Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Section 164.522(a) - Right of an Individual to Request Restriction of Uses and Disclosures

12/28/2000

Comment: Several commenters supported the language in the NPRM regarding the right to request restrictions. One commenter specifically stated that this is a balanced approach that addresses the needs of the few who would have reason to restrict disclosures without negatively affecting the majority of individuals. At least one commenter explained that if we required consent or authorization for use and disclosure of protected health information for treatment, payment, and health care operations that we must also have a right to request restrictions of such disclosure in order to make the consent meaningful.

Many commenters requested that we delete this provision, claiming it would interfere with patient care, payment, and data integrity. Most of the commenters that presented this position asserted that the framework of giving patients control over the use or disclosure of their information is contrary to good patient care because incomplete medical records may lead to medical errors, misdiagnoses, or inappropriate treatment decisions. Other commenters asserted that covered entities need complete data sets on the populations they serve to effectively conduct research and quality improvement projects and that restrictions would hinder research, skew findings, impede quality improvement, and compromise accreditation and performance measurement.

Response: We acknowledge that widespread restrictions on the use and disclosure of protected health information could result in some difficulties related to payment, research, quality assurance, etc. However, in our efforts to protect the privacy of health information about individuals, we have sought a balance in determining the appropriate level of individual control and the smooth operation of the health care system. In the final rule, we require certain covered providers and permit all covered entities to obtain consent from individuals for use and disclosure of protected health information for treatment, payment, and health care operations (see § 164.506). In order to give individuals some control over their health information for uses and disclosures of protected health information for treatment, payment, and health care operations, we provide individuals with the opportunity to request restrictions of such uses and disclosures.

Because the right to request restrictions encourages discussions about how protected health information may be used and disclosed and about an individual's concerns about such uses and disclosures, it may improve communications between a provider and patient and thereby improve care. According to a 1999 survey on the Confidentiality of Medical Records by the California HealthCare Foundation, one out of every six people engage in behavior to protect themselves from unwanted disclosures of health information, such as lying to providers or avoiding seeking care. This indicates that, without the ability to request restrictions, individuals would have incentives to remain silent about important health information that could have an effect on their health and health care, rather than consulting a health care provider.

Further, this policy is not a dramatic change from the status quo. Today, many state laws restrict disclosures for certain types of health information without the patient's authorization. Even if there is no mandated requirement to restrict disclosures of health information, providers may agree to requests for restrictions of disclosures when a patient expresses particular sensitivity and concern for the disclosure of health information.

We agree that there may be instances in which a restriction could negatively affect patient care. Therefore, we include protections against this occurrence. First, the right to request restrictions is a right of individuals to make the request. A covered entity may refuse to restrict uses and disclosures or may agree only to certain aspects of the individual's request if there is concern for the quality of patient care in the future. For example, if a covered provider believes that it is not in the patient's best medical interest to have such a restriction, the provider may discuss the request for restriction with the patient and give the patient the opportunity to explain the concern for disclosure. Also, a covered provider who is concerned about the implications on future treatment can agree to use and disclose sensitive protected health information for treatment purposes only and agree not to disclose information for payment and operation purposes. Second, a covered provider need not comply with a restriction that has been agreed to if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment. This exception should limit the harm to health that may otherwise result from restricting the use or disclosure of protected health information. We encourage covered providers to discuss with individuals that the information may be used or disclosed in emergencies. We require that the covered entity that discloses restricted protected health information in an emergency request that the health care provider that receives such information not further use or re-disclose the information.

Comment: Some health plans stated that an institutionalized right to restrict can interfere with proper payment and can make it easier for unscrupulous providers or patients to commit fraud on insurance plans. They were concerned that individuals could enter into restrictions with providers to withhold information to insurance companies so that the insurance company would not know about certain conditions when underwriting a policy.

Response: This rule does not enhance the ability of unscrupulous patients or health care providers to engage in deceptive or fraudulent withholding of information. This rule grants a right to request a restriction, not an absolute right to restrict. Individuals can make such requests today. Other laws criminalize insurance fraud; this regulation does not change those laws.

Comment: One commenter asserted that patients cannot anticipate the significance that one aspect of their medical information will have on treatment of other medical conditions, and therefore, allowing them to restrict use or disclosure of some information is contrary to the patient's best interest.

