Patients have the right to request from any University Health Care Component (HCC) specific restrictions on the use or disclosure of Protected Health Information ("PHI") as requested on a "Restriction Request Form". In accordance with federal regulations, (45 CFR Section 164.522(a)), no HCC facility is required to agree to requested restrictions on the use or disclosure of PHI listed on the "Restriction Request Form."
The University’s HCC
- Request for restriction on use or disclosure of PHI
- Agreement or Denial of Request
- Termination of restriction
- Patient: any individual who has received or is receiving services from a HCC.
- Personal Representative: person with a court order appointing them as guardian or with a valid Durable Power of Attorney or an Advance Directive signed by the patient specifying the authority to review and make decisions regarding medical, psychiatric, treatment or habilitation concerns.
- PHI is defined as any information, including demographic information collected from an individual that –
- Is created or received by a healthcare provider, health plan, pharmacy, employer, or health care clearinghouse; and
- Related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and
- Identifies the individual, or
- With respect to which, there is reasonable basis to believe that the information can be used to identify the individual.
- Request for Restriction on Use or Disclosure of PHI
- Patients shall indicate their request for restriction on the use or disclosure of their PHI using the "Restriction Request Form" as attached.
- The requested restrictions must be provided in writing, signed and dated by the patient or personal representative.
- Agreement or Denial of Request
- The Unit Privacy Officer, or designee, must receive the written request. The Unit Privacy Officer shall determine whether it will be approved, with consultation as determined necessary.
- If approved, the HCC must implement the restriction.
- The Unit Privacy Officer or designee will identify the restriction on the face sheet of the patient’s medical record, or in accordance with the HCC’s policy on medical records.
- The HCC’s agreement or refusal of the request shall be documented on the request form, signed and dated by the Unit Privacy Officer or designee.
- The original will be filed in the Medical Record for permanent retention
- A copy of the approved or denied form will be provided to the patient.
- Termination of Restriction
- The HCC may terminate the agreement to a restriction if:
- The patient agrees to or requests the termination in writing.
- The patient orally agrees to the termination, and the oral agreement is documented.
- The HCC informs the patient that it is terminating its agreement to a restriction, and that such termination is only effective with respect to PHI created or received after it has so informed the individual.
- When any of the above criteria are met, the restriction will be removed, and the form will be dated and signed by the Unit Privacy Officer.
- If the restriction was identified in the patient’s medical record, that identification shall be removed by the Unit Privacy Officer or designee.
- Emergency/Other Exception
- If the HCC has agreed to the restriction, but the patient who requested the restriction is in need of emergency treatment, and the restricted PHI is needed to provide the emergency treatment, the HCC may disclose that PHI to a health care provider to provide such treatment.
- If such PHI is disclosed in an emergency situation, the HCC must require that the health care provider to whom the PHI was disclosed not further use or disclose that PHI.
- Other exception may occur or be permitted or required by law. 45 CFR § 522(a)(1)(v). Questions about other permitted exceptions will be referred to the University Privacy Officer and/or legal counsel.
- Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.
- Sanctions. Any person found to have violated the requirements of this policy shall be subject to disciplinary action up to and including dismissal.
HISTORY: Effective March 21, 2003