Restriction Requests Policy

DRAFT
Version 3: 9/18/14
Based on HIPAA Privacy Rule; 1/25/14 HIPAA Omnibus Rule
HIPAA COW
PRIVACY NETWORKING GROUP
INDIVIDUAL RIGHT TO REQUEST RESTRICTIONS ON HOW PROTECTED
HEALTH INFORMATION IS USED/DISCLOSED FOR TREATMENT, PAYMENT,
AND HEALTHCARE OPERATIONS
Disclaimer:
This Individual Right to Request Restrictions Policy is Copyright by the HIPAA
Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety
provided that this copyright notice is not removed. When information from this document is
used, HIPAA COW shall be referenced as a resource. It may not be sold for profit or used in
commercial documents without the written permission of the copyright holder. This Individual
Right to Request Restrictions Policy is provided “as is” without any express or implied
warranty. This Individual Right to Request Restrictions Policy is for educational purposes only
and does not constitute legal advice. If you require legal advice, you should consult with an
attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues
related to this Individual Right to Request Restrictions Policy. Therefore, this document may
need to be modified in order to comply with Wisconsin/State law.
****
Policy:
It is the policy of [PROVIDER/PLAN] to honor an individual’s right to request restrictions on
how his or her protected health information (PHI) is used and/or disclosed for the purposes of
treatment, payment, and/or healthcare operations and for disclosures permitted under 45 CFR
164.510(b).
State Preemption Issues:
HIPAA requires a covered entity to permit an individual to request that the covered entity
restrict the use or disclosure of protected health information (PHI) of the individual. See 45
CFR 164.522. The covered entity must comply with the requested restriction if:
• Except as otherwise required by law, the disclosure is to a health plan for purposes of
carrying out payment or health care operations (and is not for purposes of carrying out
treatment); and
• The PHI pertains solely to a health care item or service for which the individual or person
other than the health plan on behalf of the individual has paid the covered entity in full.
Wisconsin Statutes 146.82(2)(a) 3 states the following:
Notwithstanding sub. (1), patient health care records shall be released upon request without
informed consent in the following circumstances:
• To the extent that the records are needed for billing, collection or payment of claims.
2013 Wis. Act 238 (Mental Health Care Coordination Bill, a/k/a HIPAA Harmonization),
which created Wis. Stat. 146.816, aligned the Wisconsin patient health care records and mental
health treatment records laws found at Wis. Stat. 146.82 and 51.30 with HIPAA requirements
for uses and disclosures regarding treatment, payment or health care operations.
© Copyright HIPAA COW
Preemption Analysis Conclusion:
Because of the new Wisconsin law under 2013 Wis. Act 238 and because HIPAA
provides greater rights of protection to individuals, the HIPAA Rule requesting
restriction of disclosure of self-pay services to a health plan prevails.
NOTE: Although not required by law, some organizations may wish to implement a formal
denial process. The final rule requires all covered entities to permit individuals to make the
request but does not require a covered entity to agree to a restriction.
Attachments to Policy:
• Attachment A: Sample Request for Restrictions
• Attachment B: Sample Letter of Approval for Request for Restrictions
• Attachment C: Sample Letter of Denial for Request for Restrictions
Procedures:
General:
1. The [PROVIDER/PLAN] will inform individuals of their right to request restrictions on
how their PHI is used and/or disclosed for treatment, payment, and healthcare operations
in their published “Notice of Privacy Practices.”
2. The individual has the right to request restrictions. [PROVIDER/PLAN] may require the
request to be in writing (Attachment A). [PROVIDER/PLAN]’s Privacy Officer (or
designee) reviews each request and makes a determination of final actions.
3. [PROVIDER/PLAN] may approve an individual’s request to restrict disclosure of PHI
about the individual for purposes of treatment, payment or health care operations,
disclosure to persons involved in the individual’s health care, or disclosure to notify
family members or others about the individual’s general condition, location or death. 1
Except in cases of treatment in an emergency situation or as otherwise noted herein,
[PROVIDER/PLAN] is not required to agree to the restriction request.
When a Request for Restriction(s) Is Accepted:
1. [PROVIDER] 2 must 3 approve an individual’s request to restrict disclosure of PHI about
the individual to a health plan (or the health plan’s business associate) 4 if:
A. The disclosure is for the purpose of carrying out payment or health care
operations and is not otherwise required by law 5; and
B. The PHI pertains solely to a health care item or service for which the
individual (or a person other than the health plan on behalf of the individual) has
paid the [PROVIDER] in full (“Out-of-Pocket Restrictions”). 6
2. [PROVIDER] will notify the individual of the approval of the request to restrict a
disclosure to the health plan. (See Attachment B for sample letter).
3. [PROVIDER/PLAN] will inform the individual of any potential consequences of the
restriction (e.g., with regard to Out-of-Pocket restrictions, the ability of [PROVIDER] to
unbundle the items or services and the impact of doing so, the individual’s obligation to
notify downstream providers, the individual’s obligation to request restrictions regarding
follow-up care, and whether the individual will need to use an out-of-network provider in
order to restrict the disclosure of PHI to a health maintenance organization).
4. [PROVIDER/PLAN] will inform the individual that the [PROVIDER/PLAN] will
comply with the agreed restriction with the following exceptions:
A. In emergency treatment situations when [PROVIDER] may use or disclose
information to a health care provider for providing treatment. [PROVIDER] will
request the emergency treatment provider not further use or disclose the
information.
B. The restrictions are terminated by either [PROVIDER/PLAN] or the individual.
C. To the extent applicable, if restrictions prevent uses or disclosures permitted
or required under 164.502(a)(2)(ii), 164.510(a) or 164.512.
5. If the agreed upon restriction hampers treatment, the [PROVIDER] may ask the
individual to modify or revoke the restriction. [PROVIDER] may require written
agreement to the modification/revocation or document the individual’s oral agreement.
6. A notice of restriction will be made in writing in the individual’s record and/or
identified in an appropriate field in the computerized information system.
7. [PROVIDER/PLAN] will notify separately any other departments to which the
restriction may apply (e.g., marketing, public relations, administration, foundation, etc.)
and if necessary, ensure that the individual’s name is removed from all applicable
mailing lists.
8. As appropriate, [PROVIDER] will notify separately any other business associates to
which the restriction may apply. However, [PROVIDER] is not required to notify all
downstream entities of an individual’s Out-of-Pocket restriction.
1
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
2
In the preamble to the Omnibus Rule, the Department of Health and Human Services clarified that this provision
regarding requests to restrict disclosures relating to items or services paid for in full by an individual (or someone
other than a health plan on the individual’s behalf) applies only to covered health care providers. See 78 Fed. Reg.
at 5630 (Jan. 25, 2013).
3
Effective February 18, 2010, the American Recovery and Reinvestment Act (ARRA) allowed an individual the
right to request that a healthcare provider must comply with the individual’s request for restriction of disclosure to a
Health plan for purposes of payment or healthcare operations when the PHI pertains to a service for which the
healthcare provider has been paid in full by the individual “out of pocket.” The permissive nature of this ARRA
restriction request was modified to a mandated restriction (when requested by the individual) in the Omnibus Rule.
4
Note: This restriction does not apply to [PROVIDER/PLAN]’s disclosure to [PROVIDER/PLAN]’s business
associate(s) for [PROVIDER/PLAN]’s own purposes.
5
“Required by law” is defined in 45 CFR § 164.103, but “required by law” also includes: (i) Medicare Conditions of
Participation; (ii) other statutes that require the production of information if payment is sought under a government
program providing public benefits; (iii) state or other law requiring a provider to submit a claim to a health plan and
there is no exception/procedure for individuals wishing to pay out-of-pocket in full for the service. However, when a
Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for services paid for out-of-pocket
in full (i.e., the beneficiary refuses to authorize the submission of a bill to Medicare for the service), the
provider must restrict the disclosure of PHI regarding the service.
6
[PROVIDER/PLAN] may choose to require payment in full at the time of the request for a restriction or at the time
of precertification.
9. [PROVIDER/PLAN] will not use or disclose PHI inconsistent with the agreed
restriction, nor will its business associates until the restriction is terminated either by
[PROVIDER/PLAN], as applicable, or the individual. 7
10. With regard to Out-of-Pocket restrictions, [PROVIDER] will flag or make a notation in
the record with respect to restricted PHI to ensure such information is not inadvertently
sent to or made accessible to the restricted health plan (or the health plan’s business
associates) for any payment or health care operations purposes (including health plan
audits).
11. [PROVIDER/PLAN] will restrict use and/or disclosure of PHI consistent with the status
of the restriction in effect on the date it is used or disclosed.
When a Request for Restriction Is Denied:
1. If the request for restriction is denied, [PROVIDER/PLAN] notifies the individual. (See
Attachment C for a sample letter.)
Termination:
1. The individual agrees to or requests the termination in writing.
2. If the [PROVIDER/PLAN] wants to terminate the agreement, the individual must agree
to the termination in writing or an oral agreement must be documented in accordance
with 164.530(j). The [PROVIDER/PLAN] notifies the individual that the termination will
be effective with respect to only that PHI created or received after the individual was
notified by [PROVIDER/PLAN].
Record Retention:
1. All documentation associated with this procedure will be maintained in writing or in
electronic format for at least six (6) years from the date of its creation or the date when it
was last in effect, whichever is later, or for a longer period if required by state law.
7
[PROVIDER/PLAN] may not terminate an Out-of-Pocket request unless the individual does not pay out-of-pocket
for the relevant item or service. In situations in which an individual has a restriction in place with respect to a health
care item or service but does not pay out-of-pocket and who requests a restriction regarding follow-up treatment, if
the PROVIDER/PLAN needs to include PHI that was previously restricted in the bill in order to have the service
deemed medically necessary or appropriate, PROVIDER/PLAN is permitted, without the individual's authorization,
to disclose such information consistent with PROVIDER/PLAN's minimum necessary policies and procedures.
Version History:
Current Version: 9/18/14
Prepared by:
• Jodie Swoboda, Marshfield Clinic
• Barbara Zabawa, Center for Health Law Equity, LLC, WPS Health Insurance
• Jennifer Rust Anderson, Group Health Cooperative of Eau Claire
• Dawn Paulson, UW Health
• Meghan O’Connor, von Briesen & Roper, s.c.
• Wendy Ostrander, Beaver Dam Community Health
• Cathy Hansen, St. Croix Regional Medical Center
Reviewed by:
• Privacy Networking Group
Content Changed:
Review and revision to address updates due to HIPAA Omnibus Rule.
Previous Version: January 2010
Prepared by:
• Nancy Davis, Ministry Health Care
• Chrisann Lemery, WEA Trust
Reviewed by:
• Privacy Networking Group
Original Version: February 2003
Prepared by:
• Gale Coleman, Elder Care of Dane County
• Nancy Davis, Ministry Health Care
Reviewed by:
• Privacy Networking Group
ATTACHMENT A
SAMPLE REQUEST FOR RESTRICTIONS ON USE/DISCLOSURE OF PHI FOR
TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
Name of Individual:
Date of Birth:
Address:
Telephone: (H)
(W)
ID # of Individual: _____________
I am requesting a restriction on the use/disclosure of my health information in the manner
described below. I understand that [PROVIDER] may deny this request for any reason. If my request
is approved, I understand that the restriction will not apply in case of an emergency.
☐ The restrictions I am requesting are from visits/encounters that were paid for by me out of pocket.
Description of Specific Health Information to be Restricted:
Persons/Organizations Restricted from Use/Disclosure:
Signature of Individual:
Date:
Name of Personal Representative (if applicable):
Signature of Personal Representative:
Date:
Relationship to Individual:
When complete, forward to Privacy Officer/designee for determination.
*****************************************************************************
Date Request Reviewed:
Position Titles of Reviewers:
Request is: ☐ Approved ☐ Denied
Reason for Denial:
Final Action Taken:
Privacy Officer’s/Designee’s Signature:
Date:
ATTACHMENT B
Sample Letter of Approval for Request for Restrictions
Dear ________:
On (DATE), you submitted the following request for restrictions to the use/disclosure of your
protected health information for the purposes of treatment, payment and health care operations.
The Privacy Officer/designee has reviewed your request and it has been approved with the
following exceptions (AND MODIFICATIONS):
1. In emergency treatment situations we may use or disclose information to a health care
provider for providing treatment. We will request the emergency treatment provider not
further use or disclose the information.
2. The restrictions are terminated by either you or by us.
**You should note that if your request for restriction relates to an item or service that you or
someone on your behalf (other than a health plan) has paid in full, you must notify other
providers of this restriction request, as well as renew this request if you require any follow-up
care. 8
(ADD IN ANY MODIFICATIONS)
If you agree to the above modifications to your request, please forward written approval to me
within five business days or call me at ________.
Finally, while we are approving your request, the following is a potential consequence(s) of the
restriction.
________.
If you have questions about this correspondence or wish to terminate the restriction, please
contact me at ________.
Sincerely,
Privacy Officer/Designee
8
HMO providers that are prohibited by law from accepting payment from an individual above the individual’s
cost-sharing amount may want to include information in the approval of request for restrictions that the individual
will have to use an out-of-network provider for the health care item or service in order to restrict the disclosure of
PHI to the HMO for the health care. See 78 Fed. Reg. at 5629 (Jan. 25, 2013).
ATTACHMENT C
Sample Letter of Denial for Request for Restrictions
Dear ________:
On (DATE), you submitted the following request for restrictions to the use/disclosure of your
protected health information for the purposes of treatment, payment and health care operations.
________.
Each request is reviewed subject to the limitations outlined in HIPAA Federal Standards for
Privacy of Individually Identifiable Health Information (45 CFR Parts 160 & 164).
The Privacy Officer/designee has reviewed your request and it has been denied for the following
reason(s):
If you would like to discuss your privacy concerns, please contact me at ________.
Sincerely,
Privacy Officer/Designee