You might have heard of a federal law entitled the Health Insurance Portability and Accountability Act, commonly referred to as “HIPAA”. Pursuant to HIPAA, the United States Department of Health and Human Services (“DHHS”) enacted regulations concerning the privacy of medical records (“Privacy Rules”). The Privacy Rules enacted by the DHHS apply to individually identifiable health information, defined by the Privacy Rules as “Protected Health Information” (“PHI”). The Privacy Rules attempt to provide national standards for the protection of your PHI.
The Privacy Rules have a big impact on your powers of attorney. These rules are complicated and subject to many exceptions. Even though the Privacy Rules attempt to provide a national standard regarding PHI, they also take into account each state’s own individual laws with respect to a patient’s medical records and the laws regarding the release of PHI. In interpreting the Privacy Rules each state’s individual rules regarding the release of PHI must also be reviewed.
An individual’s right to privacy concerning their individual medical records has been enhanced. However, the entities impacted by HIPAA and the Privacy Rules have been burdened by the implementation of these statutes and rules. The Privacy Rules provide for a fine of One Hundred Dollars ($100.00) even upon an innocent mistake, to be imposed by the DHHS. Additionally, if the release of PHI was found to be egregious, criminal penalties can be enforced by the United States Department of Justice. Due to the penalties that can be levied upon an entity, even for a minor, inadvertent error, the entities are much more hesitant regarding the release of PHI.
The entities that are covered by the Privacy Rules are: health plans, health care clearing houses, and health care providers (“Covered Entities”). The Privacy Rules also impact business associates such as lawyers and accountants. The Covered Entities are charged with the implementation and interpretation of the Privacy Rules.
How Do The Privacy Rules Impact Your Powers of Attorney?
The document used to name someone to act on your behalf is a power of attorney. The Privacy Rules allow you to name an individual to make health care decisions on your behalf. The grant of authority in a power of attorney can either be very broad or limited in scope.
According to the Privacy Rules, an individual named under a power of attorney to make decisions on your behalf is called a “Personal Representative”. Typically we associate the term Personal Representative with someone acting on behalf of a deceased individual in the probate courts. The Privacy Rules coined the term Personal Representative to mean someone acting on your behalf while you are disabled or can no longer make health care decisions for yourself. A Personal Representative would be the person you would associate to be the attorney-in-fact acting under a power of attorney.
The Privacy Rules regarding Covered Entities treat the individual the same as if the individual were making the request himself. As defined by 45 C.F.R. §164.502, “As specified in this paragraph, a covered entity must . . . treat a Personal Representative as the individual for purposes of this subchapter.” The Personal Representative stands in the shoes of the disabled person and acts on his or her behalf.
The Privacy Rules state that the grant of authority under a healthcare power of attorney to make healthcare decisions for artificial life support is limited in its scope. The release of information is therefore limited by the Covered Entities. The Privacy Rules categorize the power of attorney for healthcare decisions regarding artificial life support as a limited health care power of attorney; specific only to artificial life support. The Privacy Rules therefore state that a Covered Entity should not treat the Personal Representative the same as the individual because the authority, pursuant to the Privacy Rules, was limited in scope. This is probably contrary to the person’s intentions.
When attempting to obtain medical records under a power of attorney, many of my clients have run into problems because the Covered Entity has rejected the power of attorney. The Privacy Rules specifically state that the attorney-in-fact named under a power of attorney is the “Personal Representative”, however, when a request is made for medical records, the request is usually reviewed by an individual in the medical records department. Even though the Privacy Rules give the Personal Representative appointed under the power of attorney the authority to access the medical records, if the specific term “Personal Representative” does not appear in the power of attorney, the request is very often denied. The Privacy Rules do not attempt to repeal the authority granted in powers of attorney, however, in practical applications the person reviewing the document is hesitant to release the information due to the fines and other penalties which can be levied under the Privacy Rules. Also, problems with rising malpractice insurance costs for health care providers result in Covered Entities being extremely hesitant to release PHI under a power of attorney.
A Practical Answer
I attended a seminar which was conducted by an in-house counsel for a local hospital. The answer proposed by him is that to satisfy the clerk reviewing the request it is necessary to execute powers of attorney specifically referencing the term Personal Representative as coined under the Privacy Rules. In order to do that, new powers of attorney would need to be drafted on each client’s behalf in order to ensure that a request for PHI will be accepted by a Covered Entity. I am therefore recommending to my clients that they execute new healthcare powers of attorney. Inasmuch as healthcare powers of attorney are now limited in scope pursuant to the Privacy Rules, a new general durable power of attorney should also be executed to ensure the release of PHI. The practical answer of executing new powers of attorney avoids the problem of the “law of the clerk”. Now the person who reviews the request can be satisfied that your Personal Representative has the authority to make the request for PHI. I would invite you to call my office if you would like to schedule a time to execute powers of attorney.
For further information or a full copy of the Privacy Rules, please visit the DHHS website.