Final Standards for
Privacy of Individually Identifiable Health Information
§ 164.520 Notice of privacy practices for protected
health information.
(a) Standard: notice of privacy
practices.
- Right to notice. Except as provided by paragraph
(a)(2) or (3) of this section, an individual has a
right to adequate notice of the uses and disclosures
of protected health information that may be made by
the covered entity, and of the individual's rights
and the covered entity's legal duties with respect
to protected health information.
- Exception for group health plans.
- An individual enrolled in a group health plan
has a right to notice:
- From the group health plan, if, and to the
extent that, such an individual does not receive
health benefits under the group health plan
through an insurance contract with a health
insurance issuer or HMO; or
- From the health insurance issuer or HMO
with respect to the group health plan through
which such individuals receive their health
benefits under the group health plan.
- A group health plan that provides health benefits
solely through an insurance contract with a health
insurance issuer or HMO, and that creates or receives
protected health information in addition to summary
health information as defined in §
164.504(a) or information on whether the individual
is participating in the group health plan, or
is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, must:
- Maintain a notice under this section; and
- Provide such notice upon request to any
person. The provisions of paragraph (c)(1)
of this section do not apply to such group
health plan.
- A group health plan that provides health benefits
solely through an insurance contract with a health
insurance issuer or HMO, and does not create or
receive protected health information other than
summary health information as defined in §
164.504(a) or information on whether an individual
is participating in the group health plan, or
is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, is
not required to maintain or provide a notice under
this section.
- Exception for inmates. An inmate does not have a
right to notice under this section, and the requirements
of this section do not apply to a correctional institution
that is a covered entity.
(b) Implementation specifications:
content of notice.
- Required elements. The covered entity must provide
a notice that is written in plain language and that
contains the elements required by this paragraph.
- Header. The notice must contain the following
statement as a header or otherwise prominently
displayed: "THIS NOTICE DESCRIBES HOW MEDICAL
INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY."
- Uses and disclosures. The notice must contain:
- A description, including at least one example,
of the types of uses and disclosures that
the covered entity is permitted by this subpart
to make for each of the following purposes:
treatment, payment, and health care operations.
- A description of each of the other purposes
for which the covered entity is permitted
or required by this subpart to use or disclose
protected health information without the individual's
written consent or authorization.
- If a use or disclosure for any purpose described
in paragraphs (b)(1)(ii)(A) or (B) of this
section is prohibited or materially limited
by other applicable law, the description of
such use or disclosure must reflect the more
stringent law as defined in § 160.202.
- For each purpose described in paragraph
(b)(1)(ii)(A) or (B) of this section, the
description must include sufficient detail
to place the individual on notice of the uses
and disclosures that are permitted or required
by this subpart and other applicable law.
- A statement that other uses and disclosures
will be made only with the individual's written
authorization and that the individual may
revoke such authorization as provided by §
164.508(b)(5).
- Separate statements for certain uses or disclosures.
If the covered entity intends to engage in any
of the following activities, the description required
by paragraph (b)(1)(ii)(A) of this section must
include a separate statement, as applicable, that:
- The covered entity may contact the individual
to provide appointment reminders or information
about treatment alternatives or other health-related
benefits and services that may be of interest
to the individual;
- The covered entity may contact the individual
to raise funds for the covered entity; or
- A group health plan, or a health insurance
issuer or HMO with respect to a group health
plan, may disclose protected health information
to the sponsor of the plan.
- Individual rights. The notice must contain a
statement of the individual's rights with
respect to protected health information and a
brief description of how the individual may exercise
these rights, as follows:
- The right to request restrictions on certain
uses and disclosures of protected health information
as provided by §
164.522(a), including a statement that
the covered entity is not required to agree
to a requested restriction;
- The right to receive confidential communications
of protected health information as provided
by § 164.522(b),
as applicable;
- The right to inspect and copy protected
health information as provided by §
164.524;
- The right to amend protected health information
as provided by § 164.526;
- The right to receive an accounting of disclosures
of protected health information as provided
by § 164.528; and
- The right of an individual, including an
individual who has agreed to receive the notice
electronically in accordance with paragraph
(c)(3) of this section, to obtain a paper
copy of the notice from the covered entity
upon request.
- Covered entity's duties. The notice must
contain:
- A statement that the covered entity is required
by law to maintain the privacy of protected
health information and to provide individuals
with notice of its legal duties and privacy
practices with respect to protected health
information;
- A statement that the covered entity is required
to abide by the terms of the notice currently
in effect; and
- For the covered entity to apply a change
in a privacy practice that is described in
the notice to protected health information
that the covered entity created or received
prior to issuing a revised notice, in accordance
with § 164.530(i)(2)(ii),
a statement that it reserves the right to
change the terms of its notice and to make
the new notice provisions effective for all
protected health information that it maintains.
The statement must also describe how it will
provide individuals with a revised notice.
- Complaints. The notice must contain a statement
that individuals may complain to the covered entity
and to the Secretary if they believe their privacy
rights have been violated, a brief description
of how the individual may file a complaint with
the covered entity, and a statement that the individual
will not be retaliated against for filing a complaint.
