§164.524(d) Implementation specifications: Denial of access. If the covered entity denies access, in whole or in part, to protected health information, the covered entity must comply with the following requirements. (1) Making other information accessible. The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access.

§164.524(d)(2) Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain:
(i) The basis for the denial;
(ii) If applicable, a statement of the individual’s review rights under paragraph (a)(4) of this section, including a description of how the individual may exercise such review rights; and
(iii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii).

Audit Inquiry

Has the covered entity implemented policies and procedures that ensure that an individual receives a timely, written denial that contains all mandated elements?
Inquire of management.

Obtain and review policies and procedures to determine if they comply with the established performance criterion.

Obtain and review a sample of denied access requests.