    HIPAA Privacy Regulations: Right of Individual to Request Restriction of Uses and Disclosures of PHI - § 164.522(a)

    As Contained in the HHS HIPAA Privacy Rules

     

    HHS Regulations as Amended January 2013
    Right of Individual to Request Restriction of Uses and Disclosures of PHI - § 164.522(a)

     

    (a)(1) Standard: Right of an individual to request restriction of uses and disclosures. (i) A covered entity must permit an individual to request that the covered entity restrict:

    (A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and

    (B) Disclosures permitted under §164.510(b).

    (ii) Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction.

    (iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.

    (iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.

    (v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under §164.502(a)(2)(ii), §164.510(a) or §164.512.

    (vi) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:

    (A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

    (B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.

    (2) Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if:

    (i) The individual agrees to or requests the termination in writing;

    (ii) The individual orally agrees to the termination and the oral agreement is documented; or

    (iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is:

    (A) Not effective for protected health information restricted under paragraph (a)(1)(vi) of this section; and

    (B) Only effective with respect to protected health information created or received after it has so informed the individual.

    (3) Implementation specification: Documentation. A covered entity must document a restriction in accordance with §160.530(j) of this subchapter.

     

    HHS Description and Commentary From the January 2013 Amendments
    Right of Individual to Request Restriction of Uses and Disclosures of PHI - § 164.522(a)

     

    Section 164.522(a) of the Privacy Rule requires covered entities to permit individuals to request that a covered entity restrict uses or disclosures of their protected health information for treatment, payment, and health care operations purposes, as well as for disclosures to family members and certain others permitted under § 164.510(b).

    While covered entities are not required to agree to such requests for restrictions, if a covered entity does agree to restrict the use or disclosure of an individual’s protected health information, the covered entity must abide by that restriction, except in emergency circumstances when the information is required for the treatment of the individual.

    Section 164.522 also includes provisions for the termination of such a restriction and requires that covered entities that have agreed to a restriction document the restriction in writing.

    Proposed Rule

    Section 13405(a) of the HITECH Act sets forth certain circumstances in which a covered entity now must comply with an individual’s request for restriction of disclosure of his or her protected health information. Specifically, section 13405(a) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to § 164.522, the covered entity must agree to the requested restriction unless the disclosure is otherwise required by law, if the request for restriction is on disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.

    To implement section 13405(a) of the HITECH Act, we proposed a number of changes to the Privacy Rule’s provisions regarding an individual’s right to request restrictions of certain uses and disclosures. First, we proposed at § 164.522(a)(1)(vi) to require a covered entity to agree to a request by an individual to restrict the disclosure of protected health information about the individual to a health plan if: (A) the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and (B) the protected health information pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full. In recognition that there are many situations in which family members or other persons may pay for the individual’s treatment, we proposed to include language to the provision to ensure that this requirement not be limited to solely the individual paying for the health care item or service but would also include payment made by another person, other than the health plan, on behalf of the individual.

    We proposed to modify § 164.522(a)(1)(ii), which states that a covered entity is not required to agree to a restriction, to refer to this exception to that general rule. We noted in the NPRM that in cases where an individual has exercised his or her right to restrict disclosure to a health plan under the above circumstances, the covered entity is also prohibited from making such disclosures to a business associate of the health plan, because a covered entity may only disclose protected health information to a business associate of another covered entity if the disclosure would be permitted directly to the other covered entity. We also proposed conforming modifications to § 164.522(a)(2) and (3) regarding terminating restrictions and documentation of restrictions to reflect these new requirements, and to make clear that, unlike other agreed to restrictions, a covered entity may not unilaterally terminate a required restriction to a health plan under § 164.522(a)(1)(ii).

    We provided a number of clarifications, and solicited public comment on a number of issues, regarding these proposed provisions, as follows. We stated that we interpret section 13405(a) as giving the individual a right to determine for which health care items or services the individual wishes to pay out of pocket and restrict. Thus, section 13405(a) would not permit a covered entity to require individuals who wish to restrict disclosures about only certain health care items or services to a health plan to restrict disclosures of protected health information regarding all health care to the health plan. We requested comment on the types of treatment interactions between individuals and covered entities that would make implementing a restriction more difficult and ways to address such difficult situations, such as where an individual wishes to restrict a disclosure regarding a prescription to a health plan but because the provider electronically sends prescriptions to the pharmacy to be filled, the pharmacy may have already billed the health plan by the time the patient arrives at the pharmacy.

    We requested comment generally on whether covered health care providers that know of a restriction should inform other health care providers downstream of such restriction, including pharmacies, and whether technology could facilitate such notification. We requested comment on examples of the types of disclosures that may fall under this “required by law” exception.

    With respect to an individual, or someone on behalf of the individual, paying out of pocket for the health care item or service, we noted that the individual should not expect that this payment would count towards the individual’s out of pocket threshold with respect to his or her health plan benefits. We requested comment on how this provision will function with respect to HMOs, given our understanding that under most current HMO contracts with providers an individual could not pay the provider in full for the treatment or service received. We clarified in the NPRM that if an individual’s out of pocket payment for a health care item or service is not honored (e.g., the individual’s check bounces), the covered entity is not obligated to continue to abide by the requested restriction because the individual has not fulfilled the requirements necessary to obtain the restriction. Additionally, we stated our expectation in such cases that covered entities make some attempt to resolve any payment issues with the individual prior to sending the protected health information to the health plan, such as by notifying the individual that his or her payment did not go through and giving the individual an opportunity to submit payment and requesting comment on the extent to which covered entities must make reasonable efforts to secure payment from the individual prior to billing the health plan.

    We requested comment on the scope of a restriction and in what circumstances it should apply to a subsequent, but related, treatment encounter, such as follow-up care for treatment of a particular condition.

    Overview of Public Comments

    We received many comments on these proposed provisions and our questions as to how they should apply. A number of commenters generally supported the provisions as being an important right for health care consumers. However, many commenters expressed concerns with these new requirements. Many commenters raised concerns with, and requested guidance on, how to operationalize a restriction. Several commenters were concerned with having to create separate records to ensure that restricted data is not inadvertently sent to or accessible by the health plan or to manually redact information from the medical record prior to disclosure to a health plan.

    Commenters argued that having to segregate restricted and unrestricted information or redact restricted information prior to disclosure would be burdensome as such a process would generally have to occur manually, and may result in difficulties with ensuring that treating providers continue to have access to the entire medical record.

