Right to Restrict Disclosures: Avoid the $25k Billing Fine

Executive Summary

Under the HIPAA Privacy Rule, patients have the right to request restrictions on the disclosure of their protected health information (PHI). Section 164.522(a)(1)(vi), added under the HITECH Act, goes a step further: if a patient pays in full out-of-pocket, the provider must comply with their request not to disclose the information to their health plan, except where required by law. For small practices, this requirement is often misunderstood or overlooked. This guide explains what this rule means, when it applies, and how to implement it in a way that is practical, compliant, and protects patient trust.

Introduction

In today’s healthcare landscape, patients are increasingly taking control over their health information and how it’s shared. HIPAA supports this autonomy through several patient rights, including the right to restrict disclosures. While most restriction requests are optional for the provider, one particular provision, 45 CFR § 164.522(a)(1)(vi), makes the patient’s restriction request binding when the patient chooses to pay in full.

This article walks small practices through exactly how to honor this restriction, how to build systems to support it, and what pitfalls to avoid.

From an enforcement perspective, the Office for Civil Rights evaluates compliance with § 164.522(a)(1)(vi) based on whether a provider’s billing systems and workflows actually prevent disclosures to health plans once a valid restriction is in place. OCR investigations frequently focus on automated claims processing, third-party billing vendors, and staff handoffs to determine whether a restriction was operationally enforced. This reflects OCR’s broader enforcement approach, which prioritizes real-world system behavior over policy intent when assessing compliance.

Understanding the Rule

Under § 164.522(a)(1)(vi), a healthcare provider must not disclose PHI about an item or service to a health plan if:

  1. The disclosure is for payment or healthcare operations, and

  2. The patient (or their representative) has paid in full out-of-pocket, and

  3. The patient has requested the restriction in writing

This means that even if your office normally submits claims automatically, you must not send the claim to the insurer for that item or service.

Compliance with § 164.522(a)(1)(vi) is an ongoing operational obligation rather than a one-time administrative step. Covered entities are expected to ensure that restrictions remain effective across billing cycles, system updates, vendor changes, and future encounters related to the restricted service. OCR has consistently emphasized that failures often occur when billing software is upgraded, workflows are outsourced, or staff assume restrictions are temporary rather than persistent.

Scope of the Restriction

This restriction applies:

  • Only to specific services that were fully paid

  • Only to disclosures for payment or healthcare operations

  • Not to disclosures required by law (e.g., public health reporting, court orders)

  • To all providers, regardless of practice size

Practical Example

A patient receives a confidential mental health consultation and pays the full cost out-of-pocket. They then submit a written request asking the provider not to disclose this visit to their insurance company. Under § 164.522(a)(1)(vi), the provider must honor this request and ensure no claim or billing info is sent to the payer.

Case Study: Accidental Disclosure After Payment

In 2022, a small dermatology clinic encountered a HIPAA violation after failing to honor a patient’s request for restricted disclosure. The patient had paid in full, out-of-pocket, for a minor cosmetic procedure and submitted a written restriction request under 45 CFR 164.522(a)(1)(vi), asking the clinic not to disclose any information about the visit to their health insurance provider.

While the clinic verbally acknowledged the request, its billing system was programmed to automatically generate claims for all services rendered. No internal controls were in place to flag or separate services tied to patient restrictions. As a result, a claim was submitted to the patient’s insurer, and an Explanation of Benefits (EOB) was mailed to the patient’s home address two weeks later, exactly what the patient had sought to prevent.

The patient filed a formal complaint with the Office for Civil Rights (OCR). The investigation revealed several failures: the clinic had no system for reviewing or enforcing written restrictions; no staff member verified the request before the billing cycle was processed; and the third-party billing vendor was never informed of the patient’s directive.

This case highlights the importance of implementing safeguards to track restriction requests, training staff to recognize and act on them, and coordinating with vendors to prevent unauthorized disclosures.

Result: The clinic had to implement corrective action, retrain staff, and pay a $25,000 settlement.

Lesson: Automation can’t replace policy awareness. Small practices must manually flag and process these restrictions.

Steps to Implement This Rule in Your Practice

1. Train Front Desk and Billing Staff

Make sure all staff understand:

  • What this right means

  • When it applies

  • How to document and honor requests

2. Develop a Written Policy

Create a procedure for:

  • Receiving written restriction requests

  • Logging the payment and service covered

  • Flagging the patient’s chart and billing records

  • Notifying any third-party billing services

3. Require Upfront Payment

This right only applies when the patient pays in full, out-of-pocket. Ensure that:

  • The payment is processed before restricting disclosure

  • The restriction applies only to that paid service

4. Use EHR and Billing Alerts

Set up alerts in your EHR or billing system to:

  • Flag services that are subject to restrictions

  • Block claim generation for those encounters

  • Notify billing staff of restriction before submission

5. Document Everything

Keep a copy of:

  • The patient’s written request

  • The payment receipt

  • Notes showing staff honored the request

  • Any communications with payers or vendors

Retain documentation for at least six years, per HIPAA’s retention requirement (§ 164.530(j)).
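The claim-suppression control described in steps 3 and 4 above, as an added example that is not part of the original article or any particular billing product. It applies the three conditions of § 164.522(a)(1)(vi) (payment/operations purpose, full out-of-pocket payment, written request), scopes the restriction to one service, passes legally required disclosures through, and holds incomplete restrictions for staff review instead of billing automatically. Record layouts, field names and identifiers are assumptions.

```python
from dataclasses import dataclass

RELEASE, SUPPRESS, HOLD = "release", "suppress", "hold"

@dataclass
class Restriction:            # one record per restricted service, never the whole chart
    patient_id: str
    service_id: str
    in_writing: bool          # a verbal request creates no obligation
    paid_in_full: bool        # payment must be confirmed before the restriction is valid

@dataclass
class Encounter:
    encounter_id: str
    patient_id: str
    service_id: str
    purpose: str              # "payment", "operations" or "required_by_law"

def gate_claim(enc: Encounter, restrictions: list[Restriction]) -> tuple[str, str]:
    """Decide whether the claim for one encounter may be sent to the health plan."""
    if enc.purpose == "required_by_law":
        return RELEASE, "disclosure required by law; restriction does not apply"
    for r in restrictions:
        if (r.patient_id, r.service_id) != (enc.patient_id, enc.service_id):
            continue          # a restriction on another service does not touch this claim
        if not r.in_writing or not r.paid_in_full:
            # Not binding yet: route to staff review instead of silently billing (the case-study failure)
            return HOLD, "restriction incomplete: needs written request and full payment"
        return SUPPRESS, "valid 164.522(a)(1)(vi) restriction on file"
    return RELEASE, "no restriction on file"

def run_billing_cycle(encounters, restrictions) -> dict[str, list[str]]:
    """Sort a billing cycle into claims to send, hold for review, or suppress."""
    buckets: dict[str, list[str]] = {RELEASE: [], HOLD: [], SUPPRESS: []}
    for enc in encounters:
        action, _ = gate_claim(enc, restrictions)
        buckets[action].append(enc.encounter_id)
    return buckets

# Constructed sample data (hypothetical identifiers).
SAMPLE_RESTRICTIONS = [
    Restriction("P-1", "S-200", in_writing=True, paid_in_full=True),
    Restriction("P-2", "S-300", in_writing=False, paid_in_full=True),
]
SAMPLE_ENCOUNTERS = [
    Encounter("E-1", "P-1", "S-200", "payment"),          # restricted: suppress
    Encounter("E-2", "P-1", "S-201", "payment"),          # other service: release
    Encounter("E-3", "P-2", "S-300", "payment"),          # verbal only: hold for review
    Encounter("E-4", "P-1", "S-200", "required_by_law"),  # legal duty: release
]
```

The gate must run before the claim file is built and before any hand-off to a third-party billing vendor; a held encounter is the point at which the restriction request form and payment receipt from step 5 are checked by staff.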

Common Pitfalls and How to Avoid Them

| Pitfall | Consequence | How to Avoid |
|---|---|---|
| Submitting claim despite restriction | HIPAA violation, OCR penalties | Use billing alerts and manual review of restricted services |
| Accepting verbal request only | No legal obligation to comply | Require all restriction requests in writing |
| Applying restriction to entire chart | Over-complication | Restrict only the specific service paid in full |
| Not updating third-party billers | Risk of unintended disclosure | Notify all business associates handling billing |
| Failing to verify full payment | Restriction not valid | Confirm payment in full before processing request |

Checklist for Compliance

| Task | Responsible | Frequency |
|---|---|---|
| Train staff on 164.522(a)(1)(vi) | Privacy Officer | Annually |
| Create restriction request form | Compliance Officer | One-time |
| Review all full-pay encounters for restriction | Billing Coordinator | Weekly |
| Flag restricted services in EHR | Front Desk | Per encounter |
| Retain request and payment docs | Records Manager | Ongoing |

Frequently Asked Questions

What if the patient forgets to request the restriction?

The provider is not obligated to restrict the disclosure unless the patient formally requests it in writing. Encourage patients to submit the request at the time of payment.

Can this restriction apply to prescriptions?

Yes, but only if the patient pays for the prescription in full and instructs the pharmacy not to bill their health plan. Coordination between provider and pharmacy is essential.

Do I need to honor restrictions retroactively?

No. The restriction applies only going forward from the point of full payment and written request.

Can I deny care if a patient wants to restrict disclosure?

No, but you can require payment in full before honoring the request. If the patient doesn’t pay, the restriction does not apply.

Authoritative Resources

Final Takeaways

In practice, providers that successfully comply with § 164.522(a)(1)(vi) treat patient restriction handling as part of a broader compliance system rather than an isolated request. This right is not optional; it is a legal mandate. Restrictions embedded into billing workflows, reinforced through staff training, and validated during system changes are significantly more defensible during OCR investigations than those managed informally.

Fortunately, with the right systems, your practice can easily stay compliant. This includes providing clear staff training on recognizing and processing restriction requests, maintaining documentation of those requests in the patient’s record, configuring billing software to suppress automatic claims to insurers when restrictions apply, and ensuring communication with billing vendors.

HIPAA grants patients the right to restrict disclosures to a health plan when services are paid for out of pocket in full, and this obligation is mandatory under 45 CFR 164.522(a)(1)(vi). For small practices, honoring these requests demonstrates respect for patient autonomy while reducing regulatory exposure. With proper documentation, billing controls, and vendor communication in place, practices can meet this requirement consistently and deliver a more private, patient-centered care experience.
