[Code of Federal Regulations]

[Title 45, Volume 1]

[Revised as of October 1, 2002]

From the U.S. Government Printing Office via GPO Access

[CITE: 45CFR164.520]

[Page 723-727]

TITLE 45--PUBLIC WELFARE

AND HUMAN SERVICES

PART 164--SECURITY AND PRIVACY--Table of Contents

Subpart E--Privacy of Individually Identifiable Health Information

Sec. 164.520 Notice of privacy practices for protected health information.

(a) Standard: notice of privacy practices--(1) Right to notice.

Except as provided by paragraph (a)(2) or (3) of this section, an

individual has a right to adequate notice of the uses and disclosures of

protected health information that may be made by the covered entity, and

of the individual's rights and the covered entity's legal duties with

respect to protected health information.

(2) Exception for group health plans. (i) An individual enrolled in

a group health plan has a right to notice:

(A) From the group health plan, if, and to the extent that, such an

individual does not receive health benefits under the group health plan

through an insurance contract with a health insurance issuer or HMO; or

(B) From the health insurance issuer or HMO with respect to the

group health plan through which such individuals receive their health

benefits under the group health plan.

(ii) A group health plan that provides health benefits solely

through an insurance contract with a health insurance issuer or HMO, and

that creates or receives protected health information in addition to

summary health information as defined in Sec. 164.504(a) or information

on whether the individual is participating in the group health plan, or

is enrolled in or has disenrolled from a health insurance issuer or HMO

offered by the plan, must:

(A) Maintain a notice under this section; and

(B) Provide such notice upon request to any person. The provisions

of paragraph (c)(1) of this section do not apply to such group health

plan.

(iii) A group health plan that provides health benefits solely

through an insurance contract with a health insurance issuer or HMO, and

does not create or receive protected health information other than

summary health information as defined in Sec. 164.504(a) or information

on whether an individual is participating in the group health plan, or

is enrolled in or has disenrolled from a health insurance issuer or HMO

offered by the plan, is not required to maintain or provide a notice

under this section.

(3) Exception for inmates. An inmate does not have a right to notice

under this section, and the requirements of this section do not apply to

a correctional institution that is a covered entity.

(b) Implementation specifications: content of notice--(1) Required

elements. The covered entity must provide a notice that is written in

plain language and that contains the elements required by this

paragraph.

(i) Header. The notice must contain the following statement as a

header or otherwise prominently displayed: ``THIS NOTICE DESCRIBES HOW

MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.''

(ii) Uses and disclosures. The notice must contain:

(A) A description, including at least one example, of the types of

uses and disclosures that the covered entity is permitted by this

subpart to make for

each of the following purposes: treatment, payment, and health care

operations.

(B) A description of each of the other purposes for which the

covered entity is permitted or required by this subpart to use or

disclose protected health information without the individual's written

consent or authorization.

(C) If a use or disclosure for any purpose described in paragraphs

(b)(1)(ii)(A) or (B) of this section is prohibited or materially limited

by other applicable law, the description of such use or disclosure must

reflect the more stringent law as defined in Sec. 160.202 of this

subchapter.

(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of

this section, the description must include sufficient detail to place

the individual on notice of the uses and disclosures that are permitted

or required by this subpart and other applicable law.

(E) A statement that other uses and disclosures will be made only

with the individual's written authorization and that the individual may

revoke such authorization as provided by Sec. 164.508(b)(5).

(iii) Separate statements for certain uses or disclosures. If the

covered entity intends to engage in any of the following activities, the

description required by paragraph (b)(1)(ii)(A) of this section must

include a separate statement, as applicable, that:

(A) The covered entity may contact the individual to provide

appointment reminders or information about treatment alternatives or

other health-related benefits and services that may be of interest to

the individual;

(B) The covered entity may contact the individual to raise funds for

the covered entity; or

(C) A group health plan, or a health insurance issuer or HMO with

respect to a group health plan, may disclose protected health

information to the sponsor of the plan.

(iv) Individual rights. The notice must contain a statement of the

individual's rights with respect to protected health information and a

brief description of how the individual may exercise these rights, as

follows:

(A) The right to request restrictions on certain uses and

disclosures of protected health information as provided by

Sec. 164.522(a), including a statement that the covered entity is not

required to agree to a requested restriction;

(B) The right to receive confidential communications of protected

health information as provided by Sec. 164.522(b), as applicable;

(C) The right to inspect and copy protected health information as

provided by Sec. 164.524;

(D) The right to amend protected health information as provided by

Sec. 164.526;

(E) The right to receive an accounting of disclosures of protected

health information as provided by Sec. 164.528; and

(F) The right of an individual, including an individual who has

agreed to receive the notice electronically in accordance with paragraph

(c)(3) of this section, to obtain a paper copy of the notice from the

covered entity upon request.

