[Federal Register: December 28, 2000 (Volume 65, Number 250)]
[Rules and Regulations]
[Page 82811-82829]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28de00-36]

[[pp. 82811-82829]] Standards for Privacy of Individually Identifiable Health
Information

[[Continued from page 82810]]

[[Page 82811]]

    (f)(1) Standard: Joint consents. Covered entities that participate
in an organized health care arrangement and that have a joint notice
under Sec. 164.520(d) may comply with this section by a joint consent.
    (2) Implementation specifications: Requirements for joint consents.
(i) A joint consent must:
    (A) Include the name or other specific identification of the
covered entities, or classes of covered entities, to which the joint
consent applies; and
    (B) Meet the requirements of this section, except that the
statements required by this section may be altered to reflect the fact
that the consent covers more than one covered entity.
    (ii) If an individual revokes a joint consent, the covered entity
that receives the revocation must inform the other entities covered by
the joint consent of the revocation as soon as practicable.

Sec. 164.508  Uses and disclosures for which an authorization is
required.

    (a) Standard: Authorizations for uses and disclosures. (1)
Authorization required: General rule. Except as otherwise permitted or
required by this subchapter, a covered entity may not use or disclose
protected health information without an authorization that is valid
under this section. When a covered entity obtains or receives a valid
authorization for its use or disclosure of protected health
information, such use or disclosure must be consistent with such
authorization.
    (2) Authorization required: psychotherapy notes. Notwithstanding
any other provision of this subpart, other than transition provisions
provided for in Sec. 164.532, a covered entity must obtain an
authorization for any use or disclosure of psychotherapy notes, except:
    (i) To carry out the following treatment, payment, or health care
operations, consistent with consent requirements in Sec. 164.506:
    (A) Use by originator of the psychotherapy notes for treatment;
    (B) Use or disclosure by the covered entity in training programs in
which students, trainees, or practitioners in mental health learn under
supervision to practice or improve their skills in group, joint,
family, or individual counseling; or
    (C) Use or disclosure by the covered entity to defend a legal
action or other proceeding brought by the individual; and
    (ii) A use or disclosure that is required by Sec. 164.502(a)(2)(ii)
or permitted by Sec. 164.512(a); Sec. 164.512(d) with respect to the
oversight of the originator of the psychotherapy notes;
Sec. 164.512(g)(1); or Sec. 164.512(j)(1)(i).
    (b) Implementation specifications: General requirements.--(1) Valid
authorizations.
    (i) A valid authorization is a document that contains the elements
listed in paragraph (c) and, as applicable, paragraph (d), (e), or (f)
of this section.
    (ii) A valid authorization may contain elements or information in
addition to the elements required by this section, provided that such
additional elements or information are not inconsistent with the
elements required by this section.
    (2) Defective authorizations. An authorization is not valid, if the
document submitted has any of the following defects:
    (i) The expiration date has passed or the expiration event is known
by the covered entity to have occurred;
    (ii) The authorization has not been filled out completely, with
respect to an element described by paragraph (c), (d), (e), or (f) of
this section, if applicable;
    (iii) The authorization is known by the covered entity to have been
revoked;
    (iv) The authorization lacks an element required by paragraph (c),
(d), (e), or (f) of this section, if applicable;
    (v) The authorization violates paragraph (b)(3) of this section, if
applicable;
    (vi) Any material information in the authorization is known by the
covered entity to be false.
    (3) Compound authorizations. An authorization for use or disclosure
of protected health information may not be combined with any other
document to create a compound authorization, except as follows:
    (i) An authorization for the use or disclosure of protected health
information created for research that includes treatment of the
individual may be combined as permitted by Sec. 164.506(b)(4)(ii) or
paragraph (f) of this section;
    (ii) An authorization for a use or disclosure of psychotherapy
notes may only be combined with another authorization for a use or
disclosure of psychotherapy notes;
    (iii) An authorization under this section, other than an
authorization for a use or disclosure of psychotherapy notes, may be
combined with any other such authorization under this section, except
when a covered entity has conditioned the provision of treatment,
payment, enrollment in the health plan, or eligibility for benefits
under paragraph (b)(4) of this section on the provision of one of the
authorizations.
    (4) Prohibition on conditioning of authorizations. A covered entity
may not condition the provision to an individual of treatment, payment,
enrollment in the health plan, or eligibility for benefits on the
provision of an authorization, except:
    (i) A covered health care provider may condition the provision of
research-related treatment on provision of an authorization under
paragraph (f) of this section;
    (ii) A health plan may condition enrollment in the health plan or
eligibility for benefits on provision of an authorization requested by
the health plan prior to an individual's enrollment in the health plan,
if:
    (A) The authorization sought is for the health plan's eligibility
or enrollment determinations relating to the individual or for its
underwriting or risk rating determinations; and
    (B) The authorization is not for a use or disclosure of
psychotherapy notes under paragraph (a)(2) of this section;
    (iii) A health plan may condition payment of a claim for specified
benefits on provision of an authorization under paragraph (e) of this
section, if:
    (A) The disclosure is necessary to determine payment of such claim;
and
    (B) The authorization is not for a use or disclosure of
psychotherapy notes under paragraph (a)(2) of this section; and
    (iv) A covered entity may condition the provision of health care
that is solely for the purpose of creating protected health information
for disclosure to a third party on provision of an authorization for
the disclosure of the protected health information to such third party.
    (5) Revocation of authorizations. An individual may revoke an
authorization provided under this section at any time, provided that
the revocation is in writing, except to the extent that:
    (i) The covered entity has taken action in reliance thereon; or
    (ii) If the authorization was obtained as a condition of obtaining
insurance coverage, other law provides the insurer with the right to
contest a claim under the policy.
    (6) Documentation. A covered entity must document and retain any
signed authorization under this section as required by Sec. 164.530(j).
    (c) Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must
contain at least the following elements:
    (i) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion;

[[Page 82812]]

    (ii) The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use or disclosure;
    (iii) The name or other specific identification of the person(s),
or class of persons, to whom the covered entity may make the requested
use or disclosure;
    (iv) An expiration date or an expiration event that relates to the
individual or the purpose of the use or disclosure;
    (v) A statement of the individual's right to revoke the
authorization in writing and the exceptions to the right to revoke,
together with a description of how the individual may revoke the
authorization;
    (vi) A statement that information used or disclosed pursuant to the
authorization may be subject to redisclosure by the recipient and no
longer be protected by this rule;
    (vii) Signature of the individual and date; and
    (viii) If the authorization is signed by a personal representative
of the individual, a description of such representative's authority to
act for the individual.
    (2) Plain language requirement. The authorization must be written
in plain language.
    (d) Implementation specifications: Authorizations requested by a
covered entity for its own uses and disclosures. If an authorization is
requested by a covered entity for its own use or disclosure of
protected health information that it maintains, the covered entity must
comply with the following requirements.
    (1) Required elements. The authorization for the uses or
disclosures described in this paragraph must, in addition to meeting
the requirements of paragraph (c) of this section, contain the
following elements:
    (i) For any authorization to which the prohibition on conditioning
in paragraph (b)(4) of this section applies, a statement that the
covered entity will not condition treatment, payment, enrollment in the
health plan, or eligibility for benefits on the individual's providing
authorization for the requested use or disclosure;
    (ii) A description of each purpose of the requested use or
disclosure;
    (iii) A statement that the individual may:
    (A) Inspect or copy the protected health information to be used or
disclosed as provided in Sec. 164.524; and
    (B) Refuse to sign the authorization; and
    (iv) If use or disclosure of the requested information will result
in direct or indirect remuneration to the covered entity from a third
party, a statement that such remuneration will result.
    (2) Copy to the individual. A covered entity must provide the
individual with a copy of the signed authorization.
    (e) Implementation specifications: Authorizations requested by a
covered entity for disclosures by others. If an authorization is
requested by a covered entity for another covered entity to disclose
protected health information to the covered entity requesting the
authorization to carry out treatment, payment, or health care
operations, the covered entity requesting the authorization must comply
with the following requirements.
    (1) Required elements. The authorization for the disclosures
described in this paragraph must, in addition to meeting the
requirements of paragraph (c) of this section, contain the following
elements:
    (i) A description of each purpose of the requested disclosure;
    (ii) Except for an authorization on which payment may be
conditioned under paragraph (b)(4)(iii) of this section, a statement
that the covered entity will not condition treatment, payment,
enrollment in the health plan, or eligibility for benefits on the
individual's providing authorization for the requested use or
disclosure; and
    (iii) A statement that the individual may refuse to sign the
authorization.
    (2) Copy to the individual. A covered entity must provide the
individual with a copy of the signed authorization.
    (f) Implementation specifications: Authorizations for uses and
disclosures of protected health information created for research that
includes treatment of the individual.
    (1) Required elements. Except as otherwise permitted by
Sec. 164.512(i), a covered entity that creates protected health
information for the purpose, in whole or in part, of research that
includes treatment of individuals must obtain an authorization for the
use or disclosure of such information. Such authorization must:
    (i) For uses and disclosures not otherwise permitted or required
under this subpart, meet the requirements of paragraphs (c) and (d) of
this section; and
    (ii) Contain:
    (A) A description of the extent to which such protected health
information will be used or disclosed to carry out treatment, payment,
or health care operations;
    (B) A description of any protected health information that will not
be used or disclosed for purposes permitted in accordance with
Secs. 164.510 and 164.512, provided that the covered entity may not
include a limitation affecting its right to make a use or disclosure
that is required by law or permitted by Sec. 164.512(j)(1)(i); and
    (C) If the covered entity has obtained or intends to obtain the
individual's consent under Sec. 164.506, or has provided or intends to
provide the individual with a notice under Sec. 164.520, the
authorization must refer to that consent or notice, as applicable, and
state that the statements made pursuant to this section are binding.
    (2) Optional procedure. An authorization under this paragraph may
be in the same document as:
    (i) A consent to participate in the research;
    (ii) A consent to use or disclose protected health information to
carry out treatment, payment, or health care operations under
Sec. 164.506; or
    (iii) A notice of privacy practices under Sec. 164.520.

Sec. 164.510  Uses and disclosures requiring an opportunity for the
individual to agree or to object.

    A covered entity may use or disclose protected health information
without the written consent or authorization of the individual as
described by Secs. 164.506 and 164.508, respectively, provided that the
individual is informed in advance of the use or disclosure and has the
opportunity to agree to or prohibit or restrict the disclosure in
accordance with the applicable requirements of this section. The
covered entity may orally inform the individual of and obtain the
individual's oral agreement or objection to a use or disclosure
permitted by this section.
    (a) Standard: use and disclosure for facility directories. (1)
Permitted uses and disclosure. Except when an objection is expressed in
accordance with paragraphs (a)(2) or (3) of this section, a covered
health care provider may:
    (i) Use the following protected health information to maintain a
directory of individuals in its facility:
    (A) The individual's name;
    (B) The individual's location in the covered health care provider's
facility;
    (C) The individual's condition described in general terms that does
not communicate specific medical information about the individual; and
    (D) The individual's religious affiliation; and
    (ii) Disclose for directory purposes such information:
    (A) To members of the clergy; or

[[Page 82813]]

    (B) Except for religious affiliation, to other persons who ask for
the individual by name.
    (2) Opportunity to object. A covered health care provider must
inform an individual of the protected health information that it may
include in a directory and the persons to whom it may disclose such
information (including disclosures to clergy of information regarding
religious affiliation) and provide the individual with the opportunity
to restrict or prohibit some or all of the uses or disclosures
permitted by paragraph (a)(1) of this section.
    (3) Emergency circumstances. (i) If the opportunity to object to
uses or disclosures required by paragraph (a)(2) of this section cannot
practicably be provided because of the individual's incapacity or an
emergency treatment circumstance, a covered health care provider may
use or disclose some or all of the protected health information
permitted by paragraph (a)(1) of this section for the facility's
directory, if such disclosure is:
    (A) Consistent with a prior expressed preference of the individual,
if any, that is known to the covered health care provider; and
    (B) In the individual's best interest as determined by the covered
health care provider, in the exercise of professional judgment.
    (ii) The covered health care provider must inform the individual
and provide an opportunity to object to uses or disclosures for
directory purposes as required by paragraph (a)(2) of this section when
it becomes practicable to do so.
    (b) Standard: uses and disclosures for involvement in the
individual's care and notification purposes. (1) Permitted uses and
disclosures. (i) A covered entity may, in accordance with paragraphs
(b)(2) or (3) of this section, disclose to a family member, other
relative, or a close personal friend of the individual, or any other
person identified by the individual, the protected health information
directly relevant to such person's involvement with the individual's
care or payment related to the individual's health care.
    (ii) A covered entity may use or disclose protected health
information to notify, or assist in the notification of (including
identifying or locating), a family member, a personal representative of
the individual, or another person responsible for the care of the
individual of the individual's location, general condition, or death.
Any such use or disclosure of protected health information for such
notification purposes must be in accordance with paragraphs (b)(2),
(3), or (4) of this section, as applicable.
    (2) Uses and disclosures with the individual present. If the
individual is present for, or otherwise available prior to, a use or
disclosure permitted by paragraph (b)(1) of this section and has the
capacity to make health care decisions, the covered entity may use or
disclose the protected health information if it:
    (i) Obtains the individual's agreement;
    (ii) Provides the individual with the opportunity to object to the
disclosure, and the individual does not express an objection; or
    (iii) Reasonably infers from the circumstances, based on the exercise
of professional judgment, that the individual does not object to the
disclosure.
    (3) Limited uses and disclosures when the individual is not
present. If the individual is not present for, or the opportunity to
agree or object to the use or disclosure cannot practicably be provided
because of the individual's incapacity or an emergency circumstance,
the covered entity may, in the exercise of professional judgment,
determine whether the disclosure is in the best interests of the
individual and, if so, disclose only the protected health information
that is directly relevant to the person's involvement with the
individual's health care. A covered entity may use professional
judgment and its experience with common practice to make reasonable
inferences of the individual's best interest in allowing a person to
act on behalf of the individual to pick up filled prescriptions,
medical supplies, X-rays, or other similar forms of protected health
information.
    (4) Use and disclosures for disaster relief purposes. A covered
entity may use or disclose protected health information to a public or
private entity authorized by law or by its charter to assist in
disaster relief efforts, for the purpose of coordinating with such
entities the uses or disclosures permitted by paragraph (b)(1)(ii) of
this section. The requirements in paragraphs (b)(2) and (3) of this
section apply to such uses and disclosure to the extent that the
covered entity, in the exercise of professional judgment, determines
that the requirements do not interfere with the ability to respond to
the emergency circumstances.

Sec. 164.512  Uses and disclosures for which consent, an authorization,
or opportunity to agree or object is not required.

    A covered entity may use or disclose protected health information
without the written consent or authorization of the individual as
described in Secs. 164.506 and 164.508, respectively, or the
opportunity for the individual to agree or object as described in
Sec. 164.510, in the situations covered by this section, subject to the
applicable requirements of this section. When the covered entity is
required by this section to inform the individual of, or when the
individual may agree to, a use or disclosure permitted by this section,
the covered entity's information and the individual's agreement may be
given orally.
    (a) Standard: Uses and disclosures required by law. (1) A covered
entity may use or disclose protected health information to the extent
that such use or disclosure is required by law and the use or
disclosure complies with and is limited to the relevant requirements of
such law.
    (2) A covered entity must meet the requirements described in
paragraph (c), (e), or (f) of this section for uses or disclosures
required by law.
    (b) Standard: uses and disclosures for public health activities.
(1) Permitted disclosures. A covered entity may disclose protected
health information for the public health activities and purposes
described in this paragraph to:
    (i) A public health authority that is authorized by law to collect
or receive such information for the purpose of preventing or
controlling disease, injury, or disability, including, but not limited
to, the reporting of disease, injury, vital events such as birth or
death, and the conduct of public health surveillance, public health
investigations, and public health interventions; or, at the direction
of a public health authority, to an official of a foreign government
agency that is acting in collaboration with a public health authority;
    (ii) A public health authority or other appropriate government
authority authorized by law to receive reports of child abuse or
neglect;
    (iii) A person subject to the jurisdiction of the Food and Drug
Administration:
    (A) To report adverse events (or similar reports with respect to
food or dietary supplements), product defects or problems (including
problems with the use or labeling of a product), or biological product
deviations if the disclosure is made to the person required or directed
to report such information to the Food and Drug Administration;
    (B) To track products if the disclosure is made to a person
required or directed by the Food and Drug Administration to track the
product;
    (C) To enable product recalls, repairs, or replacement (including
locating and

[[Page 82814]]

notifying individuals who have received products of product recalls,
withdrawals, or other problems); or
    (D) To conduct post marketing surveillance to comply with
requirements or at the direction of the Food and Drug Administration;
    (iv) A person who may have been exposed to a communicable disease
or may otherwise be at risk of contracting or spreading a disease or
condition, if the covered entity or public health authority is
authorized by law to notify such person as necessary in the conduct of
a public health intervention or investigation; or
    (v) An employer, about an individual who is a member of the
workforce of the employer, if:
    (A) The covered entity is a covered health care provider who is a
member of the workforce of such employer or who provides health care
to the individual at the request of the employer:
    (1) To conduct an evaluation relating to medical surveillance of
the workplace; or
    (2) To evaluate whether the individual has a work-related illness
or injury;
    (B) The protected health information that is disclosed consists of
findings concerning a work-related illness or injury or a workplace-
related medical surveillance;
    (C) The employer needs such findings in order to comply with its
obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50
through 90, or under state law having a similar purpose, to record such
illness or injury or to carry out responsibilities for workplace
medical surveillance;
    (D) The covered health care provider provides written notice to the
individual that protected health information relating to the medical
surveillance of the workplace and work-related illnesses and injuries
is disclosed to the employer:
    (1) By giving a copy of the notice to the individual at the time
the health care is provided; or
    (2) If the health care is provided on the work site of the
employer, by posting the notice in a prominent place at the location
where the health care is provided.
    (2) Permitted uses. If the covered entity also is a public health
authority, the covered entity is permitted to use protected health
information in all cases in which it is permitted to disclose such
information for public health activities under paragraph (b)(1) of this
section.
    (c) Standard: Disclosures about victims of abuse, neglect or
domestic violence. (1) Permitted disclosures. Except for reports of
child abuse or neglect permitted by paragraph (b)(1)(ii) of this
section, a covered entity may disclose protected health information
about an individual whom the covered entity reasonably believes to be a
victim of abuse, neglect, or domestic violence to a government
authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or
domestic violence:
    (i) To the extent the disclosure is required by law and the
disclosure complies with and is limited to the relevant requirements of
such law;
    (ii) If the individual agrees to the disclosure; or
    (iii) To the extent the disclosure is expressly authorized by
statute or regulation and:
    (A) The covered entity, in the exercise of professional judgment,
believes the disclosure is necessary to prevent serious harm to the
individual or other potential victims; or
    (B) If the individual is unable to agree because of incapacity, a
law enforcement or other public official authorized to receive the
report represents that the protected health information for which
disclosure is sought is not intended to be used against the individual
and that an immediate enforcement activity that depends upon the
disclosure would be materially and adversely affected by waiting until
the individual is able to agree to the disclosure.
    (2) Informing the individual. A covered entity that makes a
disclosure permitted by paragraph (c)(1) of this section must promptly
inform the individual that such a report has been or will be made,
except if:
    (i) The covered entity, in the exercise of professional judgment,
believes informing the individual would place the individual at risk of
serious harm; or
    (ii) The covered entity would be informing a personal
representative, and the covered entity reasonably believes the personal
representative is responsible for the abuse, neglect, or other injury,
and that informing such person would not be in the best interests of
the individual as determined by the covered entity, in the exercise of
professional judgment.
    (d) Standard: Uses and disclosures for health oversight activities.
(1) Permitted disclosures. A covered entity may disclose protected
health information to a health oversight agency for oversight
activities authorized by law, including audits; civil, administrative,
or criminal investigations; inspections; licensure or disciplinary
actions; civil, administrative, or criminal proceedings or actions; or
other activities necessary for appropriate oversight of:
    (i) The health care system;
    (ii) Government benefit programs for which health information is
relevant to beneficiary eligibility;
    (iii) Entities subject to government regulatory programs for which
health information is necessary for determining compliance with program
standards; or
    (iv) Entities subject to civil rights laws for which health
information is necessary for determining compliance.
    (2) Exception to health oversight activities. For the purpose of
the disclosures permitted by paragraph (d)(1) of this section, a health
oversight activity does not include an investigation or other activity
in which the individual is the subject of the investigation or activity
and such investigation or other activity does not arise out of and is
not directly related to:
    (i) The receipt of health care;
    (ii) A claim for public benefits related to health; or
    (iii) Qualification for, or receipt of, public benefits or services
when a patient's health is integral to the claim for public benefits or
services.
    (3) Joint activities or investigations. Notwithstanding paragraph
(d)(2) of this section, if a health oversight activity or investigation
is conducted in conjunction with an oversight activity or investigation
relating to a claim for public benefits not related to health, the
joint activity or investigation is considered a health oversight
activity for purposes of paragraph (d) of this section.
    (4) Permitted uses. If a covered entity also is a health oversight
agency, the covered entity may use protected health information for
health oversight activities as permitted by paragraph (d) of this
section.
    (e) Standard: Disclosures for judicial and administrative
proceedings.
    (1) Permitted disclosures. A covered entity may disclose protected
health information in the course of any judicial or administrative
proceeding:
    (i) In response to an order of a court or administrative tribunal,
provided that the covered entity discloses only the protected health
information expressly authorized by such order; or
    (ii) In response to a subpoena, discovery request, or other lawful
process, that is not accompanied by an order of a court or
administrative tribunal, if:
    (A) The covered entity receives satisfactory assurance, as
described in paragraph (e)(1)(iii) of this section, from the party
seeking the information that reasonable efforts have been made by

[[Page 82815]]

such party to ensure that the individual who is the subject of the
protected health information that has been requested has been given
notice of the request; or
    (B) The covered entity receives satisfactory assurance, as
described in paragraph (e)(1)(iv) of this section, from the party
seeking the information that reasonable efforts have been made by such
party to secure a qualified protective order that meets the
requirements of paragraph (e)(1)(v) of this section.
    (iii) For the purposes of paragraph (e)(1)(ii)(A) of this section,
a covered entity receives satisfactory assurances from a party seeking
protected health information if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that:
    (A) The party requesting such information has made a good faith
attempt to provide written notice to the individual (or, if the
individual's location is unknown, to mail a notice to the individual's
last known address);
    (B) The notice included sufficient information about the litigation
or proceeding in which the protected health information is requested to
permit the individual to raise an objection to the court or
administrative tribunal; and
    (C) The time for the individual to raise objections to the court or
administrative tribunal has elapsed, and:
    (1) No objections were filed; or
    (2) All objections filed by the individual have been resolved by
the court or the administrative tribunal and the disclosures being
sought are consistent with such resolution.
    (iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a
covered entity receives satisfactory assurances from a party seeking
protected health information, if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that:
    (A) The parties to the dispute giving rise to the request for
information have agreed to a qualified protective order and have
presented it to the court or administrative tribunal with jurisdiction
over the dispute; or
    (B) The party seeking the protected health information has
requested a qualified protective order from such court or
administrative tribunal.
    (v) For purposes of paragraph (e)(1) of this section, a qualified
protective order means, with respect to protected health information
requested under paragraph (e)(1)(ii) of this section, an order of a
court or of an administrative tribunal or a stipulation by the parties
to the litigation or administrative proceeding that:
    (A) Prohibits the parties from using or disclosing the protected
health information for any purpose other than the litigation or
proceeding for which such information was requested; and
    (B) Requires the return to the covered entity or destruction of the
protected health information (including all copies made) at the end of
the litigation or proceeding.
    (vi) Notwithstanding paragraph (e)(1)(ii) of this section, a
covered entity may disclose protected health information in response to
lawful process described in paragraph (e)(1)(ii) of this section
without receiving satisfactory assurance under paragraph (e)(1)(ii)(A)
or (B) of this section, if the covered entity makes reasonable efforts
to provide notice to the individual sufficient to meet the requirements
of paragraph (e)(1)(iii) of this section or to seek a qualified
protective order sufficient to meet the requirements of paragraph
(e)(1)(iv) of this section.
    (2) Other uses and disclosures under this section. The provisions
of this paragraph do not supersede other provisions of this section
that otherwise permit or restrict uses or disclosures of protected
health information.
    (f) Standard: Disclosures for law enforcement purposes. A covered
entity may disclose protected health information for a law enforcement
purpose to a law enforcement official if the conditions in paragraphs
(f)(1) through (f)(6) of this section are met, as applicable.
    (1) Permitted disclosures: Pursuant to process and as otherwise
required by law. A covered entity may disclose protected health
information:
    (i) As required by law including laws that require the reporting of
certain types of wounds or other physical injuries, except for laws
subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
    (ii) In compliance with and as limited by the relevant requirements
of:
    (A) A court order or court-ordered warrant, or a subpoena or
summons issued by a judicial officer;
    (B) A grand jury subpoena; or
    (C) An administrative request, including an administrative subpoena
or summons, a civil or an authorized investigative demand, or similar
process authorized under law, provided that:
    (1) The information sought is relevant and material to a legitimate
law enforcement inquiry;
    (2) The request is specific and limited in scope to the extent
reasonably practicable in light of the purpose for which the
information is sought; and
    (3) De-identified information could not reasonably be used.
    (2) Permitted disclosures: Limited information for identification
and location purposes. Except for disclosures required by law as
permitted by paragraph (f)(1) of this section, a covered entity may
disclose protected health information in response to a law enforcement
official's request for such information for the purpose of identifying
or locating a suspect, fugitive, material witness, or missing person,
provided that:
    (i) The covered entity may disclose only the following information:
    (A) Name and address;
    (B) Date and place of birth;
    (C) Social security number;
    (D) ABO blood type and rh factor;
    (E) Type of injury;
    (F) Date and time of treatment;
    (G) Date and time of death, if applicable; and
    (H) A description of distinguishing physical characteristics,
including height, weight, gender, race, hair and eye color, presence or
absence of facial hair (beard or moustache), scars, and tattoos.
    (ii) Except as permitted by paragraph (f)(2)(i) of this section,
the covered entity may not disclose for the purposes of identification
or location under paragraph (f)(2) of this section any protected health
information related to the individual's DNA or DNA analysis, dental
records, or typing, samples or analysis of body fluids or tissue.
    (3) Permitted disclosure: Victims of a crime. Except for
disclosures required by law as permitted by paragraph (f)(1) of this
section, a covered entity may disclose protected health information in
response to a law enforcement official's request for such information
about an individual who is or is suspected to be a victim of a crime,
other than disclosures that are subject to paragraph (b) or (c) of this
section, if:
    (ii) The individual agrees to the disclosure; or
    (iii) The covered entity is unable to obtain the individual's
agreement because of incapacity or other emergency circumstance,
provided that:
    (A) The law enforcement official represents that such information
is needed to determine whether a violation of law by a person other
than the victim has occurred, and such information is not intended to
be used against the victim;
    (B) The law enforcement official represents that immediate law
enforcement activity that depends upon the disclosure would be
materially and

[[Page 82816]]

adversely affected by waiting until the individual is able to agree to
the disclosure; and
    (C) The disclosure is in the best interests of the individual as
determined by the covered entity, in the exercise of professional
judgment.
    (4) Permitted disclosure: Decedents. A covered entity may disclose
protected health information about an individual who has died to a law
enforcement official for the purpose of alerting law enforcement of the
death of the individual if the covered entity has a suspicion that such
death may have resulted from criminal conduct.
    (5) Permitted disclosure: Crime on premises. A covered entity may
disclose to a law enforcement official protected health information
that the covered entity believes in good faith constitutes evidence of
criminal conduct that occurred on the premises of the covered entity.
    (6) Permitted disclosure: Reporting crime in emergencies. (i) A
covered health care provider providing emergency health care in
response to a medical emergency, other than such emergency on the
premises of the covered health care provider, may disclose protected
health information to a law enforcement official if such disclosure
appears necessary to alert law enforcement to:
    (A) The commission and nature of a crime;
    (B) The location of such crime or of the victim(s) of such crime;
and
    (C) The identity, description, and location of the perpetrator of
such crime.
    (ii) If a covered health care provider believes that the medical
emergency described in paragraph (f)(6)(i) of this section is the
result of abuse, neglect, or domestic violence of the individual in
need of emergency health care, paragraph (f)(6)(i) of this section does
not apply and any disclosure to a law enforcement official for law
enforcement purposes is subject to paragraph (c) of this section.
    (g) Standard: Uses and disclosures about decedents. (1) Coroners
and medical examiners. A covered entity may disclose protected health
information to a coroner or medical examiner for the purpose of
identifying a deceased person, determining a cause of death, or other
duties as authorized by law. A covered entity that also performs the
duties of a coroner or medical examiner may use protected health
information for the purposes described in this paragraph.
    (2) Funeral directors. A covered entity may disclose protected
health information to funeral directors, consistent with applicable
law, as necessary to carry out their duties with respect to the
decedent. If necessary for funeral directors to carry out their duties,
the covered entity may disclose the protected health information prior
to, and in reasonable anticipation of, the individual's death.
    (h) Standard: Uses and disclosures for cadaveric organ, eye or
tissue donation purposes. A covered entity may use or disclose
protected health information to organ procurement organizations or
other entities engaged in the procurement, banking, or transplantation
of cadaveric organs, eyes, or tissue for the purpose of facilitating
organ, eye or tissue donation and transplantation.
    (i) Standard: Uses and disclosures for research purposes. (1)
Permitted uses and disclosures. A covered entity may use or disclose
protected health information for research, regardless of the source of
funding of the research, provided that:
    (i) Board approval of a waiver of authorization. The covered entity
obtains documentation that an alteration to or waiver, in whole or in
part, of the individual authorization required by Sec. 164.508 for use
or disclosure of protected health information has been approved by
either:
    (A) An Institutional Review Board (IRB), established in accordance
with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16
CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR
46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45
CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
    (B) A privacy board that:
    (1) Has members with varying backgrounds and appropriate
professional competency as necessary to review the effect of the
research protocol on the individual's privacy rights and related
interests;
    (2) Includes at least one member who is not affiliated with the
covered entity, not affiliated with any entity conducting or sponsoring
the research, and not related to any person who is affiliated with any
of such entities; and
    (3) Does not have any member participating in a review of any
project in which the member has a conflict of interest.
    (ii) Reviews preparatory to research. The covered entity obtains
from the researcher representations that:
    (A) Use or disclosure is sought solely to review protected health
information as necessary to prepare a research protocol or for similar
purposes preparatory to research;
    (B) No protected health information is to be removed from the
covered entity by the researcher in the course of the review; and
    (C) The protected health information for which use or access is
sought is necessary for the research purposes.
    (iii) Research on decedent's information. The covered entity
obtains from the researcher:
    (A) Representation that the use or disclosure sought is solely
for research on the protected health information of decedents;
    (B) Documentation, at the request of the covered entity, of the
death of such individuals; and
    (C) Representation that the protected health information for which
use or disclosure is sought is necessary for the research purposes.
    (2) Documentation of waiver approval. For a use or disclosure to be
permitted based on documentation of approval of an alteration or
waiver, under paragraph (i)(1)(i) of this section, the documentation
must include all of the following:
    (i) Identification and date of action. A statement identifying the
IRB or privacy board and the date on which the alteration or waiver of
authorization was approved;
    (ii) Waiver criteria. A statement that the IRB or privacy board has
determined that the alteration or waiver, in whole or in part, of
authorization satisfies the following criteria:
    (A) The use or disclosure of protected health information involves
no more than minimal risk to the individuals;
    (B) The alteration or waiver will not adversely affect the privacy
rights and the welfare of the individuals;
    (C) The research could not practicably be conducted without the
alteration or waiver;
    (D) The research could not practicably be conducted without access
to and use of the protected health information;
    (E) The privacy risks to individuals whose protected health
information is to be used or disclosed are reasonable in relation to
the anticipated benefits if any to the individuals, and the importance
of the knowledge that may reasonably be expected to result from the
research;
    (F) There is an adequate plan to protect the identifiers from
improper use and disclosure;
    (G) There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with conduct of the research, unless
there is a health or research justification for retaining the
identifiers, or such retention is otherwise required by law; and
    (H) There are adequate written assurances that the protected health

[[Page 82817]]

information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the
research project, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart.
    (iii) Protected health information needed. A brief description of
the protected health information for which use or access has been
determined to be necessary by the IRB or privacy board,
pursuant to paragraph (i)(2)(ii)(D) of this section;
    (iv) Review and approval procedures. A statement that the
alteration or waiver of authorization has been reviewed and approved
under either normal or expedited review procedures, as follows:
    (A) An IRB must follow the requirements of the Common Rule,
including the normal review procedures (7 CFR 1c.108(b), 10 CFR
745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b),
21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR
46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40
CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR
11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR
745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR
56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110,
34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45 CFR
690.110, or 49 CFR 11.110);
    (B) A privacy board must review the proposed research at convened
meetings at which a majority of the privacy board members are present,
including at least one member who satisfies the criterion stated in
paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver
of authorization must be approved by the majority of the privacy board
members present at the meeting, unless the privacy board elects to use
an expedited review procedure in accordance with paragraph
(i)(2)(iv)(C) of this section;
    (C) A privacy board may use an expedited review procedure if the
research involves no more than minimal risk to the privacy of the
individuals who are the subject of the protected health information for
which use or disclosure is being sought. If the privacy board elects to
use an expedited review procedure, the review and approval of the
alteration or waiver of authorization may be carried out by the chair
of the privacy board, or by one or more members of the privacy board as
designated by the chair; and
    (v) Required signature. The documentation of the alteration or
waiver of authorization must be signed by the chair or other member, as
designated by the chair, of the IRB or the privacy board, as
applicable.
    (j) Standard: Uses and disclosures to avert a serious threat to
health or safety. (1) Permitted disclosures. A covered entity may,
consistent with applicable law and standards of ethical conduct, use or
disclose protected health information, if the covered entity, in good
faith, believes the use or disclosure:
    (i)(A) Is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public; and
    (B) Is to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat; or
    (ii) Is necessary for law enforcement authorities to identify or
apprehend an individual:
    (A) Because of a statement by an individual admitting participation
in a violent crime that the covered entity reasonably believes may have
caused serious physical harm to the victim; or
    (B) Where it appears from all the circumstances that the individual
has escaped from a correctional institution or from lawful custody, as
those terms are defined in Sec. 164.501.
    (2) Use or disclosure not permitted. A use or disclosure pursuant
to paragraph (j)(1)(ii)(A) of this section may not be made if the
information described in paragraph (j)(1)(ii)(A) of this section is
learned by the covered entity:
    (i) In the course of treatment to affect the propensity to commit
the criminal conduct that is the basis for the disclosure under
paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or
    (ii) Through a request by the individual to initiate or to be
referred for the treatment, counseling, or therapy described in
paragraph (j)(2)(i) of this section.
    (3) Limit on information that may be disclosed. A disclosure made
pursuant to paragraph (j)(1)(ii)(A) of this section shall contain only
the statement described in paragraph (j)(1)(ii)(A) of this section and
the protected health information described in paragraph (f)(2)(i) of
this section.
    (4) Presumption of good faith belief. A covered entity that uses or
discloses protected health information pursuant to paragraph (j)(1) of
this section is presumed to have acted in good faith with regard to a
belief described in paragraph (j)(1)(i) or (ii) of this section, if the
belief is based upon the covered entity's actual knowledge or in
reliance on a credible representation by a person with apparent
knowledge or authority.
    (k) Standard: Uses and disclosures for specialized government
functions. (1) Military and veterans activities. (i) Armed Forces
personnel. A covered entity may use and disclose the protected health
information of individuals who are Armed Forces personnel for
activities deemed necessary by appropriate military command authorities
to assure the proper execution of the military mission, if the
appropriate military authority has published by notice in the Federal
Register the following information:
    (A) Appropriate military command authorities; and
    (B) The purposes for which the protected health information may be
used or disclosed.
    (ii) Separation or discharge from military service. A covered
entity that is a component of the Departments of Defense or
Transportation may disclose to the Department of Veterans Affairs (DVA)
the protected health information of an individual who is a member of
the Armed Forces upon the separation or discharge of the individual
from military service for the purpose of a determination by DVA of the
individual's eligibility for or entitlement to benefits under laws
administered by the Secretary of Veterans Affairs.
    (iii) Veterans. A covered entity that is a component of the
Department of Veterans Affairs may use and disclose protected health
information to components of the Department that determine eligibility
for or entitlement to, or that provide, benefits under the laws
administered by the Secretary of Veterans Affairs.
    (iv) Foreign military personnel. A covered entity may use and
disclose the protected health information of individuals who are
foreign military personnel to their appropriate foreign military
authority for the same purposes for which uses and disclosures are
permitted for Armed Forces personnel under the notice published in the
Federal Register pursuant to paragraph (k)(1)(i) of this section.
    (2) National security and intelligence activities. A covered entity
may disclose protected health information to authorized federal
officials for the conduct of lawful intelligence, counter-intelligence,
and other national security activities authorized by the National
Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g.,
Executive Order 12333).
    (3) Protective services for the President and others. A covered
entity may disclose protected health

[[Page 82818]]

information to authorized federal officials for the provision of
protective services to the President or other persons authorized by 18
U.S.C. 3056, or to foreign heads of state or other persons authorized
by 22 U.S.C. 2709(a)(3), or for the conduct of investigations
authorized by 18 U.S.C. 871 and 879.
    (4) Medical suitability determinations. A covered entity that is a
component of the Department of State may use protected health
information to make medical suitability determinations and may disclose
whether or not the individual was determined to be medically suitable
to the officials in the Department of State who need access to such
information for the following purposes:
    (i) For the purpose of a required security clearance conducted
pursuant to Executive Orders 10450 and 12698;
    (ii) As necessary to determine worldwide availability or
availability for mandatory service abroad under sections 101(a)(4) and
504 of the Foreign Service Act; or
    (iii) For a family to accompany a Foreign Service member abroad,
consistent with sections 101(b)(5) and 904 of the Foreign Service Act.
    (5) Correctional institutions and other law enforcement custodial
situations. (i) Permitted disclosures. A covered entity may disclose to
a correctional institution or a law enforcement official having lawful
custody of an inmate or other individual protected health information
about such inmate or individual, if the correctional institution or
such law enforcement official represents that such protected health
information is necessary for:
    (A) The provision of health care to such individuals;
    (B) The health and safety of such individual or other inmates;
    (C) The health and safety of the officers or employees of or others
at the correctional institution;
    (D) The health and safety of such individuals and officers or other
persons responsible for the transporting of inmates or their transfer
from one institution, facility, or setting to another;
    (E) Law enforcement on the premises of the correctional
institution; and
    (F) The administration and maintenance of the safety, security, and
good order of the correctional institution.
    (ii) Permitted uses. A covered entity that is a correctional
institution may use protected health information of individuals who are
inmates for any purpose for which such protected health information may
be disclosed.
    (iii) No application after release. For the purposes of this
provision, an individual is no longer an inmate when released on
parole, probation, supervised release, or otherwise is no longer in
lawful custody.
    (6) Covered entities that are government programs providing public
benefits. (i) A health plan that is a government program providing
public benefits may disclose protected health information relating to
eligibility for or enrollment in the health plan to another agency
administering a government program providing public benefits if the
sharing of eligibility or enrollment information among such government
agencies or the maintenance of such information in a single or combined
data system accessible to all such government agencies is required or
expressly authorized by statute or regulation.
    (ii) A covered entity that is a government agency administering a
government program providing public benefits may disclose protected
health information relating to the program to another covered entity
that is a government agency administering a government program
providing public benefits if the programs serve the same or similar
populations and the disclosure of protected health information is
necessary to coordinate the covered functions of such programs or to
improve administration and management relating to the covered functions
of such programs.
    (l) Standard: Disclosures for workers' compensation. A covered
entity may disclose protected health information as authorized by and
to the extent necessary to comply with laws relating to workers'
compensation or other similar programs, established by law, that
provide benefits for work-related injuries or illness without regard to
fault.

Sec. 164.514  Other requirements relating to uses and disclosures of
protected health information.

    (a) Standard: de-identification of protected health information.
Health information that does not identify an individual and with
respect to which there is no reasonable basis to believe that the
information can be used to identify an individual is not individually
identifiable health information.
    (b) Implementation specifications: requirements for
de-identification of protected health information. A covered entity may
determine that health information is not individually identifiable
health information only if:
    (1) A person with appropriate knowledge of and experience with
generally accepted statistical and scientific principles and methods
for rendering information not individually identifiable:
    (i) Applying such principles and methods, determines that the risk
is very small that the information could be used, alone or in
combination with other reasonably available information, by an
anticipated recipient to identify an individual who is a subject of the
information; and
    (ii) Documents the methods and results of the analysis that justify
such determination; or
    (2)(i) The following identifiers of the individual or of relatives,
employers, or household members of the individual, are removed:
    (A) Names;
    (B) All geographic subdivisions smaller than a State, including
street address, city, county, precinct, zip code, and their equivalent
geocodes, except for the initial three digits of a zip code if,
according to the current publicly available data from the Bureau of the
Census:
    (1) The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000 people; and
    (2) The initial three digits of a zip code for all such geographic
units containing 20,000 or fewer people is changed to 000.
    (C) All elements of dates (except year) for dates directly related
to an individual, including birth date, admission date, discharge date,
date of death; and all ages over 89 and all elements of dates
(including year) indicative of such age, except that such ages and
elements may be aggregated into a single category of age 90 or older;
    (D) Telephone numbers;
    (E) Fax numbers;
    (F) Electronic mail addresses;
    (G) Social security numbers;
    (H) Medical record numbers;
    (I) Health plan beneficiary numbers;
    (J) Account numbers;
    (K) Certificate/license numbers;
    (L) Vehicle identifiers and serial numbers, including license plate
numbers;
    (M) Device identifiers and serial numbers;
    (N) Web Universal Resource Locators (URLs);
    (O) Internet Protocol (IP) address numbers;
    (P) Biometric identifiers, including finger and voice prints;
    (Q) Full face photographic images and any comparable images; and
    (R) Any other unique identifying number, characteristic, or code;
and

[[Page 82819]]

    (ii) The covered entity does not have actual knowledge that the
information could be used alone or in combination with other
information to identify an individual who is a subject of the
information.
    (c) Implementation specifications: re-identification. A covered
entity may assign a code or other means of record identification to
allow information de-identified under this section to be re-identified
by the covered entity, provided that:
    (1) Derivation. The code or other means of record identification is
not derived from or related to information about the individual and is
not otherwise capable of being translated so as to identify the
individual; and
    (2) Security. The covered entity does not use or disclose the code
or other means of record identification for any other purpose, and does
not disclose the mechanism for re-identification.
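
Added example, not part of the rule text: Python code applying the identifier-removal method of paragraph (b)(2)(i) (ZIP code and date generalization, aggregation of ages over 89) and assigning a re-identification code under paragraph (c) that is random rather than derived from the record. The field names, the allow-list and the ZIP populations are constructed assumptions; the population figures are not Census data.

```python
import secrets
from datetime import date

# Constructed populations per 3-digit ZIP unit (illustrative, NOT Census data).
ZIP3_POPULATION = {"100": 1_500_000, "036": 12_000, "945": 800_000}

# Allow-list of hypothetical fields released unchanged. Anything not listed
# (name, SSN, phone, e-mail, IP address, free text, ...) is dropped, which
# also covers fields nobody classified under (b)(2)(i)(R).
PASS_THROUGH = {"diagnosis_code", "sex"}
DATE_FIELDS = ("admission_date", "discharge_date")


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """(b)(2)(i)(B): keep the first three digits only when that unit holds
    more than 20,000 people; otherwise (or if unknown) release 000."""
    prefix = str(zip_code)[:3]
    return prefix if populations.get(prefix, 0) > 20_000 else "000"


def age_on(birth, as_of):
    """Age in completed years on the reference date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record, as_of, populations=ZIP3_POPULATION):
    """Return a copy of `record` with the (b)(2)(i) identifiers removed."""
    out = {k: v for k, v in record.items() if k in PASS_THROUGH}
    if record.get("zip"):
        out["zip3"] = generalize_zip(record["zip"], populations)
    # (b)(2)(i)(C): only the year of a date may remain.
    for field in DATE_FIELDS:
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, as_of)
        if age > 89:
            # Ages over 89 collapse into one category and the birth year,
            # which would reveal the age, is withheld as well.
            out["age"] = "90+"
        else:
            out["age"] = age
            out["birth_year"] = birth.year
    return out


def release(records, as_of, populations=ZIP3_POPULATION):
    """De-identify records and attach a code per paragraph (c).

    The code comes from a CSPRNG, so it is not derived from or related to
    the individual (no hash of the MRN, no initials, no dates). The key
    table mapping code -> MRN is returned separately for the covered
    entity to keep; it is not part of the released data."""
    released, key_table = [], {}
    for rec in records:
        code = secrets.token_hex(16)
        key_table[code] = rec["mrn"]
        released.append({"record_code": code,
                         **deidentify(rec, as_of, populations)})
    return released, key_table


# Constructed sample input.
AS_OF = date(2000, 12, 28)
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Alex Example", "ssn": "000-00-0000",
     "zip": "10027", "birth_date": date(1950, 6, 15),
     "admission_date": date(2000, 11, 3), "discharge_date": date(2000, 11, 9),
     "diagnosis_code": "J18.9", "sex": "F", "notes": "call daughter at home"},
    {"mrn": "MRN-0002", "name": "Sam Sample", "email": "sam@example.invalid",
     "zip": "03601", "birth_date": date(1905, 3, 2),
     "admission_date": date(2000, 12, 1), "discharge_date": None,
     "diagnosis_code": "I10", "sex": "M"},
]

if __name__ == "__main__":
    rows, keys = release(SAMPLE_RECORDS, AS_OF)
    for row in rows:
        print(row)
```

The key table is what paragraph (c)(2) calls the mechanism for re-identification, so it stays with the covered entity and is never shipped with the released rows.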
    (d)(1) Standard: minimum necessary requirements. A covered entity
must reasonably ensure that the standards, requirements, and
implementation specifications of Sec. 164.502(b) and this section
relating to a request for or the use and disclosure of the minimum
necessary protected health information are met.
    (2) Implementation specifications: minimum necessary uses of
protected health information. (i) A covered entity must identify:
    (A) Those persons or classes of persons, as appropriate, in its
workforce who need access to protected health information to carry out
their duties; and
    (B) For each such person or class of persons, the category or
categories of protected health information to which access is needed
and any conditions appropriate to such access.
    (ii) A covered entity must make reasonable efforts to limit the
access of such persons or classes identified in paragraph (d)(2)(i)(A)
of this section to protected health information consistent with
paragraph (d)(2)(i)(B) of this section.
    (3) Implementation specification: Minimum necessary disclosures of
protected health information. (i) For any type of disclosure that it
makes on a routine and recurring basis, a covered entity must implement
policies and procedures (which may be standard protocols) that limit
the protected health information disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure.
    (ii) For all other disclosures, a covered entity must:
    (A) Develop criteria designed to limit the protected health
information disclosed to the information reasonably necessary to
accomplish the purpose for which disclosure is sought; and
    (B) Review requests for disclosure on an individual basis in
accordance with such criteria.
    (iii) A covered entity may rely, if such reliance is reasonable
under the circumstances, on a requested disclosure as the minimum
necessary for the stated purpose when:
    (A) Making disclosures to public officials that are permitted under
Sec. 164.512, if the public official represents that the information
requested is the minimum necessary for the stated purpose(s);
    (B) The information is requested by another covered entity;
    (C) The information is requested by a professional who is a member
of its workforce or is a business associate of the covered entity for
the purpose of providing professional services to the covered entity,
if the professional represents that the information requested is the
minimum necessary for the stated purpose(s); or
    (D) Documentation or representations that comply with the
applicable requirements of Sec. 164.512(i) have been provided by a
person requesting the information for research purposes.
    (4) Implementation specifications: Minimum necessary requests for
protected health information. (i) A covered entity must limit any
request for protected health information to that which is reasonably
necessary to accomplish the purpose for which the request is made, when
requesting such information from other covered entities.
    (ii) For a request that is made on a routine and recurring basis, a
covered entity must implement policies and procedures (which may be
standard protocols) that limit the protected health information
requested to the amount reasonably necessary to accomplish the purpose
for which the request is made.
    (iii) For all other requests, a covered entity must review the
request on an individual basis to determine that the protected health
information sought is limited to the information reasonably necessary
to accomplish the purpose for which the request is made.
    (5) Implementation specification: Other content requirement. For
all uses, disclosures, or requests to which the requirements in
paragraph (d) of this section apply, a covered entity may not use,
disclose or request an entire medical record, except when the entire
medical record is specifically justified as the amount that is
reasonably necessary to accomplish the purpose of the use, disclosure,
or request.
    (e)(1) Standard: Uses and disclosures of protected health
information for marketing. A covered entity may not use or disclose
protected health information for marketing without an authorization
that meets the applicable requirements of Sec. 164.508, except as
provided for by paragraph (e)(2) of this section.
    (2) Implementation specifications: Requirements relating to
marketing. (i) A covered entity is not required to obtain an
authorization under Sec. 164.508 when it uses or discloses protected
health information to make a marketing communication to an individual
that:
    (A) Occurs in a face-to-face encounter with the individual;
    (B) Concerns products or services of nominal value; or
    (C) Concerns the health-related products and services of the
covered entity or of a third party and the communication meets the
applicable conditions in paragraph (e)(3) of this section.
    (ii) A covered entity may disclose protected health information for
purposes of such communications only to a business associate that
assists the covered entity with such communications.
    (3) Implementation specifications: Requirements for certain
marketing communications. For a marketing communication to qualify
under paragraph (e)(2)(i) of this section, the following conditions
must be met:
    (i) The communication must:
    (A) Identify the covered entity as the party making the
communication;
    (B) If the covered entity has received or will receive direct or
indirect remuneration for making the communication, prominently state
that fact; and
    (C) Except when the communication is contained in a newsletter or
similar type of general communication device that the covered entity
distributes to a broad cross-section of patients, enrollees, or other
broad groups of individuals, contain instructions describing how the
individual may opt out of receiving future such communications.
    (ii) If the covered entity uses or discloses protected health
information to target the communication to individuals based on their
health status or condition:
    (A) The covered entity must make a determination prior to making
the communication that the product or service being marketed may be
beneficial to the health of the type or class of individual targeted;
and
    (B) The communication must explain why the individual has been
targeted

[[Page 82820]]

and how the product or service relates to the health of the individual.
    (iii) The covered entity must make reasonable efforts to ensure
that individuals who decide to opt out of receiving future marketing
communications, under paragraph (e)(3)(i)(C) of this section, are not
sent such communications.
    (f)(1) Standard: Uses and disclosures for fundraising. A covered
entity may use, or disclose to a business associate or to an
institutionally related foundation, the following protected health
information for the purpose of raising funds for its own benefit,
without an authorization meeting the requirements of Sec. 164.508:
    (i) Demographic information relating to an individual; and
    (ii) Dates of health care provided to an individual.
    (2) Implementation specifications: Fundraising requirements. (i)
The covered entity may not use or disclose protected health information
for fundraising purposes as otherwise permitted by paragraph (f)(1) of
this section unless a statement required by Sec. 164.520(b)(1)(iii)(B)
is included in the covered entity's notice;
    (ii) The covered entity must include in any fundraising materials
it sends to an individual under this paragraph a description of how the
individual may opt out of receiving any further fundraising
communications.
    (iii) The covered entity must make reasonable efforts to ensure
that individuals who decide to opt out of receiving future fundraising
communications are not sent such communications.
    (g) Standard: Uses and disclosures for underwriting and related
purposes. If a health plan receives protected health information for the
purpose of underwriting, premium rating, or other activities relating
to the creation, renewal, or replacement of a contract of health
insurance or health benefits, and if such health insurance or health
benefits are not placed with the health plan, such health plan may not
use or disclose such protected health information for any other
purpose, except as may be required by law.
    (h)(1) Standard: Verification requirements. Prior to any disclosure
permitted by this subpart, a covered entity must:
    (i) Except with respect to disclosures under Sec. 164.510, verify
the identity of a person requesting protected health information and
the authority of any such person to have access to protected health
information under this subpart, if the identity or any such authority
of such person is not known to the covered entity; and
    (ii) Obtain any documentation, statements, or representations,
whether oral or written, from the person requesting the protected
health information when such documentation, statement, or
representation is a condition of the disclosure under this subpart.
    (2) Implementation specifications: Verification. (i) Conditions on
disclosures. If a disclosure is conditioned by this subpart on
particular documentation, statements, or representations from the
person requesting the protected health information, a covered entity
may rely, if such reliance is reasonable under the circumstances, on
documentation, statements, or representations that, on their face, meet
the applicable requirements.
    (A) The conditions in Sec. 164.512(f)(1)(ii)(C) may be satisfied by
the administrative subpoena or similar process or by a separate written
statement that, on its face, demonstrates that the applicable
requirements have been met.
    (B) The documentation required by Sec. 164.512(i)(2) may be
satisfied by one or more written statements, provided that each is
appropriately dated and signed in accordance with Sec. 164.512(i)(2)(i)
and (v).
    (ii) Identity of public officials. A covered entity may rely, if
such reliance is reasonable under the circumstances, on any of the
following to verify identity when the disclosure of protected health
information is to a public official or a person acting on behalf of the
public official:
    (A) If the request is made in person, presentation of an agency
identification badge, other official credentials, or other proof of
government status;
    (B) If the request is in writing, the request is on the appropriate
government letterhead; or
    (C) If the disclosure is to a person acting on behalf of a public
official, a written statement on appropriate government letterhead that
the person is acting under the government's authority or other evidence
or documentation of agency, such as a contract for services, memorandum
of understanding, or purchase order, that establishes that the person
is acting on behalf of the public official.
    (iii) Authority of public officials. A covered entity may rely, if
such reliance is reasonable under the circumstances, on any of the
following to verify authority when the disclosure of protected health
information is to a public official or a person acting on behalf of the
public official:
    (A) A written statement of the legal authority under which the
information is requested, or, if a written statement would be
impracticable, an oral statement of such legal authority;
    (B) If a request is made pursuant to legal process, warrant,
subpoena, order, or other legal process issued by a grand jury or a
judicial or administrative tribunal, it is presumed to constitute legal
authority.
    (iv) Exercise of professional judgment. The verification
requirements of this paragraph are met if the covered entity relies on
the exercise of professional judgment in making a use or disclosure in
accordance with Sec. 164.510 or acts on a good faith belief in making a
disclosure in accordance with Sec. 164.512(j).

Sec. 164.520  Notice of privacy practices for protected health
information.

    (a) Standard: notice of privacy practices. (1) Right to notice.
Except as provided by paragraph (a)(2) or (3) of this section, an
individual has a right to adequate notice of the uses and disclosures
of protected health information that may be made by the covered entity,
and of the individual's rights and the covered entity's legal duties
with respect to protected health information.
    (2) Exception for group health plans. (i) An individual enrolled in
a group health plan has a right to notice:
    (A) From the group health plan, if, and to the extent that, such an
individual does not receive health benefits under the group health plan
through an insurance contract with a health insurance issuer or HMO; or
    (B) From the health insurance issuer or HMO with respect to the
group health plan through which such individuals receive their health
benefits under the group health plan.
    (ii) A group health plan that provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and that creates or receives protected health information in addition
to summary health information as defined in Sec. 164.504(a) or
information on whether the individual is participating in the group
health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan, must:
    (A) Maintain a notice under this section; and
    (B) Provide such notice upon request to any person. The provisions
of paragraph (c)(1) of this section do not apply to such group health
plan.

[[Page 82821]]

    (iii) A group health plan that provides health benefits solely
through an insurance contract with a health insurance issuer or HMO,
and does not create or receive protected health information other than
summary health information as defined in Sec. 164.504(a) or information
on whether an individual is participating in the group health plan, or
is enrolled in or has disenrolled from a health insurance issuer or HMO
offered by the plan, is not required to maintain or provide a notice
under this section.
    (3) Exception for inmates. An inmate does not have a right to
notice under this section, and the requirements of this section do not
apply to a correctional institution that is a covered entity.
    (b) Implementation specifications: content of notice.
    (1) Required elements. The covered entity must provide a notice
that is written in plain language and that contains the elements
required by this paragraph.
    (i) Header. The notice must contain the following statement as a
header or otherwise prominently displayed: ``THIS NOTICE DESCRIBES HOW
MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN
GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.''
    (ii) Uses and disclosures. The notice must contain:
    (A) A description, including at least one example, of the types of
uses and disclosures that the covered entity is permitted by this
subpart to make for each of the following purposes: treatment, payment,
and health care operations.
    (B) A description of each of the other purposes for which the
covered entity is permitted or required by this subpart to use or
disclose protected health information without the individual's written
consent or authorization.
    (C) If a use or disclosure for any purpose described in paragraphs
(b)(1)(ii)(A) or (B) of this section is prohibited or materially
limited by other applicable law, the description of such use or
disclosure must reflect the more stringent law as defined in
Sec. 160.202 of this subchapter.
    (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of
this section, the description must include sufficient detail to place
the individual on notice of the uses and disclosures that are permitted
or required by this subpart and other applicable law.
    (E) A statement that other uses and disclosures will be made only
with the individual's written authorization and that the individual may
revoke such authorization as provided by Sec. 164.508(b)(5).
    (iii) Separate statements for certain uses or disclosures. If the
covered entity intends to engage in any of the following activities,
the description required by paragraph (b)(1)(ii)(A) of this section
must include a separate statement, as applicable, that:
    (A) The covered entity may contact the individual to provide
appointment reminders or information about treatment alternatives or
other health-related benefits and services that may be of interest to
the individual;
    (B) The covered entity may contact the individual to raise funds
for the covered entity; or
    (C) A group health plan, or a health insurance issuer or HMO with
respect to a group health plan, may disclose protected health
information to the sponsor of the plan.
    (iv) Individual rights. The notice must contain a statement of the
individual's rights with respect to protected health information and a
brief description of how the individual may exercise these rights, as
follows:
    (A) The right to request restrictions on certain uses and
disclosures of protected health information as provided by
Sec. 164.522(a), including a statement that the covered entity is not
required to agree to a requested restriction;
    (B) The right to receive confidential communications of protected
health information as provided by Sec. 164.522(b), as applicable;
    (C) The right to inspect and copy protected health information as
provided by Sec. 164.524;
    (D) The right to amend protected health information as provided by
Sec. 164.526;
    (E) The right to receive an accounting of disclosures of protected
health information as provided by Sec. 164.528; and
    (F) The right of an individual, including an individual who has
agreed to receive the notice electronically in accordance with
paragraph (c)(3) of this section, to obtain a paper copy of the notice
from the covered entity upon request.
    (v) Covered entity's duties. The notice must contain:
    (A) A statement that the covered entity is required by law to
maintain the privacy of protected health information and to provide
individuals with notice of its legal duties and privacy practices with
respect to protected health information;
    (B) A statement that the covered entity is required to abide by the
terms of the notice currently in effect; and
    (C) For the covered entity to apply a change in a privacy practice
that is described in the notice to protected health information that
the covered entity created or received prior to issuing a revised
notice, in accordance with Sec. 164.530(i)(2)(ii), a statement that it
reserves the right to change the terms of its notice and to make the
new notice provisions effective for all protected health information
that it maintains. The statement must also describe how it will provide
individuals with a revised notice.
    (vi) Complaints. The notice must contain a statement that
individuals may complain to the covered entity and to the Secretary if
they believe their privacy rights have been violated, a brief
description of how the individual may file a complaint with the covered
entity, and a statement that the individual will not be retaliated
against for filing a complaint.
    (vii) Contact. The notice must contain the name, or title, and
telephone number of a person or office to contact for further
information as required by Sec. 164.530(a)(1)(ii).
    (viii) Effective date. The notice must contain the date on which
the notice is first in effect, which may not be earlier than the date
on which the notice is printed or otherwise published.
    (2) Optional elements. (i) In addition to the information required
by paragraph (b)(1) of this section, if a covered entity elects to
limit the uses or disclosures that it is permitted to make under this
subpart, the covered entity may describe its more limited uses or
disclosures in its notice, provided that the covered entity may not
include in its notice a limitation affecting its right to make a use or
disclosure that is required by law or permitted by
Sec. 164.512(j)(1)(i).
    (ii) For the covered entity to apply a change in its more limited
uses and disclosures to protected health information created or
received prior to issuing a revised notice, in accordance with
Sec. 164.530(i)(2)(ii), the notice must include the statements required
by paragraph (b)(1)(v)(C) of this section.
    (3) Revisions to the notice. The covered entity must promptly
revise and distribute its notice whenever there is a material change to
the uses or disclosures, the individual's rights, the covered entity's
legal duties, or other privacy practices stated in the notice. Except
when required by law, a material change to any term of the notice may
not be implemented prior to the effective date of the notice in which
such material change is reflected.
    (c) Implementation specifications: Provision of notice. A covered
entity must make the notice required by this

[[Page 82822]]

section available on request to any person and to individuals as
specified in paragraphs (c)(1) through (c)(4) of this section, as
applicable.
    (1) Specific requirements for health plans. (i) A health plan must
provide notice:
    (A) No later than the compliance date for the health plan, to
individuals then covered by the plan;
    (B) Thereafter, at the time of enrollment, to individuals who are
new enrollees; and
    (C) Within 60 days of a material revision to the notice, to
individuals then covered by the plan.
    (ii) No less frequently than once every three years, the health
plan must notify individuals then covered by the plan of the
availability of the notice and how to obtain the notice.
    (iii) The health plan satisfies the requirements of paragraph
(c)(1) of this section if notice is provided to the named insured of a
policy under which coverage is provided to the named insured and one or
more dependents.
    (iv) If a health plan has more than one notice, it satisfies the
requirements of paragraph (c)(1) of this section by providing the
notice that is relevant to the individual or other person requesting
the notice.
    (2) Specific requirements for certain covered health care
providers. A covered health care provider that has a direct treatment
relationship with an individual must:
    (i) Provide the notice no later than the date of the first service
delivery, including service delivered electronically, to such
individual after the compliance date for the covered health care
provider;
    (ii) If the covered health care provider maintains a physical
service delivery site:
    (A) Have the notice available at the service delivery site for
individuals to request to take with them; and
    (B) Post the notice in a clear and prominent location where it is
reasonable to expect individuals seeking service from the covered
health care provider to be able to read the notice; and
    (iii) Whenever the notice is revised, make the notice available
upon request on or after the effective date of the revision and
promptly comply with the requirements of paragraph (c)(2)(ii) of this
section, if applicable.
    (3) Specific requirements for electronic notice. (i) A covered
entity that maintains a web site that provides information about the
covered entity's customer services or benefits must prominently post
its notice on the web site and make the notice available electronically
through the web site.
    (ii) A covered entity may provide the notice required by this
section to an individual by e-mail, if the individual agrees to
electronic notice and such agreement has not been withdrawn. If the
covered entity knows that the e-mail transmission has failed, a paper
copy of the notice must be provided to the individual. Provision of
electronic notice by the covered entity will satisfy the provision
requirements of paragraph (c) of this section when timely made in
accordance with paragraph (c)(1) or (2) of this section.
    (iii) For purposes of paragraph (c)(2)(i) of this section, if the
first service delivery to an individual is delivered electronically,
the covered health care provider must provide electronic notice
automatically and contemporaneously in response to the individual's
first request for service.
    (iv) The individual who is the recipient of electronic notice
retains the right to obtain a paper copy of the notice from a covered
entity upon request.
    (d) Implementation specifications: Joint notice by separate covered
entities. Covered entities that participate in organized health care
arrangements may comply with this section by a joint notice, provided
that:
    (1) The covered entities participating in the organized health care
arrangement agree to abide by the terms of the notice with respect to
protected health information created or received by the covered entity
as part of its participation in the organized health care arrangement;
    (2) The joint notice meets the implementation specifications in
paragraph (b) of this section, except that the statements required by
this section may be altered to reflect the fact that the notice covers
more than one covered entity; and
    (i) Describes with reasonable specificity the covered entities, or
class of entities, to which the joint notice applies;
    (ii) Describes with reasonable specificity the service delivery
sites, or classes of service delivery sites, to which the joint notice
applies; and
    (iii) If applicable, states that the covered entities participating
in the organized health care arrangement will share protected health
information with each other, as necessary to carry out treatment,
payment, or health care operations relating to the organized health
care arrangement.
    (3) The covered entities included in the joint notice must provide
the notice to individuals in accordance with the applicable
implementation specifications of paragraph (c) of this section.
Provision of the joint notice to an individual by any one of the
covered entities included in the joint notice will satisfy the
provision requirement of paragraph (c) of this section with respect to
all others covered by the joint notice.
    (e) Implementation specifications: Documentation. A covered entity
must document compliance with the notice requirements by retaining
copies of the notices issued by the covered entity as required by
Sec. 164.530(j).

Sec. 164.522  Rights to request privacy protection for protected health
information.

    (a)(1) Standard: Right of an individual to request restriction of
uses and disclosures. (i) A covered entity must permit an individual to
request that the covered entity restrict:
    (A) Uses or disclosures of protected health information about the
individual to carry out treatment, payment, or health care operations;
and
    (B) Disclosures permitted under Sec. 164.510(b).
    (ii) A covered entity is not required to agree to a restriction.
    (iii) A covered entity that agrees to a restriction under paragraph
(a)(1)(i) of this section may not use or disclose protected health
information in violation of such restriction, except that, if the
individual who requested the restriction is in need of emergency
treatment and the restricted protected health information is needed to
provide the emergency treatment, the covered entity may use the
restricted protected health information, or may disclose such
information to a health care provider, to provide such treatment to the
individual.
    (iv) If restricted protected health information is disclosed to a
health care provider for emergency treatment under paragraph
(a)(1)(iii) of this section, the covered entity must request that such
health care provider not further use or disclose the information.
    (v) A restriction agreed to by a covered entity under paragraph (a)
of this section, is not effective under this subpart to prevent uses or
disclosures permitted or required under Secs. 164.502(a)(2)(i),
164.510(a) or 164.512.
    (2) Implementation specifications: Terminating a restriction. A
covered entity may terminate its agreement to a restriction, if:
    (i) The individual agrees to or requests the termination in
writing;
    (ii) The individual orally agrees to the termination and the oral
agreement is documented; or
    (iii) The covered entity informs the individual that it is
terminating its

[[Page 82823]]

agreement to a restriction, except that such termination is only
effective with respect to protected health information created or
received after it has so informed the individual.
    (3) Implementation specification: Documentation. A covered entity
that agrees to a restriction must document the restriction in
accordance with Sec. 164.530(j).
    (b)(1) Standard: Confidential communications requirements. (i) A
covered health care provider must permit individuals to request and
must accommodate reasonable requests by individuals to receive
communications of protected health information from the covered health
care provider by alternative means or at alternative locations.
    (ii) A health plan must permit individuals to request and must
accommodate reasonable requests by individuals to receive
communications of protected health information from the health plan by
alternative means or at alternative locations, if the individual
clearly states that the disclosure of all or part of that information
could endanger the individual.
    (2) Implementation specifications: Conditions on providing
confidential communications.
    (i) A covered entity may require the individual to make a request
for a confidential communication described in paragraph (b)(1) of this
section in writing.
    (ii) A covered entity may condition the provision of a reasonable
accommodation on:
    (A) When appropriate, information as to how payment, if any, will
be handled; and
    (B) Specification of an alternative address or other method of
contact.
    (iii) A covered health care provider may not require an explanation
from the individual as to the basis for the request as a condition of
providing communications on a confidential basis.
    (iv) A health plan may require that a request contain a statement
that disclosure of all or part of the information to which the request
pertains could endanger the individual.

Sec. 164.524  Access of individuals to protected health information.

    (a) Standard: Access to protected health information. (1) Right of
access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of
this section, an individual has a right of access to inspect and obtain
a copy of protected health information about the individual in a
designated record set, for as long as the protected health information
is maintained in the designated record set, except for:
    (i) Psychotherapy notes;
    (ii) Information compiled in reasonable anticipation of, or for use
in, a civil, criminal, or administrative action or proceeding; and
    (iii) Protected health information maintained by a covered entity
that is:
    (A) Subject to the Clinical Laboratory Improvements Amendments of
1988, 42 U.S.C. 263a, to the extent the provision of access to the
individual would be prohibited by law; or
    (B) Exempt from the Clinical Laboratory Improvements Amendments of
1988, pursuant to 42 CFR 493.3(a)(2).
    (2) Unreviewable grounds for denial. A covered entity may deny an
individual access without providing the individual an opportunity for
review, in the following circumstances.
    (i) The protected health information is excepted from the right of
access by paragraph (a)(1) of this section.
    (ii) A covered entity that is a correctional institution or a
covered health care provider acting under the direction of the
correctional institution may deny, in whole or in part, an inmate's
request to obtain a copy of protected health information, if obtaining
such copy would jeopardize the health, safety, security, custody, or
rehabilitation of the individual or of other inmates, or the safety of
any officer, employee, or other person at the correctional institution
or responsible for the transporting of the inmate.
    (iii) An individual's access to protected health information
created or obtained by a covered health care provider in the course of
research that includes treatment may be temporarily suspended for as
long as the research is in progress, provided that the individual has
agreed to the denial of access when consenting to participate in the
research that includes treatment, and the covered health care provider
has informed the individual that the right of access will be reinstated
upon completion of the research.
    (iv) An individual's access to protected health information that is
contained in records that are subject to the Privacy Act, 5 U.S.C.
552a, may be denied, if the denial of access under the Privacy Act
would meet the requirements of that law.
    (v) An individual's access may be denied if the protected health
information was obtained from someone other than a health care provider
under a promise of confidentiality and the access requested would be
reasonably likely to reveal the source of the information.
    (3) Reviewable grounds for denial. A covered entity may deny an
individual access, provided that the individual is given a right to
have such denials reviewed, as required by paragraph (a)(4) of this
section, in the following circumstances:
    (i) A licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is
reasonably likely to endanger the life or physical safety of the
individual or another person;
    (ii) The protected health information makes reference to another
person (unless such other person is a health care provider) and a
licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely
to cause substantial harm to such other person; or
    (iii) The request for access is made by the individual's personal
representative and a licensed health care professional has determined,
in the exercise of professional judgment, that the provision of access
to such personal representative is reasonably likely to cause
substantial harm to the individual or another person.
    (4) Review of a denial of access. If access is denied on a ground
permitted under paragraph (a)(3) of this section, the individual has
the right to have the denial reviewed by a licensed health care
professional who is designated by the covered entity to act as a
reviewing official and who did not participate in the original decision
to deny. The covered entity must provide or deny access in accordance
with the determination of the reviewing official under paragraph (d)(4)
of this section.
    (b) Implementation specifications: requests for access and timely
action. (1) Individual's request for access. The covered entity must
permit an individual to request access to inspect or to obtain a copy
of the protected health information about the individual that is
maintained in a designated record set. The covered entity may require
individuals to make requests for access in writing, provided that it
informs individuals of such a requirement.
    (2) Timely action by the covered entity. (i) Except as provided in
paragraph (b)(2)(ii) of this section, the covered entity must act on a
request for access no later than 30 days after receipt of the request
as follows.
    (A) If the covered entity grants the request, in whole or in part,
it must inform the individual of the acceptance of the request and
provide the access requested, in accordance with paragraph (c) of this
section.

[[Page 82824]]

    (B) If the covered entity denies the request, in whole or in part,
it must provide the individual with a written denial, in accordance
with paragraph (d) of this section.
    (ii) If the request for access is for protected health information
that is not maintained or accessible to the covered entity on-site, the
covered entity must take an action required by paragraph (b)(2)(i) of
this section by no later than 60 days from the receipt of such a
request.
    (iii) If the covered entity is unable to take an action required by
paragraph (b)(2)(i)(A) or (B) of this section within the time required
by paragraph (b)(2)(i) or (ii) of this section, as applicable, the
covered entity may extend the time for such actions by no more than 30
days, provided that:
    (A) The covered entity, within the time limit set by paragraph
(b)(2)(i) or (ii) of this section, as applicable, provides the
individual with a written statement of the reasons for the delay and
the date by which the covered entity will complete its action on the
request; and
    (B) The covered entity may have only one such extension of time for
action on a request for access.
    (c) Implementation specifications: Provision of access. If the
covered entity provides an individual with access, in whole or in part,
to protected health information, the covered entity must comply with
the following requirements.
    (1) Providing the access requested. The covered entity must provide
the access requested by individuals, including inspection or obtaining
a copy, or both, of the protected health information about them in
designated record sets. If the same protected health information that
is the subject of a request for access is maintained in more than one
designated record set or at more than one location, the covered entity
need only produce the protected health information once in response to
a request for access.
    (2) Form of access requested. (i) The covered entity must provide
the individual with access to the protected health information in the
form or format requested by the individual, if it is readily producible
in such form or format; or, if not, in a readable hard copy form or
such other form or format as agreed to by the covered entity and the
individual.
    (ii) The covered entity may provide the individual with a summary
of the protected health information requested, in lieu of providing
access to the protected health information or may provide an
explanation of the protected health information to which access has
been provided, if:
    (A) The individual agrees in advance to such a summary or
explanation; and
    (B) The individual agrees in advance to the fees imposed, if any,
by the covered entity for such summary or explanation.
    (3) Time and manner of access. The covered entity must provide the
access as requested by the individual in a timely manner as required by
paragraph (b)(2) of this section, including arranging with the
individual for a convenient time and place to inspect or obtain a copy
of the protected health information, or mailing the copy of the
protected health information at the individual's request. The covered
entity may discuss the scope, format, and other aspects of the request
for access with the individual as necessary to facilitate the timely
provision of access.
    (4) Fees. If the individual requests a copy of the protected health
information or agrees to a summary or explanation of such information,
the covered entity may impose a reasonable, cost-based fee, provided
that the fee includes only the cost of:
    (i) Copying, including the cost of supplies for and labor of
copying, the protected health information requested by the individual;
    (ii) Postage, when the individual has requested the copy, or the
summary or explanation, be mailed; and
    (iii) Preparing an explanation or summary of the protected health
information, if agreed to by the individual as required by paragraph
(c)(2)(ii) of this section.
    (d) Implementation specifications: Denial of access. If the covered
entity denies access, in whole or in part, to protected health
information, the covered entity must comply with the following
requirements.
    (1) Making other information accessible. The covered entity must,
to the extent possible, give the individual access to any other
protected health information requested, after excluding the protected
health information as to which the covered entity has a ground to deny
access.
    (2) Denial. The covered entity must provide a timely, written
denial to the individual, in accordance with paragraph (b)(2) of this
section. The denial must be in plain language and contain:
    (i) The basis for the denial;
    (ii) If applicable, a statement of the individual's review rights
under paragraph (a)(4) of this section, including a description of how
the individual may exercise such review rights; and
    (iii) A description of how the individual may complain to the
covered entity pursuant to the complaint procedures in Sec. 164.530(d)
or to the Secretary pursuant to the procedures in Sec. 160.306. The
description must include the name, or title, and telephone number of
the contact person or office designated in Sec. 164.530(a)(1)(ii).
    (3) Other responsibility. If the covered entity does not maintain
the protected health information that is the subject of the
individual's request for access, and the covered entity knows where the
requested information is maintained, the covered entity must inform the
individual where to direct the request for access.
    (4) Review of denial requested. If the individual has requested a
review of a denial under paragraph (a)(4) of this section, the covered
entity must designate a licensed health care professional, who was not
directly involved in the denial to review the decision to deny access.
The covered entity must promptly refer a request for review to such
designated reviewing official. The designated reviewing official must
determine, within a reasonable period of time, whether or not to deny
the access requested based on the standards in paragraph (a)(3) of this
section. The covered entity must promptly provide written notice to the
individual of the determination of the designated reviewing official
and take other action as required by this section to carry out the
designated reviewing official's determination.
    (e) Implementation specification: Documentation. A covered entity
must document the following and retain the documentation as required by
Sec. 164.530(j):
    (1) The designated record sets that are subject to access by
individuals; and
    (2) The titles of the persons or offices responsible for receiving
and processing requests for access by individuals.

Sec. 164.526  Amendment of protected health information.

    (a) Standard: Right to amend. (1) Right to amend. An individual has
the right to have a covered entity amend protected health information
or a record about the individual in a designated record set for as long
as the protected health information is maintained in the designated
record set.
    (2) Denial of amendment. A covered entity may deny an individual's
request for amendment, if it determines that the protected health
information or record that is the subject of the request:
    (i) Was not created by the covered entity, unless the individual
provides a reasonable basis to believe that the

[[Page 82825]]

originator of protected health information is no longer available to
act on the requested amendment;
    (ii) Is not part of the designated record set;
    (iii) Would not be available for inspection under Sec. 164.524; or
    (iv) Is accurate and complete.
    (b) Implementation specifications: requests for amendment and
timely action. (1) Individual's request for amendment. The covered
entity must permit an individual to request that the covered entity
amend the protected health information maintained in the designated
record set. The covered entity may require individuals to make requests
for amendment in writing and to provide a reason to support a requested
amendment, provided that it informs individuals in advance of such
requirements.
    (2) Timely action by the covered entity. (i) The covered entity
must act on the individual's request for an amendment no later than 60
days after receipt of such a request, as follows.
    (A) If the covered entity grants the requested amendment, in whole
or in part, it must take the actions required by paragraphs (c)(1) and
(2) of this section.
    (B) If the covered entity denies the requested amendment, in whole
or in part, it must provide the individual with a written denial, in
accordance with paragraph (d)(1) of this section.
    (ii) If the covered entity is unable to act on the amendment within
the time required by paragraph (b)(2)(i) of this section, the covered
entity may extend the time for such action by no more than 30 days,
provided that:
    (A) The covered entity, within the time limit set by paragraph
(b)(2)(i) of this section, provides the individual with a written
statement of the reasons for the delay and the date by which the
covered entity will complete its action on the request; and
    (B) The covered entity may have only one such extension of time for
action on a request for an amendment.
    (c) Implementation specifications: Accepting the amendment. If the
covered entity accepts the requested amendment, in whole or in part,
the covered entity must comply with the following requirements.
    (1) Making the amendment. The covered entity must make the
appropriate amendment to the protected health information or record
that is the subject of the request for amendment by, at a minimum,
identifying the records in the designated record set that are affected
by the amendment and appending or otherwise providing a link to the
location of the amendment.
    (2) Informing the individual. In accordance with paragraph (b) of
this section, the covered entity must timely inform the individual that
the amendment is accepted and obtain the individual's identification of
and agreement to have the covered entity notify the relevant persons
with which the amendment needs to be shared in accordance with
paragraph (c)(3) of this section.
    (3) Informing others. The covered entity must make reasonable
efforts to inform and provide the amendment within a reasonable time
to:
    (i) Persons identified by the individual as having received
protected health information about the individual and needing the
amendment; and
    (ii) Persons, including business associates, that the covered
entity knows have the protected health information that is the subject
of the amendment and that may have relied, or could foreseeably rely,
on such information to the detriment of the individual.
    (d) Implementation specifications: Denying the amendment. If the
covered entity denies the requested amendment, in whole or in part, the
covered entity must comply with the following requirements.
    (1) Denial. The covered entity must provide the individual with a
timely, written denial, in accordance with paragraph (b)(2) of this
section. The denial must use plain language and contain:
    (i) The basis for the denial, in accordance with paragraph (a)(2)
of this section;
    (ii) The individual's right to submit a written statement
disagreeing with the denial and how the individual may file such a
statement;
    (iii) A statement that, if the individual does not submit a
statement of disagreement, the individual may request that the covered
entity provide the individual's request for amendment and the denial
with any future disclosures of the protected health information that is
the subject of the amendment; and
    (iv) A description of how the individual may complain to the
covered entity pursuant to the complaint procedures established in
Sec. 164.530(d) or to the Secretary pursuant to the procedures
established in Sec. 160.306. The description must include the name, or
title, and telephone number of the contact person or office designated
in Sec. 164.530(a)(1)(ii).
    (2) Statement of disagreement. The covered entity must permit the
individual to submit to the covered entity a written statement
disagreeing with the denial of all or part of a requested amendment and
the basis of such disagreement. The covered entity may reasonably limit
the length of a statement of disagreement.
    (3) Rebuttal statement. The covered entity may prepare a written
rebuttal to the individual's statement of disagreement. Whenever such a
rebuttal is prepared, the covered entity must provide a copy to the
individual who submitted the statement of disagreement.
    (4) Recordkeeping. The covered entity must, as appropriate,
identify the record or protected health information in the designated
record set that is the subject of the disputed amendment and append or
otherwise link the individual's request for an amendment, the covered
entity's denial of the request, the individual's statement of
disagreement, if any, and the covered entity's rebuttal, if any, to the
designated record set.
    (5) Future disclosures. (i) If a statement of disagreement has been
submitted by the individual, the covered entity must include the
material appended in accordance with paragraph (d)(4) of this section,
or, at the election of the covered entity, an accurate summary of any
such information, with any subsequent disclosure of the protected
health information to which the disagreement relates.
    (ii) If the individual has not submitted a written statement of
disagreement, the covered entity must include the individual's request
for amendment and its denial, or an accurate summary of such
information, with any subsequent disclosure of the protected health
information only if the individual has requested such action in
accordance with paragraph (d)(1)(iii) of this section.
    (iii) When a subsequent disclosure described in paragraph (d)(5)(i)
or (ii) of this section is made using a standard transaction under part
162 of this subchapter that does not permit the additional material to
be included with the disclosure, the covered entity may separately
transmit the material required by paragraph (d)(5)(i) or (ii) of this
section, as applicable, to the recipient of the standard transaction.
    (e) Implementation specification: Actions on notices of amendment.
A covered entity that is informed by another covered entity of an
amendment to an individual's protected health information, in
accordance with paragraph (c)(3) of this section, must amend the
protected health information in designated record sets as provided by
paragraph (c)(1) of this section.
    (f) Implementation specification: Documentation. A covered entity
must document the titles of the persons or

[[Page 82826]]

offices responsible for receiving and processing requests for
amendments by individuals and retain the documentation as required by
Sec. 164.530(j).

Sec. 164.528  Accounting of disclosures of protected health
information.

    (a) Standard: Right to an accounting of disclosures of protected
health information. (1) An individual has a right to receive an
accounting of disclosures of protected health information made by a
covered entity in the six years prior to the date on which the
accounting is requested, except for disclosures:
    (i) To carry out treatment, payment and health care operations as
provided in Sec. 164.502;
    (ii) To individuals of protected health information about them as
provided in Sec. 164.502;
    (iii) For the facility's directory or to persons involved in the
individual's care or other notification purposes as provided in
Sec. 164.510;
    (iv) For national security or intelligence purposes as provided in
Sec. 164.512(k)(2);
    (v) To correctional institutions or law enforcement officials as
provided in Sec. 164.512(k)(5); or
    (vi) That occurred prior to the compliance date for the covered
entity.
    (2)(i) The covered entity must temporarily suspend an individual's
right to receive an accounting of disclosures to a health oversight
agency or law enforcement official, as provided in Sec. 164.512(d) or
(f), respectively, for the time specified by such agency or official,
if such agency or official provides the covered entity with a written
statement that such an accounting to the individual would be reasonably
likely to impede the agency's activities and specifying the time for
which such a suspension is required.
    (ii) If the agency or official statement in paragraph (a)(2)(i) of
this section is made orally, the covered entity must:
    (A) Document the statement, including the identity of the agency or
official making the statement;
    (B) Temporarily suspend the individual's right to an accounting of
disclosures subject to the statement; and
    (C) Limit the temporary suspension to no longer than 30 days from
the date of the oral statement, unless a written statement pursuant to
paragraph (a)(2)(i) of this section is submitted during that time.
    (3) An individual may request an accounting of disclosures for a
period of time less than six years from the date of the request.
    (b) Implementation specifications: Content of the accounting. The
covered entity must provide the individual with a written accounting
that meets the following requirements.
    (1) Except as otherwise provided by paragraph (a) of this section,
the accounting must include disclosures of protected health information
that occurred during the six years (or such shorter time period at the
request of the individual as provided in paragraph (a)(3) of this
section) prior to the date of the request for an accounting, including
disclosures to or by business associates of the covered entity.
    (2) The accounting must include for each disclosure:
    (i) The date of the disclosure;
    (ii) The name of the entity or person who received the protected
health information and, if known, the address of such entity or person;
    (iii) A brief description of the protected health information
disclosed; and
    (iv) A brief statement of the purpose of the disclosure that
reasonably informs the individual of the basis for the disclosure; or,
in lieu of such statement:
    (A) A copy of the individual's written authorization pursuant to
Sec. 164.508; or
    (B) A copy of a written request for a disclosure under
Secs. 164.502(a)(2)(ii) or 164.512, if any.
    (3) If, during the period covered by the accounting, the covered
entity has made multiple disclosures of protected health information to
the same person or entity for a single purpose under
Secs. 164.502(a)(2)(ii) or 164.512, or pursuant to a single
authorization under Sec. 164.508, the accounting may, with respect to
such multiple disclosures, provide:
    (i) The information required by paragraph (b)(2) of this section
for the first disclosure during the accounting period;
    (ii) The frequency, periodicity, or number of the disclosures made
during the accounting period; and
    (iii) The date of the last such disclosure during the accounting
period.
    (c) Implementation specifications: Provision of the accounting. (1)
The covered entity must act on the individual's request for an
accounting, no later than 60 days after receipt of such a request, as
follows.
    (i) The covered entity must provide the individual with the
accounting requested; or
    (ii) If the covered entity is unable to provide the accounting
within the time required by paragraph (c)(1) of this section, the
covered entity may extend the time to provide the accounting by no more
than 30 days, provided that:
    (A) The covered entity, within the time limit set by paragraph
(c)(1) of this section, provides the individual with a written
statement of the reasons for the delay and the date by which the
covered entity will provide the accounting; and
    (B) The covered entity may have only one such extension of time for
action on a request for an accounting.
    (2) The covered entity must provide the first accounting to an
individual in any 12 month period without charge. The covered entity
may impose a reasonable, cost-based fee for each subsequent request for
an accounting by the same individual within the 12 month period,
provided that the covered entity informs the individual in advance of
the fee and provides the individual with an opportunity to withdraw or
modify the request for a subsequent accounting in order to avoid or
reduce the fee.
    (d) Implementation specification: Documentation. A covered entity
must document the following and retain the documentation as required by
Sec. 164.530(j):
    (1) The information required to be included in an accounting under
paragraph (b) of this section for disclosures of protected health
information that are subject to an accounting under paragraph (a) of
this section;
    (2) The written accounting that is provided to the individual under
this section; and
    (3) The titles of the persons or offices responsible for receiving
and processing requests for an accounting by individuals.

Sec. 164.530  Administrative requirements.

    (a)(1) Standard: Personnel designations. (i) A covered entity must
designate a privacy official who is responsible for the development and
implementation of the policies and procedures of the entity.
    (ii) A covered entity must designate a contact person or office who
is responsible for receiving complaints under this section and who is
able to provide further information about matters covered by the notice
required by Sec. 164.520.
    (2) Implementation specification: Personnel designations. A covered
entity must document the personnel designations in paragraph (a)(1) of
this section as required by paragraph (j) of this section.
    (b)(1) Standard: Training. A covered entity must train all members
of its workforce on the policies and procedures with respect to
protected health information required by this subpart, as necessary and
appropriate for the members of the workforce to

[[Page 82827]]

carry out their function within the covered entity.
    (2) Implementation specifications: Training. (i) A covered entity
must provide training that meets the requirements of paragraph (b)(1)
of this section, as follows:
    (A) To each member of the covered entity's workforce by no later
than the compliance date for the covered entity;
    (B) Thereafter, to each new member of the workforce within a
reasonable period of time after the person joins the covered entity's
workforce; and
    (C) To each member of the covered entity's workforce whose
functions are affected by a material change in the policies or
procedures required by this subpart, within a reasonable period of time
after the material change becomes effective in accordance with
paragraph (i) of this section.
    (ii) A covered entity must document that the training as described
in paragraph (b)(2)(i) of this section has been provided, as required
by paragraph (j) of this section.
    (c)(1) Standard: Safeguards. A covered entity must have in place
appropriate administrative, technical, and physical safeguards to
protect the privacy of protected health information.
    (2) Implementation specification: Safeguards. A covered entity must
reasonably safeguard protected health information from any intentional
or unintentional use or disclosure that is in violation of the
standards, implementation specifications or other requirements of this
subpart.
    (d)(1) Standard: Complaints to the covered entity. A covered entity
must provide a process for individuals to make complaints concerning
the covered entity's policies and procedures required by this subpart
or its compliance with such policies and procedures or the requirements
of this subpart.
    (2) Implementation specification: Documentation of complaints. As
required by paragraph (j) of this section, a covered entity must
document all complaints received, and their disposition, if any.
    (e)(1) Standard: Sanctions. A covered entity must have and apply
appropriate sanctions against members of its workforce who fail to
comply with the privacy policies and procedures of the covered entity
or the requirements of this subpart. This standard does not apply to a
member of the covered entity's workforce with respect to actions that
are covered by and that meet the conditions of Sec. 164.502(j) or
paragraph (g)(2) of this section.
    (2) Implementation specification: Documentation. As required by
paragraph (j) of this section, a covered entity must document the
sanctions that are applied, if any.
    (f) Standard: Mitigation. A covered entity must mitigate, to the
extent practicable, any harmful effect that is known to the covered
entity of a use or disclosure of protected health information in
violation of its policies and procedures or the requirements of this
subpart by the covered entity or its business associate.
    (g) Standard: Refraining from intimidating or retaliatory acts. A
covered entity may not intimidate, threaten, coerce, discriminate
against, or take other retaliatory action against:
    (1) Individuals. Any individual for the exercise by the individual
of any right under, or for participation by the individual in any
process established by this subpart, including the filing of a
complaint under this section;
    (2) Individuals and others. Any individual or other person for:
    (i) Filing of a complaint with the Secretary under subpart C of
part 160 of this subchapter;
    (ii) Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing under Part C of Title XI; or
    (iii) Opposing any act or practice made unlawful by this subpart,
provided the individual or person has a good faith belief that the
practice opposed is unlawful, and the manner of the opposition is
reasonable and does not involve a disclosure of protected health
information in violation of this subpart.
    (h) Standard: Waiver of rights. A covered entity may not require
individuals to waive their rights under Sec. 160.306 of this subchapter
or this subpart as a condition of the provision of treatment, payment,
enrollment in a health plan, or eligibility for benefits.
    (i)(1) Standard: Policies and procedures. A covered entity must
implement policies and procedures with respect to protected health
information that are designed to comply with the standards,
implementation specifications, or other requirements of this subpart.
The policies and procedures must be reasonably designed, taking into
account the size of and the type of activities that relate to protected
health information undertaken by the covered entity, to ensure such
compliance. This standard is not to be construed to permit or excuse an
action that violates any other standard, implementation specification,
or other requirement of this subpart.
    (2) Standard: Changes to policies or procedures. (i) A covered
entity must change its policies and procedures as necessary and
appropriate to comply with changes in the law, including the standards,
requirements, and implementation specifications of this subpart;
    (ii) When a covered entity changes a privacy practice that is
stated in the notice described in Sec. 164.520, and makes corresponding
changes to its policies and procedures, it may make the changes
effective for protected health information that it created or received
prior to the effective date of the notice revision, if the covered
entity has, in accordance with Sec. 164.520(b)(1)(v)(C), included in
the notice a statement reserving its right to make such a change in its
privacy practices; or
    (iii) A covered entity may make any other changes to policies and
procedures at any time, provided that the changes are documented and
implemented in accordance with paragraph (i)(5) of this section.
    (3) Implementation specification: Changes in law. Whenever there is
a change in law that necessitates a change to the covered entity's
policies or procedures, the covered entity must promptly document and
implement the revised policy or procedure. If the change in law
materially affects the content of the notice required by Sec. 164.520,
the covered entity must promptly make the appropriate revisions to the
notice in accordance with Sec. 164.520(b)(3). Nothing in this paragraph
may be used by a covered entity to excuse a failure to comply with the
law.
    (4) Implementation specifications: Changes to privacy practices
stated in the notice. (i) To implement a change as provided by
paragraph (i)(2)(ii) of this section, a covered entity must:
    (A) Ensure that the policy or procedure, as revised to reflect a
change in the covered entity's privacy practice as stated in its
notice, complies with the standards, requirements, and implementation
specifications of this subpart;
    (B) Document the policy or procedure, as revised, as required by
paragraph (j) of this section; and
    (C) Revise the notice as required by Sec. 164.520(b)(3) to state
the changed practice and make the revised notice available as required
by Sec. 164.520(c). The covered entity may not implement a change to a
policy or procedure prior to the effective date of the revised notice.
    (ii) If a covered entity has not reserved its right under
Sec. 164.520(b)(1)(v)(C) to change a privacy practice that is stated in
the notice, the covered entity is bound by the privacy practices as
stated

[[Page 82828]]

in the notice with respect to protected health information created or
received while such notice is in effect. A covered entity may change a
privacy practice that is stated in the notice, and the related policies
and procedures, without having reserved the right to do so, provided
that:
    (A) Such change meets the implementation requirements in
paragraphs (i)(4)(i)(A)-(C) of this section; and
    (B) Such change is effective only with respect to protected health
information created or received after the effective date of the notice.
    (5) Implementation specification: Changes to other policies or
procedures. A covered entity may change, at any time, a policy or
procedure that does not materially affect the content of the notice
required by Sec. 164.520, provided that:
    (i) The policy or procedure, as revised, complies with the
standards, requirements, and implementation specifications of this
subpart; and
    (ii) Prior to the effective date of the change, the policy or
procedure, as revised, is documented as required by paragraph (j) of
this section.
    (j)(1) Standard: Documentation. A covered entity must:
    (i) Maintain the policies and procedures provided for in paragraph
(i) of this section in written or electronic form;
    (ii) If a communication is required by this subpart to be in
writing, maintain such writing, or an electronic copy, as
documentation; and
    (iii) If an action, activity, or designation is required by this
subpart to be documented, maintain a written or electronic record of
such action, activity, or designation.
    (2) Implementation specification: Retention period. A covered
entity must retain the documentation required by paragraph (j)(1) of
this section for six years from the date of its creation or the date
when it last was in effect, whichever is later.
    (k) Standard: Group health plans. (1) A group health plan is not
subject to the standards or implementation specifications in paragraphs
(a) through (f) and (i) of this section, to the extent that:
    (i) The group health plan provides health benefits solely through
an insurance contract with a health insurance issuer or an HMO; and
    (ii) The group health plan does not create or receive protected
health information, except for:
    (A) Summary health information as defined in Sec. 164.504(a); or
    (B) Information on whether the individual is participating in the
group health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan.
    (2) A group health plan described in paragraph (k)(1) of this
section is subject to the standard and implementation specification in
paragraph (j) of this section only with respect to plan documents
amended in accordance with Sec. 164.504(f).

Sec. 164.532  Transition provisions.

    (a) Standard: Effect of prior consents and authorizations.
Notwithstanding other sections of this subpart, a covered entity may
continue to use or disclose protected health information pursuant to a
consent, authorization, or other express legal permission obtained from
an individual permitting the use or disclosure of protected health
information that does not comply with Secs. 164.506 or 164.508 of this
subpart consistent with paragraph (b) of this section.
    (b) Implementation specification: Requirements for retaining
effectiveness of prior consents and authorizations. Notwithstanding
other sections of this subpart, the following provisions apply to use
or disclosure by a covered entity of protected health information
pursuant to a consent, authorization, or other express legal permission
obtained from an individual permitting the use or disclosure of
protected health information, if the consent, authorization, or other
express legal permission was obtained from an individual before the
applicable compliance date of this subpart and does not comply with
Secs. 164.506 or 164.508 of this subpart.
    (1) If the consent, authorization, or other express legal
permission obtained from an individual permits a use or disclosure for
purposes of carrying out treatment, payment, or health care operations,
the covered entity may, with respect to protected health information
that it created or received before the applicable compliance date of
this subpart and to which the consent, authorization, or other express
legal permission obtained from an individual applies, use or disclose
such information for purposes of carrying out treatment, payment, or
health care operations, provided that:
    (i) The covered entity does not make any use or disclosure that is
expressly excluded from the consent, authorization, or other express
legal permission obtained from an individual; and
    (ii) The covered entity complies with all limitations placed by the
consent, authorization, or other express legal permission obtained from
an individual.
    (2) If the consent, authorization, or other express legal
permission obtained from an individual specifically permits a use or
disclosure for a purpose other than to carry out treatment, payment, or
health care operations, the covered entity may, with respect to
protected health information that it created or received before the
applicable compliance date of this subpart and to which the consent,
authorization, or other express legal permission obtained from an
individual applies, make such use or disclosure, provided that:
    (i) The covered entity does not make any use or disclosure that is
expressly excluded from the consent, authorization, or other express
legal permission obtained from an individual; and
    (ii) The covered entity complies with all limitations placed by the
consent, authorization, or other express legal permission obtained from
an individual.
    (3) In the case of a consent, authorization, or other express legal
permission obtained from an individual that identifies a specific
research project that includes treatment of individuals:
    (i) If the consent, authorization, or other express legal
permission obtained from an individual specifically permits a use or
disclosure for purposes of the project, the covered entity may, with
respect to protected health information that it created or received
either before or after the applicable compliance date of this subpart
and to which the consent or authorization applies, make such use or
disclosure for purposes of that project, provided that the covered
entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an
individual.
    (ii) If the consent, authorization, or other express legal
permission obtained from an individual is a general consent to
participate in the project, and a covered entity is conducting or
participating in the research, such covered entity may, with respect to
protected health information that it created or received as part of the
project before or after the applicable compliance date of this subpart,
make a use or disclosure for purposes of that project, provided that
the covered entity complies with all limitations placed by the consent,
authorization, or other express legal permission obtained from an
individual.
    (4) If, after the applicable compliance date of this subpart, a
covered entity agrees to a restriction requested by an individual under
Sec. 164.522(a), a subsequent use or disclosure of

[[Page 82829]]

protected health information that is subject to the restriction based
on a consent, authorization, or other express legal permission obtained
from an individual as given effect by paragraph (b) of this section,
must comply with such restriction.

Sec. 164.534  Compliance dates for initial implementation of the
privacy standards.

    (a) Health care providers. A covered health care provider must
comply with the applicable requirements of this subpart no later than
February 26, 2003.
    (b) Health plans. A health plan must comply with the applicable
requirements of this subpart no later than the following date, as
applicable:
    (1) Health plans other than small health plans--February 26, 2003.
    (2) Small health plans--February 26, 2004.
    (c) Health care clearinghouses. A health care clearinghouse must
comply with the applicable requirements of this subpart no later than
February 26, 2003.
[FR Doc. 00-32678 Filed 12-20-00; 11:21 am]
BILLING CODE 4150-04-P
