July 01, 2004

What Estate Lawyers Need to Know About HIPAA and “Protected Health Information” (2004, 18:04)

What Estate Lawyers Need to Know About HIPAA and “Protected Health Information”

Probate and Property, July/August 2004, Volume 18, Number 4

By Daniel B. Evans
Daniel B. Evans is in private practice in Philadelphia, Pennsylvania, and is the co-chair of the J-1 Economics & Technology of the Practice Committee. He is the “Technology—Probate” columnist for Probate & Property magazine.


If you’ve been to a doctor or hospital in the last few months, you’ve been asked to sign a piece of paper titled something like “HIPAA Notice of Privacy Practices,” which probably told you all sorts of stuff about your medical records that you either didn’t understand or didn’t really care about. Well, the same federal law that has doctors asking patients to sign all of those pieces of paper also imposes penalties on doctors (and hospitals and other health care providers) who make unauthorized disclosures of “protected health information” about their patients. The new rules mean that health care providers are not going to be talking about (or otherwise disclosing information about) the medical condition of a patient to the families of the patient or the lawyer for the patient. These restrictions on disclosing information can lead to problems when families and lawyers are trying to figure out whether the patient is disabled for purposes of durable powers of attorney, advance medical directives, trusts, employment contracts, and other kinds of contracts and documents.

 

This article explains the history and general provisions of HIPAA and its regulations and discusses how those regulations may affect various estate planning documents and practices.

History and Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), H.R. 3103, Pub. L. No. 104–191, sometimes known as the Kennedy-Kassebaum Bill, had as its primary goals the portability of health insurance coverage from one employer-provided health insurance program to another employer’s health insurance program, as well as the reduction of fraud in Medicaid, Medicare, and other kinds of health insurance. To carry out those goals, HIPAA instituted new standards for recording health care information electronically and new standards governing how that health care information could be shared electronically among health insurers and governmental regulators. Finally, having begun regulating how health care information should be shared, Congress felt it necessary to regulate how health care information should not be shared. Thus a section of HIPAA authorizes the Secretary of Health and Human Services to promulgate regulations on how health care information must be kept confidential and under what circumstances health care information may be disclosed.

To establish standards for health records, 42 U.S.C. § 1320d-2, added by Section 262 of HIPAA, gives the Secretary of Health and Human Services broad discretion in adopting standards to enable health information to be exchanged electronically, as well as security standards for health information. Section § 1320d-2(d)(2) also requires those who maintain or transmit health information to maintain reasonable and appropriate safeguards in order (among other things) “to protect against any reasonably anticipated . . . unauthorized uses or disclosures of health information.”

Section 264 of HIPAA required the Secretary to recommend standards for the privacy of individually identifiable health information, and, if those recommended standards were not enacted as legislation, the Secretary was required to issue regulations addressing:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

HIPAA § 264(b).

The Secretary published regulations on December 28, 2000, at 65 Fed. Reg. 82,802, then modified the regulations on August 14, 2002, 67 Fed. Reg. 53,182, and the modified regulations became effective April 14, 2003. The regulations can be found at 45 C.F.R. §§ 164.500 et seq.

The penalties for disclosing (or obtaining) “individually identifiable health information” in violation of HIPAA are severe. Under 42 U.S.C. § 1320d-6, as added by Section 262 of HIPAA, a person violating the privacy provisions of HIPAA can be fined not more than $50,000 and imprisoned not more than one year. If the violation is “under false pretenses,” however, then the fine can be $100,000 and the imprisonment can be five years. And if the violation is “with intent to sell, transfer, or use individual identifiable health information for commercial advantage, personal gain, or malicious harm,” the fine can be $250,000 and the imprisonment can be 10 years.

Privacy Regulations

The HIPAA privacy regulations at 45 C.F.R. §§ 164.500 et seq. contain a number of detailed provisions about health information that may be shared or disclosed to carry out treatments, for billing and payments, for health care operations, and for other purposes, but those details are beyond the scope of this article. Estate practitioners, however, should know what “protected health information” means, the circumstances under which information can be disclosed to family members or legal representatives, and what procedural remedies might exist for failure to disclose.

The discussions that follow generally use the same terminology as the regulations themselves, with two exceptions. The regulations apply to “covered entities,” a term that includes not only doctors, hospitals, and other health care providers but also health plans, employers, and health care clearinghouses. Because practitioners will most often be dealing with doctors, hospitals, and other health care providers as their source of health information, the discussions below will refer to health care providers even when the regulations refer more broadly to “covered entities.” The regulations also refer to the health information of an “individual,” but for convenience and clarity the discussions below will often refer to the health information of a “patient.”