Response: We agree that patients may find it difficult to make such a calculus, and that it is incumbent on health care providers to help them do so. Health care providers may deny requests for or limit the scope of the restriction requested if they believe the restriction is not in the patient's best interest.

Comment: One commenter asked whether an individual's restriction to disclosure of information will be a bar to liability for misdiagnosis or failure to diagnose by a covered entity who can trace its error back to the lack of information resulting from such restriction.

Response: Decisions regarding liability and professional standards are determined by state and other law. This rule does not establish or limit liability for covered entities under those laws. We expect that the individual's request to restrict the disclosure of their protected health information would be considered in the decision of whether or not a covered entity is liable.

Comment: One commenter requested that we allow health plans to deny coverage or reimbursement when a covered health care provider's agreement to restrict use or disclosure prevents the plan from getting the information that is necessary to determine eligibility or coverage.

Response: In this rule, we do not modify insurers' rules regarding information necessary for payment. We recognize that restricting the disclosure of information may result in a denial of payment. We expect covered providers to explain this possibility to individuals when considering their requests for restrictions and to make alternative payment arrangements with individuals if necessary.

Comment: Some commenters discussed the administrative burden and cost of the requirement that individuals have the right to request restrictions and that trying to segregate certain portions of information for protection may be impossible. Others stated that the administrative burden would make providers unable to accommodate restrictions, and would therefore give patients false expectations that their right to request restrictions may be acted upon. One commenter expressed concern that large covered providers would have a particularly difficult time establishing a policy whereby the covered entity could agree to restrictions and would have an even more difficult time implementing the restrictions since records may be kept in multiple locations and accessed by multiple people within the organization. Still other commenters believed that the right to request restrictions would invite argument, delay, and litigation.

Response: We do not believe that this requirement is a significant change from current practice. Providers already respond to requests by patients regarding sensitive information, and are subject to state law requirements not to disclose certain types of information without authorization. This right to request is permissive so that covered entities can balance the needs of particular individuals with the entity's ability to manage specific accommodations.

Comment: Some commenters were concerned that a covered entity would agree to a restriction and then realize later that the information must be disclosed to another caregiver for important medical care purposes.

Response: Some individuals seek treatment only on the condition that information about that treatment will not be shared with others. We believe it is necessary and appropriate, therefore, that when a covered provider agrees to such a restriction, the individual must be able to rely on that promise. We strongly encourage covered providers to consider future treatment implications of agreeing to a restriction. We encourage covered entities to inform others of the existence of a restriction when appropriate, provided that such notice does not amount to a de facto disclosure of the restricted information. If the covered provider subject to the restriction believes that disclosing the protected health information that was created or obtained subject to the restriction is necessary to avert harm (and it is not for emergency treatment), the provider must ask the individual for permission to terminate or modify the restriction. If the individual agrees to the termination of the restriction, the provider must document this termination by noting this agreement in the medical record or by obtaining a written agreement of termination from the individual and may use or disclose the information for treatment. If the individual does not agree to terminate or modify the restriction, however, the provider must continue to honor the restriction with respect to protected health information that was created or received subject to the restriction. We note that if the restricted protected health information is needed to provide emergency treatment to the individual who requested the restriction, the covered entity may use or disclose such information for such treatment.

Comment: Commenters asked that we require covered entities to keep an accounting of the requests for restrictions and to report this information to the Department in order for the Department to determine whether covered entities are showing "good faith" in dealing with these requests.

Response: We require that covered entities that agree to restrictions with individuals document such restrictions. A covered entity must retain such documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. We do not require covered entities to keep a record of all requests made, including those not agreed to, nor that they report such requests to the Department. The decision to agree to restrictions is that of the covered entity. Because there is no requirement to agree to a restriction, there is no reason to impose the burden to document requests that are denied. Any reporting requirement could undermine the purpose of this provision by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.

Comment: One commenter asserted that providers that currently allow such restrictions will choose not to do so under the rule based on the guidance of legal counsel and loss prevention managers, and suggested that the Secretary promote competition among providers with respect to privacy by developing a third-party ranking mechanism.

