Under HIPAA, may an individual request that a covered entity restrict how it uses or discloses that individual’s protected health information (PHI)?


Yes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requires covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) to allow individuals to request that the covered entity restrict the use or disclosure of their PHI for treatment, payment, or health care operations.[1][2] The Privacy Rule also grants individuals the right to request restrictions on other uses and disclosures, such as disclosures made to family members or other persons involved in the individual’s care.[3]

Although covered entities must allow individuals to request restrictions on the use or disclosure of their PHI in these circumstances, in most cases covered entities are not required to agree to the requested restrictions.[4] The Privacy Rule generally leaves it to the covered entity to decide whether to agree to a requested restriction[5] because, for example, uses and disclosures for treatment, payment, and health care operations are often necessary to provide quality patient care and to ensure efficient payment for health care. If a covered entity agrees to an individual’s requested restriction, it must comply with the agreed restriction, except for purposes of treating the individual in a medical emergency and in certain other circumstances specified in the Privacy Rule.[6] For example, a covered health care provider may agree to an individual’s request not to use or disclose PHI related to their treatment for a prostate condition. However, if the individual has a medical emergency, the provider may share PHI about the individual’s prostate condition with another health care provider if that PHI is needed to provide emergency treatment. The disclosing provider must then request that the emergency treatment provider not use or disclose the information other than for the purpose of providing the emergency treatment.[7]

A covered entity is required to agree to an individual’s request to restrict the disclosure of their PHI to a health plan when both of the following conditions are met: (1) the disclosure is for payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the covered entity in full.[8] For example, if an individual pays for a reproductive health care visit out-of-pocket in full and requests that the covered health care provider not submit PHI about that visit in a separate claim for follow-up care to their health plan, the provider must agree to the requested restriction.

Notes

1. This guidance document is not a final agency action and may be rescinded or modified in the discretion of the U.S. Department of Health & Human Services (HHS). Noncompliance with any voluntary standards or suggested practices contained in guidance documents not required by law will not, in itself, result in any enforcement action.
2. 45 CFR 164.522(a)(1).
3. An individual also may request to restrict disclosures to persons involved in the individual’s health care or payment for health care, or disclosures to notify family members or others about the individual’s general condition, location, or death. See 45 CFR 164.522(a)(1)(i).
4. See 45 CFR 164.522(a)(1)(ii). However, a covered entity cannot make certain disclosures of PHI to an individual’s family member or other person involved in the individual’s health care or payment for health care if the individual requests a restriction of such disclosures, because the Privacy Rule generally does not permit such disclosures if the individual objects. See 45 CFR 164.510(b).
5. See 45 CFR 164.522(a)(1)(ii).
6. 45 CFR 164.522(a)(1)(iii). In addition, a restriction agreed to by a covered entity is not effective under the Privacy Rule to prevent uses or disclosures permitted or required under 45 CFR 164.502(a)(2)(ii) (required disclosures of PHI to HHS when investigating a covered entity’s HIPAA compliance), 45 CFR 164.510(a) (uses or disclosures of PHI for facility directories), or 45 CFR 164.512 (uses and disclosures of PHI for which an authorization or opportunity to agree or object is not required). Covered entities are permitted to agree to such restrictions, but if they do so, the restrictions are not enforceable under this rule. For example, a provider who makes a disclosure under 45 CFR 164.512(j)(1)(i) relating to serious and imminent threats will not be in violation of the Privacy Rule even if the disclosure is contrary to an agreed-upon restriction. See 45 CFR 164.522(a)(1)(iii) and (v).
7. See 45 CFR 164.522(a)(1)(iv).
8. See 45 CFR 164.522(a)(1)(vi).
Content created by Office for Civil Rights (OCR)