WPF Report — Paying out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure
The report Paying out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure was published January 30, 2014.
Report authors: Bob Gellman and Pam Dixon
You are at the report main page, where you can download the full report in PDF format or navigate to parts of the report in full text below.
Read the Report Front Matter and Introduction, below
Jump to other sections of the report: I. Introduction | II. Background | III. Advice for Patients Seeking to Pay in Full and Request a Restriction | IV. Conclusion | V. Resources | Appendix
The Report in Brief
The HIPAA health privacy rule was updated in September 2013. One of the changes in the rule is a new provision called “Pay Out of Pocket,” also called the “Right to Restrict Disclosure.” This provision gives patients the right to request that their health care provider not report or disclose their information to their health insurers when they pay for medical services in full. This new right is important. However, the new right will take effort and planning for patients to utilize effectively. This substance of this report is about the new patient right to restrict disclosure, and how to navigate it to protect health privacy.
About the Authors
Robert Gellman is a privacy and information policy consultant in Washington DC. (www.bobgellman.com.) Pam Dixon is the Founder and Executive Director of the World Privacy Forum and a privacy researcher. Gellman and Dixon are the authors of Online Privacy A Reference Handbook (ABC CLIO, 2011) as well as co-authors and authors of numerous and well-regarded privacy-focused research, articles, and analysis.
About the World Privacy Forum
The World Privacy Forum is a non-profit public interest research and consumer education group focused on the research and analysis of privacy-related issues. The Forum was founded in 2003 and has published significant privacy research and policy studies in the area of health, online and technical privacy issues, self-regulation, financial, identity, and biometrics among other areas. For more information please visit www.worldprivacyforum.org.
I. Introduction and Summary
One of the most-discussed provisions in the changes to the HIPAA health privacy rule that became effective September 23, 2013, is the right for a patient to prevent a provider from reporting information to a health insurer if the patient pays in full. The new right sounds useful and may be helpful to some patients, but the pay-in-full option is laden with complexity. That is the subject of this report.
The new right has several prerequisites. A patient has the firm right to demand that a health care provider not disclose the patient’s protected health information (PHI) to the patient’s health plan if these conditions are met:
- The patient makes a Request to Restrict disclosure;
- The disclosure is to a health plan for payment or health care operations;
- The disclosure is not required by law, and
- The protected health information pertains solely to health care for which the patient (or someone on behalf of the patient) has paid for in full out of pocket.
Given these requirements, is the pay-in-full option a meaningful new way that patients can protect their privacy, or is it not likely to help anyone? The truth lies somewhere in between. Some patients may be able to protect their privacy, but the new right will be difficult to exercise. Health care providers will find it challenging to comply when patients pay in full for their care and insist on privacy. Both patients and providers will benefit greatly from advance planning.
This report describes what patients should consider doing to exercise their right to restrict with new paid-in-full privacy option. The report will also be useful to health care providers who are trying to figure out how to comply with patient demands.
The federal rules governing health privacy and security are known as HIPAA, which stands for the Health Insurance Portability and Accountability Act. The Department of Health and Human Services acting through the Office of Civil Rights is responsible for the HIPAA privacy and security rules.
Looking Back: The Pre-2013 Right to Request Confidentiality
The privacy rule as it existed before the September 2013 amendment that added the pay-in-full option also gave patients a limited right to request
confidentiality in two ways. One is the right to request confidential communications. This is a real right because a covered entity must grant a reasonable request. So if a patient asks to be contacted at home rather than at work, the covered entity will almost certainly have to agree. This right continues unchanged by the 2013 provision.
The second old way to request confidentiality also remains in place. It allows a patient to request restrictions on uses and disclosures from health care providers and health plans covered by the rule. But this right has not been especially meaningful. Under the provision, a covered entity — or health care provider — had to allow a patient to request a restriction on the use or disclosure of the patient’s information to carry out treatment, payment, or health care operations. A patient could also ask for a restriction on disclosures to a family member, relative, or close personal friend.
This right has not received a lot of attention because the rule does not require a covered entity to agree to a restriction requested by a patient. It is therefore an abridged right. When HHS updated HIPAA, it added the new right to restrict when paying out of pocket. It also left both of the old rights to request confidentiality in place just as they were.
