The rule requires covered entities to prepare and make available a notice that informs individuals about uses and disclosures of protected health information that may be made by the covered entity and that informs of the individual's rights and covered entity's legal duties with respect to protected health information. The final rule makes changes to the NPRM that reduce the burden of this provision on covered entities and allows flexibility. The NPRM proposed that the notice describe the uses and disclosures of information that the entity expected to make without individual authorization. The final rule only requires that the notice describe uses and disclosures that the entity is permitted or required to make under the rule without an individual's written consent or authorization. This change will allow entities to use standardized notice language within a given state, which will minimize the burden of each covered entity preparing a notice. Professional associations may develop model language to assist entities in developing notices required by the rule. While the final rule specifies minimum notice requirements, it allows entities flexibility to add more detail about a covered entity's privacy policies.
The NPRM also proposed that health plans distribute the notice every three years. The final rule reduced this burden by requiring health plans (in addition to providing notice to individuals at enrollment and prior to the compliance date of this rule) to inform individuals at least once every three years about the availability of the notice and how to obtain a copy rather than to distribute a copy of the notice.
In discussing the requirement for covered entities to prepare and make available a notice, we considered exempting small businesses (83 percent of entities) or extremely small entities (fewer than 10 employees). The Department decided that informing consumers of their privacy rights and of the activities of covered entities with which they conduct business was too important a goal of this rule to exempt any entities.
In addition to requiring a basic notice, we considered requiring a longer more detailed notice that would be available to individuals on request. However, we decided that it would be overly burdensome to all entities, especially small entities, to require two notices.
We believe that the proposed rule appropriately balances the benefits of providing individuals with information about uses and disclosures of protected health information with covered entities' need for flexibility in describing such information.