Print Page   |   Contact Us   |   Sign In   |   Join the ICS
Article Search
Information Articles: Legal

Patients’ Right to Direct Provider Not to Submit a Claim to Health Plan

Wednesday, June 13, 2018   (1 Comments)
Posted by: Adrienne J. Hersh, JD
Share |


Patients’ Right to Direct Provider Not to Submit a Claim to Health Plan


May a patient direct a health care provider not to submit a claim to the patient’s health plan for a particular service?  Is an in-network doctor required to submit a claim when the patient has directed otherwise?  The answers to these questions are usually “yes.” 


The HITECH/HIPAA Omnibus Final Rule of 2013 strengthened the right of an individual to restrict a physician’s disclosure of protected health information to a health care plan. This means that, in most cases, patients have the right to pay personally for health care fees and to direct a provider not to submit a claim to the patient’s health plan.  If certain conditions are met, the physician must honor the patient’s request.  To comply with the rule, physician offices must have in place procedures and documents, as detailed below. *


Overview:  Patient’s Right to Restrict Health Information in General

In general, covered entities are limited in the use and disclosure they may make of a patient’s protected health information (PHI). Nonetheless, some uses and disclosures are permitted without the patient’s consent:  those required for treatment, payment or health care operations.


Providers may make disclosures to family and friends without consent under some circumstances.  If the patient is present and has the capacity to make health care decisions, a provider may disclose PHI if he or she:  1) obtains patient consent; or 2) gives the patient the opportunity to object and the patient does not object; or 3) decides from the circumstances, based on professional judgment, that the patient does not object.  For example, if a patient brings a friend to an appointment and asks to have the friend remain present for the health care consultation, the provider may assume the patient does not object.  If the patient is not present or is incapacitated, a provider may disclose PHI if, based on professional judgment, disclosure is in the patient’s best interest.


In addition, covered entities may use or disclose PHI without consent if required by law, such as public health reporting requirements, abuse reporting, criminal or administrative investigations, research, covered entities that are government programs providing public benefits, and for workers’ compensation.


In most situations other than those described above, patients must give specific written authorization to disclose PHI.


Restriction of Information – The Old Rule vs. the Current Rule

Even though HIPAA has always permitted providers to use and disclose PHI without patient consent for treatment, payment, and health care operations, patients had a right only to request restrictions on the uses or disclosures of protected health information for such purposes.  However, in the past, providers were not required to agree to a restriction and were obligated only to honor any restrictions to which they voluntarily agreed.


The general rule remains that patients may request restrictions and providers may, but are not obligated, to agree.  However, the Final Rule created an exception to a provider’s right to withhold his or agreement.  The provider must agree to an individual’s request to restrict the disclosure of protected health information if: 1) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and 2) the disclosure information pertains to care for which the individual has paid out of pocket.  In other words, a patient who prefers not to disclose a particular condition to his or her health plan now has the right not only to ask, but to direct you, not to submit information or a claim to the plan if the patient or another person pays your fee in full, and the other conditions are met.  (Note that the “unless otherwise required by law” provision still allows health care providers to disclose PHI to health plans when directed by court orders and subpoenas.  Similarly, the new rule does not affect disclosure of information to entities other than health plans.  Thus, providers are still permitted to disclose PHI in response to subpoenas in judicial, administrative and law enforcement proceedings, including PHI that the patient has directed not to disclose to a health plan.)


Most provider agreements that pre-dated the HITECH rule required the provider to submit claims for all covered services to the health plan.  However, because the law and rules under HITECH prohibit providers from submitting claims to a health plan when so requested by a patient, providers must comply with the rule.  Presumably, health plans will modify their agreements to comply with the law.  In the meantime, providers who have concerns about disparities between their provider agreements and the law may wish to contact their network liaisons to discuss this issue.  It is a HIPAA violation to submit a claim to a health plan when the patient has directed otherwise and has paid out of pocket.