The regulations apply generally to “protected health information,” defined by 45 C.F.R. § 164.501 as “individually identifiable health information” that is transmitted by electronic media, maintained in any electronic media, or transmitted or maintained in any other form or medium (subject to certain exceptions not relevant here). “Individually identifiable health information” is defined by 42 U.S.C. § 1320d(6) as any information (1) created or received by a health care provider, health plan, employer, or health care clearinghouse that
(2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (3) either identifies the individual or provides a reasonable basis to believe that the information can be used to identify the individual.

These definitions are quite broad and apparently include any information about a patient’s medical condition or treatment, transmitted in any form (including orally).

Protected health information can obviously be disclosed to the patient himself (45 C.F.R. § 164.502(a)(1)(i)) and must be disclosed to the patient (subject to various exceptions, including an exception for psychotherapy notes) if requested by the patient (45 C.F.R. § 164.524). The regulations contain specific provisions for the review of the denial of a patient’s request for protected health information (45 C.F.R. § 164.528), amendments to protect health information (45 C.F.R. § 164.526), and accounting for past disclosures of protected health information (45 C.F.R. § 164.528).

The regulations also specify that, for purposes of disclosure, the patient’s “personal representative” is treated in the same way as the patient, meaning that the personal representative has the same rights and powers as the patient to protected health information. The definition of “personal representative” is a functional definition, because the regulations state that, if a person has the authority to act on behalf of an adult or emancipated minor “in making decisions related to health care,” that person must be treated as the “personal representative” for protected health information “relevant to such personal representation.” 45 C.F.R. § 164.502(g)(2). The issue of who is a “personal representative” is therefore a function of state law, and the information that can be obtained by the personal representative is a function of the health care decisions that can be made by the personal representative under state law.

Similar rules allow a parent, guardian, or other person acting in loco parentis to an unemancipated minor to be treated as the personal representative of the minor for protected health information relevant to health care decisions that may be made by that person under applicable law (45 C.F.R. § 164.502(g)(3)) and allow the executor or administrator of a decedent’s estate to be treated as the personal representative of the decedent (45 C.F.R. § 164.502(g)(4)).

The regulations do not require health care providers to follow state law in all cases, however. A health care provider can refuse to treat a person as a personal representative for a patient if the health care provider has a reasonable belief that the personal representative may have abused the patient or that treating the person as the personal representative could endanger the individual, if the health care provider decides, “in the exercise of professional judgment,” that it is not in the best interests of the patient to treat the person as the personal representative. 45 C.F.R. § 164.502(g)(5). See also 45 C.F.R. §§ 164.512(c)(2)(ii) and 164.524(a)(3)(iii).

Protected health information (other than psychotherapy notes) can also be disclosed in accordance with a “valid authorization” signed by the patient. 45 C.F.R. § 164.508. A valid authorization is a document written in “plain language” (45 C.F.R. § 164.508(c)(2)) and must contain the following information (45 C.F.R. § 164.508(c)(1)):

• A description of the information to be disclosed that identifies the information in a specific and meaningful fashion;

• The name or other specific identification of the health care providers or other persons (or class of persons) authorized to make the requested disclosure;

• The name or other specific identification of the persons (or class of persons) to whom the disclosure may be made;

• The purpose of the requested disclosure (which may be “at the request of” the patient if the patient initiates the request and does not wish to state the purpose);

• An expiration date or an expiration event that relates to the patient or the purpose of the disclosure; and

• The signature of the patient and date. If the authorization is signed by a personal representative of the patient, the document must describe the source of the representative’s authority.

The authorization must also include statements adequate to put the patient on notice that (1) the patient has the right to revoke the authorization in writing, including information explaining how the patient may revoke the authorization; (2) whether or not any treatment, payment, or enrollment is conditioned on the authorization, or the consequences of not signing the authorization (if any); and (3) the potential for disclosed information to be disclosed further because it may no longer be subject to HIPAA regulations once disclosed.

The regulations also state that a valid authorization should not be combined with “any other document” to create a compound authorization. 45 C.F.R. § 164.508(b)(3). The goal seems to be to prevent confusing a patient by combining two different authorizations for two different purposes into one document. In that case, both the literal language of the regulation and the purpose of the regulation would allow an authorization to be included as part of a larger document (such as a revocable trust, as discussed below) that is related to the authorization but does not include any other authorization for disclosure of health information. Health care providers, however, are required to keep copies of all authorizations (45 C.F.R. § 164.508(b)(6)), and so it would be better to have a short, separate document for the health care provider’s records, rather than a longer document with information about the client’s estate plan (or other affairs) that the health care provider has no business knowing. For both these reasons, it will usually be better to create separate written authorizations whenever an authorization to disclose protected health information is needed.

