[Login]

Managing a Patient’s Right to Request Restrictions of Disclosures to Health Plans

Since its initial adoption, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule has granted individuals the right to request restrictions regarding the use and disclosure of their protected health information (PHI) for treatment, payment, and healthcare operations (TPO). The law also grants individuals the right to request restrictions for other disclosures, such as those made to family members. It is up to the covered entities (CEs) to determine whether or not to accept or deny such restriction requests. When the CE agrees to the restriction, the CE must adhere to the restriction for all future disclosures except in the event of an emergency. If the restricted PHI is disclosed to another entity or person for emergency treatment, the CE is required to request that the person or entity receiving the information not further use or disclose this PHI in any manner.

The HITECH-HIPAA Omnibus Rule, effective September 23, 2013, takes request for restrictions one step further, and requires that “a covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and not otherwise required by law; and the protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.”

This enhancement to the HIPAA Privacy Rule also requires that a statement be included in the Notice of Privacy Practices summarizing the individual’s right to a restriction and the CE’s requirement to accept the restriction to disclose PHI about the individual to a health plan. The Privacy Rule does not include suggestions or requirements for how this restriction is to be implemented, but only stipulates that the CE must have a method to note that the information has been restricted and is not released to the health plan for payment or healthcare operations such as audits.

The Omnibus Rule’s new restriction requirements do not change the general obligation of the CE to disclose only the information requested by the health plan and the amount of requested information judged to be the “minimum amount necessary” to fulfill the request—unless the patient has agreed to a broader disclosure (either in his/her agreement with the health plan or in an authorization on file with the CE).

Covered entities should already have in place the mechanisms for limiting PHI under minimum necessary policies and procedures. This Practice Brief provides guidance to assist organizations in complying with the Omnibus Rule’s new restriction requirements.

Implementing Required Restrictions Poses Operational Challenges

The necessary steps to ensure that the restriction is in place and that the patient understands the requirements for securing a restriction form is a complex process that must be carefully followed. Operational challenges in implementing the restriction may include:

  • Creating a method for identifying the restricted information
  • Defining the process for handling prescriptions (electronic vs. written)
  • Identifying the specific location where a request for restriction may be received (i.e., at check in, after the appointment, after the patient gets home)
  • Defining the time frame that the organization will give the patient to make the payment in full
  • Establishing the process for how dishonored payments are handled (if the patient does not make the agreed upon payments, the Department of Health and Human Services (HHS) does expect the CE to make reasonable attempts prior to disclosing PHI)
  • Outlining the process for sharing restricted PHI with other providers
  • Educating the patient about possible additional costs when seeing other providers if the information restricted is necessary for continuing care
  • Identifying records that have been restricted to avoid inadvertent release of information
  • Defining the process to handle bundled services
  • Identifying contracts with health maintenance organizations (HMO) and other carriers that may need to be updated to reflect the new law
  • Defining the process for handling mandatory billing rules
  • Educating the workforce
  • Ensuring consistent handling and processes

Evaluating Workflow for Challenges

The first step in assessing how the organization will handle a request for restriction is to complete an evaluation of the entire workflow. Organizations will need to review the process for how a request for restriction from the patient may be initiated at their facilities. To comply fully with the rule, the workflow must address the processes including receiving the request, processing and responding to the request (i.e., documenting, notification), identifying the item or service, and termination of the request.

The timeliness of the request must also be considered when designing a process to manage requests for restrictions. For example, a patient may want to restrict disclosures only after receiving a diagnosis that could be considered sensitive, such as HIV-positive or cancer. There are workflow implications for the pre-authorization process by the organization as well as for the billing process. If the request is received too late in the process, the patient should be notified that this information may have already been provided to the health plan.

Additionally, all potential risks of a possible disclosure to a health plan should be identified to ensure that all areas within the organization have been assessed. These risks may include outsourcing vendors and insurance company audits.

Once workflow processes have been thoroughly evaluated and policies and procedures have been defined, staff education will need to occur to ensure that the restrictions are appropriately routed and complied with throughout the entire organization. Communicating with all areas such as registration, patient financial services, health information management (HIM), release of information points, and the healthcare providers is key to ensuring that PHI is not inadvertently disclosed or made available to a health plan for payment and/or operations—resulting in a potential privacy breach for the organization.

Refer to Appendix A [...], for a sample checklist to assist in implementing the restriction request process under the Omnibus Rule.

