Patient’s Guide to HIPAA – Basic Rights: G. Right to Request Restrictions on Uses and Disclosures (FAQ 51 – 53)
The HIPAA rule defines seven patient rights, one of which is a right to request restrictions on uses and disclosures. Of the rights currently afforded under HIPAA, this is the one with the most restrictions. This page includes all FAQs explaining this right (FAQ 51-53).
G. Right to Request Restrictions on Uses and Disclosures (FAQ 51 – 53)
FAQ 51: What is the Right to Request Restrictions on Uses and Disclosures?
The right to request restrictions is the least meaningful of the seven HIPAA patient rights. A covered entity must allow a patient to request a restriction on the uses or disclosures of the patient’s information to carry out treatment, payment, or health care operations. A patient can also ask for a restriction on disclosures to a family member, relative, or close personal friend. However, there’s a new element that came with the 2013 changes. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for treatment or payment, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full. We’ll explain that new option in the next FAQ. It’s well-intentioned but very messy to use.
You can read later in this document about the scope of permissible uses and disclosures for treatment, payment, and health care operations. (See FAQs 56 & 57.) No covered entity needs your consent to make disclosures for those purposes. Health care operations is a particularly broad term that includes many activities that are in the interest of the covered entity and not necessarily in the interest of the patient.
FAQ 52: Why is the Right to Request Restrictions Almost Meaningless?
The rule does not require a covered entity to agree to a restriction requested by a patient. The covered entity does not have to agree even if the patient’s request is reasonable. Contrast this provision with the right to request confidential communication. A covered entity must agree to a reasonable request for confidential communication. However, if you ask for a restriction on use or disclosure, the covered entity does not have to agree, does not have to state a reason for denying a request, and does not have to even respond to your request. Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless.
It gets worse. The rule expressly provides that some restrictions that an institution might agree to are not effective. These are uses or disclosures that are permitted for facility directories (separate rules govern facility directories), to the Department for oversight of the rule, or for any of the scores of other permissible disclosures allowed under the law. Thus, if an institution agrees to your request not to make a discretionary disclosure to the CIA, that agreement is not effective under the rule.
In the unlikely event that a covered entity agreed to a patient request and violated the agreement, OCR might respond to a complaint from a patient. But if OCR took aggressive action, covered entities would see that as a reason not to agree to any restrictions. It’s not clear that any covered entities need more incentive not to agree than they already have.
A patient who had an agreement from a covered entity might be able to enforce an agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to your request in the first place. It would be much easier to enforce an agreement if it were in writing.
It is highly unlikely that any large institution will agree to any restriction on use or disclosure. It is conceivable that you might get a small provider – e.g., a psychiatrist in a solo practice – to agree with your request. A bigger institution – especially one with a staff of lawyers – will probably never agree. Frankly, trying to get a voluntary agreement from a large covered entity is not likely to be worth the time and trouble.
The 2013 change offers a new and mandatory restriction. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for treatment or payment, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full.
This looks like it is more meaningful than the right to request a restriction. If you meet the terms and make the request properly and in a timely fashion, a covered entity must agree. However, it will be hard for most patients to meet the requirements. As you read the following discussion of the problems with the new mandatory restriction, you will see what we mean.
The PHI must relate to fully paid health care: If a treatment included a service that was partly paid by insurance and partly by the patient, it does not qualify. So if you have surgery for a deviated septum paid for by your health insurance with a little added cosmetic surgery at the same time that you pay for, you cannot make a request to keep the cosmetic surgery restricted. The surgery was not solely paid for by the patient. If you pay for a treatment, but let your insurer pay for a related blood test, it will probably not qualify as a treatment solely paid by you.
Paying in full may be difficult for many patients. At some HMOs, payments by patients for some services are not allowed. Medicare may prohibit providers taking any payment from some patients. Costs may be too much for many patients, and patients paying on their own may not qualify for the negotiated lower prices that health plans pay.
The health care system is complicated and interconnected. You may pay for a service out-of-pocket and tell your doctor not to tell the health plan. Yet if the doctor sends a prescription electronically to a drug store, the drug store may not be aware of the restriction and is likely to automatically query the health plan. The same problem can arise with a laboratory or x-ray facility. A patient seeking to keep treatment information from a health plan will have to think ahead and be adept at finding non-standard ways of managing referrals or ordering tests. Requests to restrict may need to be made in advance of treatment or billing. Covered entities are sure to insist (as the rule allows) that requests be made in writing.
From the perspective of a covered entity, managing a mandatory request not to tell a health plan can be challenging. A health care provider will have to think how to tag or separate restricted information so that it remains available to those treating patients but does not casually slip off to insurers. Even a provider trying to act in good faith will face problems. All providers will have to think long and hard how to handle mandatory requests.
