Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. 2. Activities and Costs Associated with Compliance


This section summarizes specific activities that covered entities must undertake to comply with the rule's provisions and options considered by the Department that would reduce the burden to small entities. In developing this rule, the Department considered a variety of alternatives for minimizing the economic burden that it will create for small entities. We did not exempt small businesses from the rule because they represent such a large and critical proportion of the health care industry (82.6 percent); a significant portion of individually identifiable health information is generated or held by these small businesses.

The guiding principle in our considerations of how to address the burden on small entities has been to make provisions performance rather than specification oriented; that is, the rule states the standard to be achieved but allows institutions flexibility to determine how to achieve the standard within certain parameters. Moreover, to the extent possible, we have allowed entities to determine the extent to which they will address certain issues. This ability to adapt provisions to minimize burden has been addressed in the regulatory impact analysis above, but it will be briefly discussed again in the following section.

Before discussing specific provisions, it is important to note some of the broader questions that were addressed in formulating this rule. The Department considered extending the compliance period for small entities but concluded that it did not have the legal authority to do so (see discussion above). The rule, pursuant to HIPAA, creates an extended compliance time of 36 months (rather than 24 months) only for small health plans and not for other small entities. The Department also considered giving small entities longer response times for time limits set forth in the rule, but decided to establish standard time limits that we believe are reasonable for covered entities of all sizes, with the understanding that larger entities may not need as much time as they have been allocated in certain situations. This permits each covered entity the flexibility to establish policies regarding time limits that are consistent with the entity's current practices.

Although we considered the needs of small entities during our discussions of all provisions for this final rule, we are highlighting the most significant discussions in the following sections: