The Department expects small entities to face a cost burden as a result of complying with the proposed regulation. We estimate that the burden of developing privacy policies and procedures is lower in dollar terms for small businesses than for large businesses, but we recognize that the cost of implementing privacy provisions could be a larger burden to small entities as a proportion of total revenue. Due to these concerns, we have relied on the principle of scalability throughout the rule, and have based our cost estimates on the expectation that small entities will develop less expensive and less complex privacy measures that comply with the rule than large entities.
In many cases, we have specifically considered the impact that the rule may have on solo practitioners or rural health care providers. If a health care provider only maintains paper records and does not engage in any electronic transactions, the regulation would not apply to such provider. We assume that those providers will be small health care providers. For small health care providers that are covered health care providers, we expect that they will not be required to change their business practices dramatically, because we based many of the standards, implementation specifications, and requirements on current practice and we have taken a flexible approach to allow scalability based on a covered entity's activities and size. In developing policies and procedures to comply with the proposed regulation, scalability allows entities to consider their basic functions and the ways in which protected health information is used or disclosed. All covered entities must take appropriate steps to address privacy concerns, and in determining the scope and extent of their compliance activities, businesses should weigh the costs and benefits of alternative approaches and should scale their compliance activities to their structure, functions, and capabilities within the requirements of the rule.