I am continuing my explanation of incapacity documents. In this post I will discuss the HIPAA Authorization, and why we prepare one for every estate plan.
Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA, in 1996. The U.S. Department of Health and Human Services then created the HIPAA Privacy Rule as a set of standards to implement the requirements of HIPAA. The Privacy Rule permits you to control the use and disclosure of your Protected Health Information (“PHI”). PHI includes information that relates to your past, present, or future physical or mental health or condition, health care, or payment for health care. There are several different “identifiers” that constitute PHI. They include everything from your name to your license plate number.
The Privacy Rule requires covered entities to treat your personal representative just as they would treat you. A personal representative is anyone who has authority to act on your behalf under state law. So, if someone has the power to make decisions under your Health Care Power of Attorney (“HCPOA”), he or she is considered a personal representative. But if your HCPOA names an Agent who may act only when you are unable to make decisions, that person is not considered a personal representative until his or her authority springs into effect. Covered entities may also disclose PHI to an individual pursuant to a written authorization that complies with several requirements specified in the rule. If you have neither named an Agent under a HCPOA nor signed such an authorization, then a guardian with the authority to make health care decisions or the default decision-maker under state law will be considered a personal representative.
There are also safeguards built into the Privacy Rule in the case of abuse or neglect. A health care provider is not required to disclose your PHI if the provider reasonably believes that you have been or may be the victim of domestic violence, abuse, or neglect by a person authorized to receive the information, and that such disclosure would not be in your best interest. The rule also permits covered entities to disclose reports of child abuse or neglect to public health authorities or other appropriate government authorities as authorized under state law.
Based on this background, there are two reasons why we prepare a separate HIPAA Release. First, you may wish to allow certain people to receive information without giving them the authority to make decisions. For instance, you may wish to give a child in college or the spouse of an older child the authority to talk to your doctors, but not the authority to make health care decisions. The second reason is that you may want someone to have access to your PHI before your HCPOA becomes effective. Determining when you no longer have the ability to make decisions is not always easy. You may be able to maximize autonomy and control by involving a trusted family member or friend in the process of making health care decisions as you age. It is also a good idea to consider giving that person the authority to talk with your doctors and other professional advisors if it appears that you could be in danger of exploitation or other harm. It is best to make that decision now, while you possess your full faculties.