Additional Detail on the Pre-2013 Right to Request Confidentiality
Under the old right to request limits on uses and disclosures, as just discussed, the Privacy Rule does not require the covered entity to grant the request. It gets even worse – the covered entity does not have to agree even if the patient’s request is reasonable. Not only does a covered entity not have to agree to a patient request, the covered entity does not have to state a reason for denying the request, or even to respond to the request. Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless.
Additionally, this old section of the rule expressly provides that some restrictions that an institution might agree to are not effective. An agreement to restrict uses or disclosures permitted: 1) for facility directories (separate rules govern facility directories); 2) to the Department for oversight of the rule; or 3) for any of the scores of other permissible disclosures allowed under the law are not enforceable under the rule. Thus, if an institution agrees to a request not to make a discretionary disclosure to the Central Intelligence Agency (a permissible disclosure for national security purposes that surprises almost everyone), that agreement may not be meaningful.
If the event that a covered entity agreed to a patient request and violated the agreement, OCR might respond to a complaint from a patient. However, if OCR took aggressive action, covered entities would see that as a reason not to agree to any restrictions. Enforcement would only add to the existing disincentive to agree to disclosure restrictions. To be blunt, there is not much in it for a covered entity that agrees not to disclose other than potential liability.
A patient who had an agreement from a covered entity might be able to enforce an agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to a request in the first place. It would be much easier to enforce an agreement if it were in writing.
It is unlikely that a large institution will agree to any restriction on use or disclosure. It is conceivable that a small provider – e.g., a psychiatrist in a solo practice – might agree to a patient request. A bigger institution – especially one with a staff of lawyers – will probably never agree. We are not sure that trying to get a voluntary agreement for a large covered entity would be worth the time and trouble for most patients. We would be pleasantly surprised if it turns out that we are wrong. In essence, the pre-2013 right to request confidentiality is not a particularly productive or meaningful right to assert. The new HIPAA Right to Restrict Disclosure, however, is meaningful, and worth discussing as a viable patient privacy option.
The New Pay-in-Full Option and Right to Restrict Disclosure
The 2013 change offers a new and mandatory restriction. A patient has the firm right to demand, not just request, that a provider not disclose PHI to a health plan if the disclosure is to a health plan for payment or health care operations; the disclosure isn’t required by law; and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full.
At first glance, this looks like it is more helpful than the right to request a restriction. If a patient meets the terms and makes the request properly and in a timely fashion, a covered entity must agree and must comply. However, it will be challenging for many patients to meet the requirements. The following discussion of the new mandatory restriction illustrates the potential hurdles for patients.
The PHI must relate to fully paid health care
If a treatment included a service partly paid by insurance and partly by the patient, the treatment does not qualify as fully paid by the patient. If a patient has surgery for a deviated septum paid for by the patient’s health insurance with a little added cosmetic surgery at the same time that the patient pays for, the patient cannot make a request to keep the cosmetic surgery restricted. The patient did not pay for the surgery solely by himself or herself. If a patient pays for a treatment, but lets the insurer pay for a related blood test, it will probably not qualify as a treatment solely paid by the patient. It may be hard at times to tell when a treatment for one purpose ends and another one starts.
Paying in full may be a cost burden for many patients
Many patients are not able to afford to pay for their own care. For them, the right will be unavailable. Further, a patient that pays out of pocket may not receive the negotiated lower prices that health plans often pay. The price may be even higher than most patients anticipate. Further, Medicare may prohibit providers taking any payment from some patients, so the option may not be available when a patient on Medicare uses some providers. At some HMOs, payments by patients for some services are not allowed, even if service came from someone outside the HMO. When the health plan is also the provider, the right may not be meaningful unless the patient uses a separate provider.
The health care system is complex and interconnected
A patient may pay for a service out of pocket and tell the provider not to disclose information to the health plan. Yet if the doctor sends a prescription electronically to a drug store, the drug store may not be aware of the restriction and is likely to automatically query the health plan before the patient has a chance to contact the pharmacy. Even if a patient obtains a paper prescription and takes it to a pharmacy, pharmacies may report the prescription to a pharmacy benefit manager, a state database (e.g., for narcotics), or some other intermediary that the pharmacy can lawfully disclose the information to. The same problem can arise with a laboratory, x-ray facility, or other provider.
A patient seeking to keep treatment information from a health plan must think ahead and be adept at finding non-standard ways of managing referrals or ordering tests. Requests to restrict may need to be made in advance of treatment or billing. Covered entities are sure to insist (as the rule allows) that requests be made in writing, and there could be delays before a provider can add request for disclosure restriction to the patient’s record and make it effective.
From the perspective of a covered entity, managing a mandatory request not to tell a health plan can be challenging. A health care provider will have to think how to tag or separate restricted information so that it remains available to those treating patients but does not casually slip off to insurers. Even a provider trying to act in good faith will face problems. All providers will have to think long and hard how to handle mandatory requests. Shared electronic health records may only make the challenges greater.
III. Advice for Patients Seeking to Pay in Full and Request a Restriction
For most patients, paying in full out of pocket is not realistic. Some patients have the ability to pay and will want to use the mandatory restriction provision. For example, some individuals receiving mental health treatment are zealously protective of their privacy and pay for their own treatment. For any patient who wants to make use of the mandatory restriction in the HIPAA health privacy rule, we tentatively offer this advice.
Obtain the Procedures for Making a Request to Restrict Disclosure
First, find out the covered entity’s procedures and requirements for a mandatory restriction. We are noticing that some providers have begun putting “Right to Restrict Disclosure to Health Plan” notices in their Notice of Privacy Practices, or privacy policies. Some providers are listing the new right along with the other rights patients have under HIPAA. An example of what this can look like comes from the HIPAA page at the University of Texas, San Antonio (http://www.uthscsa.edu/hipaa/patientrights.asp). Even if your health care provider does not have a clear notice describing how to make a request to restrict disclosure, they are still required to follow the law.
Advance Planning is a Must
Recognize up front that getting a mandatory restriction to work will require a lot of advance planning. If you have found the provider’s written procedure for requesting a restriction on disclosure, that will be helpful. Because some providers may require advance notice, be prepared to make your written restriction request before you make the actual appointment. Come to that appointment with multiple copies of the written request in hand. For a large provider, consider talking in advance to the provider’s privacy officer to make sure that you can meet the provider’s requirements. A larger provider is more likely to have a formal procedure, and you will want to make sure that you do the things necessary to follow that procedure. Understand that the providers may have a litany of steps for you to follow.
Take Care of Pre-Certification Requirements
If your treatment requires pre-certification from your health plan, you need to take action well before your appointment. A provider may routinely seek pre-certification on your behalf after you make an appointment if you do not make it clear that you do not want the information shared with the insurer and do not need pre-certification because you plan to pay for the treatment in full out of pocket. Telling your doctor during an office visit may not be enough if the clerk who handled the pre-certification did not know about your request. Work this out well in advance with the provider’s administrative staff. Try to talk to the office manager rather than to a receptionist.
Handling Referrals to Another Health Care Provider
If you get a referral to a second provider, your request for restriction will not automatically follow with the referral. You have to ask the second provider for a restriction, which may mean doing the same advance work that you did with the first provider. In emergencies, this could prove to be especially difficult or impossible.
Outpatient Surgical Procedure Precautions
If you are having an outpatient surgical procedure, it is possible that the same procedure will involve a surgeon, anesthetist, and a hospital, each of which is a separate health care provider who bills separately to your health insurer. You are likely to have to make a separate request to each provider. There may well be other circumstances in which a single type of treatment involves more than one covered entity. You will have to ask many questions to be sure.
Lab Tests and Imaging (X-Rays, MRI, etc.)
If your provider orders lab tests or x-rays, your restriction request will not automatically go along with the sample or order. You will have to make the same restriction request with each subsequent provider (a lab is a health care provider). You may want to decline to let your provider send a blood sample to the lab. Consider getting an order for a test from the doctor. Take the order to a lab, bring a request letter, pay in cash, and do not let the lab bill your insurance company. Remember, however, that the cash price may be much higher than the insurance price. Negotiating an appropriate price may be even more challenging than successfully negotiating a confidentiality request.
Ensure Funds are Available
Make sure that you can pay for your care. Be prepared to pay for all or part of your treatment in advance to assure the provider that services will be paid for. If you do not pay in full or if your check bounces, a provider may bill your insurance company anyway. If possible, pay for your care at the time of receipt so there is no question about the need to bill your insurer. Be prepared for additional and unexpected costs, for example, hidden lab or medication fees.
