Since its initial adoption, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule has granted individuals the right to request restrictions regarding the use and disclosure of their protected health information (PHI) for treatment, payment, and healthcare operations (TPO). The law also grants individuals the right to request restrictions for other disclosures, such as those made to family members. It is up to the covered entities (CEs) to decide whether to accept or deny such restriction requests. When a CE agrees to a restriction, it must adhere to that restriction for all future disclosures except in the event of an emergency. If the restricted PHI is disclosed to another entity or person for emergency treatment, the CE is required to request that the person or entity receiving the information not further use or disclose this PHI in any manner.
The HITECH-HIPAA Omnibus Rule, effective September 23, 2013, takes requests for restrictions one step further and requires that "a covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and not otherwise required by law; and the protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full."