    Some commenters were concerned specifically with having to manually redact or create separate records prior to a health plan audit, or otherwise with withholding information from a plan during an audit, to ensure a health plan would not see restricted information.

    With respect to the exception to a restriction for disclosures that are required by law, several commenters supported this exception but requested clarification on how such an exception would affect providers’ existing legal obligations.

    Many commenters suggested that providers would be prohibited from receiving cash payment from individuals for items or services otherwise covered by State or Federally funded programs, such as Medicare and Medicaid, and thus, requested that disclosures to such State or Federally funded programs not be eligible for restriction. Similarly, some commenters sought clarification on the effect of this provision where certain State laws prohibit “balance billing,” making it illegal for the provider to bill the patient for any covered services over and above any permissible copayment, coinsurance or deductible amounts. Some commenters asked that we clarify that the “required by law” exception allows providers to disclose protected health information subject to a restriction for Medicare and Medicaid audits, because those insurers require complete, accurate records for audits.

    Other commenters were concerned with applying a restriction to only certain health care items or services provided during a single patient encounter or visit.

    Commenters argued that split billing is not possible for most providers or that it may be obvious to a health plan if one item or service out of a bundle is restricted and that unbundling services may be costly. One commenter suggested that individuals should only be able to restrict certain types of services/treatment (e.g., cosmetic surgery and family planning services) as such services are more easily segregable from other health care services.

    In response to our question regarding available electronic methods through which a prescribing provider could alert a pharmacy that an individual intends to pay out of pocket for a prescription and restrict disclosure to a health plan, commenters indicated they were generally unaware of any system that would alert a pharmacy of restrictions electronically, and many agreed that the cost and burden of flagging records manually would not be feasible for all covered entities. In general, commenters agreed that paper prescriptions would provide individuals with an opportunity to request a restriction when they arrive at the pharmacy. However, commenters also noted that returning to the use of paper prescriptions over electronic prescribing would be a step in the wrong direction, as there are many benefits to electronic prescribing, and it is important not to limit these benefits.

    Almost all of the comments we received regarding the obligation generally of health care providers that know of a restriction to inform downstream health care providers of the restriction argued that it should be the individual’s and not the provider’s responsibility to inform downstream providers of any requested restriction. While a few commenters stated that the provider should bear this responsibility, the majority believed that this obligation would be difficult and burdensome for a provider. Some commenters acknowledged that in time, more advanced electronic and automated systems may allow providers to notify other providers downstream of a restriction, but these commenters stressed that such systems are not widely available at this time.

    With respect to the requirement’s application to health care providers providing care within an HMO context, many commenters expressed support for the suggestion that HMO patients would have to use an out-of-network provider for treatment to ensure that the restricted information would not be disclosed to the HMO.

    Some commenters indicated that State laws and/or provider contracts with an HMO may prohibit the provider from receiving a cash payment from an HMO patient above the patient’s cost-sharing amount for the health care item or service. Conversely, some commenters stated that individuals should not have to go out-of-network when requesting a restriction and instead, providers could and should treat the services as non-covered services and accept payment directly from the patient. Several commenters also suggested that managed care contracts would have to be revised or renegotiated in order to comply with this provision and as such, ample time for renegotiation should be provided.

    Commenters generally supported the language in the proposed rule making clear that a restriction would apply where an individual requests a restriction, but someone other than the individual (other than the health plan), such as a family member, pays for the individual’s care on behalf of the individual. One commenter asked for clarification that payment by any health plan would not constitute payment out of pocket by the individual. The commenter stated that such clarification was necessary to avoid the situation where an individual has coverage under multiple plans, pays for care with a secondary plan, requests a restriction on disclosure to the primary plan, and then the secondary plan proceeds to obtain reimbursement from the primary plan disclosing the protected health information at issue. Another commenter asked that we clarify that a clinical research participant whose health care services are paid for by a research grant can still qualify for a restriction to the individual’s health plan.

    Most commenters supported not having to abide by a requested restriction in cases where the individual’s method of payment is returned or otherwise does not go through. A few commenters suggested that a covered entity should include information to this effect in its notice of privacy practices. A number of commenters expressed concern with the ability of a provider to bill a health plan for services following an individual’s inability to pay. For example, a provider may find it difficult to be reimbursed for services if the provider did not obtain the plan’s required pre-certification for services because the individual initially agreed to pay out of pocket for the services.

    Several commenters asked for guidance on what constitutes a “reasonable effort” to obtain payment from an individual prior to billing a health plan for health care services where an individual’s original form of payment fails, and argued that the effort required should not be too burdensome on providers. A number of commenters suggested various alternatives. A few commenters suggested that providers should be able to set a deadline for payment and then bill the plan if the patient fails to pay; others requested that the regulation set a specific timeframe in which providers must be paid or the requested restriction is terminated. Some commenters suggested that a “reasonable effort” should be based upon a covered entity making one or two attempts to contact the patient and obtain payment.

    Another commenter recommended that reasonable efforts should require the provider to make a good faith effort to obtain payment based on their usual debt collection practices. Other commenters requested clarification that reasonable efforts would not require a provider sending a bill to a collection agency. Some commenters were generally concerned with requiring a provider to wait too long for payment, as the provider could risk the plan not paying for the treatment if it is billed too late. Certain commenters argued that providers should not have to engage in any attempts to resolve payment issues if an individual’s payment fails prior to billing the health plan for the services. Finally, a number of commenters asked whether a provider could require payment in full at the time of the request for a restriction to avoid payment issues altogether.

    Finally, many commenters responded to the NPRM’s approach to follow-up care.

    The majority of commenters supported the idea that if an individual does not request a restriction and pay out of pocket for follow up care, then the covered entity may disclose the protected health information necessary to obtain payment from the health plan for such follow up care, recognizing that some of the protected health information may relate to and/or indicate that the individual received the underlying health care item or service to which a restriction applied. A few commenters asked whether individual authorization would be required to disclose previously restricted protected health information to a health plan if the individual does not want to restrict the follow up care. A number of commenters expressed support for providers counseling patients on the consequences of not restricting follow-up care. A few commenters were concerned as to how a provider would know when such counseling was needed and what it should include, and asked whether giving the individual a written statement explaining the consequences would suffice.

    Final Rule

    We adopt the modifications to § 164.522 as proposed in the NPRM to implement section 13405(a) of the HITECH Act. In response to questions and comments regarding how to operationalize these requirements, we provide the following clarifications. We clarify that these provisions do not require that covered health care providers create separate medical records or otherwise segregate protected health information subject to a restricted health care item or service. Covered health care providers will, however, need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan. Covered entities should already have in place, and thus be familiar with applying, minimum necessary policies and procedures, which require limiting the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure. Thus, covered entities should already have mechanisms in place to appropriately limit the protected health information that is disclosed to a health plan.

