NPRM: Standards for Privacy of Individually Identifiable Health Information. g. Notice to individuals of rights and procedures.


The proposed rule would require covered entities to prepare and make available a notice that informs patients about their privacy rights and the entity’s actions to protect privacy. Entities that do not already comply with the proposed rule’s requirements would incur one-time legal and administrative costs. In addition, plans would incur ongoing costs related to the dissemination of the notice at least once every three years, and all covered entities would have ongoing costs related to dissemination to new individuals requesting services and requests for copies of the notice. Entities would also incur ongoing costs related to answering questions that are associated with the notice.

In discussing the requirement for covered entities to prepare and make available a notice regarding patient privacy rights and the entity’s privacy practices, we considered exempting small businesses. Because this would exempt 84 percent of firms, we decided not to create this exemption. The second option would be to exempt extremely small entities. One discussion defined small entities as those with fewer than 10 employees. We decided that informing consumers of their privacy rights and of the activities of covered entities with which they conduct business was too important to exempt any entities.

In addition to requiring a basic notice, we considered requiring a longer, more detailed notice that would be available to individuals on request. However, we decided that making information available on request and allowing the covered entity to decide how best to provide such information represents a more balanced approach. We believe that it would be overly burdensome to all entities, especially small entities, to require two notices.

We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would receive exactly the same information from each covered plan or provider in the same format and that it would be convenient for covered entities to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most importantly, no model notice could fully capture the information practices of every covered plan or provider. Large entities will have information practices different from those of small entities. Some health care providers, for example, academic teaching hospitals, might routinely disclose identifiable health information for research purposes. Other health care providers might rarely or never make such disclosures. To be useful to individuals, each entity’s notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider’s ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections becomes readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

We believe that the proposed rule appropriately balances a patient’s need for information and assurances regarding privacy with the covered entities’ need for flexibility in describing their operations and procedures to protect patient privacy. Instead of a model notice, we have included a sample notice to guide the development of notices. We believe that this is an appropriate way to reduce the burden on all entities, including those classified as small.