Smaller Providers May be More Nimble With Help
See if you can obtain care from a small provider rather than a large provider. A psychiatrist in solo private practice may be much more adept at billing you than a university hospital with many formal procedures, separate billing offices, automated claims submissions, and the like. There’s no guarantee that a small provider will do better, but we guess that you have a better chance. You certainly have a better chance of conveying your request to everyone in a small office than in a big hospital.
Think About Seeking a New Provider for Out of Pocket Treatments
Consider having the treatment you want to keep confidential from your health plan at a health care provider that you do not see for other types of treatment. If you establish a relationship with a new provider, make it clear that you will pay for the care yourself. You may be able to avoid telling the provider about your insurance at all. A provider who does not know your insurer will find it hard to disclose information to your insurer. Remember to discuss the price of your care, because insurance companies often pay less than the list price for health care. Some providers may fear that you may not pay the bill, and they may demand advance payment or health insurance information as a backup.
Here’s an example. Suppose that you usually fill your prescriptions at the “ABC Pharmacy” that has your health plan information on file. It could be easy for that pharmacy to accidentally bill your health plan despite your request. It is also possible that when you fill your next unrestricted prescription, the record of your restricted prescription will go along to the insurer anyway. Sometimes these errors can happen due to the highly automated processes in place at pharmacies. Avoid the risk, if possible, by filling a restricted prescription at a different pharmacy where you do not do business otherwise. Don’t give the second pharmacy your health plan information.
There’s a real downside here, however. There’s a risk here that if the new drug conflicts with another drug you are already taking, you could have a serious or fatal reaction. It is important to discuss these issues with the prescribing physician. You could encounter the same type of conflict if you receive care from one provider that your regular provider does not know about. You could endanger your health or even your life. It’s definitely something to consider. You will accomplish nothing if you succeed in protecting your confidentiality and ruining your health or losing your life.
Second example: if you need treatment for a sexually transmitted disease and you do not want the information to circulate in the health care payment system, go to a walk-in clinic that takes cash. We cannot advise you to use a pseudonym. We do not know that it is legal to do so. However, some people do. We do not offer legal advice here, but we observe that using a pseudonym when obtaining narcotics may land you in jail.
Be Watchful of Health Information Exchanges
If the provider is part of a local Health Information Exchange, ask about keeping your information out of the shared record system. You do not have a right to keep one provider from sharing your information with other providers, but once information is shared, it is more vulnerable to inadvertent disclosure to your insurer. However, as we just pointed out, it is possible that treatments or drugs from different providers could conflict in some way and endanger your life or your health. There’s an advantage when your provider has a more complete medical history.
Mandatory Restriction is New, and You May be First in Line
Remember that the mandatory restriction is new to everyone in the health care system. As should be clear from the above discussion, it raises many complications for patients and for providers. If you happen to be the first person who requests a mandatory restriction, you may have to work carefully with the provider to work out the proper arrangements. Put another way, you may have to be highly motivated and persistent to have your restriction properly honored. It is your right, however, whether the provider is familiar with it or not.
Keep Copies of Your Restriction Request Letters
Document everything. Keep copies of your restriction request or demand letters. Try to get a receipt for the restriction letters from each provider. Keep a log of everyone you talked to in every provider’s office and what they said. Write down who you gave your restriction request letter to, what their job is, and when you gave them the letter.
Repeat Your Restriction Request Before Each Appointment
Don’t assume that your doctor will remember that you have a restriction demand on file when you show up for a second, third, or tenth visit. Repeat your demand before every appointment, during each visit, and when you check out of the provider’s office. You cannot be too careful. In many offices, providers automatically bill insurers after a visit, and they may do so if you do not remind everyone about your restriction demand. The right to restrict the flow of information to an insurer is a firm right, not just a request that a provider can decline to honor. You may have to fight to have your rights honored.
Complications That Require the Use of Insurance
Unfortunately, we have not yet exhausted the hurdles presented by the new disclosure restriction mandate. Here’s another possibility. You go to a provider and successfully impose a restriction on disclosure of your information to your health plan. The treatment results in a medical complication that requires additional treatment, possibly including hospitalization, additional tests, and new prescriptions. If you cannot afford to pay out of pocket for all of the additional treatment, your health care provider will begin to receive claims and may ask why you needed the additional treatment. It is likely that the additional treatment itself will identify to the plan something about the treatment that you kept secret.