Response: We believe that providers will do what is best for their patients, in accordance with their ethics codes, and will continue to find ways to accommodate requested restrictions when they believe that it is in the patients' best interests. We anticipate that providers who find such action to be of commercial benefit will notify consumers of their willingness to be responsive to such requests. Involving third parties could undermine the purpose of this provision, by causing the sharing, or appearance of sharing, of information for which individuals are seeking extra protection.

Comment: One commenter said that any agreement regarding patient-requested restrictions should be in writing before a covered provider would be held to standards for compliance.

Response: We agree that agreed to restrictions must be documented in writing, and we require that covered entities that agree to restrictions document those restrictions in accordance with § 164.530(j). The writing need not be formal; a notation in the medical record will suffice. We disagree with the request that an agreed to restriction be reduced to writing in order to be enforced. If we adopted the requested policy, a covered entity could agree to a restriction with an individual, but avoid being held to this agreed to restriction under the rule by failing to document the restriction. This would give a covered entity the opportunity to agree to a restriction and then, at its sole discretion, determine if it is enforceable by deciding whether or not to make a note of the restriction in the record about the individual. Because the covered entity has the ability to agree or fail to agree to a restriction, we believe that once the restriction is agreed to, the covered entity must honor the agreement. Any other result would be deceptive to the individual and could lead an individual to disclose health information under the assumption that the uses and disclosures will be restricted. Under § 164.522, a covered entity could be found to be in violation of the rule if it fails to put an agreed-upon restriction in writing and also if it uses or discloses protected health information inconsistent with the restriction.

Comment: Some commenters said that the right to request restrictions should be extended to some of the uses and disclosures permitted without authorization in § 164.510 of the NPRM, such as disclosures to next of kin, for judicial and administrative proceedings, for law enforcement, and for governmental health data systems. Other commenters said that these uses and disclosures should be preserved without an opportunity for individuals to opt out.

Response: We have not extended the right to request restrictions under this rule to disclosures permitted in § 164.512 of the final rule. However, we do not preempt other law that would enforce such agreed-upon restrictions. As discussed in more detail, above, we have extended the right to request restrictions to disclosures to persons assisting in the individual's care, such as next of kin, under § 164.510(b). Any restriction that a covered entity agrees to with respect to persons assisting in the individual's care in accordance with the rule will be enforceable under the rule.

Comment: A few commenters raised the question of the effect of a restriction agreed to by one covered entity that is part of a larger covered entity, particularly a hospital. Commenters were also concerned about who may speak on behalf of the covered entity.

Response: All covered entities are required to establish policies and procedures for providing individuals the right to request restrictions, including policies for who may agree to such restrictions on the covered entity's behalf. Hospitals and other large entities that are concerned about employees agreeing to restrictions on behalf of the organization will have to make sure that their policies are communicated appropriately to those employees. The circumstances under which members of a covered entity's workforce can bind the covered entity are a function of other law, not of this regulation.

Comment: Commenters expressed confusion about the intended effect of any agreed-upon restrictions on downstream covered entities. They asserted that it would be extremely difficult for a requested restriction to be followed through the health care system and that it would be unfair to hold covered entities to a restriction when they did not agree to such restriction. Specifically, commenters asked whether a covered provider that receives protected health information in compliance with this rule from a physician or medical group that has agreed to limit certain uses of the information must comply with the original restriction. Other commenters expressed concern that not applying a restriction to downstream covered entities is a loophole and that all downstream covered providers and health plans should be bound by the restrictions.

Response: Under the final rule, a restriction that is agreed to between an individual and a covered entity is only binding on the covered entity that agreed to the restriction and not on downstream entities. It would also be binding on any business associate of the covered entity since a business associate can not use or disclose protected health information in any manner that a covered entity would not be permitted to use or disclose such information. We realize that this may limit the ability of an individual to successfully restrict a use or disclosure under all circumstances, but we take this approach for two reasons. First, we allow covered entities to refuse individuals' requests for restrictions. Requiring downstream covered entities to abide by a restriction would be tantamount to forcing them to agree to a request to which they otherwise may not have agreed. Second, some covered entities have information systems which will allow them to accommodate such requests, while others do not. If the downstream provider is in the latter category, the administrative burden of such a requirement would be unmanageable.

