Patient Rights Explained: Restriction of Uses and Disclosures of PHI


Ordinarily, you can use and disclose patient information as needed to carry out everyday tasks, such as treatment, payment, and healthcare operations. However, patients have the right to restrict these uses and disclosures of their protected health information (PHI). Let’s look at an overview of your main responsibilities when a patient asks for a restriction of their PHI.

When must you agree to a restriction of PHI?

The only time you must agree to a restriction request is when the disclosure is to a health plan and is:

  1. For the purpose of carrying out payment or healthcare operations that are not required by law, AND
  2. Only pertinent to a health care item or service that the individual or other person has already paid for in full.

When are restrictions of PHI optional?

If the above situation doesn’t apply, you have the prerogative to decide whether or not you will agree to the restriction.

When you agree to a restriction of PHI, you are not allowed to violate the restriction unless the patient needs emergency care and you need to use the restricted information for their treatment. In this case, you may use the PHI or disclose it to a provider. If you disclose it to a provider, you must also request that they don’t further use or disclose the information beyond treating the patient.

Additionally, when the information is being used for workers’ compensation purposes as required by law, patients do not have the right to a restriction.

How do you terminate a restriction of PHI?

You may end a restriction of PHI in the following circumstances:

  1. The patient agrees to or requests it in writing
  2. The patient agrees orally, and you’ve documented it
  3. Your organization informs the patient that you’ll end the restriction

Make sure you document all patient requests for a restriction of the uses and disclosures of their PHI, as well as your responses to the patient. Maintain documentation for six years.
