
Important Compliance Reminder: Individual Rights Under HIPAA

on Thursday, 27 February 2025 in Health Law Alert: Kristin N. Lindgren, Editor

With any change in presidential administration, the country sees a change in policy priorities. This year is no different. Since January 20th, we have seen a number of pronouncements and actions by the administration which have left certain health care providers and patients with a level of uncertainty over the privacy of sensitive health information contained in the medical record. This uncertainty has resulted in requests for amendments to information contained in the record and restrictions of disclosures of the record. Thus, it is a good time to remind covered entities about the nuances in complying with individual rights requests.

First, it is important to know that the Reproductive Health Care Rule is still in effect. Regardless of the apparent lack of enforcement by OCR under the current administration, it remains the law, and covered entities must comply with it. In order to change the regulation, the agency generally must undertake the full rulemaking process, which takes time. For this reason, PHI potentially related to reproductive health care cannot be disclosed for various reasons related to identifying, investigating, or imposing liability on a patient for obtaining legal health care.

Next, HIPAA has long included various rights an individual has over his or her PHI. While these rights may be thought of as a way to further protect an individual whose record contains sensitive information, providers must keep in mind the policies of the organization to ensure rights are being exercised and responded to in a manner that complies with HIPAA. There has been much focus by OCR over the last few years on the right of an individual to access their record. We want to focus on the lesser-used individual rights that are now seeing more activity.

Right to Request Restrictions. For example, if a 20-year-old patient covered under her parents’ health insurance has an IUD placed at a clinic, the patient may request the procedure not be disclosed to her parents.

      • The clinic should not disclose this PHI directly to a parent of an adult child without the patient’s permission.
      • However, because the patient is on the parents’ health insurance, the parents may find out due to bills submitted to insurance and/or the patient for payment. Clinic staff should be trained to remind patients of this disclosure.
      • On the other hand, in the event the patient is willing to pay out of pocket and requests the procedure not be submitted through insurance, the clinic must comply with the patient’s request to not disclose such PHI to the insurer so long as the patient has paid in full for the service.
      • Practitioners should be trained and reminded that patients have the right to request restrictions on the dissemination of their PHI and, if a patient requests such a restriction in a conversation with the practitioner, on how to direct the patient to the privacy office for further information.

Confidential Communications. As another example, if a woman receives care at a hospital related to a medication abortion, she may ask that the hospital only contact her at her work phone and address.

      • A hospital must accommodate the reasonable request to use an alternative telephone number and address.
      • When an alternative route of communication is requested, staff should ensure the hospital does not use any other phone number or address in the system to contact the patient.

Right to Request Amendments. For example, if a patient received hormone replacement medications at a hospital related to a diagnosis of gender dysphoria, the patient may request the diagnosis be changed due to the potential implications of certain executive orders.

      • The hospital must acknowledge and review such a request.
      • The hospital may deny the patient’s request for a variety of reasons, including that a practitioner determined the information contained in the record is accurate and complete. If the patient’s diagnosis is accurate, it should not be changed.
      • Regardless of whether the hospital accepts or denies the amendment request, the hospital must comply with the response time frame(s) under HIPAA.
      • If the hospital denies the amendment request, the patient must be notified of the denial and of the right to submit a statement of disagreement or to request the hospital include the amendment request and denial documentation with future disclosures.
      • If the hospital accepts an amendment request in whole or in part, there are a series of required steps the hospital must follow to inform certain third parties that the records have been amended.
      • Again, practitioners should be reminded that the privacy office must be involved in any requests for amendment of a patient’s record.

As covered entities manage patients who express concern over the contents of their medical record, it is important that they understand these rights and their limitations. Practitioners and clinical staff should be appropriately trained and reminded of the privacy office’s role in these patient requests so they do not inadvertently fail to meet a requirement of these individual rights.
