May 2013 Volume 9 Number 9

The Right to Obtain Restrictions Under the HIPAA/HITECH Rule:
A Return to the Ethical Practice of Medicine

By Jim Pyles, Powers, Pyles, Sutter & Verville, P.C., Washington, D.C.

The Individual’s Right to Restrict Disclosure of Health Information

The HIPAA/HITECH Final Omnibus Rule issued on January 25, 2013 restores the right for Americans to retain some control over the disclosure of their health information as part of the “floor” of federal privacy protections afforded by HIPAA.1 Under the new rule, individuals have a right to obtain restrictions on the disclosure of health information in electronic or any other form to a health plan for payment or healthcare operations with respect to specific items and services for which the individual has paid the covered entity out of pocket in full.2 Such requests for restrictions must be granted by the covered entity unless disclosure is required by law. Covered entities must also include this right in their notices of privacy practices.3 The guidance in the preamble states that only healthcare providers are required to include such a statement in their notices of privacy practices; however, the language of the statute and the regulation itself states that the notice requirement applies to covered entities.4 The new rule became effective March 26, and covered entities must be in compliance by no later than September 23, 2013.5

Covered entities are not required by this rule to maintain separate health records or segregate restricted health information, but they must “employ some method to flag or make a notation in the record” that disclosure of certain information has been restricted.6 Providers are not required to alert downstream providers that the disclosure of certain information is restricted, but they are “permitted and encouraged” to assist individuals in alerting downstream providers of the individual’s desire to restrict the disclosure of certain information.7 Disclosures to Medicare for survey and payment purposes continue to be permitted, but Medicare beneficiaries will have a right to restrict disclosures if they elect not to file a claim with Medicare and pay for covered services out of pocket. Individuals must request additional restrictions and pay out of pocket if they wish to restrict the disclosure of information about follow-up care.8 Where a number of health services are paid for as part of a bundled payment, the individual still has the right to pay privately for certain services and obtain restrictions, and providers must do their best to unbundle the services to permit the private payment of specific items and services. If the services cannot be unbundled, then the individual must be given the opportunity to pay privately and obtain restrictions on the entire bundle of services. Providers operating in an HMO may have to provide services out of network in order to permit individuals to pay privately and obtain restrictions. Individuals have the right to obtain restrictions on the disclosure of services even if the payment is by a family member or other person or from a health savings account (“HSA”) or flexible spending account (“FSA”).9 Providers that disclose health information contrary to an agreement for restrictions will be in violation of the privacy rule and be subject to possible criminal and civil penalties and corrective action.

A New Rule or a Return to the Ethical Practice of Medicine?

Some commenters and provider associations raised concerns that the right to obtain restrictions on the disclosure of certain health information could delay implementation of an interoperable electronic health information system because current systems do not have the capability to track information to ensure that it remains private.10 However, the right of individuals to assert some control over the disclosure of their health information has been a core principle of the standards for the ethical practice of medicine and psychiatry for centuries, has long been recognized under Constitutional law and the common law of tort and is a “common belief” and expectation of most patients and consumers.11

Prior to the HIPAA/HITECH rule changes, the HIPAA privacy rule conferred a right on individuals to request restrictions on the disclosure of their health information but effectively eviscerated that right by also providing that “a covered entity is not required to agree to a restriction.”12 This giving with one hand while taking away with the other made somewhat more sense under the HIPAA privacy rule as originally issued by the Clinton Administration because it conformed to the traditional practice prescribed in standards of professional ethics under which an individual’s identifiable health information could not be used or disclosed for routine purposes (defined as treatment, payment and healthcare operations) without the individual’s consent.13 Thus, the rather meaningless right to request, but not obtain, restrictions applied essentially to non-routine uses and disclosures.

In August 2002, however, the Department of Health and Human Services (“HHS”) under the Bush Administration reversed the rule issued by the Clinton Administration and eliminated from the floor of federal privacy protections the individual’s right of consent for routine uses and disclosures, replacing that right with “regulatory permission” granted by HHS to use and disclose an individual’s health information for routine purposes regardless of the individual’s wishes or objections.14 HHS also confirmed that more privacy protective state laws and professional standards remain in effect.15

That policy reversal left individuals with the meaningless right to request restrictions as the principal means under the HIPAA privacy rule of protecting their right to health information privacy. It also put the “regulatory permission” of the amended HIPAA privacy rule in direct conflict with standards of professional ethics—covered entities were authorized by the privacy rule to do precisely what their standards of professional ethics prohibited them from doing. The amended HIPAA privacy rule also created strong disincentives for practitioners to incorporate standards of ethics into their privacy practices by (a) requiring practitioners to include in their notices of privacy practices the uses and disclosures permitted by the privacy rule even if they decided to adopt stronger protections,16 and (b) subjecting practitioners to criminal and civil penalties if they adopted the stronger privacy standards of their professional ethics and then were found to have violated them.17