We encourage covered entities to explain this limitation to individuals when they agree to restrictions, so individuals will understand that they need to ask all their health plans and providers for desired restrictions. We also require a covered entity that discloses protected health information to a health care provider for emergency treatment, in accordance with § 164.522(a)(iii), to request that the recipient not further use or disclose the information.

Comment: One commenter requested that agreed-to restrictions of a covered entity not be applied to business associates.

Response: As stated in § 164.504(e)(2), business associates are acting on behalf of, or performing services for, the covered entity and may not, with two narrow exceptions, use or disclose protected health information in a manner that would violate this rule if done by the covered entity. Business associates are agents of the covered entity with respect to protected health information they obtain through the business relationship. If the covered entity agrees to a restriction and, therefore, is bound to such restriction, the business associate will also be required to comply with the restriction. If the covered entity has agreed to a restriction, the satisfactory assurances from the business associate, as required in § 164.504(e), must include assurances that protected health information will not be used or disclosed in violation of an agreed to restriction.

Comment: One commenter requested clarification that the right to request restrictions cannot be used to restrict the creation of de-identified information.

Response: We found no reason to treat the use of protected health information to create de-identified information different from other uses of protected health information. The right to request restriction applies to any use or disclosure of protected health information to carry out treatment, payment, or health care operations. If the covered entity uses protected health information to create de-identified information, the covered entity need not agree to a restriction of this use.

Comment: Some commenters stated that individuals should be given a true right to restrict uses and disclosures of protected health information in certain defined circumstances (such as for sensitive information) rather than a right to request restrictions.

Response: We are concerned that a right to restrict could create conflicts with the professional ethical obligations of providers and others. We believe it is better policy to allow covered entities to refuse to honor restrictions that they believe are not appropriate and leave the individual with the option of seeking service from a different covered entity. In addition, many covered entities have information systems that would make it difficult or impossible to accommodate certain restrictions.

Comment: Some commenters requested that self-pay patients have additional rights to restrict protected health information. Others believed that this policy would result in de facto discrimination against those patients that could not afford to pay out-of-pocket.

Response: Under the final rule, the decision whether to tie an agreement to restrict to the way the individual pays for services is left to each covered entity. We have not provided self-pay patients with any special rights under the rule.

Comment: Some commenters suggested that we require restrictions to be clearly noted so that insurers and other providers would be aware that they were not being provided with complete information.

Response: Under the final rule, we do not require or prohibit a covered entity to note the existence of an omission of information. We encourage covered entities to inform others of the existence of a restriction, in accordance with professional practice and ethics, when appropriate to do so. In deciding whether or not to disclose the existence of a restriction, we encourage the covered entity to carefully consider whether disclosing the existence is tantamount to disclosure of the restricted protected health information so as to not violate the agreed to restriction.

Comment: A few commenters said that covered entities should have the right to modify or revoke an agreement to restrict use or disclosure of protected health information.

Response: We agree that, as circumstances change, covered entities should be able to revisit restrictions to which they had previously agreed. At the same time, individuals should be able to rely on agreements to restrict the use or disclosure of information that they believe is particularly sensitive. If a covered entity would like to revoke or modify an agreed-upon restriction, the covered entity must renegotiate the agreement with the individual. If the individual agrees to modify or terminate the restriction, the covered entity must get written agreement from the individual or must document the oral agreement. If the individual does not agree to terminate or modify the restriction, the covered entity must inform the individual that it is modifying or terminating its agreement to the restriction and any modification or termination would apply only with respect to protected health information created or received after the covered entity informed the individual of the termination. Any protected health information created or received during the time between when the restriction was agreed to and when the covered entity informed the individual of such modification or termination remains subject to the restriction.

Comment: Many commenters advocated for stronger rights to request restrictions, particularly that victims of domestic violence should have an absolute right to restrict disclosure of information.

Response: We address restrictions for disclosures in two different ways, the right to request restrictions (§ 164.522(a)) and confidential communications (§ 164.522(b)). We have provided all individuals with a right to request restrictions on uses or disclosures of treatment, payment, and health care operations. This is not an absolute right to restrict. Covered entities are not required to agree to requested restrictions; however, if they do, the rule would require them to act in accordance with the restrictions. (See the preamble regarding § 164.522 for a more comprehensive discussion of the right to request restrictions.)

