A Patient's Right to Restrict Disclosures to a Health Plan When Paying in Full (§ 164.522(a)(1)(vi))

Executive Summary

Under the HIPAA Privacy Rule, patients have the right to request restrictions on the disclosure of their protected health information (PHI). Section 164.522(a)(1)(vi), added under the HITECH Act, goes a step further: if a patient pays in full out-of-pocket, the provider must comply with their request not to disclose the information to their health plan, except where required by law. For small practices, this requirement is often misunderstood or overlooked. This guide explains what this rule means, when it applies, and how to implement it in a way that is practical, compliant, and protects patient trust.

Introduction

In today’s healthcare landscape, patients are increasingly taking control over their health information and how it’s shared. HIPAA supports this autonomy through several patient rights, including the right to restrict disclosures. While most restriction requests are optional for the provider, one particular provision, 45 CFR § 164.522(a)(1)(vi), makes the patient’s restriction request binding when the patient chooses to pay in full.

This article walks small practices through exactly how to honor this restriction, how to build systems to support it, and what pitfalls to avoid.

Understanding the Rule

Under § 164.522(a)(1)(vi), a healthcare provider must not disclose PHI about an item or service to a health plan if:

  1. The disclosure is for payment or healthcare operations, and

  2. The patient (or their representative) has paid in full out-of-pocket, and

  3. The patient has requested the restriction in writing

This means that even if your office normally submits claims automatically, you must not send the claim to the insurer for that item or service.

Scope of the Restriction

This restriction applies:

  • Only to specific services that were fully paid

  • Only to disclosures for payment or healthcare operations

  • Not to disclosures required by law (e.g., public health reporting, court orders)

  • To all providers, regardless of practice size

Practical Example

A patient receives a confidential mental health consultation and pays the full cost out-of-pocket. They then submit a written request asking the provider not to disclose this visit to their insurance company. Under § 164.522(a)(1)(vi), the provider must honor this request and ensure no claim or billing info is sent to the payer.

Case Study: Accidental Disclosure After Payment

In 2022, a small dermatology clinic encountered a HIPAA violation after failing to honor a patient’s request for restricted disclosure. The patient had paid in full, out-of-pocket, for a minor cosmetic procedure and submitted a written restriction request under 45 CFR 164.522(a)(1)(vi), asking the clinic not to disclose any information about the visit to their health insurance provider.

While the clinic verbally acknowledged the request, its billing system was programmed to automatically generate claims for all services rendered. No internal controls were in place to flag or separate services tied to patient restrictions. As a result, a claim was submitted to the patient’s insurer, and an Explanation of Benefits (EOB) was mailed to the patient’s home address two weeks later: exactly what the patient had sought to prevent.

The patient filed a formal complaint with the Office for Civil Rights (OCR). The investigation revealed several failures: the clinic had no system for reviewing or enforcing written restrictions; no staff member verified the request before the billing cycle was processed; and the third-party billing vendor was never informed of the patient’s directive.

This case highlights the importance of implementing safeguards to track restriction requests, training staff to recognize and act on them, and coordinating with vendors to prevent unauthorized disclosures.

Result: The clinic had to implement corrective action, retrain staff, and pay a $25,000 settlement.

Lesson: Automation can’t replace policy awareness. Small practices must manually flag and process these restrictions.

Steps to Implement This Rule in Your Practice

1. Train Front Desk and Billing Staff

Make sure all staff understand:

  • What this right means

  • When it applies

  • How to document and honor requests

2. Develop a Written Policy

Create a procedure for:

  • Receiving written restriction requests

  • Logging the payment and service covered

  • Flagging the patient’s chart and billing records

  • Notifying any third-party billing services

3. Require Upfront Payment

This right only applies when the patient pays in full, out-of-pocket. Ensure that:

  • The payment is processed before restricting disclosure

  • The restriction applies only to that paid service

4. Use EHR and Billing Alerts

Set up alerts in your EHR or billing system to:

  • Flag services that are subject to restrictions

  • Block claim generation for those encounters

  • Notify billing staff of restriction before submission

5. Document Everything

Keep a copy of:

  • The patient’s written request

  • The payment receipt

  • Notes showing staff honored the request

  • Any communications with payers or vendors

Retain documentation for at least six years, per HIPAA’s retention requirement (§ 164.530(j)).
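The five steps above (and the billing-automation failure in the dermatology case study) come down to one control: claim generation must consult the restriction record before anything leaves for the payer. The following is an added example, not the article’s code and not the code of any EHR or billing vendor; every name in it (Encounter, Restriction, Decision, decide_claim, the purpose constants) is an assumption made for illustration, and the sample encounters are constructed. It scopes the flag to the single paid service, holds claims when the request is verbal only or payment is not yet in full, lets disclosures required by law through, and records which suppressed encounters the third-party biller must be told about.

```python
"""Claim-generation gate for 45 CFR 164.522(a)(1)(vi) restrictions (illustrative, not vendor code)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Disclosure purposes. The restriction covers payment and health care operations;
# it never blocks a disclosure that is required by law.
PAYMENT = "payment"
OPERATIONS = "health_care_operations"
REQUIRED_BY_LAW = "required_by_law"


@dataclass(frozen=True)
class Encounter:
    encounter_id: str
    patient_id: str
    service_code: str
    charge: Decimal
    paid_out_of_pocket: Decimal  # amount the patient (or representative) actually paid


@dataclass(frozen=True)
class Restriction:
    patient_id: str
    encounter_id: str
    service_code: str  # scope is the specific paid service, not the whole chart
    in_writing: bool   # a verbal-only request is held, not processed


@dataclass(frozen=True)
class Decision:
    encounter_id: str
    action: str   # "submit", "suppress" or "hold"
    reason: str
    notify_billing_vendor: bool = False


def find_restriction(enc: Encounter, restrictions: list[Restriction]) -> Optional[Restriction]:
    """Match on patient, encounter and service so a flag never spills over to other visits."""
    key = (enc.patient_id, enc.encounter_id, enc.service_code)
    for r in restrictions:
        if (r.patient_id, r.encounter_id, r.service_code) == key:
            return r
    return None


def decide_claim(enc: Encounter, restrictions: list[Restriction], purpose: str) -> Decision:
    """Decide whether a claim for this encounter may go to the health plan."""
    if purpose == REQUIRED_BY_LAW:
        return Decision(enc.encounter_id, "submit", "disclosure required by law; restriction does not apply")
    r = find_restriction(enc, restrictions)
    if r is None:
        return Decision(enc.encounter_id, "submit", "no restriction on file for this service")
    if not r.in_writing:
        return Decision(enc.encounter_id, "hold", "request not in writing; obtain written request before billing")
    if enc.paid_out_of_pocket < enc.charge:
        return Decision(enc.encounter_id, "hold", "not paid in full; restriction not yet valid")
    return Decision(enc.encounter_id, "suppress",
                    "paid in full with written restriction; no claim to health plan",
                    notify_billing_vendor=True)


def run_billing_cycle(encounters: list[Encounter], restrictions: list[Restriction],
                      purpose: str = PAYMENT) -> list[Decision]:
    """Gate every encounter in the cycle instead of auto-generating claims for all of them."""
    return [decide_claim(e, restrictions, purpose) for e in encounters]


def vendor_notices(decisions: list[Decision]) -> list[str]:
    """Encounter ids the third-party billing service must be told to leave alone."""
    return [d.encounter_id for d in decisions if d.notify_billing_vendor]


# Constructed sample data (hypothetical patient and service codes).
SAMPLE_ENCOUNTERS = [
    Encounter("E1", "P100", "COSM-01", Decimal("350.00"), Decimal("350.00")),  # paid in full
    Encounter("E2", "P100", "DERM-02", Decimal("120.00"), Decimal("0.00")),    # same patient, other service
    Encounter("E3", "P200", "MH-05", Decimal("200.00"), Decimal("100.00")),    # partial payment
    Encounter("E4", "P300", "LAB-09", Decimal("80.00"), Decimal("80.00")),     # verbal request only
]
SAMPLE_RESTRICTIONS = [
    Restriction("P100", "E1", "COSM-01", in_writing=True),
    Restriction("P200", "E3", "MH-05", in_writing=True),
    Restriction("P300", "E4", "LAB-09", in_writing=False),
]

if __name__ == "__main__":
    for d in run_billing_cycle(SAMPLE_ENCOUNTERS, SAMPLE_RESTRICTIONS):
        print(f"{d.encounter_id}: {d.action:8} {d.reason}")
    print("notify vendor for:", vendor_notices(run_billing_cycle(SAMPLE_ENCOUNTERS, SAMPLE_RESTRICTIONS)))
```

The "hold" outcomes are the point of the design: the system refuses to guess. A claim is neither sent nor silently dropped until staff have the written request on file and payment in full is confirmed, which is the manual review the article’s pitfall table calls for.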

Common Pitfalls and How to Avoid Them

Pitfall                                | Consequence                     | How to Avoid
---------------------------------------|---------------------------------|------------------------------------------------------------
Submitting claim despite restriction   | HIPAA violation, OCR penalties  | Use billing alerts and manual review of restricted services
Accepting verbal request only          | No legal obligation to comply   | Require all restriction requests in writing
Applying restriction to entire chart   | Over-complication               | Restrict only the specific service paid in full
Not updating third-party billers       | Risk of unintended disclosure   | Notify all business associates handling billing
Failing to verify full payment         | Restriction not valid           | Confirm payment in full before processing request

Checklist for Compliance

Task                                            | Responsible          | Frequency
------------------------------------------------|----------------------|---------------
Train staff on 164.522(a)(1)(vi)                | Privacy Officer      | Annually
Create restriction request form                 | Compliance Officer   | One-time
Review all full-pay encounters for restriction  | Billing Coordinator  | Weekly
Flag restricted services in EHR                 | Front Desk           | Per encounter
Retain request and payment docs                 | Records Manager      | Ongoing

Frequently Asked Questions

What if the patient forgets to request the restriction?

The provider is not obligated to restrict the disclosure unless the patient formally requests it in writing. Encourage patients to submit the request at the time of payment.

Can this restriction apply to prescriptions?

Yes, but only if the patient pays for the prescription in full and instructs the pharmacy not to bill their health plan. Coordination between provider and pharmacy is essential.

Do I need to honor restrictions retroactively?

No. The restriction applies only going forward from the point of full payment and written request.

Can I deny care if a patient wants to restrict disclosure?

No, but you can require payment in full before honoring the request. If the patient doesn’t pay, the restriction does not apply.

Authoritative Resources

Final Takeaways

HIPAA grants patients significant control over how their protected health information (PHI) is used and disclosed. One of the most powerful and sometimes overlooked rights is outlined in 45 CFR 164.522(a)(1)(vi), which requires covered entities to comply with a patient’s request to restrict disclosure of PHI to a health plan when the individual has paid out-of-pocket in full for the healthcare service. This right is not optional; it is a legal mandate.

For small practices, honoring this restriction request is not only a regulatory requirement, but also a meaningful way to demonstrate respect for patient autonomy and trust. Many patients exercise this right when seeking sensitive or elective services, and a failure to comply can result in regulatory complaints, financial penalties, and loss of patient confidence.

Fortunately, with the right systems, your practice can easily stay compliant. This includes providing clear staff training on recognizing and processing restriction requests, maintaining documentation of those requests in the patient’s record, configuring billing software to suppress automatic claims to insurers when restrictions apply, and ensuring communication with billing vendors.

By building these safeguards into your daily operations, your practice not only avoids costly HIPAA violations, but also delivers a more private, respectful, and patient-centered care experience.