Requests by Patients for Restrictions on Uses and Disclosures of Protected Health Information

Layout for printing
Policy Number:
UW-123
Old Policy Number:
7.5
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:
Covered entity
A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Designated record set
A group of records so designated which are maintained by or for the UW–Madison health care component (UW HCC) and which (1) includes the medical and billing records about individuals maintained by a health care provider; and (2) are used in whole or in part for the health care provider to make decisions about individuals. The term "record" means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a health care provider.
Protected health information (PHI)
Health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. Protected health information does not include student records held by educational institutions or employment records held by employers.
UWMadison health care component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW–Madison Health Care Component for a listing of these units.
Scope:

Applies to all members of the UW HCC. 

Policy:

Policy Summary

UW–Madison recognizes a patient’s right to request a restriction to uses and/or disclosures of their protected health information. However, the HIPAA Privacy Rule and HITECH regulations permit covered entities to refuse to agree to any such request for restriction, except in some circumstances when the health information relates solely to a health care item or service paid for by the patient or by a person other than the health plan on behalf of the patient. Due to the nature, volume, and complexity of the uses and disclosures of protected health information within the UW HCC, part of a large and complex organization, it will rarely be possible for UW–Madison to implement a requested restriction except those required by law.

This policy describes how UW–Madison provides patients with an opportunity to request restrictions to the use and/or disclosure of their protected health information:

  1. For treatment, payment, or health care operations; and/or
  2. To family and others for involvement in the patient’s care or notification purposes.

Policy Detail

  1. General

    1. The UW HCC unit informs patients of their right to request restrictions on certain uses and/or disclosures of their protected health information in the Notice of Privacy Practices (see UW-102 Notice of Privacy Practices (NPP) Distribution and Acknowledgement). In the notice, it is advisable to indicate that restrictions will rarely be granted except when required to be granted as described below.
    2. The UW HCC unit must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:
      1. The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
      2. The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the cost of the item or service in full.
    3. Any such request must be in writing. The UW HCC unit may provide the Request for Restriction on Use and/or Disclosure of Protected Health Information to a patient who wishes to request a restriction.
    4. The written request for restrictions must be forwarded to the designated unit privacy coordinator (or designee) for review and determination of final action.
    5. The UW HCC unit privacy coordinator (or designee) is responsible for granting or denying a patient’s request for restrictions. Other staff members may not grant or deny a patient’s request for restrictions.
    6. The UW HCC unit will refuse or agree to a patient’s request for restrictions on the use and/or disclosure of protected health information based on the determination of the UW HCC unit privacy coordinator.

  2. When a Request for Restriction Is Denied

    If the request for restriction is denied, the UW HCC unit privacy coordinator will notify the patient in writing. The Sample Letter of Denial for Request for Restrictions may be used. The UW HCC unit is not required to notify the patient of any reasons for denying the request.

  3. When a Request for Restriction Has Been Accepted

    1. The UW HCC unit privacy coordinator has the responsibility to ensure that the restriction is adhered to.
    2. The UW HCC unit may use and/or disclose protected health information contrary to an accepted restriction if the patient who requested the restriction is in need of emergency treatment and the restricted information is needed to provide emergency treatment. If the restricted protected health information is disclosed to a health care provider for emergency treatment, the UW HCC unit privacy coordinator must request that the health care provider not further use or disclose the information.
    3. The UW HCC unit privacy coordinator will notify the patient in writing when a request for restriction is accepted. The Sample Letter of Acceptance of Request for Restriction may be used.
      1. The letter will include notification to the patient that UW HCC may use and/or disclose protected health information in violation of an accepted restriction if the patient is in need of emergency treatment and the restricted information is needed to provide emergency treatment, in order to provide such treatment.
      2. If the restricted protected health information is disclosed in an emergency, the UW HCC unit must request that such health care provider not further use or disclose the information.
    4. The agreement to restrict will be documented in the patient’s medical record and/or identified in an appropriate field in the computerized patient information system.
    5. The UW HCC unit privacy coordinator will notify separately any other departments or entities to which the restriction may apply (e.g., marketing, public relations, administration, billing, etc.).
    6. The UW HCC unit privacy coordinator will notify separately any business associates to which the restriction may apply.
    7. The UW HCC unit will not use or disclose protected health information inconsistent with the accepted restriction except as described above.
    8. A restriction agreed to by the UW HCC does not apply, under the Privacy Rule, to the following uses or disclosures:
      1. To the Secretary of the U.S. Department of Health and Human Services to investigate or determine the compliance of UW–Madison with HIPAA
      2. Required by law
      3. For public health activities
      4. Regarding victims of abuse, neglect, violence
      5. For health oversight activities
      6. For judicial and administrative proceedings
      7. For law enforcement purposes
      8. About decedents
      9. Regarding cadaver organ, eye, tissue donations
      10. For research purposes when a waiver of authorization is granted
      11. For review preparatory to research
      12. For research on decedent’s information
      13. To avert a threat to health and safety
      14. For certain specialized government functions
      15. For worker’s compensation

  4. Terminating an Agreed Upon Restriction

    1. The UW HCC unit may terminate its agreement to a restriction, except for those restrictions required by law as described in I.2. above if:
      1. The patient agrees to or requests the termination in writing;
      2. The patient orally agrees to the termination and the oral agreement is documented; or
      3. The UW HCC unit informs the patient that it has decided to terminate its agreement to a restriction. Such termination is only effective with respect to protected health information created or received after the UW HCC unit has informed the patient of the termination of its agreement to the restriction. Any termination of an agreement to a restriction by the UW HCC unit should be made and confirmed in writing.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
04-14-2003
Revised Dates:

09-22-2014: Effective date of the revised policy: 09-22-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:
04-25-2024 13:01:02