HIPAA-potamus Adventures

Summary:

Federal law protects the privacy of your medical
records, but those restrictions create problems for powers of attorney, trusts,
shareholder agreements and other business and estate planning documents where
changes are dependent on demonstrating that an agent, shareholder or other
person is disabled.

What is HIPAA:

HIPAA is the affectionate acronym for the Health
Insurance Portability and Accountability Act of 1996. HIPAA, as amended (it
takes multiple efforts to perfect such complexity), protects your rights to
your medical info, “Protected Health Information,” or PHI for short. HIPAA assures you access to your medical
information, while simultaneously preventing others who should not have access
to it from obtaining it. These rules have broad implications to a wide range of
personal, estate planning, and business transactions.

Why It’s So Important:

Addressing HIPAA, and how your medical info should be disclosed generally, are
vitally important. If you’re ill, can your daughter-in-law, the genius doc, get
to see your patient chart to monitor your care? If you’re a successor trustee,
and the current trustee is forgetting to pay insurance premiums and respond to
correspondence, can you replace her? Your partner is disabled and you need to
take over your professional practice, how can you obtain the requisite
physician letter mandated in your shareholders’ agreement to demonstrate his
incompetence trigger the replacement provision? HIPAA needs to be addressed.

What a Medical Provider
(“Covered Entity”) Must Do:

Any organization (health plan, health care
provider, or health clearing house) that routinely handles PHI in any capacity
is probably characterized as a “covered entity“. A covered entity must provide info to its
patients about their privacy rights and how their PHI can be used (notice of
privacy practices). It must adopt clear and appropriate privacy policies and
procedures for its practice, hospital, or plan. It must train its workforce to
understand its privacy procedures. A covered entity must designate a privacy
officer responsible for assuring that privacy procedures are adopted and
followed. A covered entity must also adopt adequate security procedures for
patient records containing individually identifiable PHI.

When Info Can Be
Disclosed:

Your health info should be disclosed for medical treatment,
payment, and health care operations (no authorization or release is needed).
Your medical info should be disclosed to you (prior to HIPAA a patchwork of
state and local rules governed this). Your personal representative should have
access to your info. A court can order disclosure. The Secretary of the
Department of Health and Human Services can access health info for enforcement
purposes.

When Info May Not Be
Disclosed:

If your doc or other health care professional believes that the
disclosure of your health info might endanger your life, jeopardize your
physical safety, or cause you or another person (e.g., someone else mentioned
in your records) substantial harm, they can refuse in their professional
judgment to disclose the info (what third party investor group just bought a
big insurance policy on you?).

What Info Can be
Disclosed:

Not all information has to be disclosed. Medical providers
should only disclose the minimum info necessary to achieve the purpose of the
requested disclosure. To protect and limit the scope of what is disclosed you
should clearly delineate in any document you execute directing disclosure the
specific purpose of the disclosure so that this can be determined. On the other
hand, if you’re looking to have a child help you with medical decisions, you
may expressly want no limit. In such cases broad authorization to release all
info should be stated. Be careful with “standard” authorization for the release
of PHI, it may be too broad, or too narrow, depending on your objectives.

Mental Health Info:

Psychotherapy notes are not required to be released. 45 CFR 164.524(a) (1). So
don’t worry Tony, Dr. Jennifer Melfi’s notes are safe (even when you asked her
out while separated from Carmela!).

Empowering an Agent to
Release Your PHI:

There are a myriad of circumstances in which you might
want to have an agent (“personal representative” in HIPAA jargon) act on your
behalf with regard to HIPAA matters, including authorizing the release of your
PHI. 45 CFR 164.502(g) (2).  A
personal representative can act with the same authority as if he or she were
standing in your shoes. A key issue affecting a myriad of planning issues and
documents is what is required of someone to be your HIPAA Personal
Representative. “In general, the scope of the personal
representative‘s authority to act
for the individual under the Privacy Rule derives from his or her authority
under applicable law to make health care decisions for the individual”. This
definition is quite nettlesome. If a person has broad authority to make health
care decisions for another person, such as a parent for a minor child or a
legal guardian for an incompetent adult, that person should generally be
treated as stepping into the shoes of the minor or ward for HIPAA purposes.
Exceptions may apply in instances of abuse or if state law provides to the
contrary. “Where the authority to act for the individual is limited or specific
to particular health care decisions, the personal representative is to be
treated as the individual only with respect to protected health information
that is relevant to the representation.”

Can Your Agent Under
your Power of Attorney Be Your Personal Representative:

Your agent under
your financial power of attorney is not always clearly empowered to make health
care related decisions. Although paying medical bills may constitute making
decisions related to health care, is it sufficient? The ability to obtain PHI
will be limited to those matters pertaining to paying medical bills. How broad
of a medical decision making authority should an agent under a power of
attorney be granted? At what point might the financial agent’s authority
conflict with your health care agents? If the only health care decision is the
payment of medical bills is that sufficient? For example, if an agent is to
make the financial decisions as to which health care facility to pay for, will
the agent be entitled to adequate disclosures to make the decision?

Your Executor is Your
HIPAA Personal Representative:

An executor of an estate has authority to
act on behalf of the decedent with respect to PHI.

Can a Successor Trustee
be Your Trustee’s Personal Representative:

In the context of a trust
agreement, a mechanism could be included mandating that all trustees grant a
limited authorization to successor trustees for the purpose of determining if
they, the predecessor trustee, are unable to serve, or that those serving as a
trustee must, as a condition of serving, provide a release of their PHI to the
successor trustees named or appointed under the particular trust. A HIPAA
release authorization must acknowledge that the person giving it (i.e., the
trustee) can revoke it. There is no assurance it won’t be revoked and the
mechanism defeated. Perhaps the trust could provide that if the trustee revokes
it, then that revocation constitutes a termination of the trustee’s position as
a trustee. What of the requirement that the successor trustee make health care
decisions for the predecessor trustee for the successor to be characterized as
the predecessor trustee’s HIPAA personal representative? The successor would be
granted the authority to make one decision that could be characterized as
health care related, specifically, whether the predecessor trustee was mentally
and physically capable of serving as trustee. If this constitutes a sufficient
health care decision then the authorization requirements of 45 CFR 164.508 may
be met. Further, to minimize the offense to any person agreeing to serve as
trustee, the medical disclosures could be limited to the minimum information necessary
to make this determination. This process raises another issue in that the trust
document itself might have to be disclosed. To address this, a separate trustee
authorization document could be created, or a memorandum of trust expressly
authorized, that embodies the HIPAA related mechanisms.

Conclusion:

HIPAA
affects a broad range of personal, financial, health care and estate planning
transactions. Almost every key estate document, and many key business
documents, need to address HIPAA disclosure issues to assure that various
trigger mechanisms (succession of fiduciaries, determinations of disability,
etc.) can be triggered. The issues, drafting and planning are quite complex.