Preparing to Receive the Request for Restriction

Potential areas of intake for the initial restriction request from the patient will depend on the type of CE. To ensure a patient’s right to this type of restriction, a CE must identify the person(s) or department(s) (i.e., admitting, outpatient registration, HIM, privacy office, or nursing) and other areas that may receive these requests. The request may not be fully processed by the department where the request is received, but they should be able to begin the processing.

Because the request may be received at any point in time, there must be a process in place to notify the patient of any potential conflicts with the timing when the request is received versus when the item may be billed. The following are some considerations when creating the process for receiving requests for restrictions:

  • Admitting or check in:
    • Is there a pre-authorization process in which the information will be or has already been disclosed?
  • Discharge or check out:
    • Is there a pre-authorization process where information has already been disclosed?
    • Have prescriptions been sent to a pharmacy (which often automatically bills the health plan)?
  • Post discharge:
    • Has the service or encounter already been billed?
    • Can a bill hold be put in place?
      • How long will the bill be put on hold—is there a need to make reasonable accommodations for the patient to pay in full?
    • Are the services bundled?
    • Can the services be unbundled?

Defining Documentation for Request for Restrictions

The CE needs to define how the request should be captured, documented, and maintained for organizational use. The request should be documented and retained with the health record and linked to each record of care or the appropriate episode of care. HIPAA requires that the request for restrictions and any correspondence related to the restriction be maintained for six years, though state laws may require a longer retention period. Appendix B [...] is a sample form for requesting a restriction on the disclosure of PHI to a health plan.

An internal database, log, or spreadsheet can also be developed and maintained as a means to document the request and used to keep track of the status of all such requests.

At a minimum, the log should contain:

  • The date the request was received
  • Demographic information about the patient
  • The medical record or account number
  • Date of service/encounter for the request
  • The name of person logging/processing the request
  • Whether the request has been accepted or denied with comments
  • The date the response was provided to the patient or the patient’s personal representative
  • When the notification process was initiated and by whom

Notifying Workforce Members of Restriction

Various methods can be used to alert workforce members that a restriction on disclosures to health plans has been approved. Clear communication must be implemented to effectively manage the health record as well as billing and collection processes. Some method recommendations include:

  • Consider implementing a new pay code for a patient’s account pertaining to a particular visit. For example a new pay code could simply be entered as “Restriction—Self Pay.” Many accounts may be flagged at the inclusion of the phrase “Self-Pay” and with the alert of a restriction, staff would have the knowledge to handle any disclosures in a different manner as outlined by a policy.
  • A completed and approved request for restriction on a disclosure to health plans form must be filed in the episode of care covered by the payment (whether electronic or paper) with easy access to that document. The form must also clearly identify the episode of care covered by the payment.
  • For paper records, a cover sheet may be attached to the front of any record alerting all who have access that a health plan restriction is in place. A color-coded flag on the restriction form or placed on the outside of the chart cover listing the account number that has the restriction in place could also be used.
  • Finding a process or functionality to identify the restriction in an electronic health record (EHR) could be challenging. A method should be developed to alert anyone who accesses the account of a patient who has an approved restriction on the disclosure of certain PHI to health plans. Review the EHR and billing system to determine if any of the following may be utilized:
    • A pop-up window informing the user of the restriction for the specific encounter or item
    • A highlighted tab or section titled “HIPAA Documents” or “Restriction” that is easily identified
    • A color-coded patient name, account number, or demographic section that is easily identified
    • A global document type that will alert release of information and billing

Responding to a Request for Restriction

Once a mechanism for identifying the episode of care has been defined, steps for responding to and executing the request should be delineated. The CE’s designees will review the request and ensure systems are updated and staff is notified as appropriate. Under the Omnibus Rule all requests for restrictions must be accepted. However, there may be times when the request cannot be honored. When a request for restriction is received, one of the first factors to consider is the date of the requested service/encounter. If the pre-authorization or billing has already occurred, the patient should be offered counseling and informed on the reasons why the restriction may not be fully accommodated; otherwise, the request must be accepted. In any case, CEs should consider sending the patient a written notification of acceptance of the restriction.

If the CE cannot comply with the request due to the reasons listed below, the patient should be contacted by phone and should also be provided a reason in writing as to why the restriction may not be accepted. The telephone conversation with the patient should be documented. The acceptance or exception letter should also be retained with the health record.