- Contact. The notice must contain the name, or
title, and telephone number of a person or office
to contact for further information as required
by § 164.530(a)(1)(ii).
- Effective date. The notice must contain the
date on which the notice is first in effect, which
may not be earlier than the date on which the
notice is printed or otherwise published.
- Optional elements.
- In addition to the information required by
paragraph (b)(1) of this section, if a covered
entity elects to limit the uses or disclosures
that it is permitted to make under this subpart,
the covered entity may describe its more limited
uses or disclosures in its notice, provided that
the covered entity may not include in its notice
a limitation affecting its right to make a use
or disclosure that is required by law or permitted
by § 164.512(j)(1)(i).
- For the covered entity to apply a change in
its more limited uses and disclosures to protected
health information created or received prior to
issuing a revised notice, in accordance with §
164.530(i)(2)(ii), the notice must include
the statements required by paragraph (b)(1)(v)(C)
of this section.
- Revisions to the notice. The covered entity must
promptly revise and distribute its notice whenever
there is a material change to the uses or disclosures,
the individual's rights, the covered entity's
legal duties, or other privacy practices stated in
the notice. Except when required by law, a material
change to any term of the notice may not be implemented
prior to the effective date of the notice in which
such material change is reflected.
(c) Implementation specifications:
provision of notice. A covered entity must make
the notice required by this section available on request
to any person and to individuals as specified in paragraphs
(c)(1) through (c)(4) of this section, as applicable.
- Specific requirements for health plans.
- A health plan must provide notice:
- No later than the compliance date for the
health plan, to individuals then covered by
the plan;
- Thereafter, at the time of enrollment, to
individuals who are new enrollees; and
- Within 60 days of a material revision to
the notice, to individuals then covered by
the plan.
- No less frequently than once every three years,
the health plan must notify individuals then covered
by the plan of the availability of the notice
and how to obtain the notice.
- The health plan satisfies the requirements of
paragraph (c)(1) of this section if notice is
provided to the named insured of a policy under
which coverage is provided to the named insured
and one or more dependents.
- If a health plan has more than one notice, it
satisfies the requirements of paragraph (c)(1)
of this section by providing the notice that is
relevant to the individual or other person requesting
the notice.
- Specific requirements for certain covered health
care providers. A covered health care provider that
has a direct treatment relationship with an individual
must:
- Provide the notice no later than the date of
the first service delivery, including service
delivered electronically, to such individual after
the compliance date for the covered health care
provider;
- If the covered health care provider maintains
a physical service delivery site:
- Have the notice available at the service
delivery site for individuals to request to
take with them; and
- Post the notice in a clear and prominent
location where it is reasonable to expect
individuals seeking service from the covered
health care provider to be able to read the
notice; and
- Whenever the notice is revised, make the notice
available upon request on or after the effective
date of the revision and promptly comply with
the requirements of paragraph (c)(2)(ii) of this
section, if applicable.
- Specific requirements for electronic notice.
- A covered entity that maintains a web site
that provides information about the covered entity's
customer services or benefits must prominently
post its notice on the web site and make the notice
available electronically through the web site.
- A covered entity may provide the notice required
by this section to an individual by e-mail, if
the individual agrees to electronic notice and
such agreement has not been withdrawn. If the
covered entity knows that the e-mail transmission
has failed, a paper copy of the notice must be
provided to the individual. Provision of electronic
notice by the covered entity will satisfy the
provision requirements of paragraph (c) of this
section when timely made in accordance with paragraph
(c)(1) or (2) of this section.
- For purposes of paragraph (c)(2)(i) of this
section, if the first service delivery to an individual
is delivered electronically, the covered health
care provider must provide electronic notice automatically
and contemporaneously in response to the individual's
first request for service.
- The individual who is the recipient of electronic
notice retains the right to obtain a paper copy
of the notice from a covered entity upon request.
(d) Implementation specifications:
joint notice by separate covered entities. Covered
entities that participate in organized health care arrangements
may comply with this section by a joint notice, provided
that:
- The covered entities participating in the organized
health care arrangement agree to abide by the terms
of the notice with respect to protected health information
created or received by the covered entity as part
of its participation in the organized health care
arrangement;
- The joint notice meets the implementation specifications
in paragraph (b) of this section, except that the
statements required by this section may be altered
to reflect the fact that the notice covers more than
one covered entity; and
- Describes with reasonable specificity the covered
entities, or class of entities, to which the joint
notice applies;
- Describes with reasonable specificity the service
delivery sites, or classes of service delivery
sites, to which the joint notice applies; and
- If applicable, states that the covered entities
participating in the organized health care arrangement
will share protected health information with each
other, as necessary to carry out treatment, payment,
or health care operations relating to the organized
health care arrangement.
- The covered entities included in the joint notice
must provide the notice to individuals in accordance
with the applicable implementation specifications
of paragraph (c) of this section. Provision of the
joint notice to an individual by any one of the covered
entities included in the joint notice will satisfy
the provision requirement of paragraph (c) of this
section with respect to all others covered by the
joint notice.
(e) Implementation specifications:
documentation. A covered entity must document compliance
with the notice requirements by retaining copies of
the notices issued by the covered entity as required
by § 164.530(j).