In the final rule, we create a new provision that provides individuals with a right to confidential communications, in response to these comments. This provision grants individuals a right to restrict disclosures of information related to communications made by a covered entity to the individual, by allowing the individual to request that such communications be made to the person at an alternative location or by an alternative means. For example, a woman who lives with an abusive man and is concerned that his knowledge of her health care treatment may lead to additional abuse can request that any mail from the provider be sent to a friend's home or that telephone calls by a covered provider be made to her at work. Other reasonable accommodations may be requested as well, such as requesting that a covered provider never contact the individual by phone, but only contact her by electronic mail. A provider must accommodate an individual's request for confidential communications, under this section, without requiring an explanation as to the reason for the request as a condition of accommodating the request. The individual does not need to be in an abusive situation to make such requests of a covered provider. The only conditions that a covered provider may place on an individual are that the request be reasonable with respect to the administrative burden on the provider, that the request be in writing, that the request specify an alternative address or other method of contact, and that (where relevant) the individual provide information about how payment will be handled. What is reasonable may vary by the size or type of covered entity; however, additional modest cost to the provider would not be unreasonable.

An individual also has a right to restrict communications from a health plan. The right is the same as with covered providers except it is limited to cases where the disclosure of information could endanger the individual. A health plan may require an individual to state this fact as a condition of accommodating the individual's request for confidential communications. This would provide victims of domestic violence the right to control such disclosures.

Comment: Commenters opposed the provision of the NPRM (§ 164.506(c)(1)(ii)(B)) stating that an individual's right to request restrictions on use or disclosure of protected health information would not apply in emergency situations as set forth in proposed § 164.510(k). Commenters asserted that victims who have been harmed by violence may first turn to emergency services for help and that, in such situations, the victim should be able to request that the perpetrator not be told of his or her condition or whereabouts.

Response: We agree with some of the commenters' concerns. In the final rule, the right to request restrictions is available to all individuals regardless of the circumstance or the setting in which the individual is obtaining care. For example, an individual that seeks care in an emergency room has the same right to request a restriction as an individual seeking care in the office of a covered physician.

However, we continue to permit a covered entity to disclose protected health information to a health care provider in an emergency treatment situation if the restricted protected health information is needed to provide the emergency treatment or if the disclosure is necessary to avoid serious and imminent threats to public health and safety. Although we understand the concern of the commenters, we believe that these exceptions are limited and will not cause a covered entity to disclose information to a perpetrator of a crime. We are concerned that a covered provider would be required to delay necessary care if a covered entity had to determine if a restriction exists at the time of such emergency. Even if a covered entity knew that there was a restriction, we permitted this limited exception for emergency situations because, as we had stated in the preamble for § 164.506 of the NPRM, an emergency situation may not provide sufficient opportunity for a patient and health care provider to discuss the potential implications of restricting use and disclosure of protected health information on that emergency. We also believe that the importance of avoiding serious and imminent threats to health and safety and the ethical and legal obligations of covered health care providers to make disclosures for these purposes are so significant that it is not appropriate to apply the right to request restrictions on such disclosures.

We note that we have included other provisions in the final rule intended to avoid or minimize harm to victims of domestic violence. Specifically, we include provisions in the final rule that allow individuals to opt out of certain types of disclosures and require covered entities to use professional judgment to determine whether disclosure of protected health information is in a patient's best interest (see § 164.510(a) on use and disclosure for facility directories and § 164.510(b) on uses and disclosures for assisting in an individual's care and notification purposes). Although an agreed to restriction under § 164.522 would apply to uses and disclosures for assisting in an individual's care, the opt out provision in § 164.510(b) can be more helpful to a person who is a victim of domestic violence because the individual can opt out of such disclosure without obtaining the agreement of the covered provider. We permit a covered entity to elect not to treat a person as a personal representative (see § 164.502(g)) or to deny access to a personal representative (see § 164.524(a)(3)(iii)) where there are concerns related to abuse. We also include a new § 164.512(c) which recognizes the unique circumstances surrounding disclosure of protected health information about victims of abuse, neglect, and domestic violence.