service providers will most likely NEVER incur will be to notify individuals (patients) of their new privacy rights. Yet that is the ONLY cost HHS used to determine that BA compliance under HITECH will not have a significant impact!

The SBA letter rightly draws attention to this inconsistency by noting, “…HHS estimates only the new costs of notification, none of which appear to fall on newly covered ‘business associates’ of health providers and insurers. However, because these entities will have new requirements for monitoring contract performance and ensuring compliance, Advocacy believes they will have costs associated with implementing all of the health information security and privacy protocols, including developing new plans and procedures and implementing the resultant practices, as well as possibly renegotiating contracts. Without this information it is not possible for HHS to determine that there are no significant costs on covered ‘business associates,’ and therefore the factual basis of the certification is insufficient. Advocacy believes that HHS should revisit this issue and adequately estimate compliance costs on covered ‘business associates’ and then make a determination as to whether those costs are significant and whether a certification is still appropriate.”

What makes all this more than just an academic discussion is the Regulatory Flexibility Act of 1980. According to the RFA, “It is the purpose of this act to establish as a principle of regulatory issuance that agencies shall endeavor, consistent with the objectives…of applicable statutes, to fit regulatory and informational requirements to the scale of businesses…To achieve this principle, agencies are required to solicit and consider flexible regulatory proposals and to explain the rationale for their actions to assure that such proposals are given serious consideration.”

The law requires federal agencies to analyze the impact of their regulatory actions on small entities, which include small businesses, small non-profit organizations and small jurisdictions of government, and if the regulatory impact is likely to be “significant” and affecting a “substantial number” of these small entities, the federal agencies must seek less burdensome alternatives for these small entities.

I don’t know what “less burdensome alternatives” to the existing HITECH regulations for business associates such as medical transcription service providers would look like. But in my opinion, anything that would lessen the regulatory burden (and subsequent costs) on our industry, without compromising patient safety, is something worth pursuing. I applaud the SBA Office of Advocacy for bringing this issue to the forefront, and I hope it does some good.

Jay Vance, CMT
AHDI Lounge Administrator/Moderator