(v) Covered entity's duties. The notice must contain:

(A) A statement that the covered entity is required by law to

maintain the privacy of protected health information and to provide

individuals with notice of its legal duties and privacy practices with

respect to protected health information;

(B) A statement that the covered entity is required to abide by the

terms of the notice currently in effect; and

(C) For the covered entity to apply a change in a privacy practice

that is described in the notice to protected health information that the

covered entity created or received prior to issuing a revised notice, in

accordance with Sec. 164.530(i)(2)(ii), a statement that it reserves the

right to change the terms of its notice and to make the new notice

provisions effective for all protected health information that it

maintains. The statement must also describe how it will provide

individuals with a revised notice.

(vi) Complaints. The notice must contain a statement that

individuals may complain to the covered entity and to the Secretary if

they believe their privacy rights have been violated, a brief

description of how the individual may file a complaint with the covered

entity, and a statement that the individual

will not be retaliated against for filing a complaint.

(vii) Contact. The notice must contain the name, or title, and

telephone number of a person or office to contact for further

information as required by Sec. 164.530(a)(1)(ii).

(viii) Effective date. The notice must contain the date on which the

notice is first in effect, which may not be earlier than the date on

which the notice is printed or otherwise published.

(2) Optional elements. (i) In addition to the information required

by paragraph (b)(1) of this section, if a covered entity elects to limit

the uses or disclosures that it is permitted to make under this subpart,

the covered entity may describe its more limited uses or disclosures in

its notice, provided that the covered entity may not include in its

notice a limitation affecting its right to make a use or disclosure that

is required by law or permitted by Sec. 164.512(j)(1)(i).

(ii) For the covered entity to apply a change in its more limited

uses and disclosures to protected health information created or received

prior to issuing a revised notice, in accordance with

Sec. 164.530(i)(2)(ii), the notice must include the statements required

by paragraph (b)(1)(v)(C) of this section.

(3) Revisions to the notice. The covered entity must promptly revise

and distribute its notice whenever there is a material change to the

uses or disclosures, the individual's rights, the covered entity's legal

duties, or other privacy practices stated in the notice. Except when

required by law, a material change to any term of the notice may not be

implemented prior to the effective date of the notice in which such

material change is reflected.

(c) Implementation specifications: Provision of notice. A covered

entity must make the notice required by this section available on

request to any person and to individuals as specified in paragraphs

(c)(1) through (c)(4) of this section, as applicable.

(1) Specific requirements for health plans. (i) A health plan must

provide notice:

(A) No later than the compliance date for the health plan, to

individuals then covered by the plan;

(B) Thereafter, at the time of enrollment, to individuals who are

new enrollees; and

(C) Within 60 days of a material revision to the notice, to

individuals then covered by the plan.

(ii) No less frequently than once every three years, the health plan

must notify individuals then covered by the plan of the availability of

the notice and how to obtain the notice.

(iii) The health plan satisfies the requirements of paragraph (c)(1)

of this section if notice is provided to the named insured of a policy

under which coverage is provided to the named insured and one or more

dependents.

(iv) If a health plan has more than one notice, it satisfies the

requirements of paragraph (c)(1) of this section by providing the notice

that is relevant to the individual or other person requesting the

notice.

(2) Specific requirements for certain covered health care providers.

A covered health care provider that has a direct treatment relationship

with an individual must:

(i) Provide the notice no later than the date of the first service

delivery, including service delivered electronically, to such individual

after the compliance date for the covered health care provider;

(ii) If the covered health care provider maintains a physical

service delivery site:

(A) Have the notice available at the service delivery site for

individuals to request to take with them; and

(B) Post the notice in a clear and prominent location where it is

reasonable to expect individuals seeking service from the covered health

care provider to be able to read the notice; and

(iii) Whenever the notice is revised, make the notice available upon

request on or after the effective date of the revision and promptly

comply with the requirements of paragraph (c)(2)(ii) of this section, if

applicable.

