§ 164.524 Access of individuals to protected health information.
(a)
Standard: access to protected health information. (1) Right of access.
Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an
individual has a right of access to inspect and obtain a copy of protected
health information about the individual in a designated record set, for as long
as the protected health information is maintained in the designated record set,
except for:
(i)
Psychotherapy notes;
(ii)
Information compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or proceeding; and
(iii)
Protected health information maintained by a covered entity that is:
(A)
Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C.
263a, to the extent the provision of access to the individual would be
prohibited by law; or
(B)
Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to
42 CFR 493.3(a)(2).
(2)
Unreviewable grounds for denial. A covered entity may deny an individual
access without providing the individual an opportunity for review, in the
following circumstances.
(i)
The protected health information is excepted from the right of access by
paragraph (a)(1) of this section.
(ii)
A covered entity that is a correctional institution or a covered health care
provider acting under the direction of the correctional institution may deny, in
whole or in part, an inmate's request to obtain a copy of protected health
information, if obtaining such copy would jeopardize the health, safety,
security, custody, or rehabilitation of the individual or of other inmates, or
the safety of any officer, employee, or other person at the correctional
institution or responsible for the transporting of the inmate.
(iii)
An individual's access to protected health information created or obtained by
a covered health care provider in the course of research that includes treatment
may be temporarily suspended for as long as the research is in progress,
provided that the individual has agreed to the denial of access when consenting
to participate in the research that includes treatment, and the covered health
care provider has informed the individual that the right of access will be
reinstated upon completion of the research.
(iv)
An individual's access to protected health information that is contained in
records that are subject to the Privacy Act, 5 U.S.C. § 552a, may be denied, if
the denial of access under the Privacy Act would meet the requirements of that
law.
(v)
An individual's access may be denied if the protected health information was
obtained from someone other than a health care provider under a promise of
confidentiality and the access requested would be reasonably likely to reveal
the source of the information.
(3)
Reviewable grounds for denial. A covered entity may deny an individual
access, provided that the individual is given a right to have such denials
reviewed, as required by paragraph (a)(4) of this section, in the following
circumstances:
(i)
A licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to
endanger the life or physical safety of the individual or another person;
(ii)
The protected health information makes reference to another person (unless such
other person is a health care provider) and a licensed health care professional
has determined, in the exercise of professional judgment, that the access
requested is reasonably likely to cause substantial harm to such other person;
or
(iii)
The request for access is made by the individual's personal representative and
a licensed health care professional has determined, in the exercise of
professional judgment, that the provision of access to such personal
representative is reasonably likely to cause substantial harm to the individual
or another person.
(4)
Review of a denial of access. If access is denied on a ground permitted
under paragraph (a)(3) of this section, the individual has the right to have the
denial reviewed by a licensed health care professional who is designated by the
covered entity to act as a reviewing official and who did not participate in the
original decision to deny. The covered entity must provide or deny access in
accordance with the determination of the reviewing official under paragraph
(d)(4) of this section.
(b)
Implementation specifications: requests for access and timely action.
(1)
Individual's request for access. The covered entity must permit an
individual to request access to inspect or to obtain a copy of the protected
health information about the individual that is maintained in a designated
record set. The covered entity may require individuals to make requests for
access in writing, provided that it informs individuals of such a requirement.
(2)
Timely action by the covered entity. (i) Except as provided in paragraph
(b)(2)(ii) of this section, the covered entity must act on a request for access
no later than 30 days after receipt of the request as follows.
(A)
If the covered entity grants the request, in whole or in part, it must inform
the individual of the acceptance of the request and provide the access
requested, in accordance with paragraph (c) of this section.
(B)
If the covered entity denies the request, in whole or in part, it must provide
the individual with a written denial, in accordance with paragraph (d) of this
section.
(ii)
If the request for access is for protected health information that is not
maintained or accessible to the covered entity on-site, the covered entity must
take an action required by paragraph (b)(2)(i) of this section by no later than
60 days from the receipt of such a request.
