Comments: Many of the comments to this provision addressed the costs and complexity of the regulation as a whole, not the additional costs of documenting policies and procedures per se. Some did, either implicitly or explicitly, object to the need to develop and document policies and procedures as creating excessive administrative burden. Many of these commenters also asserted that there is a contradiction between the administrative burden of this provision and one of the statutory purposes of this section of the HIPAA to reduce costs through administrative simplification. Suggested alternatives were generally reliance on existing regulations and ethical standards, or on current business practices.
Response: A specific discussion of cost and burden is found in the Regulatory Impact Analysis of this final rule.
We do not believe there is a contradiction between the administrative costs of this provision and of the goal of administrative simplification. In the Administrative Simplification provisions of the HIPAA, Congress combined a mandate to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords, with a mandate to improve privacy and confidentiality protections. Congress recognized, and we agree, that the benefits of electronic commerce can also cause increased vulnerability to inappropriate access and use of medical information, and so must be balanced with increased privacy protections. By including the mandate for privacy standards in section 264 of the HIPAA, Congress determined that existing regulations and ethical standards, and current business practices were insufficient to provide the necessary protections.
Congress mandated that the total benefits associated with administrative simplification must outweigh its costs, including the costs of implementing the privacy regulation. We are well within this mandate.
Comments: Several commenters suggested that the documentation requirements not be established as a standard under the regulation, because standards are subject to penalties. They recommend we delete the documentation standards and instead provide specific guidance and technical assistance. Several commenters objected to the suggestion in the NPRM that professional associations assist their members by developing appropriate policies for their membership. Several commentators representing professional associations believed this to be an onerous and costly burden for the associations, and suggested instead that we develop specific models which might require only minor modification. Some of these same associations were also concerned about liability issues in developing such guidelines. One commenter argued that sample forms, procedures, and policies should be provided as part of the Final Rule, so that practitioners would not be overburdened in meeting the demands of the regulations. They urged us to apply this provision only to larger entities.
Response: The purpose of requiring covered entities to develop policies and procedures for implementing this regulation is to ensure that important decisions affecting individuals' rights and privacy interests are made thoughtfully, not on an ad hoc basis. The purpose of requiring covered entities to maintain written documentation of these policies is to facilitate workforce training, and to facilitate creation of the required notice of information practices. We further believe that requiring written documentation of key decisions about privacy will enhance accountability, both within the covered entity and to the Department, for compliance with this regulation.
We do not include more specific guidance on the content of the required policies and procedures because of the vast difference in the size of covered entities and types of covered entities' businesses. We believe that covered entities should have the flexibility to design the policies and procedures best suited to their business and information practices. We do not exempt smaller entities, because the privacy of their patients is no less important than the privacy of individuals who seek care from large providers. Rather, to address this concern we ensure that the requirements of the rule are flexible so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems.
We understand that smaller covered entities may require some assistance, and intend to provide such technical assistance after publication of this rule. We hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups. Our discussions with several such organizations indicate their intent to work on various aspects of model documentation, including forms. Because the associations' comments regarding concerns about liability did not provide sufficient details, we cannot address them here.
Comment: Many commenters discussed the need for a recognition of scalability of the policies and procedures of an entity based on size, capabilities, and needs of the participants. It was noted that the actual language of the draft regulations under § 164.520 did not address scalability, and suggested that some scalability standard be formally incorporated into the regulatory language and not rely solely on the NPRM introductory commentary.
Response: In § 164.530(i)(1) of the final rule, we specify that we require covered entities to implement policies and procedures that take into account the size of the covered entity and the types of activities that relate to protected health information undertaken by the covered entity.
Comment: One commenter objected to our proposal to allow covered entities to make uses or disclosures not permitted by their current notice if a compelling reason exists to make the use or disclosure and the entity documents the reasons and changes its policies within 30 days of the use or disclosure. The commenter argued that the subjective language of the regulation might give entities the ability to engage in post hoc justifications for violations of their own information practices and policies. The commenter suggested that there should be an objective standard for reviewing the covered entity's reasons before allowing the covered entity to amend its policies.
Response: We eliminate this provision from the final rule. The final rule requires each covered entity to include in its notice of information practices a statement of all permitted uses under this rule, not just those in which the covered entity actually engages in at the time of that notice.
Comment: Some commenters expressed concern that the required retention period in the NPRM applied to the retention of medical records.
Response: The retention requirement of this regulation only applies to the documentation required by the rule, for example, keeping a record of accounting for disclosures or copies of policies and procedures. It does not apply to medical records.
Comments: Comments on the six year retention period were mixed. Some commenters endorsed the six-year retention period for maintaining documentation. One of the comments stated this retention period would assist physicians legally. Other commenters believed that the retention period would be an undue burden. One commenter noted that most State Board of Pharmacy regulations require pharmacies to keep records for two years, so the six year retention period would triple document retention costs.
Response: We established the retention period at six years because this is the statute of limitations for the civil monetary penalties. This rule does not apply to all pharmacy records, but only to the documentation required by this rule.