NRPM: Standards for Privacy of Individually Identifiable Health Information. f. Uses and disclosures permitted without authorization.


This proposed rule would not require any uses or authorizations other than to the subject individual and to the Secretary for compliance. If small entities believe that the costs of making such discretionary disclosures are considered too high, they could choose not to make such disclosures. We would allow all covered entities, but particularly small entities, to base their decisions about these disclosures on any criteria that they believe to be important. We expect that the additional costs related to these disclosures would be factored into their decisions.

In cases where uses or disclosures without authorization are required by other law, we would attempt to minimize costs by not requiring application of the minimum necessary principle.