DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
The HIPAA Privacy Rule "Right to request privacy protection for PHI" provision. This provision contains two distinct rights - (1) the right of an individual to request restriction of uses and disclosures of PHI, and (2) the right of an individual to request confidential communications - that is, the right to request (and to have a covered entity to accommodate a reasonable request) to receive communications from a covered entity by alternative means or at alternative locations. The article discusses the first of the two rights, the right of an individual to request restrictions of uses and disclosures of PHI. The second of the two rights, the right of an individual to receive communications of PHI from a covered entity by alternative means or at alternative locations, is discussed in separate article that can be accessed here.
What is the Right to Request Restriction of Uses and Disclosures of PHI?
Under the HIPAA Privacy "Right to Request Privacy Protection for PHI" rule, an individual may request that a covered entity restrict how it uses or discloses that individual’s protected health information (PHI).
Under the "request restriction of uses and disclosures of PHI" provision, HIPAA covered entities (health plans, health care clearinghouses, or health care providers that conduct standard electronic transactions) must allow allow individuals to request that the covered entity restrict the use or disclosure of their PHI for treatment, payment, or healthcare operations. This provision also grants individuals the right to request restrictions for other uses and disclosures, such as disclosures made to family members or persons involved in the individual’s care.
Must a Covered Entity Agree to a Request to Restrict Uses and Disclosures of PHI?
While covered entities must allow individuals to request restrictions of the use or disclosure of their PHI as noted above, in most cases, covered entities are not required to honor with the requested restrictions. The Privacy Rule generally allows covered entities to decide whether to agree to a requested restriction because, for example, uses and disclosures for treatment, payment, and healthcare operations purposes are often necessary for providing quality patient care and ensuring efficient payment for healthcare.
If a covered entity agrees to an individual’s requested restriction, the covered entity must comply with the agreed restriction, except in two situations discussed below.
Emergency Treatment
if the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
If restricted PHI is disclosed to a health care provider for such emergency treatment, the covered entity must request that such health care provider not further use or disclose the information.
For example, a covered entity may agree to an individual’s request not to use or disclose PHI related to their treatment for a prostate condition. However, if the individual has a medical emergency, the provider may share PHI about the individual’s prostate condition with another healthcare provider if the PHI is needed to provide emergency treatment. The disclosing provider must request that the emergency treatment provider not use or disclose the information other than for the purpose of providing the emergency treatment.
Certain Payment or Healthcare Operations Disclosures to Health Plans
A covered entity is required to agree to an individual’s request to restrict the disclosure of their PHI to a health plan when both of the following conditions are met:
(1) the disclosure is for payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the covered entity in full.
For example, if an individual pays for a reproductive health care visit out-of-pocket in full and requests that the covered health care provider not submit PHI about that visit in a separate claim for follow-up care to their health plan, the provider must agree to the requested restriction.
What are the Rules for Termination of Restrictions?
A covered entity may terminate a restriction, if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented; or
(iii) The covered entity informs the individual that it is terminating its agreement to a restriction
Such termination is:
(1) Not effective for PHI restricted under 165.522 paragraph (a)(1)(vi) of this section; and
(2) Only effective with respect to protected health information created or received after the covered entity has informed the individual that it is terminating its agreement to a restriction. has so informed the individual.
Covered entities must document restrictions.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article