Under HIPAA, may an individual request that a covered entity restrict how it uses or discloses that individual’s protected health information (PHI)?

Answer:

Yes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requires covered entities (health plans, health care clearinghouses, or health care providers that conduct standard electronic transactions) to allow individuals to request that a covered entity restrict the use or disclosure of their PHI for treatment, payment, or health care operations. (45 CFR 164.522(a)(1).) The Privacy Rule also grants individuals the right to request restrictions for other uses and disclosures, such as disclosures made to family members or persons involved in the individual’s care. (An individual also may request to restrict disclosures to persons involved in the individual’s health care or payment for health care; or disclosures to notify family members or others about the individual’s general condition, location, or death. See 45 CFR 164.522(a)(1)(i).)

This guidance document is not a final agency action and may be rescinded or modified in the discretion of the U.S. Department of Health & Human Services (HHS). Noncompliance with any voluntary standards or suggested practices contained in guidance documents not required by law will not, in itself, result in any enforcement action.

Although covered entities must allow individuals to request restrictions of the use or disclosure of their PHI in these circumstances, in most cases, covered entities are not required to agree with the requested restrictions. (See 45 CFR 164.522(a)(1)(ii). However, a covered entity cannot make certain disclosures of PHI to an individual’s family member or other person involved in the individual’s health care or payment for health care if the individual requests a restriction of such disclosures, because the Privacy Rule generally does not permit such disclosures if the individual objects. See 45 CFR 164.510(b).) The Privacy Rule generally allows covered entities to decide whether to agree to a requested restriction (see 45 CFR 164.522(a)(1)(ii)) because, for example, uses and disclosures for treatment, payment, and health care operations purposes are often necessary for providing quality patient care and ensuring efficient payment for health care. If a covered entity agrees to an individual’s requested restriction, the covered entity must comply with the agreed restriction, except for purposes of treating the individual in a medical emergency and certain other circumstances specified in the Privacy Rule. (45 CFR 164.522(a)(1)(iii). In addition, a restriction agreed to by a covered entity is not effective under the Privacy Rule to prevent uses or disclosures permitted or required under 45 CFR 164.502(a)(2)(ii) (required disclosures of PHI to HHS when investigating a covered entity’s HIPAA compliance), 45 CFR 164.510(a) (uses or disclosures of PHI for facility directories) or 45 CFR 164.512 (uses and disclosures of PHI for which an authorization or opportunity to agree or object is not required). Covered entities are permitted to agree to such restrictions, but if they do so, the restrictions are not enforceable under this rule. For example, a provider who makes a disclosure under 45 CFR 164.512(j)(1)(i) relating to serious and imminent threats will not be in violation of the Privacy Rule even if the disclosure is contrary to an agreed upon restriction. See 45 CFR 164.522(a)(1)(iii) and (v).)

For example, a covered health care provider may agree to an individual’s request not to use or disclose PHI related to their treatment for a prostate condition. However, if the individual has a medical emergency, the provider may share PHI about the individual’s prostate condition with another health care provider if the PHI is needed to provide emergency treatment. The disclosing provider must request that the emergency treatment provider not use or disclose the information other than for the purpose of providing the emergency treatment. (See 45 CFR 164.522(a)(1)(iv).)

A covered entity is required to agree to an individual’s request to restrict the disclosure of their PHI to a health plan when both of the following conditions are met: (1) the disclosure is for payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the covered entity in full. (See 45 CFR 164.522(a)(1)(vi).) For example, if an individual pays for a reproductive health care visit out-of-pocket in full and requests that the covered health care provider not submit PHI about that visit in a separate claim for follow-up care to their health plan, the provider must agree to the requested restriction.

Content created by Office for Civil Rights (OCR)
Content last reviewed December 28, 2022