HIPAA Compliance Plan


§ 164.522 Rights to request privacy protection for protected health information

Introductory Comment: This is yet another section with lots of detail and numerous exceptions. The individual has a right to make certain kinds of requests, but as it turns out, the provider need not agree to the request. However, once a provider agrees to a request, other duties are triggered.

(a) (1) Standard: Right of an individual to request restriction of uses and disclosures.

(i) A Covered Entity must permit an individual to request that the Covered Entity restrict use or disclosure of Protected Health Information about the individual to carry out treatment, payment or health care operations and restrictions related to family members, friends, etc. (§164.510(b)).

(ii) A Covered Entity is not required to agree to a restriction.

(iii) In general, a Covered Entity that agrees to a restriction may not use or disclose Protected Health Information in violation of such restriction, except in the case of an emergency.

(iv) If restricted Protected Health Information is disclosed for emergency treatment, the Covered Entity must request that no subsequent disclosure be made beyond the scope required for emergency treatment.

(v) A restriction agreed to by a Covered Entity does not prevent uses or disclosures permitted or required by certain other parts of the PR (§§164.502(a)(2)(ii), 164.510(a) or 164.512).

(2) Implementation specifications: Terminating a restriction.

(3) Implementation specifications: Documentation.

HIPAA Survival Guide Note

As discussed above, if you agree to a restriction, other duties are triggered, including specific steps that must be taken to terminate a restriction and to document existing restrictions. Wherever practical, it may be prudent simply not to agree to restrictions unless absolutely necessary.

(b) (1) Standard: Confidential communications requirements. In general, a provider must permit individuals to request and must accommodate reasonable requests to receive Protected Health Information by alternate means or locations.

(2) Implementation specifications: Conditions on providing confidential communications.

HIPAA Survival Guide Note

Note: There are additional requirements regarding conditions for providing confidential communications. Since reasonable requests must be honored, a provider will need to understand which conditions are allowed and which are not.
