45 CFR 164.522 Explained: Your HIPAA Rights to Request Restrictions and Confidential Communications

Kevin Henry

HIPAA

January 03, 2026

45 CFR 164.522, a core provision of the HIPAA Privacy Rule, gives you specific control over how your Protected Health Information (PHI) is used, disclosed, and communicated. These rights apply to any Covered Entity—health care providers, health plans, and health care clearinghouses—that handles your PHI.

This guide explains your right to request restrictions on uses and disclosures, the special rule for disclosures to health plans after an Out-of-Pocket Payment, how Emergency Treatment affects restrictions, and how to request Confidential Communications at alternative locations or by alternative means.

Right to Request Restrictions on Uses and Disclosures

You may ask a Covered Entity to restrict how it uses and discloses your PHI for treatment, payment, and Health Care Operations, as well as disclosures to family, friends, or others involved in your care. While entities generally are not required to agree, any accepted restriction becomes binding under the HIPAA Privacy Rule.

What you can ask to be restricted

  • Uses and disclosures for payment (for example, billing details shared with a payer).
  • Uses and disclosures for Health Care Operations (such as quality review or audits).
  • Disclosures to individuals involved in your care or payment for care.

If a restriction is accepted

  • The Covered Entity must not use or disclose the restricted PHI except as allowed for Emergency Treatment or when otherwise required by law.
  • Systems and staff should be alerted so your restriction is honored across workflows and by relevant business associates.

How to request a restriction

  • Submit a clear, written request to the Covered Entity’s privacy office (ask for the HIPAA restriction form if available).
  • Identify the exact PHI, encounter, provider, or date range you want restricted, and specify to whom the restriction applies.
  • Keep copies of your request and any confirmation for your records.

Ending a restriction

  • You may withdraw a restriction in writing (or orally if the entity documents it).
  • A Covered Entity may terminate a previously accepted restriction prospectively after informing you; the change cannot retroactively remove protections for PHI already covered.

Disclosure to Health Plans

When you or someone on your behalf makes an Out-of-Pocket Payment in full for a specific item or service, you can require the provider not to disclose PHI about that fully paid service to your health plan for payment or Health Care Operations. This is the one restriction a provider must accept if the conditions are met and no law requires the disclosure.

Key conditions and limits

  • The restriction applies only to PHI for the item or service you paid for in full.
  • It blocks disclosures to the health plan for payment and Health Care Operations; it does not restrict disclosures for treatment or those required by law.
  • The restriction binds only the Covered Entity that received your request (and its business associates). You must make separate requests to other providers, such as outside labs or imaging centers.

How to use this right effectively

  • Before the visit, tell registration and billing that you intend to self-pay in full and request the “do not bill plan” restriction for that service.
  • Ask that the encounter be segregated or flagged so no claim or post-visit batch file is sent to the plan.
  • Pay the full allowed amount and keep receipts; if any balance remains, the restriction may not apply.

Emergency Situations Handling

If a restriction is in place but Emergency Treatment requires access to your restricted PHI, a Covered Entity may disclose what is necessary to ensure your care. After the emergency, the entity should request that the treating provider not further use or disclose the restricted information, and your original restriction remains in effect going forward.

Example: You restricted sharing certain test results. In the ER, those results are disclosed to prevent a drug interaction. Once stabilized, the restriction resumes, and staff must continue to honor it.

Right to Request Confidential Communications

Separate from restrictions, you can require Confidential Communications—having PHI sent by alternative means or to alternative locations. For example, you may direct bills or appointment reminders to a different mailing address, email, portal inbox, or phone number.

  • Health care providers must accommodate any reasonable request for Confidential Communications.
  • Health plans must accommodate reasonable requests when you clearly state that disclosure could endanger you (for instance, to avoid revealing sensitive services to a policyholder).

Making an effective request

  • Submit the request in writing and specify the exact alternative address, number, or method (e.g., email, portal, voicemail).
  • Indicate what types of PHI or communications the request covers (claims, EOBs, bills, reminders, test results).
  • If communicating with a health plan, include a clear statement that disclosure to the usual address could endanger you.

Conditions on Confidential Communication Requests

Covered Entities may apply limited conditions to ensure they can reach you and handle payment without exposing your PHI. They may not demand an explanation of why you want confidentiality beyond what HIPAA allows for health plans.

  • They may require your request in writing and ask you to specify an alternative address or contact method.
  • They may ask how payment will be handled, when relevant, so billing does not reveal PHI at the usual address.
  • Health plans may require a statement that disclosure could endanger you; providers may not require any such statement.

Covered Entity Obligations

Once a restriction is accepted—or required after an Out-of-Pocket Payment—the Covered Entity must implement it, update systems and workflows, and train workforce members to prevent prohibited disclosures. For Confidential Communications, it must route communications exactly as requested and maintain accurate contact details.

Entities should document all requests and decisions, flag records in the EHR, and ensure business associates observe applicable restrictions. If a restriction is later terminated, entities must notify you and apply the change prospectively only.
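As an added illustration (not code from the article or from Accountable), the following Python disclosure gate models the rules described above before a claim, batch file or audit extract leaves the entity: the self-pay restriction a provider must accept, the treatment, emergency and required-by-law carve-outs, and prospective-only termination. All class names, fields and sample values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PLAN_BLOCKED = frozenset({"payment", "operations"})   # purposes blocked toward the plan

@dataclass(frozen=True)
class Restriction:
    encounter_id: str
    recipient: str                        # who may not receive the PHI, e.g. "health_plan"
    purposes: frozenset                   # purposes this restriction blocks
    accepted: bool                        # agreed voluntarily, or required (self-pay)
    terminated_on: Optional[str] = None   # ISO date the entity ended it; prospective only

@dataclass(frozen=True)
class Disclosure:
    encounter_id: str
    recipient: str
    purpose: str                          # "treatment", "payment" or "operations"
    phi_created_on: str                   # ISO date; ISO strings compare chronologically
    emergency_treatment: bool = False
    required_by_law: bool = False

def self_pay_restriction(encounter_id: str, paid_in_full: bool) -> Optional[Restriction]:
    """The one restriction a provider must accept: no payment/operations
    disclosure to the plan for an item or service paid out of pocket in full."""
    if not paid_in_full:          # any remaining balance: the duty does not attach
        return None
    return Restriction(encounter_id, "health_plan", PLAN_BLOCKED, accepted=True)

def disclosure_allowed(d: Disclosure, restrictions: Iterable[Restriction]) -> Tuple[bool, str]:
    """Gate each outbound disclosure (claim, batch file, audit pull) before it leaves."""
    if d.required_by_law:
        return True, "disclosure required by law"
    if d.purpose == "treatment" or d.emergency_treatment:
        return True, "treatment and emergency treatment are not restricted"
    for r in restrictions:
        if not r.accepted or r.encounter_id != d.encounter_id:
            continue
        if r.recipient != d.recipient or d.purpose not in r.purposes:
            continue
        if r.terminated_on and d.phi_created_on >= r.terminated_on:
            continue              # PHI created after termination is no longer covered
        return False, f"blocked by restriction on encounter {r.encounter_id}"
    return True, "no applicable restriction"
```

The gate fails closed whenever an accepted restriction matches, and the termination check keeps PHI created before the termination date protected, which is the prospective-only behaviour the section describes.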

Key takeaways

  • 45 CFR 164.522 empowers you to shape how your PHI is used, disclosed, and communicated.
  • Providers must accept your “do not disclose to the plan” request when you pay in full Out-of-Pocket for a service, unless disclosure is required by law.
  • Emergency Treatment can temporarily override a restriction to protect your health, but the restriction resumes afterward.
  • Confidential Communications let you choose where and how you receive PHI; providers must accommodate reasonable requests, and plans must do so when endangerment is stated.

FAQs

What rights does 45 CFR 164.522 grant individuals regarding PHI?

You can request restrictions on certain uses and disclosures of your PHI and require Confidential Communications by alternative means or at alternative locations. If a provider accepts a restriction, it must follow it, and providers must accept a restriction that prevents disclosure to a health plan when you pay Out-of-Pocket in full for a specific service unless disclosure is required by law.

How can individuals request restrictions on disclosures?

Send a written request to the Covered Entity’s privacy office. Specify the PHI, encounter, or service; identify to whom the restriction applies; and state whether it includes payment or Health Care Operations. Keep copies of your request and any acceptance confirmation.

Are covered entities required to agree to all restriction requests?

No. Covered Entities generally may decline, but a provider must agree not to disclose PHI to a health plan for payment or Health Care Operations when you pay Out-of-Pocket in full for that item or service and no law requires the disclosure.

What conditions apply to requests for confidential communications?

Requests may need to be in writing and must specify an alternative address or method, plus how payment will be handled if relevant. Providers must accommodate reasonable requests. Health plans must accommodate reasonable requests when you state that disclosure could endanger you; they may require that endangerment statement but cannot demand other explanations.
