NRPM: Standards for Privacy of Individually Identifiable Health Information. 3. Right to restrict uses and disclosures. (§ 164.506(c))


We propose to permit in § 164.506(c) that individuals be able to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment, or health care operations, and if the covered entity agrees to the requested restrictions, the covered entity could not make uses or disclosures for treatment, payment or health care operations that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This provision would not apply to health care provided to an individual on an emergency basis.

This proposal would not restrict the right of a provider to make an otherwise permissible disclosure under § 164.510, such as a disclosure for public health or emergency purposes. While there is nothing in this proposed rule that would prohibit a provider and an individual from agreeing in advance not to make such disclosures, such an agreement would not be enforceable through this proposed rule.

We should note that there is nothing in this proposed rule that requires a covered entity to agree to a request to restrict, or to treat or provide coverage to an individual requesting a restriction under this provision. Covered entities who do not wish to, or due to contractual obligations cannot, restrict further use or disclosure would not be obligated to treat an individual making a request under this provision. For example, some health care providers could feel that it is medically inappropriate to honor patient requests under this provision. The medical history and records of a patient, particularly information about current medications and other therapies, are often very much relevant when new treatment is sought, and the patient cannot seek to withhold this information from subsequent providers without risk.

Under this proposal, individuals could request broad restrictions on further uses and disclosures for treatment, payment or health care operations, or could request more limited restrictions relating to further uses or disclosures of particular portions of the protected health information or to further disclosures to particular persons. Covered entities could choose to honor the individual’s request, could decline to treat or provide coverage to the individual, or could propose an alternative restriction of further use or disclosure. The covered entity would not be bound by an individual’s request for restriction until its scope has been agreed to by the individual and the provider. Once an agreement has been reached, however, a covered entity that uses or discloses the protected health information resulting from the encounter in any manner that violates such agreement would be in violation of this provision.

We are not proposing to extend this right to individuals receiving emergency medical care, because emergency situations may not afford sufficient opportunity for the provider and patient to discuss the potential implications of restricting further use and disclosure of the resulting medical information. Additionally, a health care provider may not be free to refuse treatment to an emergency patient if the provider does not wish to honor a request to restrict further use or disclosure of health information, leaving the provider in an unfair position where she or he must choose between permitting medical harm to come to the patient or honoring a request that she or he feels may be inappropriate or which may violate the provider’s business practices or contractual obligations. Some health care providers are legally required to treat emergency patients (e.g., hospital emergency rooms), and would have no opportunity to refuse treatment as a result of a request to restrict further use and disclosure under this provision. Under the pressure of an emergency, a provider should not be expected to adhere to the restrictions associated with a particular individual’s information.

Under this proposal, covered entities would not be responsible for ensuring that agreed-upon restrictions are honored when the protected health information leaves the control of the covered entity or its business partners. For example, a provider would not be out of compliance if information she or he disclosed to another provider (consistent with the agreed upon restrictions and with notice of the applicable restrictions on uses and disclosures) is subsequently used or disclosed in violation of the restrictions.

The agreement to restrict use and disclosure under this provision would have to be documented to be binding on the covered entity. In proposed § 164.520, we would require covered entities to develop and document policies and procedures reasonably designed to ensure that the requests are followed, i.e., that unauthorized uses and disclosures are not made.

We note that this proposed rule would not permit covered entities to require individuals to invoke their right to restrict uses and disclosures; only the patient could make a request and invoke this right to restrict.

We considered providing individuals substantially more control over their protected health information by requiring all covered entities to attempt to accommodate any restrictions on use and disclosure requested by patients. We rejected this option as unworkable. While industry groups have developed principles for requiring patient authorizations, we have not found widely accepted standards for implementing patient restrictions on uses or disclosures. Restrictions on information use or disclosure contained in patient consent forms are sometimes ignored because they may not be read or are lost in files. Thus, it seems unlikely that a requested restriction could successfully follow a patient’s information through the health care system -- from treatment to payment, through numerous operations, and potentially through certain permissible disclosures. Instead we would limit the provision to restrictions that have been agreed to by the covered entity.

We recognize that the approach that we are proposing could be difficult because of the systems limitations described above. However, we believe that the limited right for patients included in this proposed rule can be implemented because it only applies in instances in which the covered entity agrees to the restrictions. We assume that covered entities would not agree to restrictions that they are unable to implement.

We considered limiting the rights under this provision to patients who pay for their own health care (or for whom no payment was made by a health plan). Individuals and health care providers that engage in self-pay transactions have minimal effect on the rights or responsibilities of payers or other providers, and so there would be few instances when a restriction agreed to in such a situation would have negative implications for the interests of other health care actors. Limiting the right to restrict to self-pay patients also would reduce the number of requests that would be made under this provision. We rejected this approach however, because the desire to restrict further uses and disclosures arises in many instances other than self-pay situations. For example, a patient could request that his or her records not be shared with a particular physician because that physician is a family friend. Or an individual could be seeking a second opinion and might not want his or her treating physician consulted. Individuals have a legitimate interest in restricting disclosures in these situations. We solicit comment on the appropriateness of limiting this provision to instances in which no health plan payment is made on behalf of the individual.

In making this proposal, we recognize that it could be difficult in some instances for patients to have a real opportunity to make agreements with covered entities, because it would not be clear in all cases which representatives of a covered entity could make an agreement on behalf of the covered entity. There also are concerns about the extent to which covered entities could ensure that agreed-upon restrictions would be followed. As mentioned above, current restrictions contained in patient consent forms are sometimes ignored because the person handling the information is unaware of the restrictions. We solicit comments on the administrative burdens this provision creates for covered entities, such as the burdens of administering a system in which some information is protected by federal law and other information is not.

We would note that we expect that systems for handling patient requests to restrict use and disclosure of information will become more responsive as technology develops. Therefore, we will revisit this provision as what is practicable changes over time. Proposed requirements for documenting internal procedures to implement this proposed provision are included in proposed §164.520. We request comments on whether the final rule should provide examples of appropriate, scalable systems that would be in compliance with this standard.