This is the fifth in a series of publications analyzing the changes of the HIPAA Omnibus Rule (Final Rule) released January 17, 2013, and published January 25, 2013 (78 Fed. Reg. 5566). The Final Rule provides broader rights to individuals with respect to their right to request restrictions on the uses and disclosures of their protected health information (PHI) and their right to access PHI. The Final Rule largely adopts the significant changes of the proposed rule regarding these individual rights, thus imposing new and substantial obligations on covered entities to comply with these requirements.

Restrictions

HIPAA requires that covered entities permit individuals to request restrictions on the uses or disclosures of their PHI for treatment, payment, and health care operations purposes, as well as for disclosures to family members and certain other permitted purposes. While covered entities are not required to agree to such requests, if a covered entity does agree to the restriction, then the covered entity must abide by that restriction.

The Final Rule creates an exception to this general rule by providing that a covered entity must comply with an individual’s request to restrict disclosure to a health plan if: (1) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and (2) the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.

The Department of Health and Human Services (HHS) commentary to the Final Rule clarified the following:

  • Covered entities are not required to create separate medical records or otherwise segregate PHI that is subject to such a restriction. However, covered entities will need to flag or make a notation in the record with respect to the PHI that has been restricted to ensure that such information is not inadvertently disclosed to a health plan for payment or health care operations purposes, such as audits by the health plan (other than those with disclosures required by law, as discussed below).
  • Covered entities remain obligated to make disclosures of this PHI as required by law, as permitted by HIPAA. Thus, if state or other law requires a provider to submit a claim to a health plan and there is no exception for individuals paying out of pocket, then the covered entity may disclose the PHI to the plan. Disclosures required by law for audits are permitted; thus, while a patient may restrict disclosure to CMS as a payor, the covered entity may disclose the restricted PHI to CMS if required under a Conditions of Participation survey.
  • Covered entities are not required to abide by such a restriction request if the individual does not pay for the service in full (e.g., if the individual’s payment is dishonored). The covered entity would then be permitted to disclose the PHI to the health plan for payment purposes. However, covered entities must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan.
  • If the patient asks to restrict disclosure of some, but not all, services that are bundled, covered entities should unbundle the services to allow the restriction if able to do so. The covered entity is expected to counsel the patient that the health plan may be able to determine that the services not disclosed to the plan were provided based on the context. If a covered entity is not able to unbundle a group of services, then the covered entity must inform the patient and offer the patient the opportunity to restrict and pay out of pocket for the entire bundle of services.
  • Covered entities are only required to restrict the disclosure to the health plan and are not required to notify downstream providers of this restriction. Covered entities are encouraged to counsel patients that the patients are responsible for notifying downstream providers and making additional restriction requests to those providers.

Access

The Final Rule also makes significant changes to an individual’s right to access PHI. HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set. The Final Rule requires the following with respect to electronic PHI:

  • Covered entities must provide an individual with a copy of their PHI that is maintained by the covered entity as electronic PHI in the electronic form and format requested by the individual if such format is readily producible. If the requested format is not readily producible, the covered entity must offer to produce the electronic PHI in at least one readable electronic format.
  • Covered entities are not required to purchase software or hardware to accommodate requests for various types of formats; however, they must be able to provide some form of readable electronic copy.
  • A hard copy may be provided if the requesting individual rejects any of the offered electronic formats.
  • The electronic copy provided must include all electronic PHI held by the covered entity in a designated record set, or appropriate subset if only specific information is requested, at the time the request is fulfilled. If the electronic PHI contains a link to images or data, the images or other data must be included in the electronic copy provided.
  • For covered entities with medical records in mixed media (i.e., some paper and some electronic PHI), a combination of electronic and hard copies may be provided to the individual.
  • If requested by an individual, a covered entity must transmit the electronic copy directly to a third person designated by the individual.

Under the Final Rule, covered entities maintain some autonomy in providing access when security is a concern. HHS clarified that:

  • A covered entity is not required to use an individual’s flash drive or other device to transfer the electronic PHI if the covered entity has security concerns regarding the external portable media.
  • If an individual requests to receive the electronic copy via unencrypted email and secure email is unavailable, the covered entity may decide whether or not to send the electronic copy via unencrypted email. However, if unencrypted email is used, the covered entity must advise the individual of the risk that the information could be read by a third party.

Covered entities may charge reasonable cost-based fees to individuals for providing access to PHI, including providing a copy in electronic format.

  • The following may be included in the fees: (i) labor costs for copying PHI, whether in paper or electronic form, (ii) the costs of supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media, and (iii) postage if the individual requests mailing or delivery of electronic media.
  • Covered entities may not (i) include costs of new technology, maintaining systems for electronic PHI, data access, and storage infrastructure or (ii) charge a retrieval fee (whether a standard fee or actual costs) for electronic copies.
  • Under the state law preemption provisions of HIPAA, a state law imposing lower cost limits would apply. Conversely, if state law permits higher costs, then the lower HIPAA limits would apply.

The Final Rule decreases the total time covered entities have to respond to requests for access from 90 to 60 days by removing the provision allowing an additional 30 days if PHI is not maintained onsite. Covered entities now have 30 days to respond, unless they provide the individual written notice of a one-time extension of up to 30 days, including the reason for the delay and the expected date of completion.

This joint e-Alert from Bricker & Eckler LLP and INCompliance was prepared by Bryn Hunt. Bryn can be reached at 614.227.4823, or bhunt@bricker.com. For more information, please contact any INCompliance consultant at info@incomplianceconsulting.com or any member of the Bricker & Eckler Health Care Practice Group. This and previous alerts may be accessed at both Bricker & Eckler and INCompliance.