    With respect to commenters who were concerned about providers being able to continue to meet their legal obligations, such as disclosing protected health information to Medicare or Medicaid for required audits, we note that the statute and final rule continue to allow disclosures that are otherwise required by law, notwithstanding that an individual has requested a restriction on such disclosures. Thus, a covered entity may disclose the protected health information necessary to meet the requirements of the law.

    Under the Privacy Rule, “required by law” is defined at § 164.103 as a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. For purposes of this definition, “required by law” includes Medicare conditions of participation with respect to health care providers participating in the program, and statutes and regulations that require the production of information if payment is sought under a government program providing public benefits. Therefore, if a covered entity is required by law to submit protected health information to a Federal health plan, it may continue to do so as necessary to comply with that legal mandate.

    With respect to commenters’ concerns with prohibitions in State law and under Medicare and Medicaid that prevent providers from billing, and receiving cash payment from, an individual for covered services over and above any permissible cost sharing amounts, we provide the following guidance. If a provider is required by State or other law to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual’s right to request a restriction to the health plan pursuant to § 164.522(a)(1)(vi)(A) of the Rule.

    With respect to Medicare, it is our understanding that when a physician or supplier furnishes a service that is covered by Medicare, then it is subject to the mandatory claim submission provisions of section 1848(g)(4) of the Social Security Act (the Act), which requires that if a physician or supplier charges or attempts to charge a beneficiary any remuneration for a service that is covered by Medicare, then the physician or supplier must submit a claim to Medicare. However, there is an exception to this rule where a beneficiary (or the beneficiary’s legal representative) refuses, of his/her own free will, to authorize the submission of a bill to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. The limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare. See the Medicare Benefit Policy Manual, Internet only Manual pub. 100-2, ch. 15, sect. 40, available at http://www.cms.gov/manuals/Downloads/bp102c15.pdf. Thus, if a Medicare beneficiary requests a restriction on the disclosure of protected health information to Medicare for a covered service and pays out of pocket for the service (i.e., refuses to authorize the submission of a bill to Medicare for the service), the provider must restrict the disclosure of protected health information regarding the service to Medicare in accordance with § 164.522(a)(1)(vi).

    Certain commenters raised concerns with an individual requesting a restriction with respect to only one of several health care items or services provided in a single patient encounter, and a provider being prohibited from unbundling, or it being more costly to unbundle, the services for purposes of billing a health plan. In such cases, we expect providers to counsel patients on the ability of the provider to unbundle the items or services and the impact of doing so (e.g., the health plan still may be able to determine that the restricted item or service was performed based on the context). If a provider is able to unbundle the items or services and accommodate the individual’s wishes after counseling the individual on the impact of unbundling, it should do so. If a provider is not able to unbundle a group of items or services, the provider should inform the individual and give the individual the opportunity to restrict and pay out of pocket for the entire bundle of items or services. Where a provider is not able to unbundle a group of bundled items or services, we view such group of bundled items or services as one item or service for the purpose of applying §164.522(a)(1)(v).

    However, we would expect a provider to accommodate an individual’s request for a restriction for separable and unbundled health care items or services, even if part of the same treatment encounter, such as in the prior example with respect to the patient receiving both treatment for asthma and diabetes. Thus, we decline to provide as a general rule that an individual may only restrict either all or none of the health care items or services that are part of one treatment encounter.

    In response to the question we posed in the NPRM regarding methods through which a provider could electronically (such as through an e-prescribing tool) notify a pharmacist of an individual’s restriction request, the majority of commenters indicated that there currently is not a widely available method for electronically notifying a pharmacy that a patient has requested a restriction. Further, commenters generally argued that it would be costly, burdensome, and unworkable for a provider to attempt to notify all subsequent providers of an individual’s restriction request, particularly given the lack of automated tools to make such notifications, and thus, it should remain the obligation of the individual to notify downstream providers if the individual wants to restrict protected health information to a health plan. We agree that it would be unworkable at this point, given the lack of automated technologies to support such a requirement, to require health care providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan.

    However, we do encourage providers to counsel patients that they would need to request a restriction and pay out of pocket with other providers for the restriction to apply to the disclosures by such providers. In the case of an individual who wants to restrict disclosures to a health plan concerning a prescribed medication, the prescribing provider can provide the patient with a paper prescription to allow the individual an opportunity to request a restriction and pay for the prescription with the pharmacy before the pharmacy has submitted a bill to the health plan. However, while we do not require it, providers are permitted and encouraged to assist individuals as feasible in alerting downstream providers of the individual’s desire to request a restriction and pay out of pocket for a particular health care item or service.

    For example, consider an individual who is meeting with her primary physician and requests a restriction on tests that are being administered to determine if she has a heart condition. If, after conducting the tests, the patient’s primary physician refers the patient to a cardiologist, it is the patient’s obligation to request a restriction from the subsequent provider, the cardiologist, if she wishes to pay out of pocket rather than have her health plan billed for the visit. Although the primary physician in this example would not be required to alert the cardiologist of the patient’s potential desire to request a restriction, we encourage providers to do so if feasible or in the very least, to engage in a dialogue with the patient to ensure that he or she is aware that it is the patient’s obligation to request restrictions from subsequent providers. In response to commenters who were confused about whether the individual or the provider would have the obligation of notifying subsequent providers when a Health Information Exchange is involved, we clarify that the responsibility to notify downstream providers of a restriction request in this situation also remains with the individual, and not the provider.

    With respect to HMOs, we clarify that a provider providing care in such a setting should abide by an individual’s requested restriction unless doing so would be inconsistent with State or other law. Thus, if a provider within an HMO is prohibited by law from accepting payment from an individual above the individual’s cost-sharing amount (i.e., the provider cannot accept an out of pocket payment from the individual for the service), then the provider may counsel the individual that he or she will have to use an out-of-network provider for the health care item or service in order to restrict the disclosure of protected health information to the HMO for the health care. Providers operating within an HMO context and who are able under law to treat the health care services to which the restriction would apply as out-of-network services should do so in order to abide by the requested restriction. We would not consider a contractual requirement to submit a claim or otherwise disclose protected health information to an HMO to exempt the provider from his or her obligations under this provision. Further, the final rule provides a 180-day compliance period beyond the effective date of these revisions to the Privacy Rule, during which provider contracts with HMOs can be updated as needed to be consistent with these new requirements.

