How to eat a HIPAA:
Medical Records and the Elder Law Attorney
September 30, 2003

 
 
The privacy rules associated with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (See Note 1 below) became effective on April 14, 2003. (See Note 2) Apparently, HIPAA is here to stay and we must learn how to deal with it. HIPAA impacts how patients and caregivers communicate with the medical community, how we, as Elder Law Attorneys, communicate with the medical community, and how we advise our clients. What can we, as attorneys, do to better prepare our clients for these inevitable conversations? How we can help our clients is the focus of this article. (See Note 3).

The easiest way to deal with HIPAA is to take it apart one piece at a time and examine it. The patient’s concerns are two-fold. First, the purpose of HIPAA is to preserve privacy. Second, the patient has an interest in accessing the information she needs to participate in the health care decision-making process.

As detailed in An Overview: What is HIPAA, the Rule was designed to stop inappropriate use and disclosure of protected health information (PHI). Under the Rule, a covered entity may not use or disclose PHI except as permitted or required. 45 C.F.R. § 164.502. Releases from the Department of Health and Human Services (DHHS) indicate HIPAA allows the patient to control certain uses and access to PHI. (See Note 4) “If you believe that a person, agency or organization covered under the HIPAA Privacy Rule violated your (or someone else's) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the Office for Civil Rights (OCR).” (See Note 5). OCR’s Health Information Privacy Complaint Form is available on its website. (See Note 6).

Unfortunately, privacy has a price. The Rule complicated how patients and caregivers communicate with health care providers and how they access treatment information. Essentially, there are two groups of persons seeking access to medical records. The first group consists of patients and surrogate decision-makers. The second group consists of information seekers. In the elder care setting, both groups may need the assistance of legal counsel to open the door for communications with health care providers.

Health Care Decision-Makers:

Under the Rule, “an individual has a right of access to inspect and obtain a copy of PHI about the individual.” 45 C.F.R. § 164.522(a)(1). (See Note 7) Surrogate decision-makers, known as “Personal Representatives,” must be treated as individuals under the Rule. 45 C.F.R. § 164.502(g)(1). As such, they have the same right to access medical records that individuals have under State law. The defining guide is decision-making capacity. “If under applicable [State] law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this [Rule] with respect to PHI relevant to such personal representative.” 45 C.F.R. § 164.502(g)(2). Personal representatives include persons holding valid health care powers of attorney, guardians, and others who have the power to make health care decisions. In abuse situations, a health care provider may refuse to treat a personal representative as such, 45 C.F.R. § 164.502(g)(5); however, a denial of access premised on that ground is subject to review. 45 C.F.R. § 164.524(a)(3)(iii).

Information Seekers:

Information seekers without decision-making capacity comprise the second group. This second group includes a subgroup of persons who have the same rights of access as the individual: executors and administrators. 45 C.F.R. § 164.502(g)(4). However, most persons who seek information are family members, attorneys and other professionals who cannot participate in the health care decision-making process. Persons the Elder Law Attorney may be asked to assist include concerned family members who may not have a health care power of attorney, or persons other than the designated guardian. During the patient’s lifetime, non-decision-makers may not access PHI without a release that is consistent with 45 C.F.R. § 164.508(b). (See Note 8).

Practical Considerations:

Powers of Attorney. HIPAA does not change the way health care decision-making power is conferred. However, a failure to comply with applicable State law may preclude access to health care information, so care must be used in drafting and in executing powers of attorney. (See Note 9). A power drawn carelessly, or executed improperly, may be ineffective.

In his article, Thomas Murphy discusses springing powers of attorney. (See Note 10). Unless the law in your State requires the use of a springing health care power of attorney, springing health care powers should be avoided. The decision-maker’s right of access hinges on what may be obvious: the right to direct medical treatment. Thus, holding a springing power, particularly one requiring a medical showing of incapacity, may be like having a gun with no trigger. Where springing powers cannot be avoided, other triggering mechanisms should be used if possible, such as designating a majority of specified acquaintances as having authority to trigger the power. Alternatively, the agent should be given a HIPAA compliant release that can be used to communicate with health care providers for the purpose of triggering the power.

If the agent should have broad access to the principal’s PHI, then health care powers of attorney should be drafted carefully to permit that access. The Rule limits access to “PHI relevant to such personal representative.” 45 C.F.R. § 164.502(g)(2). DHHS interprets the Rule narrowly, providing the following example: “If a husband has authority only to make health care decisions about his wife in an emergency, he would have the right to access PHI related to that emergency, but he may not have the right to access information about treatment that she had ten years ago.” See Standards for Privacy of Individually Identifiable Health Information, 65 F.R., 82462, 82634 (12/28/00).

Guardians and Conservators. Orders appointing a Guardian or Conservator should be drawn to expressly grant access to PHI. While this may not be required to grant health care decision-making authority, it will provide clarity for health care providers who are struggling with what HIPAA means.