As can be seen from the foregoing, a family member or friend who is not a “personal representative” may be left in the dark about the medical condition of a spouse, parent, adult child, or other close family member. The regulations seem to recognize only four circumstances in which the medical condition of a patient might be shared with family members or friends (if the patient does not object):

• Protected health information may be disclosed to a family member, other relative, close personal friend, or other person identified by the patient to the extent that the information is directly relevant to the person’s involvement with the patient’s care or payment for the health care. 45 C.F.R. § 164.510(b)(1)(i). This would allow doctors to discuss the relevant aspects of the patient’s care with those who are living with the patient and who will be involved with his or her care, as well as with those who are paying for the health care.

• Protected health information may be disclosed to family members, a personal representative, or another person responsible for the care of the patient to notify them of the patient’s location, general condition, or death. 45 C.F.R. § 164.510(b)(1)(ii). A hospital will not violate federal law if the hospital calls a patient’s next of kin to let them know that the patient is in the hospital and not doing well (or has died).

• Protected health information may be disclosed to others in the presence of the patient if the patient is capable of making medical decisions and the patient (1) consents, (2) does not object (after being given an opportunity to object), or (3) it appears from the circumstances (based on an “exercise of professional judgment”) that the patient does not object. 45 C.F.R. § 164.510(b)(2). Thus, if a doctor visits the patient in the hospital when the family is visiting and a family member asks a question about the patient’s condition, the doctor can answer if the doctor first asks the patient or if the doctor reasonably believes that the patient has no objection.

• If the patient is not present, or there is an emergency or an incapacity, but it is in the “best interests” of the patient, using “professional judgment” and “experience with common practice,” protected health information that is directly relevant to the person’s involvement with the patient’s care, such as allowing the person to pick up prescriptions, medical supplies, or X-rays, may be disclosed. 45 C.F.R. § 164.510(b)(3).

These exceptions seem to be an attempt to formalize the “rules” under which doctors in the past typically advised family members about a patient’s condition.

Although the new rules may cause problems for family members trying to learn about the medical condition of a patient from a doctor, the problems that most estate planning lawyers will confront relate to how the regulations relating to “personal representatives” and “valid authorizations” apply to powers of attorney and other estate planning documents and procedures.

Powers of Attorney

Many practitioners have expressed concerns that durable powers of attorney that include the power to make medical decisions (or durable health care powers of attorney) may need to be rewritten to comply with HIPAA. Several legal groups and individual lawyers have published new language (sometimes very lengthy and complex language) that they recommend be added to forms of powers of attorney. The language of the HIPAA regulations, however, shows that no changes should be needed for powers of attorney that, in conformity with the statutes or court decisions of the relevant state, validly authorize the attorney in fact to make medical decisions for the principal.

As explained above, the regulations under HIPAA require health care providers to treat the personal representative in the same way as the patient, and a “personal representative” is the person who, under applicable law, has the power to make medical decisions for the patient. A properly authorized attorney-in-fact who has the power to make medical decisions for the principal under state law should qualify as a “personal representative” under the regulations and should be entitled to the same medical information as the principal.

Practitioners redrafting powers of attorney to include specific powers relating to health information should also consider that the HIPAA regulations do not contain any provisions that would give any legal effect to a power of attorney created for the purpose of receiving health information or authorizing disclosures of health information. To be a “personal representative,” a person needs to have the authority to make medical decisions for the patient. Once a person has that power, all other powers granted by the document relating to medical information are redundant. Drafting a document to specifically authorize an attorney-in-fact to receive or disclose health information appears to be a waste of paper and ink, because there is no such thing as a “personal representative” of the patient who has the power to authorize disclosures but does not have the power to make medical decisions.

To make sure that an attorney-in-fact under a durable power of attorney has access to health information, it might be possible to write a broad “valid authorization” in favor of the attorney, but that may be contrary to the spirit and structure of the regulations. The regulations are consistent with the principle that a person who has the power to make medical decisions for a patient should be entitled to the same medical information as the patient, but the regulations seem to be hostile (or at least suspicious) of disclosures by written authorizations. As explained above, written authorizations are supposed to be “specific” in what is to be disclosed, for what purpose, from whom, to whom, and for how long. A broad general authorization to disclose all medical information from all sources, with no time limit, might not be valid under the regulations (or at least may raise enough of a question about the application of the regulations that health care providers may hesitate before honoring such a document).