    As proposed in the NPRM, under the final rule, a covered entity must apply a restriction not only where an individual pays in full for the healthcare item or service, but also where a family member or other person pays for the item or service on behalf of the individual. We decline to modify the regulation, as suggested by one commenter, to provide that payment from “any” health plan, rather than the one to which the disclosure is restricted, should not constitute payment on behalf of the individual. In response to the commenter’s concern about difficulties in coordination of benefits for individuals with coverage under multiple plans, we note that this provision does not impede a health plan’s ability to disclose protected health information as necessary to another health plan for coordination of benefits. Thus, health plans may continue to make such disclosures.

    Many commenters supported the discussion in the NPRM regarding not abiding by a restriction if an individual’s payment is dishonored. In such cases, we continue to expect that providers will make a reasonable effort to contact the individual and obtain payment prior to billing a health plan. We do not prescribe the efforts a health care provider must make but leave that up to the provider’s policies and individual circumstances. While we require the provider to make a reasonable effort to secure payment from the individual, this requirement is not intended to place an additional burden on the provider but is instead intended to align with its current policies for contacting individuals to obtain an alternative form of payment to one that was dishonored. We do not require that the individual’s debt be placed in collection before a provider is permitted to bill a health plan for the health care services. Further, a provider may choose to require payment in full at the time of the request for a restriction to avoid payment issues altogether. Similarly, where precertification is required for a health plan to pay for services, a provider may require the individual to settle payments for the care prior to providing the service and implementing a restriction to avoid the situation where the provider is unable to be reimbursed by either the individual or the health plan.

    We also recognize that a provider may not be able to implement a restriction where an individual waits until care has been initiated to make such a request, such as in the case of a hospital stay, in which case the individual’s protected health information may have already been disclosed to the health plan.

    With respect to restrictions and follow-up care, we continue to maintain the approach discussed in the NPRM. If an individual has a restriction in place with respect to a health care service but does not pay out of pocket and request a restriction with regard to follow-up treatment, and the provider needs to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate, then the provider is permitted to disclose such information so long as doing so is consistent with the provider’s minimum necessary policies and procedures. We also clarify that such a disclosure would continue to be permitted for payment purposes and thus, would not require the individual’s written authorization. However, as we did in the NPRM, we highly encourage covered entities to engage in open dialogue with individuals to ensure that they are aware that previously restricted protected health information may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.

    Response to Other Public Comments

    Comment: Several commenters asked that the provision be limited to just providers and not to covered entities in general. Commenters also asked for clarification on whether the restriction prohibits providers from giving protected health information to health plans solely for payment or health care operations purposes in such cases or all entities that may receive protected health information for payment or health care operations.

    Response: We clarify that this provision, in effect, will apply only to covered health care providers. However, the provisions of § 164.522(a) apply to covered entities generally and thus, we decline to alter the regulatory text. In response to commenters’ concerns regarding disclosure for payment or health care operations purposes to entities other than the health plan, we clarify that this provision does not affect disclosures to these other entities as permitted by the Privacy Rule.

    Comment: Commenters asked what the liability is for a provider who discloses restricted protected health information to a plan.

    Response: A provider who discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures is subject to the imposition of possible criminal penalties, civil money penalties, or corrective action.

    Comment: Several commenters asked that we clarify that the “required by law” exception allows providers to respond to subpoenas, court orders, and judicial proceedings.

    Response: The “required by law” exception in § 164.522(a)(1)(vi) does allow health care providers to respond to court orders and subpoenas issued by a court requiring disclosure of protected health information to a health plan. See the definition of “required by law” at § 164.103. Further, § 164.522(a)(1)(vi) does not affect the disclosure of protected health information to entities that are not health plans and thus, disclosures to these other entities made as required by law, for judicial and administrative proceedings, or for law enforcement activities in accordance with §§ 164.512(a), 164.512(e), and 164.512(f), respectively, continue to be permitted.

    Comment: Several commenters suggested that the final rule be written to ensure that there are no conflicts with the Fair Debt Collection Practices Act and similar State laws regarding the legal obligation to validate a debt that is disputed by a debtor.

    Commenters sought clarification on whether the provider can still disclose protected health information for the recovery of debts.

    Response: The final rule does not impact a provider’s ability to disclose protected health information for payment purposes to a collection agency or otherwise for collection activities related to an individual’s debt to the provider. Section 164.522(a) restricts disclosures to a health plan for payment purposes where the individual has paid out of pocket for the health care item or service that is the subject of the disclosure and requests such a restriction.

    Comment: Commenters asked that we clarify whether payment with a Flexible Spending Account (FSA) or Health Savings Account (HSA) is considered a payment by a person on behalf of the individual.

    Response: An individual may use an FSA or HSA to pay for the health care items or services that the individual wishes to have restricted from another plan; however, in doing so the individual may not restrict a disclosure to the FSA or HSA necessary to effectuate that payment.

    Comment: When a restriction is requested, the provider is also prohibited from making disclosures of the restricted protected health information to the business associate of the health plan. One commenter suggested that the final rule make it the priority of the business associate to inform the provider that they are acting as the business associate of the health plan to ensure provider compliance with the rule.

    Other comments misconstrued the preamble statements on this issue and commented that a provider should be allowed to provide restricted protected health information to its own business associates.

    Response: A provider that is prohibited from disclosing protected health information to a health plan may not disclose such information to the health plan’s business associate. We do not include a requirement that the business associate inform the provider that they are acting as a business associate of the health plan as it is the provider’s responsibility to know to whom and for what purposes it is making a disclosure. We also clarify that a provider is not prohibited from disclosing protected health information restricted from a health plan to its own business associates for the provider’s own purposes.

    Comment: One commenter expressed concern about the number of workforce members who must know about the restriction and indicated that this may create a risk for potential error with regard to the information.

    Response: Covered entities must identify those workforce members or class of persons who need access to particular protected health information, and appropriately train their workforce members as necessary to comply with these new requirements.

     

    HHS Description From the Original Rulemaking
    Right of Individual to Request Restriction of Uses and Disclosures of PHI

     

    We proposed that individuals have the right to request that a covered health care provider restrict the use or disclosure of protected health information for treatment, payment, or health care operations. Providers would not have been required to agree to requested restrictions. However, a covered provider that agreed to a restriction could not use or disclose protected health information inconsistent with the restriction. The requirement would not have applied to permissible uses or disclosures under proposed § 164.510, including uses and disclosures in emergency circumstances under proposed § 164.510(k); when the health care services provided were emergency services; or to required disclosures to the Secretary under proposed § 164.522. We would have required covered providers to have procedures for individuals to request restrictions, for agreed-upon restrictions to be documented, for the provider to honor such restrictions, and for notification of the existence of a restriction to others to whom such protected health information is disclosed.

