164.524(c)

Provision of access:

8.1.5.1. CE must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets. If the same PHI that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the CE need only produce the PHI once in response to a request for access.

8.1.5.2. CE must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the CE and the individual.

8.1.5.3. CE may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided, if:

8.1.5.3.1. The individual agrees in advance to such a summary or explanation; and

8.1.5.3.2. The individual agrees in advance to the fees imposed, if any, by the CE for such summary or explanation.

8.1.5.4. CE must provide the access as requested by the individual in a timely manner, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing the copy of the PHI at the individual's request.

8.1.5.5. If the individual requests a copy of the PHI or agrees to a summary or explanation of such information, the CE may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:

8.1.5.5.1. Copying, including the cost of supplies and labor;

8.1.5.5.2. Postage; and

8.1.5.5.3. Preparing an explanation or summary of the PHI, if agreed to by the individual.

164.524(d)

Denial of access:

8.1.6.1. CE must provide a timely, written denial to the individual. The denial must be in plain language and must contain:

8.1.6.1.1. The basis for the denial;

8.1.6.1.2. If applicable, a statement of the individual's right to have the denial reviewed, including a description of how the individual may exercise such right; and

8.1.6.1.3. A description of how the individual may complain to the covered entity (pursuant to the complaint procedures set forth in ¶ 11.3.4.) or to the Secretary of HHS pursuant to ¶ 12.2. The description must include the name, or title, and telephone number of the contact person or office designated in ¶ 11.3.1.2.

8.1.6.2. CE must, to the extent possible, give the individual access to any other PHI requested, after excluding the PHI as to which the CE has a ground to deny access.

8.1.6.3. If the CE does not maintain the PHI that is the subject of the individual's request for access, and the CE knows where the requested information is maintained, the CE must inform the individual where to direct the request for access.

164.524(e)

Documentation:

CE must document the following and retain the documentation for six years from the date of its creation:

8.1.7.1. The designated record sets that are subject to access by individuals; and

8.1.7.2. The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

164.522

Rights to Request Privacy Protection for PHI:

164.522(a)

Right of an individual to request restriction of uses and disclosures:

8.2.1.1. CE must permit individual to request that CE restrict uses/disclosures for TPO and disclosures pursuant to ¶ 6.2;

8.2.1.1.1. CE is not required to agree to the restriction;

8.2.1.1.2. If CE agrees to the restriction, it must not use or disclose the PHI in violation of the restriction except, if individual who made request is in need of emergency treatment and the restricted PHI is needed to provide that treatment, CE may use the restricted PHI or disclose it to a health care provider to provide such treatment;

8.2.1.1.3. Upon disclosure pursuant to ¶ 8.2.1.1.2., CE must request that such health care provider not further use or disclose the PHI;

8.2.1.1.4. An agreed upon restriction is not effective to prevent uses or disclosures permitted or required under 164.502(a)(2)(i), 164.510(a) or 164.512 [¶ 3.2.1.; ¶ 6.1; 9.].

8.2.1.2. Terminating a restriction: CE may terminate its agreement to a restriction if:

8.2.1.2.1. The individual agrees to or requests the termination in writing;

8.2.1.2.2. The individual orally agrees to the termination, and agreement is documented; or

8.2.1.2.3. CE informs the individual that it is terminating its agreement to the restriction, except that termination is only effective as to PHI created or received after such notice.

8.2.1.3. Documentation: CE that agrees to a restriction must document the restriction in accordance with ¶ 11.3.10.

164.522(b)

Confidential communications:

8.2.2.1. Requirements:

8.2.2.1.1. Provider must permit individuals to request (and must accommodate reasonable requests) to receive communications of PHI from the provider by alternative means or at alternative locations.

8.2.2.1.2. A health plan must permit individuals to request (and must accommodate reasonable requests) to receive communications of PHI from the health plan by alternative means or at alternative locations if the individual clearly states that disclosure of the information could endanger the individual.

8.2.2.2. Conditions on providing confidential communications:

8.2.2.2.1. CE may require the individual to make a request for a communication to be made by alternative means or to an alternative location in writing;

8.2.2.2.2. CE may condition the provision of a reasonable accommodation on information as to how payment, if any, will be handled, when appropriate, and specification of an alternate address or method of contact;

8.2.2.2.3. A provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis;

8.2.2.2.4. A health plan may require that a request contain a statement that disclosure of the information to which the request pertains could endanger the individual.