This article was originally published in Probate & Property, Vol. No. 4, p. 20 (July/August 2004). Citations have not been confirmed or updated.
If you’ve been to a doctor or hospital in the last few months, you’ve been asked to sign a piece of paper titled something like “HIPAA Notice of Privacy Practices,” which probably told you all sorts of stuff about your medical records that you either didn’t understand or didn’t really care about. Well, the same federal law that has doctors asking patients to sign all of those pieces of paper also imposes penalties on doctors (and hospitals and other health care providers) who make unauthorized disclosures of “protected health information” about their patients, and that means that health care providers are not going to be talking about (or otherwise disclosing information about) the medical condition of a patient to the families of the patient, or the lawyer for the patient, which can lead to problems when families and lawyers are trying to figure out whether the patient is disabled for purposes of durable powers of attorneys, advance medical directives, trusts, employment contracts, and other kinds of contracts and documents.
This article will therefore explain the history and general provisions of HIPAA and its regulations and discuss how those regulations may affect various estate planning documents and practices.
History and Background
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), H.R. 3103, P.L. 104-191, sometimes known as the Kennedy-Kassebaum bill, had as its primary goals the portability of health insurance coverage from one employer-provided health insurance program to another employer’s health insurance program, as well as the reduction of fraud in Medicaid, Medicare, and other kinds of health insurance and health care costs. In order to carry out those goals, HIPAA instituted new standards for recording health care information electronically, and new standards for how that health care information could be shared electronically among health insurers and governmental regulators. Finally, having begun regulating how health care information should be shared, Congress felt it necessary to regulate how health care information should NOT be shared, and so a section of HIPAA authorizes the Secretary of Health and Human Services to promulgate regulations on how health care information must be kept confidential and under what circumstances health care information may be disclosed.
To establish standards for health records, 42 U.S.C. §1173, added by section 262 of HIPAA, gives the Secretary of Health and Human Services broad discretion in adopting standards to enable health information to be exchanged electronically, as well as security standards for health information. Section 1173(d)(2) also requires those who maintain or transmit health information to maintain reasonable and appropriate safeguards in order (among other things) “to protect against any reasonably anticipated … unauthorized uses or disclosures of health information.”
Section 264 of HIPAA required the Secretary to recommend standards with respect to the privacy of individually identifiable health information and, if those recommended standards were not enacted as legislation, the Secretary was required to issue regulations addressing:
“(1) The rights that an individual who is a subject of individually identifiable health information should have.HIPAA, section 264(b).
(2) The procedures that should be established for the exercise of such rights.
(3) The uses and disclosures of such information that should be authorized or required.”
HIPAA, section 264(b).
The Secretary published regulations on December 28, 2000, at 65 FR 82802, then modified the regulations on August 14, 2002, 67 FR 53182, and the modified regulations became effective April 14, 2003. The regulations can be found at 45 CFR §§164.500 et seq.
The penalties for disclosing (or obtaining) “individually identifiable health information” in violation of HIPAA are severe. Under 42 U.S.C. §1177, as added by section 262 of HIPAA, a person violating the privacy provisions of HIPAA can be fined not more than $50,000 and imprisoned not more than one year. However, if the violation is “under false pretenses,” then the fine can be $100,000 and the imprisonment can be 5 years. and if the violation is “with intent to sell, transfer, or use individual identifiable health information for commercial advantage, personal gain, or malicious harm,” the fine can be $250,000 and the imprisonment can be 10 years.
The HIPAA privacy regulations at 45 CFR §§164.500 et. seq. contain a number of detailed provisions about health information that may be shared or disclosed to carry out treatments, billing and payments, health care operations, and other purposes, and those details are beyond the scope of this article. However, estate practitioners should know what is “protected health information,” the circumstances under which it can be disclosed to family members or legal representatives, and what procedural remedies might exist for failure to disclose.