    In the final rule, we retain the general right of an individual to request that uses and disclosures of protected health information be restricted and the requirement for covered entities to adhere to restrictions to which they have agreed. However, we include some significant changes and clarifications.

    Under the final rule, we extend the right to request restrictions to health plans and to health care clearinghouses that create or receive protected health information other than as a business associate of another covered entity. All covered entities must permit individuals to request that uses and disclosures of protected health information to carry out treatment, payment, and health care operations be restricted and must adhere to restrictions to which they have agreed. A covered entity is not required to agree to a restriction. We note that restrictions between an individual and a covered entity for these or other purposes may be otherwise enforceable under other law.

    Under § 164.522(a)(1)(i)(B), the right to request restrictions applies to disclosures to persons assisting in the individual’s care under § 164.510(b). An individual may request that a covered entity agree not to disclose protected health information to persons assisting with the individual’s care, even if such disclosure is permissible in accordance with § 164.510(b). For example, if an individual requests that a covered entity never disclose protected health information to a particular family member, and the covered entity agrees to that restriction, the covered entity is prohibited from disclosing protected health information to that family member, even if the disclosure would otherwise be permissible under § 164.510(b). We note that individuals additionally have the opportunity to agree or object to disclosures to persons assisting in the individual’s care under § 164.510(b)(2). The individual retains the right to agree or object to such disclosures under § 164.510(b)(2), in accordance with the standards of that provision, regardless of whether the individual has requested a restriction under § 164.522(a). See § 164.510(b) and the corresponding preamble discussion regarding the individual’s right to agree or object to disclosures to persons assisting in the individual’s care.

    In §§ 164.522(a)(1)(iii) and (iv) we clarify the requirements with respect to emergency treatment situations. In emergency treatment situations, a covered entity that has agreed to a restriction may use, or disclose to a health care provider, restricted protected health information that is necessary to provide the emergency treatment. If the covered entity discloses restricted protected health information to a health care provider for emergency treatment purposes, it must request that the provider not further use or disclose the information. We expect covered entities to consider the need for access to protected health information for treatment purposes when considering a request for a restriction, to discuss this need with the individual making the request for restriction, and to agree to restrictions that will not foreseeably impede the individual’s treatment. Therefore, we expect covered entities will rarely need to use or disclose restricted protected health information in emergency treatment situations. We do not intend, however, to adversely impact the delivery of health care. We therefore provide a means for the use and disclosure of restricted protected health information in emergency treatment situations, where an unexpected need for the information could arise and there is insufficient time to secure the individual’s permission to use or disclose the restricted information.

    In § 164.522(a)(1)(v) we clarify that restrictions are not effective under this rule to prevent uses and disclosures required by § 164.502(a)(2)(ii) or permitted under § 164.510(a) (regarding facility directories) or § 164.512 (regarding uses and disclosures for which consent, individual authorization, or opportunity to agree or object is not required). Covered entities are permitted to agree to such restrictions, but if they do so, the restrictions are not enforceable under this rule. For example, a provider who makes a disclosure under § 164.512(j)(1)(i) relating to serious and imminent threats will not be in violation of this rule even if the disclosure is contrary to a restriction agreed to under this paragraph.

    In § 164.522(a)(2) we clarify a covered entity’s ability to terminate a restriction to which it has agreed. A covered entity may terminate a restriction with the individual’s written or oral agreement. If the individual’s agreement is obtained orally, the covered entity must document that agreement. A note in the medical record or similar notation is sufficient documentation. If the individual agrees to terminate the restriction, the covered entity may use and disclose protected health information as otherwise permitted under the rule. If the covered entity wants to terminate the restriction without the individual’s agreement, it may only terminate the restriction with respect to protected health information it creates or receives after it informs the individual of the termination. The restriction continues to apply to protected health information created or received prior to informing the individual of the termination. That is, any protected health information that had been collected before the termination may not be used or disclosed in a way that is inconsistent with the restriction, but any information that is collected after informing the individual of the termination of the restriction may be used or disclosed as otherwise permitted under the rule.

    In § 164.522(a)(3), we clarify that a covered entity must document a restriction to which it has agreed. We do not require a specific form of documentation; a note in the medical record or similar notation is sufficient. The documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later, in accordance with § 164.530(j).

    We eliminate the requirement from the NPRM for covered entities to inform persons to whom they disclose protected health information of the existence of any restriction on that information. A restriction is only binding on the covered entity that agreed to the restriction. We encourage covered entities to inform others of the existence of a restriction when it is appropriate to do so. We note, however, that disclosure of the existence of a restriction often amounts to a de facto disclosure of the restricted information itself. If a restriction does not permit a covered entity to disclose protected health information to a particular person, the covered entity must carefully consider whether disclosing the existence of the restriction to that person would also violate the restriction.

     

    HHS Response to Comments Received From the Original Rulemaking
    Right of Individual to Request Restriction of Uses and Disclosures of PHI

     

    Comment: Several commenters supported the language in the NPRM regarding the right to request restrictions. One commenter specifically stated that this is a balanced approach that addresses the needs of the few who would have reason to restrict disclosures without negatively affecting the majority of individuals. At least one commenter explained that if we required consent or authorization for use and disclosure of protected health information for treatment, payment, and health care operations that we must also have a right to request restrictions of such disclosure in order to make the consent meaningful.

    Many commenters requested that we delete this provision, claiming it would interfere with patient care, payment, and data integrity. Most of the commenters that presented this position asserted that the framework of giving patients control over the use or disclosure of their information is contrary to good patient care because incomplete medical records may lead to medical errors, misdiagnoses, or inappropriate treatment decisions. Other commenters asserted that covered entities need complete data sets on the populations they serve to effectively conduct research and quality improvement projects and that restrictions would hinder research, skew findings, impede quality improvement, and compromise accreditation and performance measurement.

    Response: We acknowledge that widespread restrictions on the use and disclosure of protected health information could result in some difficulties related to payment, research, quality assurance, etc. However, in our efforts to protect the privacy of health information about individuals, we have sought a balance in determining the appropriate level of individual control and the smooth operation of the health care system. In the final rule, we require certain covered providers and permit all covered entities to obtain consent from individuals for use and disclosure of protected health information for treatment, payment, and health care operations (see § 164.506). In order to give individuals some control over their health information for uses and disclosures of protected health information for treatment, payment, and health care operations, we provide individuals with the opportunity to request restrictions of such uses and disclosures.

