Patient’s Guide to HIPAA – Basic Rights: G. Right to Request Restrictions on Uses and Disclosures (FAQ 51 – 53)
The HIPAA rule defines seven patient rights, one of which is a right to request restrictions on uses and disclosures. Of the rights currently afforded under HIPAA, this is the one with the most restrictions. This page includes all FAQs explaining this right (FAQ 51-53).
G. Right to Request Restrictions on Uses and Disclosures (FAQ 51 – 53)
FAQ 51: What is the Right to Request Restrictions on Uses and Disclosures?
The right to request restrictions is the least meaningful of the seven HIPAA patient rights. A covered entity must allow a patient to request a restriction on the uses or disclosures of the patient’s information to carry out treatment, payment, or health care operations. A patient can also ask for a restriction on disclosures to a family member, relative, or close personal friend. However, there’s a new element that came with the 2013 changes. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for treatment or payment, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full. We’ll explain that new option in the next FAQ. It’s well-intentioned but very messy to use.
You can read later in this document about the scope of permissible uses and disclosures for treatment, payment, and health care operations. (See FAQs 56 & 57.) No covered entity needs your consent to make disclosures for those purposes. Health care operations is a particularly broad term that includes many activities that are in the interest of the covered entity and not necessarily in the interest of the patient.
FAQ 52: Why is the Right to Request Restrictions Almost Meaningless?
The rule does not require a covered entity to agree to a restriction requested by a patient. The covered entity does not have to agree even if the patient’s request is reasonable. Contrast this provision with the right to request confidential communication. (See FAQs 25-28). A covered entity must agree to a reasonable request for confidential communication. However, if you ask for a restriction on use or disclosure, the covered entity does not have to agree, does not have to state a reason for denying a request, and does not have to even respond to your request. Because it is a patient right without a corresponding obligation on the part of a covered entity, we conclude that the right is almost meaningless.
It gets worse. The rule expressly provides that some restrictions that an institution might agree to are not effective. These are uses or disclosures that are permitted for facility directories (separate rules govern facility directories), to the Department for oversight of the rule, or for any of the scores of other permissible disclosures allowed under the law. Thus, if an institution agrees to your request not to make a discretionary disclosure to the Central Intelligence Agency, that agreement is not effective under the rule.
In the event that a covered entity agreed to a patient request and violated the agreement, OCR might respond to a complaint from a patient. However, if OCR took aggressive action, covered entities would see that as a reason not to agree to any restrictions. Enforcement would only add to the existing disincentive to agree to disclosure restrictions. To be blunt, there is not much in it for a covered entity that agrees not to disclose other than potential liability. A patient who had an agreement from a covered entity might be able to enforce an agreement through a complaint about professional misconduct or through a legal action for breach of contract. This is all rather hypothetical because it will be hard to convince any covered entity to agree to your request in the first place. It would be much easier to enforce an agreement if it were in writing.
It is unlikely that any large institution will agree to any restriction on use or disclosure. It is conceivable that you might get a small provider – e.g., a psychiatrist in a solo practice – to agree with your request. A bigger institution – especially one with a staff of lawyers – will probably never agree. Frankly, trying to get a voluntary agreement from a large covered entity is not likely to be worth the time and trouble. We would be happy if it turns out that we are wrong.
The 2013 change offers a new and mandatory restriction. You have the firm right to demand (not just request) that a provider not disclose PHI to a health plan if the disclosure is for payment or health care operations, the disclosure isn’t required by law, and if the PHI pertains solely to health care for which the patient (or someone on behalf of the patient) paid in full.
This looks like it is more helpful than the right to request a restriction. If you meet the terms and make the request properly and in a timely fashion, a covered entity must agree. However, it will be hard for most patients to meet the requirements. As you read the following discussion of the problems with the new mandatory restriction, you will see what we mean.
- The PHI must relate to fully paid health care: If a treatment included a service partly paid by insurance and partly by you, the treatment does not qualify. So if you have surgery for a deviated septum paid for by your health insurance with a little added cosmetic surgery at the same time that you pay for, you cannot make a request to keep the cosmetic surgery restricted. You didn’t pay for the surgery solely by yourself. If you pay for a treatment, but let your insurer pay for a related blood test, it will probably not qualify as a treatment solely paid by you. It may be hard at times to tell when a treatment for one purpose ends and another one starts.