The following are examples of scenarios which may require additional patient counseling and reasons for which a request may not be able to be fully accommodated: 

  • The request was made after the date of service occurred and information has already been released to the health plan.
  • The encounter cannot be unbundled and the patient refuses to pay out-of-pocket for the entire encounter. If the encounter can be unbundled, the CE must do so in order to fulfill the request. Unbundling services may result in a higher cost to the patient.
  • The CE made a reasonable effort to secure payment and did not obtain payment in full.
  • The encounter date is related to a worker’s compensation injury or a claim for life insurance or disability insurance benefits.
  • Disclosures that are required by law (i.e., disclosures for audits to Medicare or Medicaid, state or federal reporting requirements, or disclosures to comply with a legal mandate, court order, or similar process).
  • The provider is part of a health maintenance organization and therefore is both provider and health plan.

If the billing has already occurred or the patient is unable or unwilling to pay, the organization may inform the patient on its “minimum necessary” policies regarding information sent to the health plan for payment.

The facility should create an audit process to review charts requested by insurance companies. If a restriction had been accepted, the restricted visits would need to be redacted. For example, if a health plan requests two years of patient information then the health plan should be required to provide dates of service to minimize exposure of restricted visits.

Reviewing Contracts with HMOs and Mandatory Billing

Previous contracts with HMOs do not exempt providers from honoring patient requests for restrictions. Contracts with HMOs must be reviewed and updated to ensure restrictions are honored. In addition, the mandatory submission laws may be avoided when the patient refuses to authorize a submission. There may be other legal mechanisms to avoid submissions and providers must research and utilize these to comply with the restriction request.

Terminating a Restriction to a Health Plan

A CE may terminate a previously agreed-to restriction if:

  1. The individual who requested the restriction requests or agrees in writing that the restriction can be terminated
  2. The CE notifies the individual that the agreed upon restriction is terminated (this only applies to uses or disclosures after the individual has been informed and does not apply to restrictions on disclosures to health plans regarding services for which the individual has paid in full)
  3. The individual orally agrees to the termination, the termination is documented, and a copy of the termination request is provided to the patient (this is not a recommended practice)

Educating Patients on Restriction Limitations

Patients must be told if the restricted item or service is likely to generate other similar services for which the patient would be required to pay for out-of-pocket. For example, if a patient chooses to pay out-of-pocket for a cardiac lab test done by his or her primary care physician and, based on the test, the patient is then referred to a cardiac specialist, the patient would also need to pay out-of-pocket for the specialist’s service. In addition, as mentioned previously, it may be difficult to “unbundle” certain services, so patients may need to be told to seek the entire bundle of services elsewhere.

Finally, the CE should treat each failure of this process as an incident and follow the CE’s breach investigation and notification process.

Handling Dishonored Payments

Policies must be put in place to handle dishonored payments and the patient must be notified of payment expectations. When a request for restrictions is made in a timely manner, the CE will need to outline how and when payments must be made in full. When a patient does not pay in full as agreed upon, HHS expects CEs to make reasonable attempts to work with the patient before releasing a claim to the health plan.

Policies outlining how long the CE will delay submitting a claim, processes for notifying the patient of the timeline, and processes to notify the patient if the payment is not made in full must be included. An awareness of what constitutes a timely claim for each health plan under the various contracts with the CE should be incorporated into any policies and procedures.

Restrictions May Affect Subsequent Visits

If the patient returns for follow-up care and the information from the original restriction is used for the current visit, the patient needs to be notified that the information was used and the patient will once again have to pay out-of-pocket for the current service to ensure the information is not sent to a health plan.

Referral to Other Healthcare Providers

Organizations may want to consider processes for notifying patients that information regarding the restriction to health plans may be released or, in the case of an emergency, may have been released for continuing care and that the patient may want to discuss any restrictions with the recipient. This is not required, but patient engagement and transparency will likely increase patient satisfaction. If the patient is making the request for the disclosure to another provider, this will give the patient the option to consider if the restricted information should be shared.

Electronic Prescriptions Pose Complications

Processes for giving the patient a paper prescription should be put in place. When the patient has requested a restriction, the patient should be informed of their obligation to contact a pharmacy, durable medical equipment vendor, or other healthcare organizations outside of the CE to ensure the health plan does not receive the restricted information. The CE needs to have a process in place to notify other healthcare providers also providing items or services to the patient to know when a restriction has been requested to ensure that all components of the visit are implemented with this restriction in mind.

