(a) Standard: right of access. An individual has a right of access to, which includes a right to inspect and obtain a copy of, his or her protected health information in designated record sets of a covered entity that is a health plan or a health care provider, including such information in a business partner’s designated record set that is not a duplicate of the information held by the provider or plan, for so long as the information is maintained.
(b) Standard: denial of access to protected health information.
(1) Grounds. Except where the protected health information to which access is requested is subject to 5 U.S.C. 552a, a covered entity may deny a request for access under paragraph (a) of this section where:
(i) A licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to endanger the life or physical safety of the individual or another person;
(ii) The information is about another person (other than a health care provider) and a licensed health care professional has determined that the inspection and copying requested is reasonably likely to cause substantial harm to such other person;
(iii) The information was obtained under a promise of confidentiality from someone other than a health care provider and such access would be likely to reveal the source of the information;
(iv) The information was obtained by a covered entity that is a health care provider in the course of a clinical trial, the individual has agreed to the denial of access when consenting to participate in the trial (if the individual’s consent to participate was obtained), and the clinical trial is in progress; or
(v) The information was compiled in reasonable anticipation of, or for use in, a legal proceeding.
(2) Other information available. Where a denial of protected health information is made pursuant to paragraph (b)(1) of this section, the covered entity must make any other protected health information requested available to the individual to the extent possible consistent with the denial.
(c) Standard: procedures to protect rights of access. A covered entity that is a health plan or a health care provider must have procedures that enable individuals to exercise their rights under paragraph (a) of this section.
(d) Implementation specifications: access to protected health information. The procedures required by paragraph (c) of this section must:
(1) Means of request. Provide a means by which an individual can request inspection or a copy of protected health information about him or her.
(2) Time limit. Provide for taking action on such requests as soon as possible but not later than 30 days following receipt of the request.
(3) Request accepted. Where the request is accepted, provide:
(i) For notification of the individual of the decision and of any steps necessary to fulfill the request;
(ii) The information requested in the form or format requested, if it is readily producible in such form or format;
(iii) For facilitating the process of inspection and copying; and
(iv) For a reasonable, cost-based fee for copying health information provided pursuant to this paragraph, if deemed desirable by the entity.
(4) Request denied. Where the request is denied in whole or in part, provide the individual with a written statement in plain language of:
(i) The basis for the denial; and
(ii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.518(d)(2) or to the Secretary pursuant to the procedures established in § 164.522(b). The description must include:
(A) The name and telephone number of the contact person or office required by § 164.518(a)(2); and
(B) Information relevant to filing a complaint with the Secretary under § 164.522(b).