Ordinarily, you can use and disclose patient information as needed to carry out everyday tasks, such as treatment, payment, and healthcare operations. However, patients have the right to restrict these uses and disclosures of their protected health information (PHI). Let’s look at an overview of your main responsibilities when a patient asks for a restriction of their PHI.
When must you agree to a restriction of PHI?
The only times that you must agree to a restriction request is when the disclosure is to a health plan and is:
- For the purpose of carrying out payment or healthcare operations that are not required by law, AND
- Only pertinent to a health care item or service that the individual or other person has already paid for in full.
When are restrictions of PHI optional?
If the above situation doesn’t apply, you have the prerogative to decide whether or not you will agree to the restriction.
When you agree to a restriction of PHI, you are not allowed to violate the restriction unless the patient needs emergency care and you need to use the restricted information for their treatment. In this case, you may use the PHI or disclose it to a provider. If you disclose it to a provider, you must also request that they don’t further use or disclose the information beyond treating the patient.
Additionally, when the information is being used for workers’ compensation purposes as required by law, patient’s do not have the right to a restriction.
How do you terminate a restriction of PHI?
You may end a restriction of PHI in the following circumstances:
- The patient agrees to or requests it in writing
- The patient agrees orally, and you’ve documented it
- Your organization informs the patient that you’ll end the restriction
Make sure you document all patient requests for a restriction of the uses and disclosures of their PHI, as well as your responses to the patient. Maintain documentation for six years.
Are you up to date with HIPAA?
Check out our cheat sheet for staying up to date with changing regulations!