    Because the right to request restrictions encourages discussions about how protected health information may be used and disclosed and about an individual’s concerns about such uses and disclosures, it may improve communications between a provider and patient and thereby improve care. According to a 1999 survey on the Confidentiality of Medical Records by the California HealthCare Foundation, one out of every six people engage in behavior to protect themselves from unwanted disclosures of health information, such as lying to providers or avoiding seeking care. This indicates that, without the ability to request restrictions, individuals would have incentives to remain silent about important health information that could have an effect on their health and health care, rather than consulting a health care provider.

    Further, this policy is not a dramatic change from the status quo. Today, many state laws restrict disclosures for certain types of health information without patient’s authorization. Even if there is no mandated requirement to restrict disclosures of health information, providers may agree to requests for restrictions of disclosures when a patient expresses particular sensitivity and concern for the disclosure of health information.

    We agree that there may be instances in which a restriction could negatively affect patient care. Therefore, we include protections against this occurrence. First, the right to request restrictions is a right of individuals to make the request. A covered entity may refuse to restrict uses and disclosures or may agree only to certain aspects of the individual’s request if there is concern for the quality of patient care in the future. For example, if a covered provider believes that it is not in the patient’s best medical interest to have such a restriction, the provider may discuss the request for restriction with the patient and give the patient the opportunity to explain the concern for disclosure. Also, a covered provider who is concerned about the implications on future treatment can agree to use and disclose sensitive protected health information for treatment purposes only and agree not to disclose information for payment and operation purposes. Second, a covered provider need not comply with a restriction that has been agreed to if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment. This exception should limit the harm to health that may otherwise result from restricting the use or disclosure of protected health information. We encourage covered providers to discuss with individuals that the information may be used or disclosed in emergencies. We require that the covered entity that discloses restricted protected health information in an emergency request that the health care provider that receives such information not further use or re-disclose the information.

    Comment: Some health plans stated that an institutionalized right to restrict can interfere with proper payment and can make it easier for unscrupulous providers or patients to commit fraud on insurance plans. They were concerned that individuals could enter into restrictions with providers to withhold information to insurance companies so that the insurance company would not know about certain conditions when underwriting a policy.

    Response: This rule does not enhance the ability of unscrupulous patients or health care providers to engage in deceptive or fraudulent withholding of information. This rule grants a right to request a restriction, not an absolute right to restrict. Individuals can make such requests today. Other laws criminalize insurance fraud; this regulation does not change those laws.

    Comment: One commenter asserted that patients cannot anticipate the significance that one aspect of their medical information will have on treatment of other medical conditions, and therefore, allowing them to restrict use or disclosure of some information is contrary to the patient’s best interest.

    Response: We agree that patients may find it difficult to make such a calculus, and that it is incumbent on health care providers to help them do so. Health care providers may deny requests for or limit the scope of the restriction requested if they believe the restriction is not in the patient’s best interest.

    Comment: One commenter asked whether an individual’s restriction to disclosure of information will be a bar to liability for misdiagnosis or failure to diagnose by a covered entity who can trace its error back to the lack of information resulting from such restriction.

    Response: Decisions regarding liability and professional standards are determined by state and other law. This rule does not establish or limit liability for covered entities under those laws. We expect that the individual’s request to restrict the disclosure of their protected health information would be considered in the decision of whether or not a covered entity is liable.

    Comment: One commenter requested that we allow health plans to deny coverage or reimbursement when a covered health care provider’s agreement to restrict use or disclosure prevents the plan from getting the information that is necessary to determine eligibility or coverage.

    Response: In this rule, we do not modify insurers’ rules regarding information necessary for payment. We recognize that restricting the disclosure of information may result in a denial of payment. We expect covered providers to explain this possibility to individuals when considering their requests for restrictions and to make alternative payment arrangements with individuals if necessary.

    Comment: Some commenters discussed the administrative burden and cost of the requirement that individuals have the right to request restrictions and that trying to segregate certain portions of information for protection may be impossible. Others stated that the administrative burden would make providers unable to accommodate restrictions, and would therefore give patients false expectations that their right to request restrictions may be acted upon. One commenter expressed concern that large covered providers would have a particularly difficult time establishing a policy whereby the covered entity could agree to restrictions and would have an even more difficult time implementing the restrictions since records may be kept in multiple locations and accessed by multiple people within the organization. Still other commenters believed that the right to request restrictions would invite argument, delay, and litigation.

    Response: We do not believe that this requirement is a significant change from current practice. Providers already respond to requests by patients regarding sensitive information, and are subject to state law requirements not to disclose certain types of information without authorization. This right to request is permissive so that covered entities can balance the needs of particular individuals with the entity’s ability to manage specific accommodations.

    Comment: Some commenters were concerned that a covered entity would agree to a restriction and then realize later that the information must be disclosed to another caregiver for important medical care purposes.

    Response: Some individuals seek treatment only on the condition that information about that treatment will not be shared with others. We believe it is necessary and appropriate, therefore, that when a covered provider agrees to such a restriction, the individual must be able to rely on that promise. We strongly encourage covered providers to consider future treatment implications of agreeing to a restriction. We encourage covered entities to inform others of the existence of a restriction when appropriate, provided that such notice does not amount to a de facto disclosure of the restricted information. If the covered provider subject to the restriction believes that disclosing the protected health information that was created or obtained subject to the restriction is necessary to avert harm (and it is not for emergency treatment), the provider must ask the individual for permission to terminate or modify the restriction. If the individual agrees to the termination of the restriction, the provider must document this termination by noting this agreement in the medical record or by obtaining a written agreement of termination from the individual and may use or disclose the information for treatment. If the individual does not agree to terminate or modify the restriction, however, the provider must continue to honor the restriction with respect to protected health information that was created or received subject to the restriction. We note that if the restricted protected health information is needed to provide emergency treatment to the individual who requested the restriction, the covered entity may use or disclose such information for such treatment.

    Comment: Commenters asked that we require covered entities to keep an accounting of the requests for restrictions and to report this information to the Department in order for the Department to determine whether covered entities are showing "good faith" in dealing with these requests.

