HIPAA-potamus Adventures



Federal law protects the privacy of your medical records, but those restrictions create problems for powers of attorney, trusts, shareholder agreements and other business and estate planning documents where changes are dependent on demonstrating that an agent, shareholder or other person is disabled.


What is HIPAA:

HIPAA is the affectionate acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA, as amended (it takes multiple efforts to perfect such complexity), protects your rights to your medical info, "Protected Health Information," or PHI for short. HIPAA assures you access to your medical information, while simultaneously preventing others who should not have access to it from obtaining it. These rules have broad implications to a wide range of personal, estate planning, and business transactions.


Why It's So Important:

Addressing HIPAA, and how your medical info should be disclosed generally, are vitally important. If you're ill, can your daughter-in-law, the genius doc, get to see your patient chart to monitor your care? If you're a successor trustee, and the current trustee is forgetting to pay insurance premiums and respond to correspondence, can you replace her? If your partner is disabled and you need to take over your professional practice, how can you obtain the requisite physician letter mandated in your shareholders' agreement to demonstrate his incompetence and trigger the replacement provision? HIPAA needs to be addressed.


What a Medical Provider ("Covered Entity") Must Do:

Any organization (health plan, health care provider, or health clearing house) that routinely handles PHI in any capacity is probably characterized as a "covered entity". A covered entity must provide info to its patients about their privacy rights and how their PHI can be used (notice of privacy practices). It must adopt clear and appropriate privacy policies and procedures for its practice, hospital, or plan. It must train its workforce to understand its privacy procedures. A covered entity must designate a privacy officer responsible for assuring that privacy procedures are adopted and followed. A covered entity must also adopt adequate security procedures for patient records containing individually identifiable PHI.


When Info Can Be Disclosed:

Your health info should be disclosed for medical treatment, payment, and health care operations (no authorization or release is needed). Your medical info should be disclosed to you (prior to HIPAA a patchwork of state and local rules governed this). Your personal representative should have access to your info. A court can order disclosure. The Secretary of the Department of Health and Human Services can access health info for enforcement purposes.


When Info May Not Be Disclosed:

If your doc or other health care professional believes that the disclosure of your health info might endanger your life, jeopardize your physical safety, or cause you or another person (e.g., someone else mentioned in your records) substantial harm, they can refuse in their professional judgment to disclose the info (what third party investor group just bought a big insurance policy on you?).


What Info Can Be Disclosed:

Not all information has to be disclosed. Medical providers should only disclose the minimum info necessary to achieve the purpose of the requested disclosure. To protect and limit the scope of what is disclosed, any document you execute directing disclosure should clearly delineate the specific purpose of the disclosure, so that the minimum necessary can be determined. On the other hand, if you're looking to have a child help you with medical decisions, you may expressly want no limit. In such cases broad authorization to release all info should be stated. Be careful with a "standard" authorization for the release of PHI: it may be too broad, or too narrow, depending on your objectives.


Mental Health Info:

Psychotherapy notes are not required to be released. 45 CFR 164.524(a)(1). So don't worry Tony, Dr. Jennifer Melfi's notes are safe (even when you asked her out while separated from Carmela!).


Empowering an Agent to Release Your PHI:

There are a myriad of circumstances in which you might want to have an agent ("personal representative" in HIPAA jargon) act on your behalf with regard to HIPAA matters, including authorizing the release of your PHI. 45 CFR 164.502(g)(2). A personal representative can act with the same authority as if he or she were standing in your shoes. A key issue affecting a myriad of planning issues and documents is what is required of someone to be your HIPAA Personal Representative. "In general, the scope of the personal representative's authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual". This definition is quite nettlesome. If a person has broad authority to make health care decisions for another person, such as a parent for a minor child or a legal guardian for an incompetent adult, that person should generally be treated as stepping into the shoes of the minor or ward for HIPAA purposes. Exceptions may apply in instances of abuse or if state law provides to the contrary. "Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation."


Can Your Agent Under Your Power of Attorney Be Your Personal Representative:

Your agent under your financial power of attorney is not always clearly empowered to make health care related decisions. Although paying medical bills may constitute making decisions related to health care, is it sufficient? The ability to obtain PHI will be limited to those matters pertaining to paying medical bills. How broad a medical decision-making authority should an agent under a power of attorney be granted? At what point might the financial agent's authority conflict with your health care agent's? If the only health care decision is the payment of medical bills, is that sufficient? For example, if an agent is to make the financial decisions as to which health care facility to pay for, will the agent be entitled to adequate disclosures to make the decision?


Your Executor is Your HIPAA Personal Representative:

An executor of an estate has authority to act on behalf of the decedent with respect to PHI.


Can a Successor Trustee be Your Trustee's Personal Representative:

In the context of a trust agreement, a mechanism could be included mandating that all trustees grant a limited authorization to successor trustees for the purpose of determining if they, the predecessor trustee, are unable to serve, or that those serving as a trustee must, as a condition of serving, provide a release of their PHI to the successor trustees named or appointed under the particular trust. A HIPAA release authorization must acknowledge that the person giving it (i.e., the trustee) can revoke it. There is no assurance it won't be revoked and the mechanism defeated. Perhaps the trust could provide that if the trustee revokes it, then that revocation constitutes a termination of the trustee's position as a trustee. What of the requirement that the successor trustee make health care decisions for the predecessor trustee for the successor to be characterized as the predecessor trustee's HIPAA personal representative? The successor would be granted the authority to make one decision that could be characterized as health care related, specifically, whether the predecessor trustee was mentally and physically capable of serving as trustee. If this constitutes a sufficient health care decision then the authorization requirements of 45 CFR 164.508 may be met. Further, to minimize the offense to any person agreeing to serve as trustee, the medical disclosures could be limited to the minimum information necessary to make this determination. This process raises another issue in that the trust document itself might have to be disclosed. To address this, a separate trustee authorization document could be created, or a memorandum of trust expressly authorized, that embodies the HIPAA related mechanisms.



HIPAA affects a broad range of personal, financial, health care and estate planning transactions. Almost every key estate document, and many key business documents, need to address HIPAA disclosure issues to assure that various trigger mechanisms (succession of fiduciaries, determinations of disability, etc.) can be triggered. The issues, drafting and planning are quite complex.