The discussions that follow generally use the same terminology as the regulations themselves, with two exceptions. The regulations apply to “covered entities,” which includes not only doctors, hospitals, and other health care providers but also health plans, employers, and health care clearinghouses. Because practitioners will most often be dealing with doctors, hospitals, and other health care providers as their source of health information, the discussions below will refer to health care providers even when the regulations refer more broadly to “covered entities.” The regulations also refer to the health information of an “individual,” but for convenience and clarity the discussions below will often refer to the health information of a “patient.”
The regulations apply generally to “protected health information,” which is defined by 45 CFR §164.501 as “individually identifiable health information” that is either transmitted by electronic media, maintained in any electronic media, or transmitted or maintained in any other form or medium (subject to certain exceptions not relevant here). “Individually identifiable health information” is defined by 42 USC §1171(6) as any information (1) created or received by a health care provider, health plan, employer, or health care clearinghouse that (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (3) either identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
These definitions are quite broad, and would apparently include any information about a patient’s medical condition or treatment, transmitted in any form (including orally).
Protected health information can obviously be disclosed to the patient himself (45 CFR §164.502(a)(1)(i)) and must be disclosed to the patient (subject to various exceptions, including an exception for psychotherapy notes) if requested by the patient (45 CFR §164.524). There are specific provisions for the review of the denial of a patient’s request for protected health information (45 CFR §164.528), amendments to protect health information (45 CFR §164.526), and accounting for past disclosures of protected health information (45 CFR §164.528).
The regulations also specify that, for purposes of disclosure, the patient’s “personal representative” is treated in the same way as the patient, meaning that the personal representative has the same rights and powers as the patient to protected health information. The definition of “personal representative” is a functional definition, because the regulations state that, if a person has the authority to act on behalf of an adult or emancipated minor “in making decisions in relation to health care,” that person must be treated as the “personal representative” with respect to protected health information “relevant to such personal representation.” 45 CFR §164.502(g)(2). The issue of who is a “personal representative” is therefore a function of state law, and the information that can be obtained by the personal representative is a function of the health care decisions that can be made by the personal representative under state law.
Similar rules allow a parent, guardian, or other person acting in loco parentis to an unemancipated minor to be treated as the personal representative of the minor with respect to protected health information relevant to health care decisions that may be made by that person under applicable law (45 CFR §164.502(g)(3)) and allow the executor or administrator of a decedent’s estate to be treated as the personal representative of the decedent (45 CFR §164.502(g)(4)).
However, the regulations do not require health care providers to follow state law in all cases. A health care provider can refuse to treat a person as a personal representative for a patient if the health care provider has a reasonable belief that the personal representative may have abused the patient, or that treating the person as the personal representative could endanger the individual, if the health care provider decides, “in the exercise of professional judgment,” that it is not in the best interests of the patient to treat the person as the personal representative. 45 CFR §164.502(g)(5). See also, 45 CFR §164.512(c)(2)(ii) and §164.524(a)(3)(iii).
Protected health information (other than psychotherapy notes) can also be disclosed in accordance with a “valid authorization” signed by the patient. 45 CFR §164.508. A valid authorization is a document written in “plain language” (45 CFR §164.508(c)(2) and must contain the following information (45 CFR §164.508(c)(1)):
- A description of the information to be disclosed that identifies the information in a specific and meaningful fashion;
- The name or other specific identification of the health care providers or other persons (or class of persons) authorized to make the requested disclosure;
- The name or other specific identification of the persons (or class of persons) to whom the disclosure may be made;
- The purpose of the requested disclosure (which may be “at the request of” the patient if the patient initiates the request and does not wish to state the purpose);
- An expiration date or an expiration event that relates to the patient or the purpose of the disclosure; and
- The signature of the patient and date. If the authorization is signed by a personal representative of the patient, the document must describe the source of the representative’s authority.
The authorization must also include statements adequate to put the patient on notice that (a) the patient has the right to revoke the authorization in writing and how the patient may revoke the authorization, (b) whether or not any treatment, payment, or enrollment is conditioned on the authorization, or the consequences of not signing the authorization (if any), and (c) the potential for disclosed information to be disclosed further because it may no longer be subject to HIPAA regulations once disclosed.
