HIPAA Privacy Rule: Right to Request Restriction of Uses and Disclosures of PHI

Modified on Tue, 13 Feb at 6:08 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Under the HIPAA Privacy Rule, an individual may request that a covered entity restrict how it uses or discloses that individual’s protected health information (PHI).


HIPAA requires covered entities (health plans, health care clearinghouses, or health care providers that conduct standard electronic transactions) to allow individuals to request that the covered entity restrict the use or disclosure of their PHI for treatment, payment, or healthcare operations. The Privacy Rule also grants individuals the right to request restrictions for other uses and disclosures, such as disclosures made to family members or persons involved in the individual’s care.


While covered entities must allow individuals to request restrictions of the use or disclosure of their PHI in these circumstances, in most cases, covered entities are not required to agree to the requested restrictions. The Privacy Rule generally allows covered entities to decide whether to agree to a requested restriction because, for example, uses and disclosures for treatment, payment, and healthcare operations purposes are often necessary for providing quality patient care and ensuring efficient payment for healthcare.

If a covered entity agrees to an individual’s requested restriction, the covered entity must comply with the agreed restriction, except for purposes of treating the individual in a medical emergency and certain other circumstances specified in the Privacy Rule.

For example, a covered healthcare provider may agree to an individual’s request not to use or disclose PHI related to their treatment for a prostate condition. However, if the individual has a medical emergency, the provider may share PHI about the individual’s prostate condition with another healthcare provider if the PHI is needed to provide emergency treatment. The disclosing provider must request that the emergency treatment provider not use or disclose the information other than for the purpose of providing the emergency treatment.


A covered entity is required to agree to an individual’s request to restrict the disclosure of their PHI to a health plan when both of the following conditions are met:

(1) the disclosure is for payment or health care operations and is not otherwise required by law; and

(2) the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the covered entity in full.

For example, if an individual pays for a reproductive health care visit out-of-pocket in full and requests that the covered health care provider not submit PHI about that visit in a separate claim for follow-up care to their health plan, the provider must agree to the requested restriction.
