HIPAAdvisor: Q & A with Steve Fox, Esq.
Can an Individual Ensure Against Unwanted PHI Uses?
QUESTION: Please explain a patient's rights under HIPAA
to prohibit covered entities from making unwanted use or disclosure
of their protected health information (PHI). If patients have the
unilateral right to control the manner and purpose for which their
PHI is used or disclosed, what will prevent covered entities from
having as many different use and disclosure policies as they have
patients?
ANSWER: Covered entities are not required to tailor their
use or disclosure of PHI according to an individual patient's preference.
Although individuals have the right to request restrictions on use
and disclosure of their PHI, this right isn't without limitation.
Under HIPAA, individuals may request restrictions on treatment,
payment, or health care related uses and disclosures of their PHI;
however, a covered entity is not required to comply with these requests
unless it explicitly agrees to do so. In all but the most unusual
cases, it is likely that a covered entity will not choose to comply
with individual requests for restrictions. Rather, it will direct
patients to its Notice of Privacy Practices for an explanation of
how PHI will be utilized.
Even if a covered entity elects to agree upon a patient-specific
limitation on its use of PHI, there are exceptions to the efficacy
of any agreed-upon restriction. Such restrictions are ineffective to prevent:
- government disclosures required for compliance determinations,
- uses and disclosures for facility directories, and
- uses and disclosures for which consent, individual authorization,
or an opportunity to agree or object are not required.
Covered entities are permitted to agree to restrictions related
to these uses and disclosures, but if they do so, the restrictions
will not be enforceable under the Privacy Rule (the "Rule").
For example, a provider who makes a disclosure related to serious
and imminent threats will not be in violation of the Rule even if
disclosure is contrary to a restriction agreed to by the provider.
Moreover, in emergency treatment situations where there is insufficient
time to secure permission, covered entities may make otherwise restricted
uses or disclosures of PHI as necessary to provide treatment.
Additionally, covered entities may terminate any agreed-upon restriction
with or without the individual's consent. A termination made
without consent is effective only for PHI created or
received after the individual is informed of the termination. Any
information collected before the restriction was terminated may
not be used or disclosed in a way that is inconsistent with the
restriction, but any information that is collected after informing
the individual of the termination of the restriction may be used
or disclosed as otherwise permitted under the Rule.
In order to ensure that restrictions do not interfere with the
delivery of care, the need to access PHI for treatment purposes
should be taken into account when considering an individual's requested
restriction. Covered entities should never bind themselves to restrictions
that could potentially interfere with patient care.
Steve Fox, Esq., is a partner in the Washington, D.C.
office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm
with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is
a frequent writer and speaker on healthcare information management and technology
issues. www.pepperlaw.com/
This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper
Hamilton.
Disclaimer: Steve's responses offer information that is general in nature and
should not be relied upon as legal advice. Only your attorney is qualified to
evaluate your specific situation and provide you with customized advice.
Have a question you'd like Steve to discuss in HIPAAlert? Send it to
and he'll be glad to consider using it in a future column, with or without attribution.