Analysis by the AHIMA Policy and Government Relations Team
Rights to Request Privacy Protection for Protected Health Information
Standard: Right of an Individual to Request Restriction of Uses and Disclosures of PHI
The Rule provides a standard (§164.522) that states that "a covered entity must permit an individual to request that the covered entity restrict uses and disclosures of PHI about the individual to carry out treatment, payment, or health care operations" and disclosures related to involvement in an individual’s care. Note, however, that "a covered entity is not required to agree to [such] a restriction" and in some situations, listed elsewhere in the Rule, is prohibited from agreeing to some restrictions.
An obvious requirement is that "a covered entity that agrees to a restriction must document the restriction" in accordance with the Rules documentation requirements.
"A covered entity that agrees to a restriction may not use or disclose PHI." However, if the individual who requested the restriction is in need of emergency treatment, and the restricted PHI is needed to provide such treatment, the covered entity may use the restricted PHI or disclose the PHI to a healthcare provider, to provide such treatment to the individual. In such a situation, the covered entity "must request that such health care provider not further use or disclose the information."
Specifications: Terminating a Restriction
The entity may terminate its agreement to a restriction, if:
- "The individual agrees to or requests the termination in writing;
- The individual orally agrees to the termination and the oral agreement is documented; or
- The covered entity informs the individual that it is terminating its agreement to restriction."
In these cases, "the termination is only effective with respect to PHI created or received after it has so informed the individual.
Standard: Confidential Communication Requirements
"A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of PHI from the covered health care provider by alternative means or at alternative locations." "A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis."
Likewise, "A health plan must permit individuals to request and must accommodate reasonable requests by individual to receive communications of PHI from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger that individual."
Specifications: Conditions on Providing Confidential Communications
A covered entity (in this case either the healthcare provider or the health plan may require the individual to make a request for a confidential communication as described above in writing. "A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual."
Either the covered healthcare provider or the health plan may condition the provision of a reasonable accommodation to the request on:
- When appropriate, information as to how payment, if any will be handled; and
- Specification of an alternative address or other method of contact.
Go to next section, Access of Individuals to Protected Health Information.
Go to previous section, Notice of Privacy Practices for Protected Health Information.
Go to document index.