The regulations also state that a valid authorization should not be combined with “any other document” to create a compound authorization. 45 CFR §164.508(b)(3). The goal seems to be to prevent confusing a patient by combing two different authorizations for two different purposes into one document. In that case, both the literal language of the regulation and the purpose of the regulation would allow an authorization to be included as part of a larger document (such as a revocable trust, as discussed below) that is related to the authorization but does not include any other authorization for disclosure of health information. However, health care providers are required to keep copies of all authorizations (45 CFR §164.508(b)(6)), and so it would be better to have a short, separate document for the health care provider’s records, rather than a longer document with information about the client’s estate plan (or other affairs) that the health care provider has no business knowing. For both these reasons, it will usually be better to create separate written authorizations whenever an authorization to disclose protected health information is needed.
As can be seen from the foregoing, a family member or friend who is not a “personal representative” may be left in the dark about the medical condition of a spouse, parent, adult child, or other close family member. The regulations seem to recognize only four circumstances in which the medical condition of a patient might be shared with family members or friends (if the patient does not object):
- Protected health information may be disclosed to a family member, other relative, close personal friend, or other person identified by the patient to the extent that the information is directly relevant to the person’s involvement with the patient’s care or payment for the health care. 45 CFR §164.510(b)(1)(i). This would allow doctors to discuss the relevant aspects of the patient’s care with those who are living with the patient and who will be involved with her care, as well as with those who are paying for the health care.
- Protected health information may be disclosed to family members, a personal representative, or another person responsible for the care of the patient in order to notify them of the patient’s location, general condition, or death. 45 CFR §164.510(b)(1)(ii). So it will not be a violation of federal law for a hospital to call a patient’s next of kin to let them know that the patient is in the hospital and not doing well (or has died).
- Protected health information may be disclosed to others in the presence of the patient if the patient is capable of making medical decisions and the patient (i) consents, (ii) does not object (after being given an opportunity to object) or (iii) it appears from the circumstances (based on an “exercise of professional judgment”) that the patient does not object. 45 CFR §164.510(b)(2). So, when the doctor visits the patient in the hospital and the family is visiting and a family member asks a question about the patient’s condition, the doctor can answer if the doctor first asks the patient or if the doctor reasonably believes that the patient has no objection.
- If the patient is not present, or there is an emergency or an incapacity, but it is in the “best interests” of the patient, using “professional judgment” and “experience with common practice,” protected health information may be disclosed that is directly relevant to the person’s involvement with the patient’s care, such as allowing the person to pick up prescriptions, medical supplies, or X-rays. 45 CFR §164.510(b)(3).
These exceptions seem to be an attempt to formalize the “rules” under which doctors in the past typically advised family members about a patient’s condition.
Although these new rules may cause problems for family members trying to learn about the medical condition of a patient from a doctor, the problems that most estate lawyers will confront will relate to how the regulations relating to “personal representatives” and “valid authorizations” apply to powers of attorney and other estate planning documents and procedures.
Powers of Attorney
Many practitioners have expressed concerns that durable powers of attorney that include the power to make medical decisions (or durable health care powers of attorney) may need to be rewritten to comply with HIPAA. Several legal groups and individual lawyers have published new language (sometimes very lengthy and complex language) that they recommend be added to forms of powers of attorney. However, the language of the HIPAA regulations show that no changes should be needed for Pennsylvania powers of attorney that follow the statutory definitions for powers relating to medical care.
By statute, Pennsylvania allows a principal to empower an agent to “authorize medical and surgical procedures,” which means that the agent “may arrange for and consent to medical, therapeutical and surgical procedures for the principal, including the administration of drugs.” 20 Pa.C.S. §5603(h)(2).