    Response: We require that covered entities that agree to restrictions with individuals document such restrictions. A covered entity must retain such documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. We do not require covered entities to keep a record of all requests made, including those not agreed to, nor that they report such requests to the Department. The decision to agree to restrictions is that of the covered entity. Because there is no requirement to agree to a restriction, there is no reason to impose the burden to document requests that are denied. Any reporting requirement could undermine the purpose of this provision by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.

    Comment: One commenter asserted that providers that currently allow such restrictions will choose not to do so under the rule based on the guidance of legal counsel and loss prevention managers, and suggested that the Secretary promote competition among providers with respect to privacy by developing a third-party ranking mechanism.

    Response: We believe that providers will do what is best for their patients, in accordance with their ethics codes, and will continue to find ways to accommodate requested restrictions when they believe that it is in the patients' best interests. We anticipate that providers who find such action to be of commercial benefit will notify consumers of their willingness to be responsive to such requests. Involving third parties could undermine the purpose of this provision, by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.

    Comment: One commenter said that any agreement regarding patient-requested restrictions should be in writing before a covered provider would be held to standards for compliance.

    Response: We agree that agreed to restrictions must be documented in writing, and we require that covered entities that agree to restrictions document those restrictions in accordance with § 164.530(j). The writing need not be formal; a notation in the medical record will suffice. We disagree with the request that an agreed to restriction be reduced to writing in order to be enforced. If we adopted the requested policy, a covered entity could agree to a restriction with an individual, but avoid being held to this agreed to restriction under the rule by failing to document the restriction. This would give a covered entity the opportunity to agree to a restriction and then, at its sole discretion, determine if it is enforceable by deciding whether or not to make a note of the restriction in the record about the individual. Because the covered entity has the ability to agree or fail to agree to a restriction, we believe that once the restriction is agreed to, the covered entity must honor the agreement. Any other result would be deceptive to the individual and could lead an individual to disclose health information under the assumption that the uses and disclosures will be restricted. Under § 164.522, a covered entity could be found to be in violation of the rule if it fails to put an agreed-upon restriction in writing and also if it uses or discloses protected health information inconsistent with the restriction.

    Comment: Some commenters said that the right to request restrictions should be extended to some of the uses and disclosures permitted without authorization in § 164.510 of the NPRM, such as disclosures to next of kin, for judicial and administrative proceedings, for law enforcement, and for governmental health data systems. Other commenters said that these uses and disclosures should be preserved without an opportunity for individuals to opt out.

    Response: We have not extended the right to request restrictions under this rule to disclosures permitted in § 164.512 of the final rule. However, we do not preempt other law that would enforce such agreed-upon restrictions. As discussed in more detail, above, we have extended the right to request restrictions to disclosures to persons assisting in the individual’s care, such as next of kin, under § 164.510(b). Any restriction that a covered entity agrees to with respect to persons assisting in the individual’s care in accordance with the rule will be enforceable under the rule.

    Comment: A few commenters raised the question of the effect of a restriction agreed to by one covered entity that is part of a larger covered entity, particularly a hospital. Commenters were also concerned about who may speak on behalf of the covered entity.

    Response: All covered entities are required to establish policies and procedures for providing individuals the right to request restrictions, including policies for who may agree to such restrictions on the covered entity’s behalf. Hospitals and other large entities that are concerned about employees agreeing to restrictions on behalf of the organization will have to make sure that their policies are communicated appropriately to those employees. The circumstances under which members of a covered entity’s workforce can bind the covered entity are a function of other law, not of this regulation.

    Comment: Commenters expressed confusion about the intended effect of any agreed-upon restrictions on downstream covered entities. They asserted that it would be extremely difficult for a requested restriction to be followed through the health care system and that it would be unfair to hold covered entities to a restriction when they did not agree to such restriction. Specifically, commenters asked whether a covered provider that receives protected health information in compliance with this rule from a physician or medical group that has agreed to limit certain uses of the information must comply with the original restriction. Other commenters expressed concern that not applying a restriction to downstream covered entities is a loophole and that all downstream covered providers and health plans should be bound by the restrictions.

    Response: Under the final rule, a restriction that is agreed to between an individual and a covered entity is only binding on the covered entity that agreed to the restriction and not on downstream entities. It would also be binding on any business associate of the covered entity since a business associate can not use or disclose protected health information in any manner that a covered entity would not be permitted to use or disclose such information. We realize that this may limit the ability of an individual to successfully restrict a use or disclosure under all circumstances, but we take this approach for two reasons. First, we allow covered entities to refuse individuals’ requests for restrictions. Requiring downstream covered entities to abide by a restriction would be tantamount to forcing them to agree to a request to which they otherwise may not have agreed. Second, some covered entities have information systems which will allow them to accommodate such requests, while others do not. If the downstream provider is in the latter category, the administrative burden of such a requirement would be unmanageable.

    We encourage covered entities to explain this limitation to individuals when they agree to restrictions, so individuals will understand that they need to ask all their health plans and providers for desired restrictions. We also require a covered entity that discloses protected health information to a health care provider for emergency treatment, in accordance with § 164.522 (a)(iii), to request that the recipient not further use or disclose the information.

    Comment: One commenter requested that agreed-to restrictions of a covered entity not be applied to business associates.

    Response: As stated in § 164.504(e)(2), business associates are acting on behalf of, or performing services for, the covered entity and may not, with two narrow exceptions, use or disclose protected health information in a manner that would violate this rule if done by the covered entity. Business associates are agents of the covered entity with respect to protected health information they obtain through the business relationship. If the covered entity agrees to a restriction and, therefore, is bound to such restriction, the business associate will also be required to comply with the restriction. If the covered entity has agreed to a restriction, the satisfactory assurances from the business associate, as required in § 164.504(e), must include assurances that protected health information will not be used or disclosed in violation of an agreed to restriction.

    Comment: One commenter requested clarification that the right to request restrictions cannot be used to restrict the creation of de-identified information.

    Response: We found no reason to treat the use of protected health information to create de-identified information different from other uses of protected health information. The right to request restriction applies to any use or disclosure of protected health information to carry out treatment, payment, or health care operations. If the covered entity uses protected health information to create de-identified information, the covered entity need not agree to a restriction of this use.

    Comment: Some commenters stated that individuals should be given a true right to restrict uses and disclosures of protected health information in certain defined circumstances (such as for sensitive information) rather than a right to request restrictions.

    Response: We are concerned that a right to restrict could create conflicts with the professional ethical obligations of providers and others. We believe it is better policy to allow covered entities to refuse to honor restrictions that they believe are not appropriate and leave the individual with the option of seeking service from a different covered entity. In addition, many covered entities have information systems that would make it difficult or impossible to accommodate certain restrictions.

