HIPAA's Privacy Rule grants individuals the right to request restrictions regarding the use and disclosure of their protected health information (PHI) for treatment, payment, and healthcare operations. The law also grants individuals the right to request restrictions for other disclosures, such as those made to family members and persons involved in the individual's care. However, covered entities are not always required to agree with the requested restrictions.
When can covered entities refuse a patient's right to restriction?
When the covered entity agrees to the restriction, they must adhere to the restriction for all future disclosures. However, the Privacy Rule recognizes that in certain situations, an individual's health and well-being may depend on the unrestricted flow of information.
If a patient has a medical emergency, it may be necessary to share PHI with another healthcare provider to ensure they receive the right treatment promptly. In such cases, the disclosing provider must request that the information be used solely for providing emergency treatment.
Furthermore, there are scenarios in which a covered entity is not required to comply with a patient's request for restriction:
- Covered entities must also comply with regulations and requirements set forth by the Department of Health and Human Services (HHS). These regulations may, in some instances, conflict with a patient's request for restrictions.
- The legal requirements covered entities must meet may be prioritized over a patient's request for limitations. For instance, the covered entity might be required to abide by federal or state laws that mandate the sharing of particular health information.
- The covered entity must provide PHI to a health plan for payment or healthcare operations if required by law and isn't subject to the healthcare provider's discretion.
However, there are other scenarios when a covered entity is required to comply with a patient's request for restriction:
- The disclosure of PHI to a health plan is for payment or healthcare operations and is not mandated by law.
- The PHI relates solely to a healthcare item or service for which the individual (or someone other than the health plan on behalf of the individual) has paid the covered entity in full.
See also: What are patient rights under HIPAA?
The HITECH-HIPAA Omnibus Rule
The HITECH-HIPPA Omnibus Rule states "a covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and not otherwise required by law; and the protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full."
The Omnibus Rule also requires that a statement be included in the Notice of Privacy Practices summarizing the individual's right to a restriction and the covered entity's requirement to accept the restriction to disclose PHI about the individual to a health plan.
However, The Omnibus Rule's new restriction requirements do not change the general obligation of the covered entity to disclose only the information requested by the health plan and the amount of requested information judged to be the "minimum amount necessary" to fulfill the request—unless the patient has agreed to a broader disclosure, like when they are in agreement with the health plan or in an authorization on file with the covered entity.
See also: HIPAA Compliant Email: The Definitive Guide
Tshedimoso Makhene
