NPRM: Standards for Privacy of Individually Identifiable Health Information. 3. Scalability.


The privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan. For this reason, we propose the privacy principles and standards that covered entities must meet, but leave the detailed policies and procedures for meeting these standards to the discretion of each covered entity. We intend that implementation of these standards be flexible and scalable, to account for the nature of each covered entity’s business, as well as the covered entity’s size and resources. A single approach to implementation of these requirements would be neither economically feasible nor effective in safeguarding health information privacy. Instead, we would require that each covered entity assess its own needs and devise and implement privacy policies appropriate to its size, its information practices, and its business requirements. Examples of how implementation of these standards is scalable are provided in the relevant sections of this preamble. (See also the discussion in preamble sections II.C. and III.)