The rule requires covered entities to designate a privacy official who will be responsible for the development and implementation of privacy policies and procedures. The implementation of this requirement may vary based on the size of the entity. For example, a small physician's practice might designate the office manager as the privacy official in addition to her broader administrative responsibilities. Once the privacy official has been trained, the time required to accomplish the duties imposed on such person is not likely to be much more than under current practice. Therefore, the requirement imposes a minimal burden on small businesses.