Developing Education and Training Programs

CEs may need to develop a strategy to ensure patients, healthcare providers, and other workforce members are well-informed about the restriction policy, compliance, and legal risks. Educational materials may be provided either online or in print, and consumer-directed materials should be written in consumer-oriented terms and language.

Such information may include:

  • Requirements for a written request for restriction
  • Who may request information
  • A restriction policy explanation
  • Description of the content of the health record

Educating Patients on the Right to Restriction

Educating the patient on the enhancement to this individual right is imperative. Patients need to understand the significance of this right and how it impacts them. Developing a printed “Restriction Information” form or flyer to present to a patient or personal representative when a restriction to health plans is requested or incorporating these specifics into current patient rights documentation are two cost effective options for providing patient education rather than using staff time. Providing a printed document also allows the patient to keep the information for their reference and staff could then answer any patient questions if necessary. Some important details suggested for inclusion on the form include:

  • Refer to the HIPAA regulation, including language in easy-to-understand text.
  • State that a request for restriction form will need to be completed and will be filed in the individual’s health record. The patient may also obtain a copy of the form at the time of visit.
  • Explain that for a request to be approved, payment for service provided for that visit must be made in full. The patient must be educated that if the provider is able to unbundle the services, that this may result in a higher cost, or that the plan may be able to guess what is missing (items that are unbundled may be identified by the health plan based on contracts with that health plan). If unbundling is not feasible, then the provider must tell the patient in order to restrict the information that the entire bundle of services must be paid for out-of-pocket, up-front and in full.
  • Explain that when the provider is part of a HMO—and therefore is both provider and health plan—the patient may need to seek services elsewhere to enforce the restriction to the health plan.
  • Consider explaining a process to manage any possible balances for late charges, and describe any time window for payment of any outstanding balance to be made in full before the health plan will be contacted.
  • Clearly state that failure to pay either at the time of service or, in the case of any remaining account balance, within the required time frame could result in remittance to a designated health plan.
  • Explain that the restriction pertains to only this CE and this specific visit.
  • Share that any other/outside provider charges must be managed by the patient with that provider (i.e., anesthesiologist, radiologist, pathologist, physician, imaging center, laboratory).
  • Point out that the patient should request written prescriptions. A pharmacy will automatically get approval from the patients’ health plan prior to filling a prescription that has been called in or ordered electronically. The patient should be informed that it is best for them to manage this in person with the pharmacy and to request self-payment.

Workforce Training on Restrictions

Organizations must ensure all users receive thorough and detailed training on the proper use of the restriction policy. Policies and procedures set the expectation for the workforce, identify the requirements for appropriate behavior, and hold accountable those who will be responsible.

However, a policy is only as strong as the training provided to implement its processes. Developing a detailed policy with clear guidelines for the workforce to follow, and then training on that policy, are both essential. The policies and procedures must be reinforced to ensure proper execution to mitigate and avoid breach situations.

Considerations should include, but are not limited to:

  • Providing educational materials or a possible FAQ document as a go-to reference for staff. Appendix C [...] outlines a list of FAQs that may be utilized for training in an organization.
  • Sharing the patient information flyer with staff so they are aware of the education patients will receive. This will assist with answering questions patients may have.
  • Using a “Lesson in a Box” method—ready-made training materials that organization leadership and managers can use to educate their respective departments or new employees, eliminating any need to recreate training materials on a specific topic. This can include flyers, handouts, e-mails, or presentations used for training staff of all levels.
  • Creating a PowerPoint presentation.
  • Providing a helpdesk or hotline set up to a specific person(s) to respond to any questions that arise.
  • Creating online modules for workforce members to access independently when time permits.
  • Creating organization-wide webinars.
  • Include education on restrictions in annual HIPAA or compliance training.
  • Include education on restrictions in new hire orientation.
  • Include education on restrictions in resident and student orientation.
  • Include education on restrictions in medical staff training during reappointment processes.
  • Provide periodic reminders in newsletters, flyers, e-mails, or educational briefs.

Auditing Restrictions Policies and Procedures Ensures Compliance

Monitoring the process to evaluate whether policies and procedures are being followed and requests for restrictions are being handled in accordance with HIPAA regulations should be incorporated into a privacy officer’s HIPAA compliance program. Compliance may be monitored using performance improvement indicators. Some examples of indicators or audit practices include:

  • Patient complaints related to requests for restrictions
  • Running reports with the request for restriction and reviewing a sampling of cases to ensure the request is being handled appropriately
  • Observations of intake staff to ensure patients are being educated

As with any new process, monitoring effectiveness of the program is important to ensure compliance with the overall implementation of the program. Consider interviewing key staff about how to handle a restriction request.

