Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be business decisions that each entity would have to make. This allows the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.
Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)) whereas at a large health plan, the privacy official may constitute a full time position and have the regular support and advice of a privacy staff or board.
In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.
We decided to use this scaled approach to minimize the burden on all entities with an emphasis on small entities.