For most patients, paying in full out-of-pocket is not realistic. Some patients have the ability to pay and will want to use the mandatory restriction provision. It is generally well known that some individuals receiving mental health treatment are zealously protective of their privacy and will pay for their own treatment. Others will also want treatment to be as confidential as possible. For patients who want to make use of the mandatory restriction in the Rule, we tentatively offer this advice.
1. Recognize up front that getting a mandatory restriction to work will require a lot of advance planning. Find out the covered entity’s requirements for a mandatory restriction. Be prepared to make your written request before you make the actual appointment. Come to that appointment with a written request in hand. Have multiple copies of your letter with you. For a large provider, consider talking in advance with the privacy officer to make sure that you can meet the provider’s requirements. A larger provider is more likely to have a formal procedure, and you will want to make sure that you do the things necessary to follow that procedure.
2. If the treatment you need normally requires pre-certification from your health plan, you may need to take action well before your appointment. A provider may routinely seek pre-certification on your behalf if you don’t make it clear that you do not want the information shared with the insurer. Telling your doctor may not be enough if the clerk who handles the pre-certifications does not know. Work this out well in advance with the provider’s administrative staff. Try to talk to the office manager rather than to a receptionist.
3. If you get a referral to a second provider, your request for restriction will not automatically follow with the referral. You have to ask the second provider for a restriction, which may mean doing the same advance work that you did with the first provider. In emergencies, this could prove to be especially difficult or impossible.
4. If you are having an outpatient surgical procedure, it’s possible that the same procedure will involve a surgeon, anesthetist, and a hospital, each of which is a separate provider. Your request may have to be made to each provider separately. There may well be other circumstances in which a single type of treatment involves more than one covered entity. You will have to ask a lot of questions to be sure.
5. If your provider orders lab tests or x-rays, your request for restriction will not automatically be transferred with the sample or order. You will have to make the same request for restriction with each subsequent provider (a lab is a provider). You may want to decline to let your provider take a blood sample to send to the lab. Consider getting an order for a test from the doctor. Take the order to a lab, pay in cash, and don’t let the lab bill your insurance company. Remember, however, that the cash price may be much higher than the insurance price.
6. Make sure that you can pay for your care. If you don’t pay or if your check bounces, a provider may bill your insurance company anyway. If possible, pay for your care at the time of receipt so there is no question about the need to bill your insurer.
7. See if you can arrange for care from a small provider rather than a large provider. A psychiatrist in solo private practice may be much more adept at billing you than a university hospital with many formal procedures, separate billing offices, automated claims submissions, and the like. There’s no guarantee that a small provider will do better, but we guess that you have a better chance.
8. Consider having the treatment you want to keep confidential from your health plan at a health care provider that you don’t see for other types of treatment. If you establish a relationship with a new provider and make it clear that you will pay for the care yourself, then you may be able to not tell the provider about your insurance at all. Try to avoid even sharing your insurance information if you can.
Here’s an example. Suppose that you usually fill your prescriptions at the “ABC Pharmacy” that has your health plan information on file. It could be easy for a pharmacy to accidentally bill your health plan despite your request. It’s also possible that when you fill your next unrestricted prescription, the record of your restricted prescription will go along to the insurer anyway. Avoid the risk, if possible, by filling a restricted prescription at a different pharmacy where you do not do business otherwise. Don’t give the second pharmacy your health plan information.
There’s a real downside here, however. There’s a risk here that if the new drug conflicts with another drug you already are taking, you could have a serious or fatal reaction. It is important to discuss the issue with the prescribing physician. You could encounter the same type of problem if you receive care from one provider that your regular provider does not know about. You could endanger your health or even your life. It’s definitely something to think about.
Second example: if you need treatment for a sexually transmitted disease and you don’t want the information to circulate in the health care payment system, go to a walk-in clinic that takes cash. We can’t advise you to use a pseudonym. We don’t know that it is legal to do so. However, some people do.
9. If the provider is part of a local Health Information Exchange, keeping your information out of a shared record is something to ask about. You don’t have a right to keep PHI from being shared with other providers, but once information is shared, it is more vulnerable to inadvertent disclosure to your insurer. However, as we just pointed out, it is possible that treatments or drugs from different providers could conflict in some way and endanger your life or your health. There’s an advantage when your provider has a more complete medical history.
10. Remember that the mandatory restriction is new to everyone in the health care system. As should be clear from the above discussion, it raises many complications for patients and for providers. If you happen to be the first person who wants a mandatory restriction, you may have to work carefully with the provider to work out the proper arrangements. Put another way, you may have to be highly motivated and persistent to have your restriction properly honored.
