A patient hands your billing coordinator a credit card and says, “I’m paying cash for today’s visit. I don’t want this sent to my insurance.” Your coordinator looks uncertain. Can the practice honor that request? Must it? What if the patient has a high-deductible plan and the claim would count toward their deductible? The right to request restrictions on the use and disclosure of PHI is established in 45 CFR 164.522, and the HITECH Act added a mandatory restriction that many practices still do not handle correctly.
Two Different Restriction Rights
HIPAA actually creates two distinct restriction rights, and confusing them is a common compliance mistake:
1. The General Right to Request Restrictions (45 CFR 164.522(a))
Under the Privacy Rule, any individual may request that your practice restrict the use or disclosure of their PHI for treatment, payment, or healthcare operations. However — and this is the critical point — you are not required to agree to these general restriction requests. They are exactly that: requests. Your practice may evaluate each one and decide whether to accept or decline it.
If you do agree to a restriction, you are bound by it. You must document the restriction and ensure your workforce and systems honor it. The only exception is an emergency treatment situation where the restricted PHI is needed to provide care. Agreeing to a restriction and then violating it is a HIPAA violation.
2. The Mandatory Self-Pay Restriction (45 CFR 164.522(a)(1)(vi))
The HITECH Act created a restriction that is not optional. If a patient pays out of pocket, in full, for a healthcare item or service, and the patient requests that you not disclose PHI related to that item or service to a health plan for payment or healthcare operations purposes, you must comply. This is sometimes called the “self-pay restriction” or the “HITECH restriction.”
The conditions are specific: the patient must pay in full (not a partial payment or copay), the restriction applies only to disclosures to the health plan for payment or healthcare operations (not for treatment), and the PHI subject to the restriction is limited to what relates to the specific item or service that was self-paid.
How the Self-Pay Restriction Works in Practice
Consider a patient who visits your practice for a sensitive procedure and pays the full fee at the time of service. They request that you not submit a claim to their insurer. Under 45 CFR 164.522(a)(1)(vi), you are required to honor that request. You must:
- Not submit a claim to the patient’s health plan for that specific visit or service
- Not include information about that service in any reports or data sent to the health plan for payment or healthcare operations
- Flag the encounter in your EHR so that automated claim submission processes do not inadvertently disclose the information
- Ensure downstream systems (billing, clearinghouses) are aware of the restriction
The restriction does not prevent you from using or disclosing the information for treatment purposes. If the patient sees another provider and that provider needs the information for clinical care, you may share it. The restriction is narrowly scoped to health plan disclosures for payment and operations.
The EHR Challenge
This is where many practices stumble. Most EHR systems are designed to auto-generate claims for every billable encounter. If a patient exercises the self-pay restriction and your system automatically sends the claim anyway, you have violated HIPAA — even though it was unintentional. Your practice must have a documented process for flagging restricted encounters and ensuring they are excluded from batch claim submissions, explanation of benefits data, and any other health-plan-bound transmissions.
Work with your EHR vendor to understand whether their system supports encounter-level restriction flags. If it does not, you need a manual workaround that is documented, trained on, and audited regularly as part of your risk assessment program.
When You Can Decline a General Restriction Request
For restriction requests that fall outside the mandatory self-pay scenario, you have discretion. Common requests that practices may decline include:
- A patient asks you not to share records with a specific family member (this may be better handled through authorization and consent processes rather than a formal restriction)
- A patient asks you to withhold certain diagnoses from claims (unless they are self-paying in full, this is a general request you can evaluate)
- A patient asks you not to disclose information for treatment purposes to another provider (you can decline, though you should consider the patient’s concerns)
If you decline a general restriction request, no specific written notification format is required by HIPAA, but best practice is to document the request, your decision, and your reasoning in the patient’s file.
Documenting and Tracking Restrictions
Every agreed-upon restriction must be documented, accessible to your billing and clinical staff, and tracked through your compliance program. A restriction that is documented but not communicated to the billing department is effectively useless. Key documentation elements include:
- Date of the request and the patient’s identity
- Specific PHI subject to the restriction
- The entity or type of disclosure being restricted (e.g., specific health plan)
- Whether the restriction was accepted or declined
- Staff member responsible for ensuring compliance
- Any system flags or workflow modifications implemented
Terminating a Restriction
A patient may terminate a restriction at any time by notifying your practice. You may also terminate a restriction if you notify the patient — but termination only applies to PHI created or received after the termination. PHI generated during the restriction period remains subject to the original terms. You cannot retroactively disclose information that was restricted at the time it was created.
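As an added illustration that is not part of the article and not any EHR vendor's code, the Python below models the encounter-level hold described under The EHR Challenge together with the prospective-only termination rule above: a claim batch is split into encounters safe to transmit to a health plan and encounters that must be held. The data classes, field names and sample encounters are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Encounter:
    encounter_id: str
    patient_id: str
    service_date: date
    amount_due: float
    amount_paid: float  # what the patient paid out of pocket for this service

@dataclass
class Restriction:
    patient_id: str
    encounter_id: str  # scoped to the one self-paid item or service
    terminated_on: Optional[date] = None  # prospective: earlier PHI stays restricted

def self_pay_restriction_applies(enc, restrictions, purpose="payment"):
    """True when 164.522(a)(1)(vi) bars sending this encounter to a health plan."""
    if purpose == "treatment":  # treatment disclosures are never blocked
        return False
    if enc.amount_paid < enc.amount_due:  # not paid in full: only a discretionary request
        return False
    for r in restrictions:
        if (r.patient_id, r.encounter_id) != (enc.patient_id, enc.encounter_id):
            continue  # a restriction on one visit does not cover other visits
        if r.terminated_on is not None and enc.service_date >= r.terminated_on:
            continue  # only PHI created on/after termination may be billed
        return True
    return False

def build_claim_batch(encounters, restrictions, purpose="payment"):
    """Split a batch into encounter ids safe to transmit and ids that must be held."""
    send, hold = [], []
    for enc in encounters:
        (hold if self_pay_restriction_applies(enc, restrictions, purpose) else send).append(enc.encounter_id)
    return send, hold

# Constructed sample data (assumptions, not drawn from the article)
RESTRICTIONS = [
    Restriction("P1", "E1"),
    Restriction("P2", "E2"),  # requested, but the visit was only partly paid
    Restriction("P3", "E4", terminated_on=date(2024, 3, 1)),
]
ENCOUNTERS = [
    Encounter("E1", "P1", date(2024, 2, 5), 250.0, 250.0),
    Encounter("E2", "P2", date(2024, 2, 6), 250.0, 40.0),
    Encounter("E3", "P1", date(2024, 2, 7), 250.0, 0.0),
    Encounter("E4", "P3", date(2024, 2, 10), 180.0, 180.0),
    Encounter("E5", "P3", date(2024, 3, 15), 180.0, 180.0),  # needs its own request
]
```

Running `build_claim_batch(ENCOUNTERS, RESTRICTIONS)` holds E1 and E4 (E4 stays held because its PHI predates the termination) and releases E2, E3 and E5.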
Enforcement and Consequences
While OCR has not pursued the self-pay restriction with the same volume of cases as the right of access, the risk is real. A patient whose restricted information is disclosed to an insurer — especially for sensitive services — has a clear basis for an OCR complaint. The violation is straightforward to prove: the patient paid in full, requested the restriction, and the practice disclosed the information anyway. Practices that lack a documented restriction process are particularly vulnerable.
Building restriction handling into your standard intake workflow, training your staff to recognize self-pay restriction requests, and auditing your billing systems for compliance are the most effective preventive measures.
Frequently Asked Questions
If a patient self-pays and requests a restriction, can I still report the encounter to a public health authority?
Yes. The self-pay restriction under 45 CFR 164.522(a)(1)(vi) applies only to disclosures to health plans for payment or healthcare operations. Required disclosures for public health, law enforcement, or other legally mandated purposes are not affected by a patient’s restriction request.
What if the patient only partially pays at the time of the visit?
The mandatory self-pay restriction requires that the patient pay “out of pocket, in full” for the item or service. If the patient makes a partial payment and you intend to bill their insurer for the remainder, the mandatory restriction does not apply. However, the patient may still make a general restriction request, which you are not required to honor.
Does the self-pay restriction apply to subsequent related visits?
The restriction applies only to the specific healthcare item or service for which the patient self-paid in full. A follow-up visit billed to insurance is a separate encounter and is not covered by the prior restriction. Each encounter for which the patient wants to exercise this right must involve full self-payment and a new restriction request.
Can a health plan require us to disclose information that a patient has restricted?
No. The HITECH self-pay restriction overrides a health plan’s contractual rights to the information. If the patient has met the conditions (paid in full and requested the restriction), you are legally prohibited from disclosing the restricted information to the health plan, regardless of your participation agreement with that plan.