HIPAA's Privacy Rule grants individuals the right to request restrictions regarding the use and disclosure of their protected health information (PHI) for treatment, payment, and healthcare operations. The law also grants individuals the right to request restrictions for other disclosures, such as those made to family members and persons involved in the individual's care. However, covered entities are not always required to agree with the requested restrictions.
When the covered entity agrees to a restriction, it must adhere to that restriction for all future disclosures. However, the Privacy Rule recognizes that in certain situations an individual's health and well-being may depend on the unrestricted flow of information.
If a patient has a medical emergency, it may be necessary to share PHI with another healthcare provider to ensure they receive the right treatment promptly. In such cases, the disclosing provider must request that the information be used solely for providing emergency treatment.
Furthermore, there are scenarios in which a covered entity is not required to comply with a patient's request for restriction:
However, there are other scenarios when a covered entity is required to comply with a patient's request for restriction:
The HITECH-HIPAA Omnibus Rule states "a covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and not otherwise required by law; and the protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full."
The Omnibus Rule also requires that the Notice of Privacy Practices include a statement summarizing the individual's right to request a restriction and the covered entity's obligation to accept a restriction on disclosure of the individual's PHI to a health plan.
However, the Omnibus Rule's new restriction requirements do not change the covered entity's general obligation to disclose only the information a health plan requests, and only the amount judged to be the "minimum necessary" to fulfill that request, unless the patient has agreed to a broader disclosure, such as in an agreement with the health plan or in an authorization on file with the covered entity.