The push to eliminate the individual’s right of consent came principally from health insurance plans while consumers, patient organizations and many practitioner groups generally supported retaining the right of consent.18 Both HHS under the Clinton Administration and the National Committee on Vital and Health Statistics concluded after extensive research that standards of professional ethics “of virtually all health professionals” require patient consent for the disclosure of an individual’s identifiable health information.19 Particularly vigorous objections to the elimination of the right of consent came from the mental health practitioner community, which pointed to HHS’s findings that each year more than two million Americans with mental illness do not obtain needed treatment “due to privacy fears.”20 Mental health practitioners had previously secured a right to contract with Medicare beneficiaries who wanted to pay privately for healthcare services and not have a claim filed with Medicare in order to protect their privacy.21 Those concerns continued to be raised with members of Congress when the HITECH Act was under consideration.22

Congress Moves to Restore Trust and Certainty

To address the concerns that the lack of a right of consent was creating a barrier to access to mental health and treatment of other stigmatizing diseases, Congress included provisions in the HITECH Act that (a) provided a right to obtain restrictions on the disclosure of health information where an individual pays out of pocket in full, and (b) required the HIT Policy Committee to make recommendations for technologies that segment and protect from disclosure “specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns.”23 The Omnibus Rule restoring a limited right to obtain restrictions implements the first Congressional mandate, but no rule has yet been issued or proposed implementing the second.

Restoring the right of individuals to control the disclosure of their personal health information also begins to realign the HIPAA/HITECH laws with the right to privacy recognized in Constitutional and tort law.24 Recent research shows that 60 percent of the public does not believe privacy laws are adequate to protect their right to privacy, and more than 80 percent of the regulated healthcare industry does not understand their obligations because of the complexity of the health privacy laws.25 Realigning the HIPAA/HITECH rules with standards of ethics, Constitutional law and prevailing tort law should restore the public’s trust that their right to health information privacy will be protected and provide the regulated industry with greater certainty about their duties in protecting that right.

As President Obama (a former constitutional law professor) stated recently:

One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.26

Nowhere is this statement more accurate than in the healthcare delivery system. Indeed, as HHS found when the HIPAA privacy rule was issued initially, “the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.”27 Accordingly, the right to pay out of pocket to protect health information privacy is a small but significant step toward restoring the ethical practice of medicine and the public trust that is the foundation of the healthcare system in America.


Notes

1. 78 Fed. Reg. at 5628 (January 25, 2013).
2. 45 C.F.R. § 164.522(a)(1)(vi).
3. 45 C.F.R. § 164.520(b)(1)(iv).
4. HITECH Act, section 13405(a); 45 C.F.R. § 164.522(a)(1)(vi) (as amended).
5. 78 Fed. Reg. at 5566.
6. 78 Fed. Reg. at 5628.
7. 78 Fed. Reg. at 5629.
8. 78 Fed. Reg. at 5630.
9. 78 Fed. Reg. at 5630.
10. 78 Fed. Reg. at 5629.
11. See HHS finding, 65 Fed. Reg. at 82,472 (December 28, 2000).
12. 45 C.F.R. § 164.522(a)(1)(ii), 65 Fed. Reg. at 82,822.
13. 45 C.F.R. § 164.506 (2000).
14. 67 Fed. Reg. at 53,210 (August 14, 2002).
15. 67 Fed. Reg. at 53,197.
16. 45 C.F.R. § 164.520(b)(1)(ii).
17. 45 C.F.R. § 164.520(b)(2).
18. 67 Fed. Reg. at 53,210.
19. 65 Fed. Reg. at 82,472; Letter from National Committee on Vital and Health Statistics to HHS Secretary Michael O. Leavitt (June 22, 2006).
20. 65 Fed. Reg. at 82,779. HHS made similar findings with respect to individuals with cancer, HIV/AIDS, sexually transmitted diseases and other stigmatizing disorders. 65 Fed. Reg. at 82,776-778.
21. See 42 U.S.C. § 1395a(b).
22. Letter from the American Psychoanalytic Association to Senators Daniel K. Inouye and Thad Cochran (Jan. 26, 2009).
23. HITECH Act, sections 13405(a); 3002(b)(2)(B). The HIT Policy Committee was established by the HITECH Act to make policy recommendations to the Secretary of HHS regarding the implementation of a nationwide electronic health information system. See HITECH Act, section 3002(a).
24. See findings to this effect (a) by HHS: “[p]rivacy is a fundamental right” protected by the Constitution, 65 Fed. Reg. at 82,464; (b) by Congress: “the right to privacy is a personal and fundamental right protected by the Constitution of the United States,” section 2, Pub. L. 93-579, the Privacy Act of 1974; (c) by federal courts: Ferguson v. City of Charleston, 532 U.S. 67 (2001); Whalen v. Roe, 429 U.S. 589 (1977); U.S. v. Scott, 424 F.3d 888 (9th Cir. 2005); Douglas v. Dobbs, 419 F.3d 1097 (10th Cir. 2005); Tucson Woman’s Clinic v. Eden, 371 F.3d 1173 (9th Cir. 2004). (See also U.S. v. Jones, 132 S. Ct. 945 (Jan. 23, 2012): a constitutional right to privacy can be recognized based on the original intent at the time the Constitution was adopted or on a “reasonable expectation” of privacy today.)
25. “The Financial Impact of Breached Protected Health Information,” American National Standards Institute, pp. 23, 37 (March 2012).
26. Statement of President Barack Obama, The White House (February 23, 2012).
27. 65 Fed. Reg. 82,467 (Dec. 28, 2000).