Implementing HITECH-HIPAA 'Request for Restrictions' Requirement

by Melanie Endicott

In this web series, HIM professionals working in emerging roles give advice on tackling difficult HIM problems.

The HIM Problem

Starting in September 2013, a new HITECH-HIPAA requirement will allow patients to enact a “request for restrictions,” allowing them to sequester certain health information from their health record if they pay for a service out of pocket. Choosing to pay for care and services out of pocket allows patients to keep health information private from insurers—and from the threat of increased premiums. However, this requirement poses a conundrum to HIM professionals whose electronic health records (EHRs) may or may not be able to sequester specified information from the rest of the record.

The Problem Solver

Peg Schmidt, RHIA, CHPS, chief privacy officer, Aurora Health Care, Milwaukee, WI. Aurora has 15 hospitals, over 100 clinics, hundreds of pharmacies, and a home health service as part of its system.

First Steps

First and foremost, says Schmidt, who started devising a strategy for handling this requirement in July, it’s important to read both the preamble and the commentary to the HIPAA rule for background and nuance. Also, Schmidt says providers need to check with their EHR vendor to see if they have a built-in functionality designed to deal with requests for restrictions—hers had a white paper on compliance. Those whose vendors are already working on this could find themselves ahead of the curve on fulfilling this requirement, according to Schmidt.

Then, she assembled a team of people from across multiple departments because as a privacy officer, handling these requests requires skills and resources she doesn’t interact with every day.

“I concentrated on the front end people since they’re the ones that are probably going to be receiving the requests. Are patients going to say this at check in? Or when they’re coming out of their appointments? So we had those groups, we had our billing people, because if this becomes a self-pay [situation], they’re the ones that know how to handle that,” Schmidt explains.

“I have the HIM people because they’re the ones that have to honor any restrictions and recognize them. And then I had our IT people who [have knowledge] specific to our EHRs, and then myself. That was the group that we pulled together to hit all ends of the process.”

The How-To

Schmidt says she and her team still are not exactly sure what types of restriction requests they will receive, but when and if they do, patients will be required to start the process with a written request, “because it’s going to be very hard to isolate exactly what they want to pay for so we want to get that in writing. So we’re modeling it after the self-pay process,” Schmidt says.

She says that her team is in the process of analyzing their vendor’s white paper to determine whether the vendor’s process for flagging protected health information (PHI) is the same as the process Schmidt and her team is envisioning.

Additionally, since Aurora Health is so large and has so many HIM departments, Schmidt wants to keep the team that handles restriction requests small and centralized.

“What we’re doing is also trying to keep the number of people touching this process very contained so we can keep developing them as experts at least initially,” Schmidt says. “But we are going to centralize it with one of our larger HIM departments to be the one to set the restriction flag so they identify which PHI is contained and set the proper flag.”

She says that since they don’t envision the requests becoming very frequent, she wants a small team of experts that know how to enact the process accurately every time.


Schmidt admits that she was stumped when she first learned of this requirement and wondered why a person would make a request for restrictions. Especially since the Affordable Care Act prevents insurers from denying coverage to individuals with pre-existing conditions.

Finally, Schmidt worries that patients don’t realize how diligent they must be when making a restriction request. For example, if a patient chooses to request a restriction for a surgical procedure, they also must request restrictions for all follow-up care, such as lab work, pharmacy service, physical therapy, etc., to keep it from appearing on their records.

“We feel we need to inform the patient about what this really means. We want to put in writing what will or won’t happen based on this, because we think the patient is going to assume a lot of the downstream [restrictions] automatically happen. That could snowball. If you have your visit, your lab, your radiology in one day, it becomes a connected visit. I don’t think patients will grasp that,” Schmidt says.

Still, Schmidt is optimistic that Aurora Health will be prepared to comply with the rule in September.

“We’ve got a plan in place, we’re working through the details, and I think we’re waiting for a test case to come along to understand if we’ve really thought through all the pieces,” she says.

Original source:
Butler, Mary. "Implementing HITECH-HIPAA 'Request for Restrictions' Requirement" (Journal of AHIMA), September 2013.