When it comes to HIPAA, one of the lesser-known patient rights is the right to request restrictions on the use and disclosure of their protected health information (PHI). For staff and providers who are just starting to learn about compliance, this right can feel confusing. Do you always have to agree? What happens if you can’t honor the request? And how should you handle the paperwork?
Let’s break it down in simple terms.
What Is the Right to Restrict?
Under the HIPAA Privacy Rule, patients can ask a covered entity (like a physician’s office, clinic, or hospital) to limit how their PHI is used or shared. This might include restrictions on:
- Using PHI for treatment, payment, or healthcare operations.
- Disclosing PHI to certain family members, friends, or caregivers.
- Sending information to a health plan.
As a general rule, covered entities do not have to agree to these requests. But there are two very important situations where you must accept them.
The Two Times You Must Accept a Restriction:
- When the Patient Pays Out of Pocket in Full
If a patient pays for a service entirely out of pocket and asks you not to share that information with their health plan, you must honor the request.
For example:
A patient schedules a routine lab test that is normally billed to insurance. They decide to pay out of pocket and request that the results not be sent to their health plan. Because the patient covered the full cost themselves, you are required to accept this restriction.
This rule gives patients greater control over what information is reported to their insurer, even for services that would usually be covered.
- When the Restriction Is Required by Law or Agreement
Some restrictions may be tied to other federal or state laws. If the law requires you to honor a restriction, you must comply.
For instance:
Certain state privacy laws around mental health or substance use treatment may demand stricter confidentiality. If a patient asks for a restriction that lines up with these laws, you are required to accept it.
The Role of Documentation
Even if you don’t have to accept the restriction, you must always document the request. This is a key compliance step many new staff overlook.
Here’s why documentation matters:
- Transparency – Patients deserve to know their request was taken seriously, even if you cannot honor it.
- Accountability – If an auditor or regulator asks, you have a record showing how the request was handled.
- Consistency – Documenting all requests helps your organization apply policies fairly across patients.
Think of documentation as your “safety net.” Even if you decline the restriction, you’re showing you followed the right process.
How to Handle Restriction Requests in Practice
- Listen carefully to the patient’s request and clarify what they’re asking.
- Check the two required situations (out-of-pocket payments and legal requirements).
- Decide whether to accept or decline the restriction.
- Document everything: the request, your response, and the reason for your decision.
- Communicate clearly with the patient so they understand the outcome.
The patient’s right to restrict may sound intimidating at first, but the rules are straightforward once you know the basics. You are only required to agree to restrictions in two cases: when the patient pays in full out of pocket and doesn’t want insurance involved, and when another law requires it. In all other situations you have the option to decline, but you can never skip documenting the request.
To make things easier for staff, we’ve also created a checklist you can use as a step-by-step guide when these requests come up in real life.