(iii)
If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A)
or (B) of this section within the time required by paragraph (b)(2)(i) or (ii)
of this section, as applicable, the covered entity may extend the time for such
actions by no more than 30 days, provided that:
(A)
The covered entity, within the time limit set by paragraph (b)(2)(i) or (ii) of
this section, as applicable, provides the individual with a written statement of
the reasons for the delay and the date by which the covered entity will complete
its action on the request; and
(B)
The covered entity may have only one such extension of time for action on a
request for access.
(c)
Implementation specifications: provision of access. If the covered entity
provides an individual with access, in whole or in part, to protected health
information, the covered entity must comply with the following requirements.
(1)
Providing the access requested. The covered entity must provide the
access requested by individuals, including inspection or obtaining a copy, or
both, of the protected health information about them in designated record sets.
If the same protected health information that is the subject of a request for
access is maintained in more than one designated record set or at more than one
location, the covered entity need only produce the protected health information
once in response to a request for access.
(2)
Form of access requested. (i) The covered entity must provide the
individual with access to the protected health information in the form or format
requested by the individual, if it is readily producible in such form or format;
or, if not, in a readable hard copy form or such other form or format as agreed
to by the covered entity and the individual.
(ii)
The covered entity may provide the individual with a summary of the protected
health information requested, in lieu of providing access to the protected
health information or may provide an explanation of the protected health
information to which access has been provided, if:
(A)
The individual agrees in advance to such a summary or explanation; and
(B)
The individual agrees in advance to the fees imposed, if any, by the covered
entity for such summary or explanation.
(3)
Time and manner of access. The covered entity must provide the access as
requested by the individual in a timely manner as required by paragraph (b)(2)
of this section, including arranging with the individual for a convenient time
and place to inspect or obtain a copy of the protected health information, or
mailing the copy of the protected health information at the individual's
request. The covered entity may discuss the scope, format, and other aspects of
the request for access with the individual as necessary to facilitate the timely
provision of access.
(4)
Fees. If the individual requests a copy of the protected health
information or agrees to a summary or explanation of such information, the
covered entity may impose a reasonable, cost-based fee, provided that the fee
includes only the cost of:
(i)
Copying, including the cost of supplies for and labor of copying, the protected
health information requested by the individual;
(ii)
Postage, when the individual has requested the copy, or the summary or
explanation, be mailed; and
(iii)
Preparing an explanation or summary of the protected health information, if
agreed to by the individual as required by paragraph (c)(2)(ii) of this section.
(d)
Implementation specifications: denial of access. If the covered entity
denies access, in whole or in part, to protected health information, the covered
entity must comply with the following requirements.
(1)
Making other information accessible. The covered entity must, to the
extent possible, give the individual access to any other protected health
information requested, after excluding the protected health information as to
which the covered entity has a ground to deny access.
(2)
Denial. The covered entity must provide a timely, written denial to the
individual, in accordance with paragraph (b)(2) of this section. The denial must
be in plain language and contain:
(i)
The basis for the denial;
(ii)
If applicable, a statement of the individual's review rights under paragraph
(a)(4) of this section, including a description of how the individual may
exercise such review rights; and
(iii)
A description of how the individual may complain to the covered entity pursuant
to the complaint procedures in § 164.530(d) or to the Secretary pursuant to the
procedures in § 160.306. The description must include the name, or title, and
telephone number of the contact person or office designated in
§ 164.530(a)(1)(ii).
(3)
Other responsibility. If the covered entity does not maintain the
protected health information that is the subject of the individual's request
for access, and the covered entity knows where the requested information is
maintained, the covered entity must inform the individual where to direct the
request for access.
(4)
Review of denial requested. If the individual has requested a review of a
denial under paragraph (a)(4) of this section, the covered entity must designate
a licensed health care professional, who was not directly involved in the denial
to review the decision to deny access. The covered entity must promptly refer a
request for review to such designated reviewing official. The designated
reviewing official must determine, within a reasonable period of time, whether
or not to deny the access requested based on the standards in paragraph (a)(3)
of this section. The covered entity must promptly provide written notice to the
individual of the determination of the designated reviewing official and take
other action as required by this section to carry out the designated reviewing
official's determination.
(e)
Implementation specification: documentation. A covered entity must
document the following and retain the documentation as required by
§ 164.530(j):
(1)
The designated record sets that are subject to access by individuals; and
(2)
The titles of the persons or offices responsible for receiving and processing
requests for access by individuals.