NRPM: Standards for Privacy of Individually Identifiable Health Information. ii. Required statements.

11/03/1999

We are proposing that the notice include several basic statements to inform the individual of their rights and interests with respect to protected health information. First, we propose to require the notice to inform individuals that the covered plan or provider will not use or disclose their protected health information for purposes not listed in the notice without the individual’s authorization. Individuals need to understand that they can authorize a disclosure of their protected health information and that the covered entity may request the individual to authorize a disclosure, and that such disclosures are subject to their control. The notice should also inform individuals that such authorizations can be revoked.

Second, we propose that the notice inform individuals that they have the right to request that the covered plan or provider restrict certain uses and disclosures of protected health information about them. The notice would also inform individuals that the covered plan or provider is not required to agree to such a request.

Third, we propose that the notice also inform individuals about their right of access to protected health information for inspection and copying and to an accounting of disclosures as provided in proposed §§ 164.514 and 164.515. In addition, the notice would inform individuals about their right to request an amendment or correction of protected health information as proposed in § 164.516. The notice would include brief descriptions of the procedures for submitting requests to the covered plan or provider.

Fourth, the notice would be required to include a statement that there are legal requirements that require the covered plan or provider to protect the privacy of its information, provide a notice of information practices, and abide by the terms of that notice. Individuals should be aware that there are government requirements in place to protect their privacy. Without this statement, individuals may not realize that covered plans or providers are required to take measures to protect their privacy, and may therefore be less interested in pursuing their rights or finding out more information.

Fifth, the notice would be required to include a statement that the entity may revise its policies and procedures with respect to uses or disclosures of protected health information at any time and that such a revision could result in additional uses or disclosures without the individual’s authorization. The notice also should inform the individual how a revised notice would be made available when material revisions in policies and procedures are made. For example, when a provider makes a material change to its notice, proposed § 164.512(e) would require the provider to post a new notice.

Finally, we propose that the notice inform individuals that they have the right to complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated.