To identify patient rights regarding restrictions on uses and disclosures of Protected Health Information.
- OSU must permit an individual to request that the covered entity restrict: §164.522(a)(1)(i)
- Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and §164.522(a)(1)(i)(A)
- Disclosures permitted under § 164.510(b). §164.522(a)(1)(i)(B)
- Except as provided in paragraph (6) of this policy, OSU not required to agree to a restriction. §164.522(a)(1)(ii)
- If OSU agrees to a restriction under paragraph (1) of this policy, then OSU may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, OSU may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual. §164.522(a)(1)(iii)
- If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (3) of this policy, OSU must request that such health care provider not further use or disclose the information. §164.522(a)(1)(iv)
- A restriction agreed to by OSU under this policy, is not effective under the Privacy Rule to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(ii), 164.510(a) or 164.512. §164.522(a)(1)(v)
- OSU must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if: §164.522(a)(1)(vi)
- The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and §164.522(a)(1)(vi)(A)
- The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full. §164.522(a)(1)(vi)(B)
- If an individual requests a restriction, it has to be a valid restriction under this policy, and any other requirements that this policy references.
- All such restrictions will be documented in the individuals Medical Record.
- All restrictions, except those mentioned in paragraph 6 of this policy do not have to be agreed to by OSU.
- The Faculty or Staff member’s best judgment shall be used when determining to agree to such a restriction. The HIPAA Compliance Office will be available to help determine if or when OSU needs to agree or not agree to a restriction.
- Under paragraph 6, if the individual wishes to restrict disclosure to their health plan,
- OSU must accept and agree to that disclosure provided that:
- Payment is made in full at time of rendered service;
- No discounts are to be made for payment in full.
- Requested restriction does not violate any other requirement or law.
- Only the individuals physician can agree to such a request
- The physician shall inform appropriate staff of such restriction immediately upon payment in full.
- Please note, if the patient does not request such a restriction, and the patient pays in full, we do not consider that a restriction. The patient or individual has to request the restriction either in writing or verbally on the date of the encounter before leaving the clinic.
- The billing office shall not bill the individuals insurance if the individual paid the full amount of the encounter in question.
- If the billing office does bill the individual’s insurance, with a documented request on file, and the individual did pay in full, this shall be considered an inappropriate disclosure and the breach notification rules will need to be addressed.
- All items documented in the individuals Medical Record that pertain to the restricted encounter shall not be released, used or disclosed in any way that would violate such restriction.
- If the individual’s health plan requests records for the individual, OSU shall not send the restricted records. OSU staff or Agents need to look for any such restriction before sending records.
To identify reasonable secure or confidential methods of communicating with individuals
- OSU must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from their OSU provider by alternative means or at alternative locations. §164.522(b)(1)(i)
- Conditions on Providing Confidential Communications – §164.522(b)(2)
- OSU may require the individual to make a request for a confidential communication described in paragraph (1) of this policy in writing. §164.522(b)(2)(i)
- OSU may condition the provision of a reasonable accommodation on: §164.522(b)(2)(ii)
- When appropriate, information as to how payment, if any, will be handled; and §164.522(b)(2)(ii)(A)
- Specification of an alternative address or other method of contact. §164.522(b)(2)(ii)(B)
- OSU may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. §164.522(b)(2)(iii)
- A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual. §164.522(b)(2)(iv)
- OSU has the ability to communicate with patients via the following methods:
- Standard Mail
- Unless requested by the individual, the default method of communication shall be by telephone. OSU shall still communicate via the other methods when appropriate, unless the individual requests otherwise.
- Patient Financial Account statements shall always be sent via Standard First Class Mail. The individual does not have an option on how to receive such statements.
- If an individual requests communication via Fax, the OSU agent shall:
- Verify the fax number;
- Verify the requestor’s identity;
- Use a fax cover sheet with a valid disclaimer. A template of a fax cover sheet may be found on the OSU HIPAA website.
- If an individual requests that communication be via email only, OSU has two options:
- By default, any protected health information sent in email will automatically be encrypted using OSU’s email encryption software.
- The individual may request to have their protected health information sent unencrypted\unsecurely.
- If the individual requests the unsecure method, the OSU Agent shall document in the individual’s Medical Record in a conspicuous place, an account note, or patient communication section of the Record of such request.
- To send the unencrypted email, the OSU agent just needs to send the email just like any other regular, non-encrypted email. The encryption software should detect any protected health information and then send an email to the sender/OSU agent asking to either send unencrypted or encrypted or not at all. The OSU agent needs to select send unencrypted.