HIPAA PHI Restriction Request

Summary

Use this HIPAA PHI Restriction Request form for an employer-sponsored group health plan to allow plan participants to request restricted access to their Protected Health Information. This template includes practical guidance, an optional clause, and drafting notes. With limited exceptions, the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA) provides individuals with a legal, enforceable right to ask a covered entity, like a group health plan, to restrict access to the individual’s PHI for (1) uses or disclosures that are necessary for the treatment or payment related to the PHI or in carrying out health care operations (as is usually permitted under 45 C.F.R. § 164.506) and (2)) for uses and disclosures to other individuals involved in the individual’s care, as discussed in 45 C.F.R. § 164.510(b). 45 C.F.R. § 164.522(a)(1)(i). The participant’s right to request a disclosure restriction must be clearly stated in the covered entity’s HIPAA privacy notice. 45 C.F.R. § 164.520(b)(1)(iv)(A). The covered entity is however permitted to deny the request. 45 C.F.R. § 164.522(a)(1)(ii). Even where the covered entity agrees to the restriction, it may later share the restricted information in situations requiring the individual’s emergency treatment. 45 C.F.R. § 164.522(a)(1)(iii). This exception to a restriction usually relates to disclosure to a family member or someone who may otherwise be permitted access to an individual’s PHI. See 45 C.F.R. § 164.510(b) and see Dep’t of Health and Human Services’ (HHS) website. Restrictions may be rescinded and must, in all cases, be documented. 45 C.F.R. § 164.522(a)(2), (3). The right to restrict access is coupled with the obligation of covered entities to accommodate reasonable requests by individuals to receive confidential communications of protected health information by alternative means or at alternative locations. 45 C.F.R. § 164.522(b). The covered entity may condition the accommodation on the individual providing information on how payment will be handled but must always allow an accommodation (or restriction) where the individual or another (other than the health plan) has paid for the treatment in full. 45 C.F.R. § 164.522(a)(1)(vi)(B). See HHS website for more information. Note that de-identified information is not treated as PHI subject to this privacy protection. 45 C.F.R. § 164.502(d). In a fully-insured group health plan the right to restrict access to PHI will rest with the insurer, and not the employer, as fully-insured group health plans are exempt from most of the administrative responsibilities under the HIPAA’s privacy rule. See 45 C.F.R. § 164.530(k) and Dep’t of Health and Human Services: Employer Offering Full-Insured Health Plan. For more information on compliance with HIPAA’s privacy and security rules, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules. For a policy related to restricting access to an individual’s PHI, see HIPAA Privacy and Security Policy, Section III.D. For other HIPAA-related content, see HIPAA Resource Kit.