Right to Request a Restriction

Individuals do not have a right under the Privacy Rule at 45 CFR 164.522(a) to request that a covered entity restrict a disclosure of protected health information about them for workers’ compensation purposes when that disclosure is required by law or authorized by, and necessary to comply with, a workers’ compensation or similar law.

Under the HIPAA Privacy Rule, may a health care provider disclose protected health information about an individual to another provider, when such information is requested for the treatment of a family member of the individual?

Yes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requires covered entities (health plans, health care clearinghouses, or health care providers that conduct standard electronic transactions) to allow individuals to request that a covered entity restrict the use or disclosure of their PHI for treatment, payment, health care operations.

Yes, if their health care provider agrees to the restriction. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)1 Privacy Rule2 requires covered entities3 to allow individuals4 to request that the covered entities restrict the use and disclosure of their protected health information (PHI) for treatment, payment, or health care operations.5 A covered entity generally is not required to agree to the requested restrictions.6 However, if a covered entity agrees to an individual’s requested restriction, it must comply with the agreed-upon restriction, except for purposes of treating the individual in a medical emergency or under certain other circumstances specified in the Privacy Rule.7 The covered entity must also document the agreed-upon restriction.8

Endnotes

1 Subtitle F of title II of HIPAA, Pub. L. 104–191, 110 Stat. 1936 (Aug. 21, 1996).

2 45 CFR parts 160 and 164 subparts A and E.

3 45 CFR 160.103 (definition of “Covered entity”).

4 45 CFR 160.103 (definition of “Individual”).

5 See 45 CFR 164.522(a)(1)(i)(A).

6 See 45 CFR 164.522(a)(1)(ii). A covered entity must agree to the request of an individual to restrict the disclosure of PHI about the individual to a health plan in certain circumstances. See 45 CFR 164.522(a)(1)(vi).

7 See 45 CFR 164.522(a)(1)(iii) and (v).

8 See 45 CFR 164.522(a)(1)(iii) and 45 CFR 164.530(j).