(a) Standard. An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information.
(b) Standard for notice procedures. A covered entity that is a health plan or health care provider must have procedures that provide adequate notice to individuals of their rights and the procedures for exercising their rights under this subpart with respect to protected health information about them.
(c) General implementation specification. A covered entity that has and follows procedures that meet the requirements of this section will be presumed to have provided adequate notice under this section.
(d) Implementation specifications: content of notice.
(1) Required elements. Notices required to be provided under this section must include in plain language a statement of each of the following elements:
(i) Uses and disclosures. The uses and disclosures, and the entity’s policies and procedures with respect to such uses and disclosures, must be described in sufficient detail to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. Such statement must:
(A) Describe the uses and disclosures that will be made without individual authorization; and
(B) Distinguish between those uses and disclosures the entity makes that are required by law and those that are permitted but not required by law.
(ii) Required statements. State that:
(A) Other uses and disclosures will be made only with the individual’s authorization and that such authorization may be revoked;
(B) An individual may request that certain uses and disclosures of his or her protected health information be restricted, and the covered entity is not required to agree to such a request;
(C) An individual has the right to request, and a description of the procedures for exercising, the following with respect to his or her protected health information:
(1) Inspection and copying;
(2) Amendment or correction; and
(3) An accounting of the disclosures of such information by the covered entity;
(D) The covered entity is required by law to protect the privacy of its individually identifiable health information, provide a notice of its policies and procedures with respect to such information, and abide by the terms of the notice currently in effect;
(E) The entity may change its policies and procedures relating to protected health information at any time, with a description of how individuals will be informed of material changes; and
(F) Individuals may complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated.
(iii) Contact. The name and telephone number of a contact person or office required by § 164.518(a)(2).
(iv) Date. The date the version of the notice was produced.
(2) Revisions. A covered health plan or health care provider may change its policies or procedures required by this subpart at any time. When a covered health plan or health care provider materially revises its policies and procedures, it must update its notice as provided for by § 164.520(g).
(e) Implementation specifications: provision of notice. A covered entity must make the notice required by this section available:
(1) General requirement. On request; and
(2) Specific requirements. As follows:
(i) Health plans. Health plans must provide a copy of the notice to an individual covered by the plan:
(A) As of the date on which the health plan is required to be in compliance with this subpart;
(B) After the date described in paragraph (e)(2)(i)(A) of this section, at enrollment;
(C) After enrollment, within 60 days of a material revision to the content of the notice; and
(D) No less frequently than once every three years.
(ii) Health care providers. A health care provider must:
(A) During the one year period following the date by which the provider is required to come into compliance with this subpart, provide a copy to individuals currently served by the provider at the first service delivery to such individuals during such period, provided that, where service is not provided through a face-to-face contact, the provider must provide the notice in an appropriate manner within a reasonable period of time following first service delivery;
(B) After the one year period provided for by paragraph (e)(2)(ii)(A) of this section, provide a copy to individuals served by the provider at the first service delivery to such individuals, provided that, where service is not provided through a face-to-face contact, the provider must provide the notice in an appropriate manner within a reasonable period of time following first service delivery; and
(C) Post a copy of the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. Any revision to the notice must be posted promptly.