- A canonical DSR procedure template that operationalizes the regulatory process — adopt it, adapt the deadlines and routing to your org, and use it as the runbook your team follows for every request.
- The Privacy Rule controls dashboard at Compliance → Privacy, which surfaces every HIPAA Privacy Rule control (§164.520, §164.524, §164.526, §164.528) with response-deadline reminders and status tracking.
- Policy-template annexes that document the rights your org is bound to — the Individual and Data Subject Rights Policy, the Patient Rights Annex, and the Notice of Privacy Practices Annex.
The DSR procedure template
The Data Subject Rights Request Procedure is one of the 64 canonical templates in Regentra’s policy library. It is framework-neutral (the regulatory citations live on the version metadata, not in the body) and covers:
- Intake channels and the minimum information you must collect
- Identity verification, including elevated verification for authorized agents under CCPA
- Classification against applicable regimes (HIPAA, GDPR, CCPA, state laws) and the deadlines for each
- Data retrieval routing to system owners / data stewards
- Carve-outs and denials with regulatory citations
- Response delivery and recordkeeping
Adopt the procedure template
Go to Compliance → Policies → Canonical Library and search for
Data Subject Rights Request Procedure. Click Adopt to
materialize a copy in your org. Open it in the editor.
Customize routing for your org
Drop in your intake addresses (privacy mailbox, patient portal
URL, CCPA toll-free number), your Privacy Officer / DPO contact, and the
internal owners for each downstream data steward role.
Route for review and approval
Click Send for Review. Your Privacy Officer is the typical
reviewer; Compliance Admin can also approve. Once published,
the procedure becomes the binding internal runbook.
Distribute and acknowledge
Wrap the procedure into a policy campaign
targeting your Privacy Officer, intake team, and data stewards.
Their signed acknowledgments become the evidence that the
procedure is operative.
The Privacy Rule controls dashboard
For HIPAA-covered customers, Compliance → Privacy consolidates every Privacy Rule control with its statutory citation and current implementation status. Today the dashboard surfaces four patient-rights controls explicitly:

| §ref | Right | Statutory deadline |
|---|---|---|
| §164.524 | Right of Access | 30 days (60 with one extension) |
| §164.526 | Right to Amend PHI | 60 days (90 with one extension) |
| §164.528 | Accounting of Disclosures | 60 days (90 with one extension) |
| §164.520 | Notice of Privacy Practices | At first service delivery (at enrollment for health plans) |
Tracking individual requests
Today Regentra does not provide a dedicated per-request DSR record type. Operators use the following patterns:
- A PSA ticket with a DSR tag, the requester’s contact details, and the regulatory regime in the subject. SLA timers and assignment workflows on the ticket give you deadline pressure without a bespoke schema.
- A row in your DSR procedure’s worksheet appendix. The procedure template includes an example log table you can copy into a spreadsheet or table for low-volume orgs.
- A Compliance issue for any request that surfaces an underlying gap (e.g., “we couldn’t retrieve all data because system X has no search-by-subject capability”), so the structural fix is tracked separately from the individual response.
Deadlines by regime
The procedure template ships with the standard deadlines pre-filled:

| Regime | Right | Deadline |
|---|---|---|
| HIPAA | Access (§164.524) | 30 days; 60 with one extension |
| HIPAA | Amendment (§164.526) | 60 days; 90 with one extension |
| HIPAA | Accounting (§164.528) | 60 days; 90 with one extension |
| GDPR | Access, rectification, erasure, portability, restriction, objection | One month; extendable by two further months if the request is complex or numerous (Art. 12(3)) |
| CCPA / CPRA | Know, delete, correct | 45 days; 90 with one extension |
| State laws (CT, VA, CO, UT, TX, OR, DE, IA, IN, TN, NH, NJ, MN, MT, RI) | Varies | Generally 45 days with one 45-day extension |

Deadlines run from receipt of the request, so the intake timestamp is the one to record first; an extension is only valid if the requester is notified of it within the original window, with the reason for the delay.
Related templates
- Individual and Data Subject Rights Policy — the policy-level document that names the rights your org honors and the regimes it applies them under (HIPAA, GDPR, state law). Adopt this before the procedure.
- Patient Rights Annex (HIPAA-specific) — the patient-facing rights catalog you incorporate into your Notice of Privacy Practices.
- Notice of Privacy Practices Annex — the patient-facing notice document itself.
- Privacy Program Policy — the umbrella policy that names your Privacy Officer and scopes the program.
Frequently asked questions
Is there a Regentra inbox that auto-collects DSRs?
Not today. Intake stays on your own channels (email, web form,
portal). The roadmap item is a first-class DSR record type; until
it ships, use a PSA ticket with a DSR tag for tracking.
How do I evidence to an auditor that we responded on time?
Combine three artifacts: (1) the published DSR procedure with its
acknowledgment campaign, (2) the response letter you sent to the
requester, and (3) the PSA-ticket timeline showing the receipt,
verification, retrieval, and dispatch timestamps. Attach all three
to the relevant audit request.
Can I deny a request?
Yes, on regulatory grounds. The procedure template enumerates
them (HIPAA: legal proceedings, third-party PHI carve-outs; GDPR:
rights of others, disproportionate effort; CCPA: cannot verify
identity). Document the denial reason, cite the regulatory basis,
and provide appeal or review instructions where required.
What if a processor holds some of the data?
Your Data Processing Agreement template requires processors to
respond to controller-forwarded DSRs within a defined SLA. The
procedure includes a vendor-forward step and tracks the processor
response separately from the in-house retrieval.