If the information is released after a restriction has been requested and the care has been paid for in advance, the provider may be subject to criminal penalties, civil money penalties, or corrective action for making an impermissible disclosure under the Privacy Rule.

Appendices

Three appendices are available in this online version of the Practice Brief.

Appendix A—Checklist for Implementing the Request for Restriction to a Health Plan

This checklist is designed for implementing an organization-wide process when a Request for Restrictions from Payers has been received from a patient.

Assess the entire “workflow” for receiving a request for restriction of disclosures to a health plan. Consider the following:

  • Identification of the specific area of intake the request will be received from the patient
  • Identification of areas for potential “disclosures” of protected health information to the payer/health plan (should a restriction be in place). Some examples are: billing, insurance company audits, quality improvement, etc.
  • Release of Information practices including the in-house or vendor system, or any other point of release to ensure appropriate identification of restriction

Determine the method to identify the patient record to communicate to the organization that a request for restriction to payers is in place.

Define the area of intake for the patient to be educated, and the initial request be received, reviewed, and executed.

Define how the request will be documented ( i.e., form, letter from the patient, verbal request from the patient) and how the request will be entered into the system.

Determine the steps for how the request will be responded to and executed.

Define the process for how a request for restriction may be terminated.

Establish the process for educating the patient regarding request for restrictions to payers. Consider development of a patient pamphlet or brochure, including education on information that is used for treatment in subsequent visits. Areas to consider:

  • Problem List
  • Medication List
  • Allergy List
  • History documentation (i.e., medical, family, social)

Patients need to be notified that the restriction must be requested for each subsequent visit that is paid for in full.

Define the method for how workforce members will be notified when a request for restriction is accepted; the staff must be made aware to prevent potential inadvertent releases to the health plan.

Develop organization-wide policies and procedures and the education communication plan. Ensure policies are disseminated and updated as changes are made to the process.

Educate all staff/areas that require training on the process (i.e., admissions, release of information, billing, care providers). Ensure all areas are updated if changes are made to the process.

Incorporate a process to audit and monitor compliance in the organization’s HIPAA Compliance Program.

Appendix B—Sample Restriction Request Form

FACILITY LOGO/NAME

Medical Record Number:

Restriction Request – Out-of-Pocket Payment: All sections of this form MUST be completed to be valid

Patient Name: Date of Birth: / /

Address: City: State:

Zip Code: Telephone:

I am requesting that XX (Name of CE) restrict my protected health information from my insurance provider for my visit scheduled for / / .

By completing this form, I understand that:

  • I am required to pay, in-full, or the majority of the projected amount for my services before they occur or this request will be null and void and my insurance may be billed without notice and I may be billed for any additional charges that must be paid within thirty (30) days of my service
  • This form only covers the XX’s (professional and facility) portion of the bill and that I may need to contact the following areas to ensure they do not send my PHI to my insurance company:
    • My provider – Physicians and nurse practitioners bill separately from the hospital and I will need to contact their billing group, <physicians billing group name/number here > to obtain a restriction on their billings
    • Pharmacy – I will need to ask my prescribing provider to provide me with a paper prescription to ensure that my medication is not billed or disclosed to my health plan
    • Lab – I understand that some lab tests are done by an external vendor and I may have to contact one of them to obtain a restriction from their billing:
      • LabCorp –
      • Quest Diagnostics –
  • During future visits to XX Medical Centers, providers may reference this restricted visit in their notes and that those documents may be sent to my insurance provider to justify payment for those future visits. XX will not redact or alter those notes to reflect this restriction request
  • This restriction request covers this, and only this particular visit, and if follow-up care is needed that I want this information restricted, I will need to fill out another form to cover each one of those visits
  • As federal law changes, the rules around this restriction may change as well

Signature

I request XX (Name of CE) to restrict the use or disclosure of my protected health information as specified above.

Patient/Authorized Representative Signature:

Date: / /

Printed Name of Authorized Requestor:

Relationship to Patient:

Date received: / /

Date payment received: / /

**Once completed, please either hand-deliver or fax this form to Health Information Management at
<insert address, phone and fax here>**

Appendix C—Patient’s Right to Request Restriction to Health Plan
Frequently Asked Questions

What is the Covered Entity’s (CE) obligation to this rule?

