Comment: A number of commenters inquired as to how a covered entity can request technical assistance from the Secretary to come into compliance. A number of commenters suggested that the Secretary provide interpretive guidance to assist with compliance. Others recommended that the Secretary have a contact person or privacy official, available by telephone or email, to provide guidance on the appropriateness of a disclosure or a denial of access. One commenter suggested that there be a formal process for a covered entity to submit compliance activities to the Secretary for prior approval and clarification. This commenter suggested that clarifications be published on a contemporaneous basis in the Federal Register to help correct any ambiguities and confusion in implementation. It was also suggested that the Secretary undertake an assessment of "best practices" of covered entities and document and promote the findings to serve as a convenient "road map" for other covered entities. Another commenter suggested that we work with providers to create implementation guidelines modeled after the interpretative guidelines that HCFA creates for surveyors on the conditions of participation for Medicare and Medicaid contractors.
Response: While we have not in the final rule committed the Secretary to any specific model of providing guidance or assistance, we do state our intent, subject to budget and staffing constraints, to develop a technical assistance program that will include the provision of written material when appropriate to assist covered entities in achieving compliance. We will consider other models including HCFA's Medicare and Medicaid interpretative guidelines. Further information regarding the Secretary's technical assistance program may be provided in the Federal Register and on the HHS Office for Civil Rights (OCR) Web Site. While OCR plans to have fully trained staff available to respond to questions, its ability to provide individualized advice in regard to such matters as the appropriateness of a particular disclosure or the sufficiency of compliance activities will be based on staff resources and demands. The idea of looking at "best practices" and sharing information with all covered entities is a good one and we will explore how best to do this. We note that a covered entity is not excused from compliance with the regulation because of any failure to receive technical assistance or guidance.