Access to confidential data is available only to the following:
individuals within the entity whose work assignments reasonably require access; and
The responsible authority shall establish written procedures to assure that access may be gained only by those parties identified in subpart 2.
In the drafting and administration of those procedures, the responsible authority shall provide measures by which data subjects or their authorized representatives shall be informed, upon request, if they are the subjects of confidential data.
The responsible authority shall not disclose the actual confidential data to the data subjects, but shall inform them whether confidential data concerning them is or is not retained.
The responsible authority shall take reasonable measures to assure that the person making inquiry is actually the individual data subject or the authorized representative of the data subject. Reasonable measures include, but are not limited to:
requiring the inquiring person to appear at the office of the entity to make his/her request;
requiring the inquiring person to provide identification; or
requiring the notarized signature of any data subject who is unable to appear at the offices of the entity.
MS s 13.07
July 13, 2007