- Paying in full may be difficult for many patients. Many patients are not able to afford to pay for their own care. For them, the right will be unavailable. Further, a patient that pays out of pocket may not receive the negotiated lower prices that health plans often pay. The price may be even higher than most patients anticipate. Further, Medicare may prohibit providers taking any payment from some patients, so the option may not be available when a patient on Medicare uses some providers. At some HMOs, payments by patients for some services are not allowed, even if service came from someone outside the HMO. When the health plan is also the provider, the right may not be meaningful unless the patient uses a separate provider.
- The health care system is complicated and interconnected. You may pay for a service out of pocket and tell your doctor not to disclose information to the health plan. Yet if the doctor sends a prescription electronically to a drug store, the drug store may not be aware of the restriction and is likely to automatically query the health plan before the patient has a chance to contact the pharmacy. Even if a patient obtains a paper prescription and takes it to a pharmacy, pharmacies may report the prescription to a pharmacy benefit manager, a state database (e.g., for narcotics), or some other intermediary that the pharmacy can lawfully disclose the information to. The same problem can arise with a laboratory, x-ray facility, or other provider.
A patient seeking to keep treatment information from a health plan will have to think ahead and be adept at finding non-standard ways of managing referrals or ordering tests. Requests to restrict may need to be made in advance of treatment or billing. Covered entities are sure to insist (as the rule allows) that requests be made in writing, and there could be delays before a provider can add a request for disclosure restriction to the patient’s record and make it effective.
From the perspective of a covered entity, managing a mandatory request not to tell a health plan can be challenging. A health care provider will have to think how to tag or separate restricted information so that it remains available to those treating patients but does not casually slip off to insurers. Even a provider trying to act in good faith will face problems. All providers will have to think long and hard how to handle mandatory requests.
For most patients, paying in full out of pocket is not realistic. Some patients have the ability to pay and will want to use the mandatory restriction provision. For example, some individuals receiving mental health treatment are zealously protective of their privacy and pay for their own treatment. Others will also want treatment to be as confidential as possible. For any patient who wants to make use of the mandatory restriction in the Rule, we tentatively offer this advice.
1. Recognize up front that getting a mandatory restriction to work will require a lot of advance planning. Find out the covered entity’s requirements for a mandatory restriction. A provider may require advance notice. Be prepared to make your written request before you make the actual appointment. Come to that appointment with multiple copies of a written request in hand. For a large provider, consider talking in advance to the provider’s privacy officer to make sure that you can meet the provider’s requirements. A larger provider is more likely to have a formal procedure, and you will want to make sure that you do the things necessary to follow that procedure.
2. If the treatment you need normally requires pre-certification from your health plan, you may need to take action well before your appointment. A provider may routinely seek pre-certification on your behalf after you make an appointment if you don’t make it clear that you do not want the information shared with the insurer. Telling your doctor may not be enough if the clerk who handles the pre-certifications did not know about your request. Work this out well in advance with the provider’s administrative staff. Try to talk to the office manager rather than to a receptionist.
3. If you get a referral to a second provider, your request for restriction will not automatically follow with the referral. You have to ask the second provider for a restriction, which may mean doing the same advance work that you did with the first provider. In emergencies, this could prove to be especially difficult or impossible.
4. If you are having an outpatient surgical procedure, it’s possible that the same procedure will involve a surgeon, anesthetist, and a hospital, each of which is a separate provider who bills separately to your health insurer. You are likely to have to make a separate request to each provider. There may well be other circumstances in which a single type of treatment involves more than one covered entity. You will have to ask many questions to be sure.
5. If your provider orders lab tests or x-rays, your request for restriction will not automatically go along with the sample or order. You will have to make the same request for restriction with each subsequent provider (a lab is a provider). You may want to decline to let your provider take a blood sample to send to the lab. Consider getting an order for a test from the doctor. Take the order to a lab, pay in cash, and don’t let the lab bill your insurance company. Remember, however, that the cash price may be much higher than the insurance price. Negotiating an appropriate price may be even more challenging than successfully negotiating a confidentiality request.
