
45 CFR 164.522 - Rights to request privacy protection for protected health information.

There is 1 rule appearing in the Federal Register for 45 CFR 164.
§ 164.522
Rights to request privacy protection for protected health information.
(a)(1) Standard: Right of an individual to request restriction of uses and disclosures. (i) A covered entity must permit an individual to request that the covered entity restrict:
(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) A covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
(iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(ii), 164.510(a) or 164.512.
(2) Implementation specifications: Terminating a restriction. A covered entity may terminate its agreement to a restriction, if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented; or
(iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to protected health information created or received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity that agrees to a restriction must document the restriction in accordance with § 164.530(j).
(b)(1) Standard: Confidential communications requirements. (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
(2) Implementation specifications: Conditions on providing confidential communications. (i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.
(ii) A covered entity may condition the provision of a reasonable accommodation on:
(A) When appropriate, information as to how payment, if any, will be handled; and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.
[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53271, Aug. 14, 2002]

Title 45 published on 2012-10-01

The following are only the Rules published in the Federal Register after the published date of Title 45.

  • 2013-01-25; vol. 78 # 17 - Friday, January 25, 2013
    1. 78 FR 5566 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Final rule.
      Effective date: This final rule is effective on March 26, 2013. Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.
      45 CFR Parts 160 and 164

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code
U.S.C. : Title 42 - THE PUBLIC HEALTH AND WELFARE

42 USC § 1320d - Definitions

42 USC § 1320d–1 - General requirements for adoption of standards

42 USC § 1320d–2 - Standards for information transactions and data elements

42 USC § 1320d–3 - Timetables for adoption of standards

42 USC § 1320d–4 - Requirements

42 USC § 1320d–5 - General penalty for failure to comply with requirements and standards

42 USC § 1320d–6 - Wrongful disclosure of individually identifiable health information

42 USC § 1320d–7 - Effect on State law

42 USC § 1320d–8 - Processing payment transactions by financial institutions

Title 45 published on 2012-10-01

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR 164 after this date.

  • 2013-04-23; vol. 78 # 78 - Tuesday, April 23, 2013
    1. 78 FR 23872 - HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS)
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary
      Advance notice of proposed rulemaking.
      Submit comments on or before June 7, 2013.
      45 CFR Parts 160 and 164