Under HIPAA’s Privacy Rule, individuals may request additional restrictions on uses and disclosures of their protected health information. However, covered entities are not bound to agree to any restriction.
If the restriction is accepted, covered entities must abide by it except in emergency situations where a use or disclosure is necessary to provide treatment, and those to whom the restricted information is disclosed must be asked not to redisclose it.
Note that such restrictions do not apply to the broad “fourth class” of uses and disclosures for which no consent, authorization, or opportunity to agree or object is required. These uses and disclosures include:
* Public health
* Neglect or domestic violence reporting
* Health oversight
* Judicial or administrative proceedings
* Law enforcement
* Research under Privacy Board or IRB waiver
* Immediate threats to public safety
* National security
* Government functions
* Uses and disclosures otherwise required by law.
A covered entity may terminate its agreement to a restriction if:
* the individual agrees to or requests the termination in writing;
* the individual requests such a termination orally (the oral declaration must still be documented); or
* the covered entity informs the individual that it is terminating its agreement to a restriction. Here, the termination is only effective for protected health information created or received after the individual has been informed.