11. Document everything. Keep copies of your restriction request letters. Try to get receipts for the restriction letters. Keep a log of everyone you talked to in every provider’s office and what they said.
12. Don’t assume that your doctor will remember that you have a restriction demand on file when you show up for a second, third, or tenth visit. Repeat your demand before every appointment, during each visit, and when you check out of the provider’s office. You can’t be too careful. In many offices, providers automatically bill insurers after a visit, and they may do so if you don’t remind everyone about your restriction demand. The right to restrict the flow of information to an insurer is a firm right, not just a request that a provider can decline to honor. You may have to fight to have your rights honored.
13. Unfortunately, we have not yet exhausted the problems presented by the new disclosure restriction mandate. Here’s another possibility. You go to a provider and successfully impose a restriction on disclosure to your health plan. The treatment results in a complication that requires additional treatment, possibly including hospitalization, additional tests, and new prescriptions. If you cannot afford to pay out of pocket for the additional treatment, your health plan will begin to receive claims and may ask why the additional treatment is needed. It is also possible that the additional treatment itself will identify to the plan something about the treatment that you kept secret.
Here’s another example. You pay out of pocket for a genetic test to see if you have a gene that predisposes you to colon cancer. The test is positive, and you schedule a colonoscopy that you cannot afford to pay for yourself. Your health plan may ask why it should pay for a colonoscopy for someone of your age when the test is only recommended for someone much older. You may be forced to reveal the test and the result that you wanted to keep secret. All the effort and expense that went into keeping the test from your health plan may be wasted in that case.
14. Will a restriction demand really make your health record private? Sadly, the answer is no. Don’t get your expectations raised too much. The restriction only applies to disclosures to health plans. Other disclosures allowed by the Privacy Rule – to public health agencies, researchers, law enforcement, private litigants, the CIA, and others – are not affected in any way by a patient’s restriction. Also unaffected are disclosures to a covered entity’s business associates, disclosures for health care operations, and disclosures to other health care providers for treatment. Think about that if you want to undertake the efforts to ask for a restriction and make it work. It provides a narrow degree of confidentiality. That may be what you need, but don’t expect any more. Only you can decide if the expense and the effort are worth the limited result.
So why did OCR adopt this messy, complicated, nearly-impossible-to-implement change in the Privacy Rule? Because Congress directed the change in the HITECH Act. It’s a well-intentioned provision, but we have many doubts that it will work well in the real world. We will all find out together over the next few years. If a provider does not provide you with the confidentiality required by law, you can complain to OCR. However, any complaint is only likely to exacerbate sharing of the information that you wanted kept secret in the first place.
FAQ 53: Is the Right to Limit Disclosures to Relatives and Friends Meaningless Too?
Not entirely. There is a bit of hope if you want a provider to agree to limit disclosures to relatives and friends. If you tell your doctor or nurse not to talk to a relative, that provider is likely to comply regardless of the rule. The rule doesn’t make those disclosures mandatory. It does, however, make it harder for a patient to obtain or enforce an agreement.
If, for example, you ask your provider not to disclose your diagnosis to your children, the rule requires the provider to document the request. Since formal documentation is less likely to be done for casual requests, any agreement may be unenforceable under the rule. Further, the required formality of the rule allows providers to insist that patients make requests in writing, and most will demand a letter. If you are a patient in a hospital about to receive a visit from a relative, how can you possibly make a written request and get a timely agreement from the hospital?
Even if you do make a written request, the rule doesn’t require any response to your request or any response in a reasonable period. If you are prepared enough to present a formal request at the start of your hospitalization, the hospital could take 30 days or more before it agreed. Your hospitalization will likely have ended well before any response, if you even get a response.
Luckily, while the rule makes these requests to limit disclosure mostly meaningless, the human element that still exists in the health care system may supply what the rule does not. If you make a personal request to your provider, that provider will likely abide by your wishes regardless of the rule and its required formality. Your request may not be legally enforceable under the HIPAA rule, but enforcement may not be important.
Generally, we don’t see much of a reason to bother with formal requests for use and disclosure restrictions, although it remains to be seen if the new right to prevent disclosure to insurers will be meaningful. If you read many notices of privacy practices, you will find that covered entities say that they won’t agree to most requests. That is a polite way of saying that they won’t agree to any requests.
If you want to control disclosures to family members or friends, the formal process under the rule isn’t likely to help you at all. Make your requests orally and informally to your providers, just the same way that patients have always done. Be clear. Be repetitive. Hope for the best. The HIPAA rule does almost nothing for you.