Patients' Rights for Restrictions When Paying Out-of-Pocket


September 4, 2013 – On September 23, 2013, the Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Under the HITECH/GINA Acts (Final Rule) will be in effect for patients who pay for a service out-of-pocket in full and instruct the provider not to disclose PHI associated with that service to their health plan.


AdvantEdge published information on this rule in our Compliance Alert issued in May 2013, in our Summer 2013 Leading Edge Newsletter, and yesterday through our new Ask Jean: Compliance Q & A to inform our clients of their and our obligation to enforce this ruling. The Compliance Alert suggests detailed processes you may put in place to inform AdvantEdge of these patients' services.


AdvantEdge has contacted all our clients with regard to this ruling via our updated Business Associate Agreement (BAA). The italicized paragraph below is the contract language from the AdvantEdge BAA:


(i) Subject to receiving notice as described below, Business Associate [AdvantEdge] agrees to abide by any restriction on the use or disclosure of PHI agreed to by Covered Entity [Client], including without limitation agreements required by HIPAA not to disclose an item or service paid for entirely out-of-pocket by an individual to a Health Plan for payment or health care operations purposes, unless such disclosure is required by law. Covered Entity acknowledges that, in the view of Business Associate’s obligation to promptly submit claims in accordance with the Service Agreement, such notice must be promptly provided to Business Associate in writing. Covered Entity will reimburse Business Associate for reasonable labor and materials costs incurred in special processing necessary to comply with any such agreed upon restriction.


We want to stress that billing such a service to the patient's health plan would be an unauthorized disclosure constituting a breach. This may subject the provider and/or AdvantEdge to a penalty, which could be quite substantial if the OCR (Office of Civil Rights) determines the conduct was reckless (usually due to incomplete or non-compliant HIPAA privacy and security policies).


It is imperative that each provider practice work with AdvantEdge to devise a process to inform us of patients who paid out-of-pocket in full and who do not want their health insurance carrier informed of the services they received from you.


If you have any questions or need help setting up a protocol to comply with this ruling, please contact your Client Manager or contact our Chief Compliance Officer, Jeanne Gilreath at


A link to the final rule is provided here;