Federal law protects the privacy of your medical records, but the restrictions it creates can cause problems for powers of attorneys, trusts, shareholder agreements and other business and estate planning documents where changes are dependent on demonstrating that an agent, shareholder or other person is disabled.
HIPAA is the affectionate acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA, as amended (it takes multiple efforts to perfect such complexity), protects your rights to your medical information, “Protected Health Information,” or PHI for short. HIPAA assures you have access to your medical information, while simultaneously preventing others who should not have access to it from obtaining it. These rules have broad implications to a wide range of personal planning, estate planning, and business transactions.
Addressing HIPAA, and, in general, how your medical information should be disclosed, are vitally important. If you are ill, can your daughter-in-law, who happens to be a genius doctor, get to see your patient chart to monitor your care? If you are a successor trustee, and the current trustee is forgetting to pay insurance premiums and respond to correspondence, can you replace her? If your partner is disabled, and you need to take over your professional practice, how can you obtain the requisite physician letter mandated in your shareholders’ agreement to demonstrate his incompetence to trigger the replacement provision? HIPAA needs to be addressed.
Any organization (health plan, health care provider, or health clearing house) that routinely handles PHI in any capacity is probably characterized as a “covered entity”. A covered entity must provide information to its patients about their privacy rights, and how their PHI can be used (notice of privacy practices). It must adopt clear and appropriate privacy policies and procedures for its practice, hospital, or plan. It must train its workforce to understand its privacy procedures. A covered entity must designate a privacy officer responsible for assuring that privacy procedures are adopted and followed. A covered entity must also adopt adequate security procedures for patient records containing individually identifiable PHI.
Your health information should be disclosed for medical treatment, payment, and health care operations (no authorization or release is needed). Your medical information should be disclosed to you (prior to HIPAA a patchwork of state and local rules governed this). Your personal representative should also have access to your information. A court can order disclosure. The Secretary of the Department of Health and Human Services can access health information for enforcement purposes.
If your doctor or other health care professional believes that the disclosure of your health information might endanger your life, jeopardize your physical safety, or cause you or another person (e.g., someone else mentioned in your records) substantial harm, they can refuse in their professional judgment, to disclose the information (such as what third party investor group just bought a big insurance policy on you?).
Not all information has to be disclosed. Medical providers should only disclose the minimum amount of information necessary to achieve the purpose of the requested disclosure. To protect and limit the scope of what is disclosed, you should clearly delineate, in any document you execute directing disclosure the specific purpose of the disclosure so that this can be determined. On the other hand, if you are looking to have a child help you with medical decisions, you may expressly want no limit. In such cases broad authorization to release all information should be stated. Be careful with “standard” authorization for the release of PHI, it may be too broad, or too narrow, depending on your objectives.
Psychotherapy notes are not required to be released. 45 CFR 164.524(a) (1). So don’t worry Tony, Dr. Jennifer Melfi’s notes are safe (even when you asked her out while separated from Carmela!).
There are a myriad of circumstances in which you might want to have an agent (“personal representative” in HIPAA jargon) act on your behalf with regard to HIPAA matters, including authorizing the release of your PHI. 45 CFR 164.502(g) (2). A personal representative can act with the same authority as if he or she were standing in your shoes. A key issue affecting a myriad of planning issues and documents is what is required of someone to be your HIPAA Personal Representative. “In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual.” This definition is quite nettlesome. If a person has broad authority to make health care decisions for another person, such as a parent for a minor child, or a legal guardian for an incompetent adult, that person should generally be treated as stepping into the shoes of the minor or ward for HIPAA purposes. Exceptions may apply in instances of abuse, or if state law provides to the contrary. “Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation.”
Your agent under your financial power of attorney is not always clearly empowered to make health care related decisions. Although paying medical bills may constitute making decisions related to health care, is this financial power sufficient to make other health-related decisions? The ability to obtain PHI will be limited to those matters pertaining to paying medical bills. How broad of a medical decision making authority should an agent under a power of attorney be granted? At what point might the financial agent’s authority conflict with your health care agents? If, for example, an agent is to make the financial decisions as to which health care facility to pay for, will the agent be entitled to adequate disclosures to make the decision?
An executor of an estate has authority to act on behalf of the decedent with respect to PHI.
In the context of a trust agreement, a mechanism could be included mandating that all trustees grant a limited authorization to successor trustees for the purpose of determining if they, the predecessor trustee, are unable to serve, or that those serving as a trustee must, as a condition of serving, provide a release of their PHI to the successor trustees named or appointed under the particular trust. A HIPAA release authorization must acknowledge that the person giving it (i.e., the trustee) can revoke it. There is no assurance it will not be revoked and the mechanism defeated. Perhaps the trust could provide that if the trustee revokes it, then that revocation constitutes a termination of the trustee’s position as a trustee. What if the requirement that the successor trustee makes health care decisions for, the predecessor trustee for the successor, is to be characterized as the predecessor trustee’s HIPAA personal representative? The successor would be granted the authority to make one decision that could be characterized as health care related, specifically, whether the predecessor trustee was mentally and physically capable of serving as trustee. If this constitutes a sufficient health care decision then the authorization requirements of 45 CFR 164.508 may be met. Furthermore, to minimize the offense to any person agreeing to serve as trustee, the medical disclosures could be limited to the minimum information necessary to make this determination. This process raises another issue in that the trust document itself might have to be disclosed. To address this, a separate trustee authorization document, or a memorandum of trust expressly authorized, that embodies the HIPAA related mechanisms could be created.
HIPAA affects a broad range of personal, financial, health care and estate planning transactions. Almost every key estate document, and many key business documents, needs to address HIPAA disclosure issues to assure that various trigger mechanisms (succession of fiduciaries, determinations of disability, etc.) can be triggered. The issues, drafting and planning are quite complex.
Subscribe to our email list to receive information on consumer webcasts and blogs, for practical legal information in simple English, delivered to your inbox. For more professional driven information, please visit Shenkman Law to subscribe.