Concerned Family Members. Frequently, Elder Law Attorneys counsel families who have made the hard decision of “admitting Mom to a nursing home.” In the context of this representation, they advise family members to visit Mom frequently to ensure that she receives appropriate treatment. Many of these visitors will not have decision-making authority and will not be deemed a personal representative. Although HIPAA allows the health care provider to disclose information to attending family members (45 C.F.R. § 164.510(b)(1)(i)), many providers will err on the side of maintaining privacy in light of sanctions that could be imposed if the Rule is violated. Accordingly, Elder Law Attorneys should counsel clients and discuss with them whether it is appropriate to provide these caregivers with access to medical records. If so, each caregiver responsible for “checking on Mom” should be given a HIPAA compliant release.

Attorneys and Other Professionals. Frequently attorneys and other professionals need access to client PHI. It may be appropriate, depending on the type of representation, to secure a HIPAA release during client intake that will enable the attorney to secure necessary documents.

Complaints. Recently Richard Campanelli, Director of OCR, was interviewed. (See Note 11). Since April 14, 2003, approximately 1,300 HIPAA complaints have been filed. “The most common complaint is about access to records.” The health care community is still struggling with what HIPAA means and the circumstances under which PHI may be disclosed. Campanelli states: “People need to understand that access to records is required, and they often don’t know it. We call and say, ‘We’re from OCR, and there was a complaint that a person was not given access to medical records when they should have been.’” Thus, after access to PHI is denied, the Elder Law Attorney should first review the documentation used to request the PHI. If, on review, the I’s were dotted and the T’s were crossed, then appropriate “alternative dispute resolution” techniques should be used. (See Note 12). If access is still denied, then the Elder Law Attorney should consider engaging the complaint process.

Conclusion

On September 23, 2003, the U.S. Senate Special Committee on Aging held hearings regarding HIPAA’s impact. (See Note 13). There, Richard Campanelli reiterated that HIPAA was not designed to preclude communication between concerned family members and health care providers. Campanelli invited members of Congress to intercede as necessary on the part of constituents. Patient advocates should similarly pave the way to appropriate communications.

As stated in An Overview: What is HIPAA, the Rule is a shield. It is not a sword that health care providers may use to deny access to PHI. The prior analogy, however, may have been too simplistic. For Elder Law Attorneys, HIPAA is more like a lock securing a private room. Appropriate drafting is the key that will open the door for persons who need access to protected health information.

Reference Notes:
1. Public Law 104-191; 42 U.S.C. § 1320d to 1320d-8. The HIPAA regulations are found at 45 C.F.R. § 164.500 to 164.534. In this Article, the regulations are collectively referred to as “the Rule” or as “the Privacy Rule.”
2. Technically, the privacy rule was effective April 14, 2001, but health care providers were given until April 14, 2003 to become compliant. See 45 C.F.R. § 164.534(a).
3. For a background on HIPAA, see D. McGuffey, An Overview: What is HIPAA (June 24, 2003), available at www.mcguffey.net/HIPAA.pdf.
4. See, e.g., OCR HIPAA Privacy: Personal Representatives (December 3, 2002, revised April 3, 2003).
5. OCR, How to File a Health Information Privacy Complaint with the Office for Civil Rights, http://www.hhs.gov/ocr/privacyhowtofile.htm.
6. http://www.hhs.gov/ocr/howtofileprivacy.pdf
7. Exceptions to this general rule include psychotherapy notes (covered by a special rule); information compiled in reasonable anticipation of litigation, and information covered by the Clinical Laboratory Improvements Amendments of 1988. 45 C.F.R. § 164.524(a)(1)(i) to (iii).
8. NAELA published a HIPAA compliant release which appears on its website at http://www.naela.com/Applications/News-app/Files/HIPAA_PatientM.R._Release.pdf. Other guidance appears at T. Murphy, Drafting Health Care Powers of Attorney to Comply with the New HIPAA Regulations, 15 NAELA News 1 (August 2003), at http://www.naela.org/PDFFiles/NNews_Aug03.pdf.
9. E.g., in Georgia, a health care power of attorney must be witnessed by two persons and, if the principal is a patient in a hospital or nursing home, must be signed in the presence of a physician. See O.C.G.A. § 31-36-5.
10. Murphy, supra.
11. T. Wright, HIPAA Compliance Creates Ongoing Challenge, Lawyers Weekly USA (9/1/03), available at www.lawyersweeklyusa.com.
12. E.g., like picking up the telephone and attempting to work things out.
13. HIPAA Medical Privacy and Transaction Rules: Overkill or Overdue?, at http://aging.senate.gov/index.cfm?Fuseaction=Hearings.Detail&HearingID=34.



 
 
