Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Privacy Policies & Procedures

Section 9 - Rights to Request Privacy Protection for PHI

 

Title: Right of an Individual to Request Restriction of Uses and Disclosures Policy: PRV-09.01
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.522(a)(1)
Standard: Right of an Individual to Request Restriction of Uses and Disclosures Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify patient rights regarding restrictions on uses and disclosures of Protected Health Information.

Policy
  1. OSU must permit an individual to request that the covered entity restrict:  §164.522(a)(1)(i)
    • Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and  §164.522(a)(1)(i)(A)
    • Disclosures permitted under § 164.510(b).  §164.522(a)(1)(i)(B)
  2. Except as provided in paragraph (6) of this policy, OSU not required to agree to a restriction.  §164.522(a)(1)(ii)
  3. If OSU agrees to a restriction under paragraph (1) of this policy, then OSU may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, OSU may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.  §164.522(a)(1)(iii)
  4. If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (3) of this policy, OSU must request that such health care provider not further use or disclose the information.  §164.522(a)(1)(iv)
  5. A restriction agreed to by OSU under this policy, is not effective under the Privacy Rule to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(ii), 164.510(a) or 164.512.  §164.522(a)(1)(v)
  6. OSU must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:  §164.522(a)(1)(vi)
    • The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and  §164.522(a)(1)(vi)(A)
    • The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.  §164.522(a)(1)(vi)(B)
Procedure
  1. If an individual requests a restriction, it has to be a valid restriction under this policy, and any other requirements that this policy references.
  2. All such restrictions will be documented in the individuals Medical Record.
  3. All restrictions, except those mentioned in paragraph 6 of this policy do not have to be agreed to by OSU.
  4. The Faculty or Staff member’s best judgment shall be used when determining to agree to such a restriction.  The HIPAA Compliance Office will be available to help determine if or when OSU needs to agree or not agree to a restriction.
  5. Under paragraph 6, if the individual wishes to restrict disclosure to their health plan,
    1. OSU must accept and agree to that disclosure provided that:
      • Payment is made in full at time of rendered service;
        • No discounts are to be made for payment in full.
      • Requested restriction does not violate any other requirement or law.
      • Only the individuals physician can agree to such a request
      • The physician shall inform appropriate staff of such restriction immediately upon payment in full.
        • Please note, if the patient does not request such a restriction, and the patient pays in full, we do not consider that a restriction.  The patient or individual has to request the restriction either in writing or verbally on the date of the encounter before leaving the clinic.
    2. The billing office shall not bill the individuals insurance if the individual paid the full amount of the encounter in question.
      • If the billing office does bill the individual’s insurance, with a documented request on file, and the individual did pay in full, this shall be considered an inappropriate disclosure and the breach notification rules will need to be addressed.
      • All items documented in the individuals Medical Record that pertain to the restricted encounter shall not be released, used or disclosed in any way that would violate such restriction.
      • If the individual’s health plan requests records for the individual, OSU shall not send the restricted records.  OSU staff or Agents need to look for any such restriction before sending records.

top of page top

 

Title: Terminating A Restriction & Documentation Policy: PRV-09.02
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.522(a)(2)
Standard: Right of an Individual to Request Restriction of Uses and Disclosures Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify the steps necessary to terminate a previously valid restriction.

Policy

OSU may terminate a restriction, if:  §164.522(a)(2)

  1. The individual agrees to or requests the termination in writing;  §164.522(a)(2)(i)
  2. The individual orally agrees to the termination and the oral agreement is documented; or  §164.522(a)(2)(ii)
  3. OSU informs the individual that it is terminating its agreement to a restriction, except that such termination is:  §164.522(a)(2)(iii)
    • Not effective for protected health information restricted under policy PRV-09.01 Right of an Individual to Request Restriction of Uses and Disclosures paragraph (6); and  §164.522(a)(2)(iii)(A)
    • Only effective with respect to protected health information created or received after it has so informed the individual.  §164.522(a)(2)(iii)(B)
  4. Documentation – OSU must document a restriction in accordance with §164.530(j) Documentation of the Privacy Rule.  §164.522(a)(3)
Procedure
  1. If the individual requests a termination of any previous valid restriction, OSU shall terminate the restriction either on date of notification or on date specified by individual.
  2. If the individual terminates or if OSU terminates the restriction verbally, OSU staff shall document in the individuals Medical Record of such termination.
  3. OSU cannot terminate a restriction if it was never valid to begin with.
  4. OSU will terminate a restriction if OSU learns any information provided in regards to the valid restriction was or is false or fraudulent.
  5. Any agreement to restrict or termination of restriction shall be documented in the individuals Medical Record in accordance with PRV-05.01 Documentation of Changes to Policy.

top of page top

 

Title: Confidential Communications Requirements Policy: PRV-09.03
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
164.522(b)(1)
Standard: Confidential Communications Requirements Responsibility: Health Care Components
Effective Date: 04/14/2003
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013
Purpose

To identify reasonable secure or confidential methods of communicating with individuals

Policy
  1. OSU must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from their OSU provider by alternative means or at alternative locations.  §164.522(b)(1)(i)
  2. Conditions on Providing Confidential Communications –  §164.522(b)(2)
    • OSU may require the individual to make a request for a confidential communication described in paragraph (1) of this policy in writing.  §164.522(b)(2)(i)
    • OSU may condition the provision of a reasonable accommodation on:  §164.522(b)(2)(ii)
      • When appropriate, information as to how payment, if any, will be handled; and  §164.522(b)(2)(ii)(A)
      • Specification of an alternative address or other method of contact.  §164.522(b)(2)(ii)(B)
    • OSU may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.  §164.522(b)(2)(iii)
    • A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.  §164.522(b)(2)(iv)
Procedure
  1. OSU has the ability to communicate with patients via the following methods:
    • Telephone
    • Fax
    • Email
    • Standard Mail
  2. Unless requested by the individual, the default method of communication shall be by telephone.  OSU shall still communicate via the other methods when appropriate, unless the individual requests otherwise.
    • Patient Financial Account statements shall always be sent via Standard First Class Mail.  The individual does not have an option on how to receive such statements.
  3. If an individual requests communication via Fax, the OSU agent shall:
    • Verify the fax number;
    • Verify the requestor’s identity;
    • Use a fax cover sheet with a valid disclaimer.  A template of a fax cover sheet may be found on the OSU HIPAA website.
  4. If an individual requests that communication be via email only, OSU has two options:
    • By default, any protected health information sent in email will automatically be encrypted using OSU’s email encryption software.
    • The individual may request to have their protected health information sent unencrypted\unsecurely.
      • If the individual requests the unsecure method, the OSU Agent shall document in the individual’s Medical Record in a conspicuous place, an account note, or patient communication section of the Record of such request.
      • To send the unencrypted email, the OSU agent just needs to send the email just like any other regular, non-encrypted email.  The encryption software should detect any protected health information and then send an email to the sender/OSU agent asking to either send unencrypted or encrypted or not at all.  The OSU agent needs to select send unencrypted.
Reference

§164.502(h)


top of page top

OSU-CHS on Facebook OSU-CHS on Twitter OSU Medicine on You Tube