The UW-Madison recognizes a patient’s right to request a restriction to uses and/or disclosures of his/her protected heath information. However, the HIPAA Privacy Rule and HITECH regulations permit covered entities to refuse to agree to any such request for restriction, except in some circumstances when the health information relates solely to a health care item or service paid for by the patient or by a person other than the health plan on behalf of the patient. Due to the nature, volume, and complexity of the uses and disclosures of protected health information within the UW-Madison Health Care Component, part of a large and complex organization, it will rarely be possible for UW-Madison to implement a requested restriction except those required by law.
This document describes how UW-Madison provides patients with an opportunity to request restrictions to the use and/or disclosure of their protected health information:
- For treatment, payment, or health care operations; and/or
- To family and others for involvement in the patient’s care or notification purposes.
- The UW HCC unit informs patients of their right to request restrictions on certain uses and/or disclosures of their PHI in the “Notice of Privacy Practices” (see UW-102 Notice of Privacy Practices (NPP) Distribution and Acknowledgement). In the Notice, it is advisable to indicate that restrictions will rarely be granted except when required to be granted as described below.
- The UW HCC unit must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:
- The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
- The PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the cost of the item or service in full.
- Any such request must be in writing. The UW HCC unit may provide the “Request for Restriction on Use and/or Disclosure of Protected Health Information” to a patient who wishes to request a restriction.
- The written request for restrictions must be forwarded to the designated unit Privacy Coordinator (or designee) for review and determination of final action.
- The UW HCC unit Privacy Coordinator (or designee) is responsible for granting or denying a patient’s request for restrictions. Other staff members may not grant or deny a patient’s request for restrictions.
- The UW HCC unit will refuse or agree to a patient’s request for restrictions on the use and/or disclosure of PHI based on the determination of the UW HCC unit Privacy Coordinator.
When a Request for Restriction Is Denied
If the request for restriction is denied, the UW HCC unit Privacy Coordinator shall notify the patient in writing. The “Sample Letter of Denial for Request for Restrictions” may be used. The UW HCC unit is not required to notify the patient of any reasons for denying the request.
- When a Request for Restriction Has Been Accepted
- The UW HCC unit Privacy Coordinator has the responsibility to assure that the restriction is adhered to.
- The UW HCC unit may use and/or disclose PHI contrary to an accepted restriction if the patient who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide emergency treatment. If the restricted PHI is disclosed to a health care provider for emergency treatment, the UW HCC unit Privacy Coordinator must request that the health care provider not further use or disclose the information.
- The UW HCC unit Privacy Coordinator will notify the patient in writing when a request for restriction is accepted. The “Sample Letter of Acceptance of Request for Restriction” may be used.
- The letter will include notification to the patient that UW HCC may use and/or disclose PHI in violation of an accepted restriction if the patient is in need of emergency treatment and the restricted PHI is needed to provide emergency treatment, in order to provide such treatment.
- If the restricted PHI is disclosed in an emergency, the UW HCC unit must request that such health care provider not further use of disclose the information.
- The agreement to restrict will be documented in the patient’s medical record and/or identified in an appropriate field in the computerized patient information system.
- The UW HCC unit Privacy Coordinator will notify separately any other departments or entities to which the restriction may apply (e.g., marketing, public relations, administration, billing, etc.).
- The UW HCC unit Privacy Coordinator will notify separately any business associates to which the restriction may apply.
- The UW HCC unit will not use or disclose PHI inconsistent with the accepted restriction except as described above.
- A restriction agreed to by the UW HCC does not apply, under the Privacy Rule, to the following uses or disclosures:
- To the Secretary of the U.S. Department of Health and Human Services to investigate or determine the compliance of UW-Madison with HIPAA;
- Required by law;
- For public health activities;
- Regarding victims of abuse, neglect, violence;
- For health oversight activities;
- For judicial and administrative proceedings;
- For law enforcement purposes;
- About decedents;
- Regarding cadaver organ, eye, tissue donations;
- For research purposes when a waiver of authorization is granted;
- For review preparatory to research;
- For research on decedent’s information;
- To avert a threat to health and safety;
- For certain specialized government functions;
- For worker’s compensation.
- Terminating an Agreed Upon Restriction
- The UW HCC unit may terminate its agreement to a restriction, except for those restrictions required by law as described in I.2. above if:
- The patient agrees to or requests the termination in writing;
- The patient orally agrees to the termination and the oral agreement is documented; or
- The UW HCC unit informs the patient that it has decided to terminate its agreement to a restriction. Such termination is only effective with respect to PHI created or received after the UW HCC unit has informed the patient of its termination of its agreement to the restriction. Any termination of an agreement to a restriction by the UW HCC unit should be made and confirmed in writing.
Consequences for Non-Compliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failures to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.