As explained above, the regulations under HIPAA require health care providers to treat the personal representative in the same way as the patient, and a “personal representative” is the person who, under applicable law, has the power to make medical decisions for the patient. A properly authorized agent under a power of attorney is a person who, under Pennsylvania law, has the power to make medical decisions for the principal, so the agent should be entitled to the same medical information as the principal.
Practitioners redrafting powers of attorney to include specific powers relating to health information should also consider that the HIPAA regulations make no provisions whatsoever for a “power of attorney” to receive health information or to authorize disclosures of health information. In order to be the “personal representative,” a person needs to have the authority to make medical decisions for the patient. Once a person has that power, all other powers granted by the document are superfluous. Authorizing an agent to receive or disclose health information is simply a waste of paper and ink, because there is no such thing as a “personal representative” of the patient who has the power to authorize disclosures but does not have the power to make medical decisions.
In order to make sure that an agent under a durable power of attorney has access to health information, it might be possible to write a broad “valid authorization” in favor of the agent, but that may be contrary to the spirit and structure of the regulations. The regulations are consistent with the principle that a person who has the power to make medical decisions for a patient should be entitled to the same medical information as the patient, but the regulations are hostile (or at least suspicious) of disclosures by written authorizations. As shown above, written authorizations are supposed to be “specific” in what is to be disclosed, for what purpose, from whom, to whom, and for how long. A broad general authorization to disclose all medical information from all sources, with no time limit, might not be valid under the regulations (or at least the regulations provide reasons for health care providers to hesitate before honoring such a document).
Most of the problems that are being encountered with health care professionals, HIPAA, protected health information, and powers of attorney are undoubtedly due to the newness of the regulations and the uncertainty of their application. Many of these problems should disappear with time so that, in the long run, the best way to make sure that an agent under a power of attorney has access to all medical information is to make sure that the agent has the power to make all medical decisions, and not through additional wording in waivers or authorizations.
A “springing” power of attorney (that takes effect only upon the disability of the principal) may create new problems under HIPAA, because how is an incapacitated principal going to be able to authorize access to the medical information needed to prove that the principal is incapacitated?
In order to avoid court proceedings and litigation (which is the purpose of most if not all powers of attorney), many springing powers state that the principal shall be deemed to be disabled upon the written opinions of some specific number of physicians. But under the HIPAA regulations, the principal’s physicians are prohibited from disclosing information about the principal’s medical condition without the permission of the principal or the personal representative of the principal. The principal can’t give permission because the principal is already incapacitated. The agent under the power of attorney is not the “personal representative,” and can’t give permission, because the agent will have the power to make medical decisions for the principal only after the power of attorney becomes effective and the power of attorney will not be effective until after the physicians have given their opinions.
The best solutions to this dilemma are either (a) stop using springing powers or (b) arrange for the principal to sign a separate “valid authorization” along with any springing power, so that the principal’s physicians are authorized to disclose the protected health information relevant to whether or not the principal is suffering from a disability. See the discussion above of “valid authorizations” under 45 CFR §164.508.
Health Care Declarations (“Living Wills”)
Following the model of the Pennsylvania statute (20 Pa.C.S. §5404(b)), most advance health care declarations in Pennsylvania appoint a “surrogate” to make health care decisions in the event that the signer is “incompetent and in a terminal condition or in a state of permanent unconsciousness.”
Consistent with the HIPAA regulations, a “surrogate” appointed under an advance health care declaration is not going to be treated like the declarant for all disclosure purposes, but is going to be treated as a “personal representative” only after the advance health care directive becomes effective, which is only after the declarant is “incompetent and in a terminal condition or in a state of permanent unconsciousness.” Because the authority of the surrogate could be seen as limited in scope (i.e., the surrogate is only authorized to decide whether a medical treatment will unnecessarily prolong life or is necessary to relieve pain), a health care provider could limit the disclosures of protected health information to the surrogate to the information relevant to those decisions.
