Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Policy and Procedures


The rule requires that covered entities develop and document policies and procedures with respect to protected health information to establish and maintain compliance with the regulation. Through the standards, requirements, and implementation specifications, we are proposing a framework for developing and documenting privacy policies and procedures rather than adopting a rigid, prescriptive approach to accommodate entities of different sizes, type of activities, and business practices. Small providers will be able to develop more limited policies and procedures under the rule, than will large providers and health plans, based on the volume of protected health information. We also expect that provider and health plan associations will develop model policies and procedures for their members, which will reduce the burden on small businesses.