What is 45 CFR 164.522 a?

The HIPAA Privacy Rule gives individuals the right to request restrictions on uses and disclosures of their PHI. Healthcare providers must allow individuals to request that the providers restrict specific uses and disclosures. The provider is generally not required to grant the request, but must allow it to be made. The Privacy Rule regulation that gives individuals the right to request restrictions is 45 CFR 164.522 a. 45 CFR 164.522 a is discussed in greater detail below.

What is 45 CFR 164.522 a, and Why Was it Created?

In creating 45 CFR 164.522 a, HHS reviewed survey data about what patients would do to protect themselves from unwanted PHI disclosures. In 1999, a California HealthCare Foundation survey on the topic found that one out of every six patients engaged in behavior to protect themselves from unwanted disclosures of health information. This behavior included lying to providers or avoiding seeking care altogether. HHS created 164.522 a to encourage individuals to share protected health information with their providers.

What is 45 CFR 164.522 a? What Restriction Requests are Allowed?

Under 45 CFR 164.522 a, covered entities must allow patients to request restrictions of:

  • Uses or disclosures of protected health information about the patient to carry out treatment, payment, or healthcare operations; and
  • Disclosures permitted under §164.510(b). 
    • Under 164.510(b)(1)(i), a covered entity may disclose PHI to individuals identified by a patient, including family members, other relatives, close personal friends of the individual, or any other person identified by the patient. The PHI the covered entity may disclose must be directly relevant to:
      • The individual’s involvement with the patient’s healthcare; or
      • Payment related to the patient’s healthcare.
    • Under 164.510(b)(1)(ii), a healthcare provider may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating): a family member, a personal representative of the patient, or another person responsible for the care of the individual, of the following:
      • The individual’s location; 
      • The individual’s general condition; or
      • The individual’s death.

Save for one exception, healthcare providers are not required to agree to a request for restrictions. However, if a healthcare provider does agree to restrict the use or disclosure of an individual’s protected health information, the covered entity must abide by that restriction, except in emergency circumstances when the information is required for the treatment of the individual. If restricted protected health information is disclosed to a healthcare provider for emergency treatment, the initial provider must request that the provider who receives the PHI not further use or disclose it. 

The 164.522 a exception under which a healthcare provider must agree to a request for restrictions is as follows: A provider must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan, if:

  • The disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law; and
  • The protected health information pertains solely to a healthcare item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.

The rationale for this exception is that individuals who pay for items out-of-pocket, instead of going through insurance, should have the right to keep the details of such payments private.

What is 45 CFR 164.522 a? Terminating a Restriction

A provider may terminate a restriction under several circumstances. A provider may terminate a restriction if the patient agrees to or requests the termination in writing, or if the individual orally agrees to the termination and the oral agreement is documented.