A covered entity must agree to an individual’s request to restrict disclosure to health plan if the individual or person on individual’s behalf pays for the item or service out of pocket in full:

  • For payment or healthcare operations
  • Unless required by law

Does a CE have to separate those medical records under this restriction?

The provisions do not require that covered healthcare providers create separate medical records or otherwise segregate protected health information subject to a restricted healthcare item or service.

If a CE does not have to segregate records how will they know what is restricted?

Healthcare providers will need to employ some method to flag or make a notation in the record with respect to the PHI that has been restricted to ensure such information is not inadvertently sent to or made accessible to the health plan for payment or healthcare operations such as audits by the health plan.

What about Medicare and other disclosures required by law?

The final rule continues to allow disclosures that are otherwise required by law, notwithstanding that an individual has requested a restriction.

  • If a provider is required by State or other law to submit a claim to a health plan for a covered service, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to the right to request a restriction.
  • There is an exception to the Medicare rule where a beneficiary refuses to authorize the submission of a bill to Medicare. In such cases a provider is not required to submit a claim to Medicare for the service.

How do I handle a request to restrict a service or item that may be bundled with others?

Providers are expected to counsel patients on the ability of the provider to unbundle items or services and the impact of doing so. If a provider is able to unbundle the item or service and accommodate the individual’s wishes it should do so. If a provider is unable to unbundle items or services then the individual should be given the opportunity to restrict and pay out of pocket for the entire bundle of times or services.

  • Items that are unbundled may be identified by the payer based on contracts.

What is a CE’s obligation to inform other providers involved in the care of a request?

Although not required, providers are encouraged to counsel patients that they would need to request a restriction and pay out of pocket with other downstream providers for the restrictions to apply to the disclosures by such providers.

  • In cases concerning a prescribed medication, the prescribing provider can provide the patient with a paper prescription to allow the individual an opportunity to request a restriction and pay the pharmacy before it has submitted a bill to the health plan.

What if the individual fails to pay for the service or item?

Providers are required to make a reasonable effort to secure payment from the individual, prior to billing a health plan. Providers may choose to require payment in full at the time of the request for a restriction.

Reference

Department of Health and Human Services. “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” Federal Register 78, no. 17. January 25, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

References

California Hospital Association. “2013 California Health Information Privacy Manual (6th edition).” 2013. http://www.calhospital.org/privacy.

Department of Health and Human Services. “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” Federal Register 78, no. 17 (January 25, 2013). http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/html/2013-01073.htm.

Department of Health and Human Services. “Standards for the Privacy of Individually Identifiable Health Information; Final Rule. 45 CFR Parts 160 through 164.” Federal Register 65, no. 250 (December 28, 2000). www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf.

Department of Health and Human Services. “Summary of the HIPAA Privacy Rule.” www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.

Hall, Render, Killian, Heath, and Lyman. “The HIPAA Final Omnibus Rule’s Impact on an Individual’s Rights to Request Restrictions When Paying Out-of-Pocket.” 2012. http://www.hallrender.com/health_care_law/library/articles/1394/021413HIPAA.html.

Prepared By

Barb Beckett, RHIT, CHPS
Ben Burton, JD, MBA, RHIA, CHP, CHC
Kenneth D. Clyburn, RHIA
Katherine Downing, MA, RHIA, CHPS, PMP
Barry S. Herrin, Esq., CHPS, FACHE, FAHIMA
Sharon Lewis, MBA, RHIA, CHPS, CPHQ, FAHIMA
Deanna Panzarella, CHPS
Sharon Slivochka, RHIA
Diana Warner, MS, RHIA, CHPS, FAHIMA

Acknowledgements

Rose Marie Grave, RHIT, CPEHR, RAC-CT
Lesley Kadlec, MA, RHIA
Deanna Peterson, MHA, RHIA, CHPS
Theresa Rihanek, MHA, RHIA, CCS
Angela Dinh Rose, MHA, RHIA, CHPS, FAHIMA
Peg Schmidt, RHIA, CHPS

The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.

Article citation:
AHIMA Work Group. "Managing a Patient’s Right to Request Restrictions of Disclosures to Health Plans" Journal of AHIMA 85, no.4 (April 2014): [extended web version].