SUBJECT:RIGHT TO REQUEST RESTRICTIONS
PURPOSE:The organization must provide individuals with the right to request restrictions on the use and disclosure of his or her PHI. While the organization is not required to permit the requested restrictions, it is required to permit the request. If the organization agrees to the requested restrictions, it may not make uses or disclosures that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This policy is designed to provide guidance and to ensure compliance with all applicable laws related to providing individuals with the right to request restrictions on the use and disclosure of their PHI.
POLICY:The organization will establish procedures for individuals to request restrictions on the organization’s use and disclosure of his or her PHI in accordance with 45 CFR 164.522.
- The organization shall permit its patients to request that it restrict uses and disclosures of PHI to carry out the organization’s treatment, payment, and health care operations activities and to request that it restrict disclosures related to the involvement of an individual in the patient’s health care or for notification purposes. Patients may request such restrictions by completing a Request for Additional Privacy Protections form, attached as Exhibit F.
- Upon receipt of a completed Request for Additional Privacy Protections form, the original shall be filed in, and shall become a permanent part of, the patient’s medical record and a copy shall be provided to the patient.
- The completed form shall be provided to the appropriate Medical Records Officer who shall make a determination regarding whether to agree to the requested restrictions.
- If the Medical Records Officer agrees to such restrictions, he or she shall document the same on the Response to Request for Additional Privacy Protections and shall provide a copy of the Response to the patient. In addition, the restrictions shall be documented and prominently noted in the patient’s medical record.
- If the Medical Records Officer does not agree to such restrictions, it shall document the basis for the denial by completing the Response to Request for Additional Privacy Protections, shall provide the patient with a copy of the Request, and shall file the same in the patient’s medical record.
- If the organization has agreed to restrictions on its use and disclosure of PHI in accordance with paragraph 1, above, and the restricted PHI is needed to provide emergency treatment to the individual to whom the restriction relates, the organization may use the restricted PHI, or it may disclose such information to a health care provider, in order to provide treatment to the individual. If the PHI is disclosed to a health care provider pursuant to this paragraph 3, the staff member making the disclosure shall request that such health care provider not further use or disclose the information provided.
- If the organization agrees to a restriction on its use and disclosure of PHI in accordance with paragraph 1, above, it may terminate such restriction if:
- The patient agrees to or requests the termination in writing;
- The patient orally agrees to the termination and a staff member documents such oral agreement in the patient’s medical record; or
- The organization informs the patient that it is terminating its agreement to a restriction; provided that, in such instance, the termination shall only be effective with respect to PHI created or received after the patient has been informed of the termination.
- Any agreed upon restriction shall not be effective as to any:
- Disclosures required by the Secretary of the Department of Health and Human Services to investigate or determine the organization’s compliance with HIPAA;
- Uses necessary to maintain a directory of individuals in the organization’s facility and disclosures related thereto; and
- Uses and disclosures for which the organization is not required to obtain an authorization or provide an opportunity to object.