Here’s another example. You pay out of pocket for a genetic test to see if you have a gene that predisposes you to colon cancer. The test is positive, and you schedule a colonoscopy that you cannot afford to pay for yourself. Your health plan may ask why it should pay for a colonoscopy for someone of your age when colonoscopies are recommended only for someone much older. You may be forced to reveal the test and the result that you wanted to keep from being disclosed to the insurer. All the effort and expense that went into keeping the test from your health plan may be wasted in that case.
The Right to Restrict Applies only to Health Plan Disclosures
Will a restriction demand really make your health record completely private? Sadly, the answer is no. Don’t get your expectations raised too much. The restriction only applies to disclosures to health plans. Other disclosures allowed by the Privacy Rule – for example, to public health agencies, researchers, law enforcement, private litigants, the CIA, and others. These disclosures are not affected in any way by a patient’s request for restriction.
Also unaffected are disclosures to other health care providers for treatment purposes. For example, your medical information can still be shared with other doctors or hospitals. The right to restrict provides a narrow degree of confidentiality. That may be what you need, but don’t expect any more. Only you can decide if the expense and the effort are worth the result.
So why did the HHS Office of Civil Rights adopt this messy, complicated change in the Privacy Rule? OCR did it because Congress directed the change in the HITECH Act. It is a well-intentioned provision, but we have concerns that it will not work smoothly in the real world. We will all find out together over the next few years. If a provider does not provide you with the confidentiality required by law, you can complain to the Office of Civil Rights. We are aware that some patients may not be comfortable making a complaint about a sensitive health issue that they wanted kept secret in the first place.
In this report, we emphasize the burden that falls on a patient who wants confidentiality. We observe that HIPAA places most of the responsibility on providers. We think that providers must do a lot of work to be able to honor patient requests. That is what the law demands. However, a patient who wants privacy must anticipate the problems that a provider faces in honoring a request. The patient will suffer if the request is not handled properly.
Indeed, the patient whose request is not successfully handled by a provider will pay twice. First, the patient will lose privacy protections and rights available under law. Second, the patient will pay for care that a health insurer might have paid for otherwise. A patient will do well to approach a confidentiality request as a joint effort by the patient and the provider.
Our conclusion is that while it is now legally possible for a patient to demand that their protected health information not be shared with a health plan, making a demand should not be done casually. A patient should assess whether the need for extra confidentiality is important, consider whether personal funds are available to pay for the treatment, plan ahead to make the request, determine what the provider’s requirements are, and be persistent. Only those who proceed thoughtfully and carefully are likely to benefit from the new HIPAA Pay-in-Full Option.
World Privacy Forum’s A Patient’s Guide to HIPAA, http://www.worldprivacyforum.org/hipaa/index.html.
Office of Civil Rights FAQs on HIPAA, http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html.
Full Text of the HIPAA Rules, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf.
World Privacy Forum’s Medical Identity Theft Resources, http://www.worldprivacyforum.org/medicalidentitytheft.html.
World Privacy Forum’s Health Information Exchange FAQ and videos,
World Privacy Forum’s Health Information Exchange map for Californians,
The Privacy Rights Clearinghouse has a selection of fact sheets on medical privacy, (http://www.privacyrights.org/medical.htm#FactSheets).
Appendix: Text of the HIPAA Rule Governing the Right to Request Privacy Protections
§ 164.522 Rights to request privacy protection for protected health information.
(a)(1) Standard: Right of an individual to request restriction of uses and disclosures.
(i) A covered entity must permit an individual to request that the covered entity restrict:
(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
(iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(ii), 164.510(a) or 164.512.
(vi) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:
(A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
(B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.
(2) Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented; or
(iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is:
(A) Not effective for protected health information restricted under paragraph (a)(1)(vi) of this section; and
(B) Only effective with respect to protected health information created or received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity must document a restriction in accordance with § 160.530(j) of this subchapter.
(b)(1) Standard: Confidential communications requirements.
(i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
(2) Implementation specifications: Conditions on providing confidential communications.
(i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.
(ii) A covered entity may condition the provision of a reasonable accommodation on:
(A) When appropriate, information as to how payment, if any, will be handled; and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.
Version 1.0: First Public release January 30, 2014.
Copyright Bob Gellman and Pam Dixon.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. https://creativecommons.org/licenses/by-nc-sa/3.0/legalcode