6. Make sure that you can pay for your care. If you don’t pay or if your check bounces, a provider may bill your insurance company anyway. If possible, pay for your care at the time of receipt so there is no question about the need to bill your insurer.
7. See if you can arrange for care from a small provider rather than a large provider. A psychiatrist in solo private practice may be much more adept at billing you than a university hospital with many formal procedures, separate billing offices, automated claims submissions, and the like. There’s no guarantee that a small provider will do better, but we guess that you have a better chance. You certainly have a better chance of conveying your request to everyone in a small office than in a big hospital.
8. Consider having the treatment you want to keep confidential from your health plan at a health care provider that you do not see for other types of treatment. If you establish a relationship with a new provider, make it clear that you will pay for the care yourself. You may be able to avoid telling the provider about your insurance at all. A provider who does not know your insurer will find it hard to disclose information to your insurer. Remember to discuss the price of your care, because insurance companies often pay less than the list price for health care. Some providers may fear that you may not pay the bill, and they may demand health insurance information as a backup.
Here’s an example. Suppose that you usually fill your prescriptions at the “ABC Pharmacy” that has your health plan information on file. It could be easy for a pharmacy to accidentally bill your health plan despite your request. It’s also possible that when you fill your next unrestricted prescription, the record of your restricted prescription will go along to the insurer anyway. Avoid the risk, if possible, by filling a restricted prescription at a different pharmacy where you do not do business otherwise. Don’t give the second pharmacy your health plan information.
There’s a real downside here, however. There’s a risk here that if the new drug conflicts with another drug you already are taking, you could have a serious or fatal reaction. It is important to discuss the issue with the prescribing physician. You could encounter the same type of conflict if you receive care from one provider that your regular provider does not know about. You could endanger your health or even your life. It’s definitely something to consider. You will accomplish nothing if you succeed in protecting your confidentiality and ruining your health or losing your life.
Second example: if you need treatment for a sexually transmitted disease and you don’t want the information to circulate in the health care payment system, go to a walk-in clinic that takes cash. We can’t advise you to use a pseudonym. We don’t know that it is legal to do so. However, some people do. We do not offer legal advice here, but we observe that using a pseudonym when obtaining narcotics may land you in jail.
9. If the provider is part of a local Health Information Exchange, ask about keeping your information out of a shared record system. You don’t have a right to keep one provider from sharing your PHI with other providers, but once information is shared, it is more vulnerable to inadvertent disclosure to your insurer. However, as we just pointed out, it is possible that treatments or drugs from different providers could conflict in some way and endanger your life or your health. There’s an advantage when your provider has a more complete medical history.
10. Remember that the mandatory restriction is new to everyone in the health care system. As should be clear from the above discussion, it raises many complications for patients and for providers. If you happen to be the first person who wants a mandatory restriction, you may have to work carefully with the provider to work out the proper arrangements. Put another way, you may have to be highly motivated and persistent to have your restriction properly honored.
11. Document everything. Keep copies of your restriction request letters. Try to get receipts for the restriction letters. Keep a log of everyone you talked to in every provider’s office and what they said. Write down who you gave your restriction request letter to, what their job is, and when you gave them the letter.
12. Don’t assume that your doctor will remember that you have a restriction demand on file when you show up for a second, third, or tenth visit. Repeat your demand before every appointment, during each visit, and when you check out of the provider’s office. You can’t be too careful. In many offices, providers automatically bill insurers after a visit, and they may do so if you don’t remind everyone about your restriction demand. The right to restrict the flow of information to an insurer is a firm right, not just a request that a provider can decline to honor. You may have to fight to have your rights honored.
13. Unfortunately, we have not yet exhausted the problems presented by the new disclosure restriction mandate. Here’s another possibility. You go to a provider and successfully impose a restriction on disclosure to your health plan. The treatment results in a complication that requires additional treatment, possibly including hospitalization, additional tests, and new prescriptions. If you cannot afford to pay out of pocket for the additional treatment, your health plan will begin to receive claims and may ask why you needed the additional treatment. It is also likely that the additional treatment itself will identify to the plan something about the treatment that you kept secret.