Whether limitations on the information and authority of a “surrogate” are a problem depends on how practitioners themselves see the role of the surrogate. If it is believed to be necessary or advisable for a family member to have full access to all medical information even before a patient might be incompetent or in a terminal condition, the best solution is to make sure that there is in force a durable power of attorney with the authority to make medical decisions, or a durable health care power of attorney, rather than attempting to revise or re-word an advance health care declaration.
Like “springing” powers of attorney, guardianship proceedings themselves may be subject to an additional procedural hurdle in order to authorize the alleged incapacitated person’s physicians to testify in court (and necessarily disclose protected health information).
The HIPAA regulations specifically recognize judicial proceedings as an authorized disclosure. 45 CFR 164.512(e). However, the regulations draw a distinction between an order of the court and a subpoena, and health care providers are not necessarily required to comply with subpoenas unless certain conditions are met. See 45 CFR §164.512(e)(1)(ii). In order to get a court order (and not just a subpoena), it may be necessary to file a petition and get a preliminary order for the disclosure of medical records and the testimony of physicians before there is an actual hearing on the issue of incapacity. This will ultimately depend on whether health care providers are willing to honor a subpoena in guardianship proceedings or whether they will require a court order, and only time will tell what policies or attitudes the health care industry will adopt.
Like “springing” powers of attorney, many revocable trusts provide for the removal of the grantor as trustee, changes in distributions, or other consequences upon the disability of the grantor. And, once again, many documents define the “disability” of the grantor in terms of an opinion by physicians that the physicians will not be willing to provide without compliance with HIPAA.
It would seem that there could be three possible solutions to this problem.
One possible solution is to change the language of the revocable trust so that a failure of the trustee to authorize the release of the medical information necessary for the opinion of the physicians would itself become an event causing the grantor to be removed as trustee or otherwise considered to be disabled for the purpose of the trust. So, if the grantor were unable or unwilling to authorize the release of the medical information, the disability provisions would automatically take effect.
Another possible solution is to arrange for a separate authorization for the disclosure of the protected health information needed for the opinion of the physicians. Although a broad and unlimited authorization might not be a “valid authorization” under the regulations, an authorization for the specific purpose of determining disability within the meaning of the trust document should be specific enough to pass muster under anything but the most stringent reading of the regulations.
A third possible solution is to include an authorization for the disclosure of the necessary health information within the trust agreement itself. As discussed above, this is not recommended because the health care provider that discloses the health information will then be required to keep a copy of the trust document (45 CFR §164.508(b)(6)), which seems like a needless disclosure of the client’s estate plan.
Employment and Other Contracts
There are other documents related to estate planning that may include definitions of disability or a need for medical determinations, including employment agreements with disability benefits, shareholder or partnership agreements that allow or require transfers of business interests upon disability, and possibly even antenuptial agreements or separation agreements. In each case, practitioners will need to reconsider how to get the necessary authorizations for the disclosure of health information.
Where it is to the benefit of the individual to provide the evidence of disability, then it would seem that very little needs to be done except to make sure that the individual has a durable power of attorney that includes the power to make medical decisions.
The more difficult case is that in which it is to the benefit of other parties to demonstrate the disability of the individual, and in those cases the best drafting solutions will probably follow the suggestions made above with respect to revocable trusts. That is, that the documents be drafted so as to put the burden of proof on the individual and for the other parties to the contracts to be able to claim the existence of a disability if the individual is unable (or unwilling) to execute a valid authorization to disclose the necessary health information. Or that the individual signed a valid authorization for the disclosure of health information when the contract is signed, so that the other parties to the contract may be able to obtain the necessary health information when needed.
Like many new laws, the HIPAA privacy regulations are causing confusion and uncertainty. However, contrary to the fears of many practitioners, durable powers of attorney that give the agent the power to make medical decisions should continue to be honored under HIPAA and should allow the agent both access to protected health information and the power to authorize disclosures of protected health information. Other problems that practitioners may encounter should be solvable with separate authorizations for the disclosure of protected health information, as well as trust and contractual agreements that recognize the problems of obtaining health information and reallocate the resulting burdens and presumptions.