    Comment: Some commenters requested that self-pay patients have additional rights to restrict protected health information. Others believed that this policy would result in de facto discrimination against those patients that could not afford to pay out-of-pocket.

    Response: Under the final rule, the decision whether to tie an agreement to restrict to the way the individual pays for services is left to each covered entity. We have not provided self-pay patients with any special rights under the rule.

    Comment: Some commenters suggested that we require restrictions to be clearly noted so that insurers and other providers would be aware that they were not being provided with complete information.

    Response: Under the final rule, we do not require or prohibit a covered entity to note the existence of an omission of information. We encourage covered entities to inform others of the existence of a restriction, in accordance with professional practice and ethics, when appropriate to do so. In deciding whether or not to disclose the existence of a restriction, we encourage the covered entity to carefully consider whether disclosing the existence is tantamount to disclosure of the restricted protected health information so as to not violate the agreed to restriction.

    Comment: A few commenters said that covered entities should have the right to modify or revoke an agreement to restrict use or disclosure of protected health information.

    Response: We agree that, as circumstances change, covered entities should be able to revisit restrictions to which they had previously agreed. At the same time, individuals should be able to rely on agreements to restrict the use or disclosure of information that they believe is particularly sensitive. If a covered entity would like to revoke or modify an agreed-upon restriction, the covered entity must renegotiate the agreement with the individual. If the individual agrees to modify or terminate the restriction, the covered entity must get written agreement from the individual or must document the oral agreement. If the individual does not agree to terminate or modify the restriction, the covered entity must inform the individual that it is modifying or terminating its agreement to the restriction and any modification or termination would apply only with respect to protected health information created or received after the covered entity informed the individual of the termination. Any protected health information created or received during the time between when the restriction was agreed to and when the covered entity informed the individual of such modification or termination remains subject to the restriction.

    Comment: Many commenters advocated for stronger rights to request restrictions, particularly that victims of domestic violence should have an absolute right to restrict disclosure of information.

    Response: We address restrictions for disclosures in two different ways, the right to request restrictions (§ 164.522(a)) and confidential communications (§ 164.522(b)). We have provided all individuals with a right to request restrictions on uses or disclosures of treatment, payment, and health care operations. This is not an absolute right to restrict. Covered entities are not required to agree to requested restrictions; however, if they do, the rule would require them to act in accordance with the restrictions. (See the preamble regarding § 164.522 for a more comprehensive discussion of the right to request restrictions.)

    In the final rule, we create a new provision that provides individuals with a right to confidential communications, in response to these comments. This provision grants individuals with a right to restrict disclosures of information related to communications made by a covered entity to the individual, by allowing the individual to request that such communications be made to the person at an alternative location or by an alternative means. For example, a woman who lives with an abusive man and is concerned that his knowledge of her health care treatment may lead to additional abuse can request that any mail from the provider be sent to a friend’s home or that telephone calls by a covered provider be made to her at work. Other reasonable accommodations may be requested as well, such as requesting that a covered provider never contact the individual by a phone, but only contact her by electronic mail. A provider must accommodate an individual’s request for confidential communications, under this section, without requiring an explanation as to the reason for the request as a condition of accommodating the request. The individual does not need to be in an abusive situation to make such requests of a covered provider. The only conditions that a covered provider may place on an individual is that the request be reasonable with respect to the administrative burden on the provider, the request to be in writing, the request specify an alternative address or other method of contact, and that (where relevant) the individual provide information about how payment will be handled. What is reasonable may vary by the size or type of covered entity; however, additional modest cost to the provider would not be unreasonable.

    An individual also has a right to restrict communications from a health plan. The right is the same as with covered providers except it is limited to cases where the disclosure of information could endanger the individual. A health plan may require an individual to state this fact as a condition of accommodating the individual’s request for confidential communications. This would provide victims of domestic violence the right to control such disclosures.

    Comment: Commenters opposed the provision of the NPRM (§ 164.506(c)(1)(ii)(B)) stating that an individual's right to request restrictions on use or disclosure of protected health information would not apply in emergency situations as set forth in proposed § 164.510(k). Commenters asserted that victims who have been harmed by violence may first turn to emergency services for help and that, in such situations, the victim should be able to request that the perpetrator not be told of his or her condition or whereabouts.

    Response: We agree with some of the commenters’ concerns. In the final rule, the right to request restrictions is available to all individuals regardless of the circumstance or the setting in which the individual is obtaining care. For example, an individual that seeks care in an emergency room has the same right to request a restriction as an individual seeking care in the office of a covered physician.

    However, we continue to permit a covered entity to disclose protected health information to a health care provider in an emergency treatment situation if the restricted protected health information is needed to provide the emergency treatment or if the disclosure is necessary to avoid serious and imminent threats to public health and safety. Although we understand the concern of the commenters, we believe that these exceptions are limited and will not cause a covered entity to disclose information to a perpetrator of a crime. We are concerned that a covered provider would be required to delay necessary care if a covered entity had to determine if a restriction exists at the time of such emergency. Even if a covered entity knew that there was a restriction, we permitted this limited exception for emergency situations because, as we had stated in the preamble for § 164.506 of the NPRM, an emergency situation may not provide sufficient opportunity for a patient and health care provider to discuss the potential implications of restricting use and disclosure of protected health information on that emergency. We also believe that the importance of avoiding serious and imminent threats to health and safety and the ethical and legal obligations of covered health care providers to make disclosures for these purposes is so significant that it is not appropriate to apply the right to request restrictions on such disclosures.

    We note that we have included other provisions in the final rule intended to avoid or minimize harm to victims of domestic violence. Specifically, we include provisions in the final rule that allow individuals to opt out of certain types of disclosures and require covered entities to use professional judgment to determine whether disclosure of protected health information is in a patient’s best interest (see § 164.510(a) on use and disclosure for facility directories and § 164.510(b) on uses and disclosures for assisting in an individual’s care and notification purposes). Although an agreed to restriction under § 164.522 would apply to uses and disclosures for assisting in an individual’s care, the opt out provision in § 164.510(b) can be more helpful to a person who is a victim of domestic violence because the individual can opt out of such disclosure without obtaining the agreement of the covered provider. We permit a covered entity to elect not to treat a person as a personal representative (see § 164.502(g)) or to deny access to a personal representative (see § 164.524(a)(3)(iii)) where there are concerns related to abuse. We also include a new § 164.512(c) which recognizes the unique circumstances surrounding disclosure of protected health information about victims of abuse, neglect, and domestic violence.