Here’s another example. You pay out of pocket for a genetic test to see if you have a gene that predisposes you to colon cancer. The test is positive, and you schedule a colonoscopy that you cannot afford to pay for yourself. Your health plan may ask why it should pay for a colonoscopy for someone of your age when the test is only recommended for someone much older. You may be forced to reveal the test and the result that you wanted to keep secret. All the effort and expense that went into keeping the test from your health plan may be wasted in that case.
14. Will a restriction demand really make your health record completely private? Sadly, the answer is no. Don’t get your expectations raised too much. The restriction only applies to disclosures to health plans. Other disclosures allowed by the Privacy Rule – to public health agencies, researchers, law enforcement, private litigants, the CIA, and others – are not affected in any way by a patient’s restriction. Also unaffected are disclosures to other health care providers for treatment. Think about that if you want to undertake the efforts to ask for a restriction and make it work. The right to restrict provides a narrow degree of confidentiality. That may be what you need, but don’t expect any more. Only you can decide if the expense and the effort are worth the limited result.
So why did OCR adopt this messy, complicated, nearly-impossible-to-implement change in the Privacy Rule? Because Congress directed the change in the HITECH Act. It’s a well-intentioned provision, but we have many doubts that it will work well in the real world. We will all find out together over the next few years. If a provider does not provide you with the confidentiality required by law, you can complain to OCR. However, any complaint is only likely to exacerbate sharing of the information that you wanted kept secret in the first place.
In this FAQ, we emphasized the burden that falls on a patient who wants confidentiality. We observe that HIPAA places most of the responsibility on the provider. We think that providers must do a lot of work to be able to honor patient requests. That is what the law demands. However, a patient who wants privacy must anticipate the problems that a provider faces in honoring a request. The patient will suffer if the request is not handled properly. Indeed, the patient whose request is not successfully handled by a provider will pay twice. First, the patient will lose privacy protection available under law. Second, the patient will pay for care that a health insurer might have paid for otherwise. A patient will do well to approach a confidentiality request as a joint effort by the patient and the provider.
FAQ 53: Is the Right to Limit Disclosures to Relatives and Friends Meaningless Too?
Not entirely. There is a bit of hope if you want a provider to agree to limit disclosures to relatives and friends. If you tell your doctor or nurse not to talk to a relative, that provider is likely to comply regardless of the rule. The rule doesn’t make those disclosures mandatory. It does, however, make it harder for a patient to obtain or enforce an agreement.
If, for example, you ask your provider not to disclose your diagnosis to your children, the rule requires the provider to document the request. Since formal documentation is less likely to be done for casual requests, any agreement may be unenforceable under the rule. Further, the required formality of the rule allows providers to insist that patients make requests in writing, and most will demand a letter. If you are a patient in a hospital about to receive a visit from a relative, how can you possibly make a written request and get a timely agreement from the hospital?
Even if you do make a written request, the rule doesn’t require any response to your request or any response in a reasonable period. If you are prepared enough to present a formal request at the start of your hospitalization, the hospital could take 30 days or more before it agreed. Your hospitalization will likely have ended well before any response, if you even get a response.
Luckily, while the rule makes these requests to limit disclosure mostly meaningless, the human element that still exists in the health care system may supply what the rule does not. If you make a personal request to your provider, that provider will likely abide by your wishes regardless of the rule and its required formality. Your request may not be legally enforceable under the HIPAA rule, but enforcement may not be important.
Generally, we don’t see much of a reason to bother with formal requests for use and disclosure restrictions, although it remains to be seen if the new right to prevent disclosure to insurers will be meaningful. If you read many notices of privacy practices, you will find that covered entities say that they won’t agree to most requests. That is a polite way of saying that they won’t agree to any requests.
If you want to control disclosures to family members or friends, the formal process under the rule isn’t likely to help you at all. Make your requests orally and informally to your providers, just the same way that patients have always done. Be clear. Be repetitive. Hope for the best. The HIPAA rule does almost nothing for you.