Honoring Requests for Restrictions - An Overview

Since the early days of HIPAA, covered entities have been required to alert patients to their right to request restrictions on the use or disclosure of their protected health information (PHI) in their Notice of Privacy Practices, yet covered entities have not been required to honor the request.  Now, under the HITECH Omnibus Final Rule, a covered entity must agree to an individual's request to restrict disclosures of PHI to a health plan if:

• (1) the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and
• (2) the PHI pertains solely to healthcare items or services for which the individual, or another person on behalf of the individual, has paid in full. 

Certain providers, and certain states, already have been accommodating patient requests to withhold sensitive information from health plans, either by law or custom, permitting the patient to pay out of pocket for treatment or services. 

There is a fair amount of patient education inherent in this new right. Under HITECH, providers are encouraged to engage in a dialogue with patients to ensure they understand that previously restricted PHI may still be disclosed to the health plan in follow up care unless the patient makes another formal request and pays out of pocket in full (assuming the disclosure is not required by law.) A patient will need to be made aware that s/he will need to make that same request, and pay in full, with other providers as well.

The HITECH guidance discusses that where a provider is able to "unbundle" a group of items of service to honor the request for restriction, it should do so. However, if the provider is unable to unbundle a group of items or services, the provider must inform the patient, and allow the patient to restrict and pay out of pocket for the entire "bundle."

The HITECH guidance also informs us that where the patient is covered by a government payor like Medicaid, and both a) the submission of a claim is required and b) there is no exception or procedure that allows the patient to pay for the service, then the submission of the claim is considered "required by law" and the restriction does not apply. The guidance suggests that under Medicare, the patient/beneficiary is permitted to pay out of pocket, subject to the Medicare limitations noted in Section 40 of the Medicare Benefit Policy (Internet) Manual.

Finally, for now, the HITECH Final Rule eliminates a covered entity’s ability to terminate its agreement to this type of required restriction.

This requirement is effective on March 26, 2013.  The compliance enforcement date is September 23, 2013. 

So, it is time to develop or update your process, and educate appropriate staff members on this new federal mandate. If there is no system yet in place for honoring this type of request for restrictions, providers will need to create one. Additionally, the system will somehow need to flag the restricted PHI to ensure that it is not made available to the health plan for business operations purposes (e.g., if the plan comes in for an audit or review.)

Just one item on your HITECH to-do list, but one that you can certain accomplish.  Don't forget to put this updated patient right into your Notice of Privacy Practices, (another HITECH mandate)!