Can an individual restrict who has access to their protected health information during a medical procedure?

Answer

Yes, if their health care provider agrees to the restriction. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)1 Privacy Rule2 requires covered entities3 to allow individuals4 to request that the covered entities restrict the use and disclosure of their protected health information (PHI) for treatment, payment, or health care operations.5 A covered entity generally is not required to agree to the requested restrictions.6 However, if a covered entity agrees to an individual’s requested restriction, it must comply with the agreed-upon restriction, except for purposes of treating the individual in a medical emergency or under certain other circumstances specified in the Privacy Rule.7 The covered entity must also document the agreed-upon restriction.8

  • Example 1: An individual who is scheduled for abdominal surgery and concerned about medical trainees observing a pelvic exam without their consent, while they are unconscious, may request that a covered health care provider not use or disclose their PHI to medical trainees. If the covered health care provider agrees to the restriction request, the provider may not use or disclose the individual’s PHI to medical trainees, even if the medical trainees are members of the covered health care provider’s workforce, with the result that the medical trainees cannot be in the room with the individual and their PHI, or otherwise have access to the individual’s PHI.9 As such, the restriction would prevent the medical trainees from observing or providing treatment to the individual, except as needed to provide emergency treatment or where another exception applies.

Under the emergency treatment exception, when a patient who requested the restriction is in need of emergency treatment, a covered entity is permitted to use or disclose only the restricted PHI that is needed to provide the emergency treatment.10

  • Example 2: If a covered health care provider previously agreed to a patient’s request to restrict disclosures of their PHI to medical trainees in advance of a planned abdominal surgery (Example 1) and the same individual subsequently presents to the emergency room for chest pain, the health care provider would be permitted to disclose to medical trainees participating in the emergency treatment only the individual’s PHI that is needed to treat the patient for chest pain. The covered entity could not disclose any additional PHI to the medical trainee.

Endnotes

1 Subtitle F of title II of HIPAA, Pub. L. 104–191, 110 Stat. 1936 (Aug. 21, 1996).

2 45 CFR parts 160 and 164 subparts A and E.

3 45 CFR 160.103 (definition of “Covered entity”).

4 45 CFR 160.103 (definition of “Individual”).

5 See 45 CFR 164.522(a)(1)(i)(A).

6 See 45 CFR 164.522(a)(1)(ii). A covered entity must agree to the request of an individual to restrict the disclosure of PHI about the individual to a health plan in certain circumstances. See 45 CFR 164.522(a)(1)(vi).

7 See 45 CFR 164.522(a)(1)(iii) and (v).

8 See 45 CFR 164.522(a)(1)(iii) and 45 CFR 164.530(j).

9 When a patient is receiving treatment, they are typically surrounded by PHI, such as their name on a hospital room door or identification bracelet, notes about their care, real-time displays of heart or lung function, and verbal communications about their health status and health care.

10 See 45 CFR 164.522(a)(1)(iii) and (iv).

Content created by Office for Civil Rights (OCR)
Content last reviewed