Explosive growth in digital health over the last few years means there are many developers and managers who haven’t worked under HIPAA before. This guide is written for startups (and small businesses operating online) that could use some help with the basics of HIPAA compliance.
(1) Standard: Right of an individual to request restriction of uses and disclosures.
(i) A covered entity must permit an individual to request that the covered entity restrict:
(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and
(B) Disclosures permitted under § 164.510(b).
(ii) Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction.
(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.
(iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.
(v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under § 164.502(a)(2)(ii), 164.510(a) or 164.512.
(vi) A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:
(A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
(B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.
(2) Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if:
(i) The individual agrees to or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented; or
(iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is:
(A) Not effective for protected health information restricted under paragraph (a)(1)(vi) of this section; and
(B) Only effective with respect to protected health information created or received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity must document a restriction in accordance with § 160.530(j) of this subchapter.
(1) Standard: Confidential communications requirements.
(i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.
(2) Implementation specifications: Conditions on providing confidential communications.
(i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.
(ii) A covered entity may condition the provision of a reasonable accommodation on:
(A) When appropriate, information as to how payment, if any, will be handled; and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.
[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53271, Aug. 14, 2002; 78 FR 5701, Jan. 25, 2013]