Operational Considerations in the Physician Office

When the current rule was proposed, many providers commented about the difficulty of complying.  The rule requires differing treatment for certain information, and only for certain purposes, within a patient’s record.  Consider the case in which a patient does not want you to submit a claim to the health plan for one condition, but wants claims submitted for everything else.  Even trickier is when a patient directs you not to bill the health plan for one procedure related to a particular condition, but wants you to bill the plan for all other procedures for the same condition.  It is easy to understand a physician’s concern about the administrative challenges this PHI restriction could present in the office.


The Department of Health and Human Services has not listed specific steps that health care offices must take, but the agency has published the following general guidance to assist providers in complying with the rule:

  • Covered entities should already have had in place procedures for receiving patient requests for restrictions, even if the covered entity generally has declined such requests.  The only difference between these procedures and the requirements under the current rule is that, in most cases, the provider must honor a self-pay patient’s request not to submit information and a claim to a health plan.  
  • Covered entities do not need to maintain separate health records or segregate restricted health information, but they must “employ some method to flag or make a notation in the record” to make certain this information is not inadvertently provided to a health care plan (for example, in a claim submission or post-payment audit).
  • Providers are not required to alert downstream providers that the disclosure of certain information is restricted, but they are “permitted and encouraged” to remind patients to alert downstream providers of the patient’s desire to restrict the disclosure of certain information.
  • Disclosures to Medicare for survey and payment purposes continue to be permitted, but Medicare beneficiaries will have a right to restrict disclosures if they elect not to file a claim with Medicare and pay for covered services out of pocket. Individuals must request additional restrictions and pay out of pocket if they wish to restrict the disclosure of information about follow up care.
  • Where a number of health services are bundled for billing purposes, the individual still has the right to pay privately for certain of the services and direct the provider not to bill those services to the health plan.  In that situation, providers must do their best to unbundle the services to permit the patient to pay out of pocket for specific items and services. If the provider is not able to unbundle the services, then he or she must advise the patient that the services cannot be unbundled and give the patient the opportunity to pay for the entire bundle of services.
  • Providers operating in an HMO may have to provide services out of network in order to permit individuals to pay privately and obtain restrictions.
  • The right to restrict information to a health plan does not attach if the service is not paid in full.  For example, if a credit card is declined or a check is returned for insufficient funds, the provider may disclose PHI and submit the claim to the health plan, after making reasonable efforts to obtain payment from the patient.

Recommended Notice of Privacy Practices Form and Request for Restriction Form

A covered entity provider must include information about the right to restrict information in the Notice of Privacy Practices.  All Notices of Privacy Practices must reflect the patient’s right to restrict PHI to a health plan. 


HHS has provided a Model Notice of Privacy Practices form that complies with the updated rule.  A template for the form is available in various formats at  This form incorporates all major aspects of patient rights regarding protected health information, including the right to restrict information to a health plan.   Because the compliance date for the Omnibus Rule was September 23, 2013, it is strongly recommended that you make sure your Notice includes the right to restrict.


In addition to the new Model Notice of Privacy Practices form, the ICS recommends providers make available a Restriction Request Form for patients who have specific requests to restrict information.  Using a form will ensure that your office gathers standard information from the patient and will document the patient’s request for the file.  HHS has not provided a model Restriction Request Form.  However, the ICS has a template PHI Restriction Request Form available to ICS members on its website.


An Ounce of Prevention vs. Sanctions for Non-Compliance

HHS has noted that a provider who improperly discloses PHI to a health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act.  As with other impermissible disclosures, this action is subject to possible criminal penalties, civil money penalties and corrective action.  Of course, it is preferable to put proper procedures in place than to have to deal with sanctions for non-compliance. New regulations may appear confusing at first, but generally once these procedures are established in your office, they will become routine.  As always, the ICS is a helpful resource to assist you with practice compliance issues.


*The information in this article pertains to physicians who are “covered entities” under HIPAA.  Therefore, the terms “covered entities,” “physicians,” health care providers,” and “practices” are used interchangeable and all are presumed to be covered entities under HIPAA.


Note:  ICS members may view a a list of policies, procedures and documents that physicians should have in place under the HITECH/HIPAA Omnibus Rule here.




David A. Johnson DC says...
Posted Friday, June 15, 2018
Thank you for the informative article.

Membership Software Powered by YourMembership  ::  Legal