(3) Specific requirements for electronic notice. (i) A covered

entity that maintains a web site that provides information about the

covered entity's customer services or benefits must prominently post its

notice on the web site and make the notice available electronically

through the web site.

(ii) A covered entity may provide the notice required by this

section to an individual by e-mail, if the individual agrees to

electronic notice and such agreement has not been withdrawn. If the

covered entity knows that the e-mail transmission has failed, a paper

copy of the notice must be provided to the individual. Provision of

electronic notice by the covered entity will satisfy the provision

requirements of paragraph (c) of this section when timely made in

accordance with paragraph (c)(1) or (2) of this section.

(iii) For purposes of paragraph (c)(2)(i) of this section, if the

first service delivery to an individual is delivered electronically, the

covered health care provider must provide electronic notice

automatically and contemporaneously in response to the individual's

first request for service.

(iv) The individual who is the recipient of electronic notice

retains the right to obtain a paper copy of the notice from a covered

entity upon request.

(d) Implementation specifications: Joint notice by separate covered

entities. Covered entities that participate in organized health care

arrangements may comply with this section by a joint notice, provided

that:

(1) The covered entities participating in the organized health care

arrangement agree to abide by the terms of the notice with respect to

protected health information created or received by the covered entity

as part of its participation in the organized health care arrangement;

(2) The joint notice meets the implementation specifications in

paragraph (b) of this section, except that the statements required by

this section may be altered to reflect the fact that the notice covers

more than one covered entity; and

(i) Describes with reasonable specificity the covered entities, or

class of entities, to which the joint notice applies;

(ii) Describes with reasonable specificity the service delivery

sites, or classes of service delivery sites, to which the joint notice

applies; and

(iii) If applicable, states that the covered entities participating

in the organized health care arrangement will share protected health

information with each other, as necessary to carry out treatment,

payment, or health care operations relating to the organized health care

arrangement.

(3) The covered entities included in the joint notice must provide

the notice to individuals in accordance with the applicable

implementation specifications of paragraph (c) of this section.

Provision of the joint notice to an individual by any one of the covered

entities included in the joint notice will satisfy the provision

requirement of paragraph (c) of this section with respect to all others

covered by the joint notice.

(e) Implementation specifications: Documentation. A covered entity

must document compliance with the notice requirements by retaining

copies of the notices issued by the covered entity as required by

Sec. 164.530(j).

Effective Date Note: At 67 FR 53271, Aug. 14, 2002, Sec. 164.520,

was amended by removing the words ``consent or'' from paragraph

(b)(1)(ii)(B); in paragraph (c), introductory text, remove ``(c)(4)''

and add in its place ``(c)(3)''; revising paragraph (c)(2)(i);

redesignating paragraphs (c)(2)(ii) and (iii) as (c)(2)(iii) and (iv);

adding new paragraph (c)(2)(ii); amend redesignated paragraph (c)(2)(iv)

by removing ``(c)(2)(ii)'' and adding in its place ``(c)(2)(iii)'';

amend paragraph (c)(3)(iii) by adding a sentence at the end; revising

paragraph (e), effective Oct. 15, 2002. For the convenience of the user,

the added and revised text is set forth as follows:

Sec. 164.520 Notice of privacy practices for protected health

information.

* * * * *

(c) Implementation specifications: provision of notice. * * *

(2) Specific requirements for certain covered health care providers.

* * *

(i) Provide the notice:

(A) No later than the date of the first service delivery, including

service delivered electronically, to such individual after the

compliance date for the covered health care provider; or

(B) In an emergency treatment situation, as soon as reasonably

practicable after the emergency treatment situation.

(ii) Except in an emergency treatment situation, make a good faith

effort to obtain a written acknowledgment of receipt of the notice

provided in accordance with paragraph (c)(2)(i) of this section, and if

not obtained, document its good faith efforts to obtain

such acknowledgment and the reason why the acknowledgment was not

obtained;

* * * * *

(3) Specific requirements for electronic notice. * * *

(iii) * * * The requirements in paragraph (c)(2)(ii) of this section

apply to electronic notice.

* * * * *

(e) Implementation specifications: Documentation. A covered entity

must document compliance with the notice requirements, as required by

Sec. 164.530(j), by retaining copies of the notices issued by the

covered entity and, if applicable, any written acknowledgments of

receipt of the notice or documentation of good faith efforts to obtain

such written acknowledgment, in accordance with paragraph (c)(2)(ii) of

this section.