NPRM: Standards for Privacy of Individually Identifiable Health Information. III. Small Business Assistance


This rule is significant because it establishes for the first time a federally required regime of information practices in the medical industry. The length, and at times complexity, of the preamble discussion may impress small businesses as creating overly burdensome and costly requirements. We believe, however, that several features of the rule, combined with initiatives by the Department and professional associations, will make the rule easily administrable for the vast majority of small businesses.

First, a significant portion of the rule addresses the topic of signed individual authorization for disclosure of health information -- the information that the authorization would include and when such an authorization would be required. Importantly, no patient written authorization would be required when information is disclosed for purposes of treatment and payment and health care operations, or when disclosure is mandated by law. In other words, doctors who disclose patient health information only to other doctors for treatment purposes, or to insurance companies to process payment, or for operational purposes can continue to do so without any change in current practices under this proposal. Only those covered entities who disclose health information to marketers, reporters, private investigators, researchers, and others for purposes unrelated to treatment, payment, and health care operations are required to get the written consent of the patient in accordance with this rule.

Second, the Department plans to engage in outreach and education programs to ease the implementation of this rule for small businesses. Already, this rule provides model forms for getting patient authorization and provides an example of a notice of information practices (another requirement in the rule, described further below). We also expect that professional associations will develop forms tailored to specific groups’ needs. The Department pledges to work with professional associations to provide the greatest possible guidance to small businesses covered by this rule.

Third, in implementing this rule, we will apply the principle of "scalability," so that a particular entity's characteristics -- including its size, type of business, and information practices -- would be relevant to how that entity adopts procedures to comply with this rule. Take one example -- this rule requires the designation of a "privacy official." Large health plans dealing with a vast range of information flows may well consider hiring a full-time person to oversee compliance with the rule, to assist in planning systems development, and to draft contracts with business partners, among other tasks. A small doctor's office, on the other hand, may instead determine that an existing office manager could oversee the office's privacy policies. There would be no expectation that this small doctor's office hire a full-time privacy official. In each of these examples, the covered entity would be complying with the rule's requirement that a privacy official be designated -- but the ways that each complies would reflect the different circumstances of each entity's practice.

It is important for small businesses to understand what their obligations would be and to implement the necessary procedures to comply, with the help of the Department's model forms and other resources from professional associations. While most covered entities would need to be in compliance within two years of the final publication of the rule, small businesses would have an extra year to come into compliance.

Here, we set out the principal (although not exclusive) requirements for small businesses: