We proposed in the NPRM to require a covered health care provider or health plan that elects to deny a request for inspection or copying to make any other protected health information requested available to the individual to the extent possible, consistent with the denial.
In the final rule, we clarify the proposed approach. A covered entity that denies access, in whole or in part, must, to the extent possible, give the individual access to any other protected health information requested after excluding the protected health information to which the covered entity has a ground to deny access. We intend covered entities to redact or otherwise exclude only the information that falls within one or more of the denial criteria described above and to permit inspection and copying of all remaining information, to the extent it is possible to do so.
We also proposed to require covered providers and health plans, upon denying a request for access in whole or in part, to provide the individual with a written statement in plain language of the basis for the denial and how the individual could make a complaint to the covered entity or the Secretary.
We retain the proposed approach. A covered entity that denies access, in whole or in part, must provide the individual with a written denial in plain language that explains the basis for the denial. The written denial could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone does not sufficiently explain the reason for the denial. The written denial must also describe how the individual can complain to the covered entity and the Secretary and must include the name or title and the telephone number of the covered entity's contact person or office that is responsible for receiving complaints.
In the final rule, we impose two additional requirements when the covered entity denies access, in whole or in part. First, if a covered entity denies a request on the basis of one of the reviewable grounds for denial, the written denial must describe the individual's right to a review of the denial and how the individual may exercise this right. Second, if the covered entity denies the request because it does not maintain the requested information, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.
Finally, we specify a covered entity's responsibilities when an individual requests a review of a denial. If the individual requests a review of a denial made under § 164.524(a)(3), the covered entity must designate a licensed health care professional to act as the reviewing official. This reviewing official must not have been involved in the original decision to deny access. The covered entity must promptly refer a request for review to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in § 164.524(a)(3). The covered entity must promptly provide the individual with written notice of the reviewing official's decision and otherwise carry out the decision in accordance with the requirements of this section.