Health Information Compliance Alert

YOU BE THE SECURITY EXPERT:

DO WE HAVE TO AGREE TO PATIENTS' RESTRICTION REQUESTS?

Read the situation below and decide how you would handle it before you compare it to our expert's advice.

Question: Are we required under HIPAA to honor patients' requests to impose further restrictions on their protected health information?

Answer: Even though HIPAA guarantees patients the right to make restriction requests, it also gives covered entities the right to refuse any and all such requests without providing any reason for denial.

The privacy rule grants patients the right to request further restrictions on uses or disclosures of PHI for treatment, payment and health care operations, as well as on disclosures permitted for involvement in the patient's care. However, just as soon as the regs finish spelling out this right, the rule goes on to state that a "covered entity is not required to agree to a restriction."

So, if covered entities are allowed to stamp "denied" on all restriction requests, wouldn't it make sense for them to do so? Wouldn't that be the easiest policy to employ?

Not necessarily, says Nancy Armatas, an attorney with Popovits & Robinson in Chicago. Keep in mind that HIPAA is really a complaint-driven process, and that "the worst thing that can happen is that you have disgruntled patients," she stresses.

If a patient's request isn't going to compromise care or payment for that care--such as a request to not communicate PHI to a specific family member--you should consider agreeing to the restriction. While issuing a denial would be well within your rights, you run the risk of upsetting a patient by failing to accommodate the reasonable restriction, cautions Armatas.

Bad for business: A blanket denial policy that is likely to jeopardize your relationship with your patients isn't the best tactic for covered entities, agrees attorney Matthew Lapointe with Sheehan, Phinney, Bass & Green in Manchester, NH. It's no secret that it's never a good idea to irritate your patients, he says.

While patients who are denied a reasonable restriction request may not have grounds for complaining to the Department of Health and Human Services, they might be less forgiving of any privacy gaffes that occur down the road. "You've essentially ticked them off, so that the first time you slip up, HHS is going to hear about it," Lapointe surmises.

Entities that fear that agreeing to further PHI restrictions will create new and undue administrative burdens should be aware that many providers have been giving these types of privacy protections to their patients since long before HIPAA happened, Lapointe adds.

For example: Many obstetrics and gynecological practices are accustomed to handling patients' requests that their medical information not be shared with their partners or spouses, he notes.

In general, agreeing to such restrictions allows your patients to feel more comfortable with your organization.

Lapointe offers the example of one of his clients, an ob-gyn practice. In this instance, one of the practice's patients happened to be very friendly with one of its staff members, he says. The patient requested that the friend not be allowed access to her medical records, and the practice agreed to honor the restriction.

While the difficulty of maintaining the restriction might depend on the staff member's general need to access PHI, entities that value their patients' satisfaction will make the effort to comply with reasonable privacy protection requests, suggests Lapointe.