Most of the problems that are being encountered with health care professionals, HIPAA, protected health information, and powers of attorney are undoubtedly due to the newness of the regulations and unfamiliarity with their scope and application. Many of these problems should disappear with time so that, in the long run, the best way to make sure that an attorney-in-fact under a power of attorney has access to all medical information is to make sure that the attorney-in-fact has the power to make all medical decisions, and not through additional wording in waivers or authorizations.

“Springing” Powers

A “springing” power of attorney (a power that takes effect only on the disability of the principal) may create new problems under HIPAA, because an incapacitated principal cannot authorize access to the medical information needed to prove that the principal is incapacitated.

To avoid court proceedings and litigation—the purpose of most, if not all, powers of attorney—many springing powers state that the principal shall be deemed to be disabled on the written opinions of some specific number of physicians. But under the HIPAA regulations, the principal’s physicians are prohibited from disclosing information about the principal’s medical condition without the permission of the principal or the personal representative of the principal. The principal cannot give permission because the principal is already incapacitated. The attorney-in-fact under the power of attorney is not the “personal representative” and cannot give permission, because the attorney will have the power to make medical decisions for the principal only after the power of attorney becomes effective and the power of attorney will not be effective until after the physicians have given their opinions.

The best solutions to this Catch-22 are to either (1) stop using springing powers or (2) arrange for the principal to sign a separate “valid authorization” along with any springing power, so that the principal’s physicians are authorized to disclose the protected health information relevant to whether or not the principal is suffering from a disability. See the discussion above of “valid authorizations” under 45 C.F.R. § 164.508.

Health Care Declarations (“Living Wills”)

Many advance health care declarations (or “living wills”) appoint an attorney-in-fact or “surrogate” to make health care decisions in the event that the declaration becomes effective (which is usually when the signer has become incompetent and is either in a terminal condition or in a state of “permanent unconsciousness”).

Consistent with the HIPAA regulations, an attorney-in-fact or “surrogate” appointed under an advance health care declaration will not be treated like the declarant for all disclosure purposes, but will be treated as a “personal representative” only after the advance health care declaration becomes effective. Usually the declaration becomes effective only after the declarant is incompetent or unable to communicate his or her wishes and is in a terminal condition or in a state of permanent unconsciousness. (The laws on this may vary from state to state.) Until the declaration is actually effective, however, health care providers could refuse to provide medical information to the surrogate named in the declaration. So, for example, if the patient is incompetent but not yet in a terminal condition, the surrogate might not be entitled to medical information. Furthermore, because the authority of the surrogate could be seen as limited in scope (that is, the surrogate is only authorized to decide whether a medical treatment will unnecessarily prolong life or is necessary to relieve pain), a health care provider could limit the disclosures of protected health information to the surrogate to the information relevant to those decisions.

Whether limitations on the information and authority of a surrogate under an advance health care declaration are a problem depends on how practitioners and their clients see the role of the surrogate. If it is believed to be necessary or advisable for a family member to have full access to all medical information even before a patient might be incompetent or in a terminal condition, the best solution is to make sure that a durable power of attorney with the authority to make medical decisions, or a durable health care power of attorney, is in force rather than to attempt to revise or re-word an advance health care declaration.

Guardianship Proceedings

Like “springing” powers of attorney, guardianship proceedings themselves may be subject to an additional procedural hurdle to authorize the physicians of the alleged incapacitated person to testify in court and to disclose protected health information.

The HIPAA regulations specifically recognize judicial proceedings as an authorized disclosure. 45 C.F.R. § 164.512(e). But the regulations draw a distinction between an order of the court and a subpoena, and health care providers are not necessarily required to comply with subpoenas unless certain conditions are met. See 45 C.F.R. § 164.512(e)(1)(ii). To obtain a court order and not just a subpoena, the lawyer may need to file a petition and get a preliminary order for the disclosure of medical records and the testimony of physicians before an actual hearing on the issue of incapacity can be held. The necessity of this step will ultimately depend on whether health care providers are willing to honor a subpoena in guardianship proceedings or whether they will require a court order. Only time will tell what policies or attitudes the health care industry will adopt.

Trust Agreements

Like “springing” powers of attorney, many revocable trusts provide for the removal of the grantor as trustee, for changes in distributions, or for other consequences on the disability of the grantor. And, once again, many documents define the “disability” of the grantor in terms of an opinion by physicians that the physicians may not be willing to provide without compliance with HIPAA.

It would seem that there could be four possible solutions to this problem.

One possible solution is to change the language of the revocable trust so that a failure of the trustee to authorize the release of the medical information necessary for the opinion of the physicians would itself become an event causing the grantor to be removed as trustee or otherwise considered to be disabled for the purpose of the trust. So, if the grantor were unable or unwilling to authorize the release of the medical information, the disability provisions would automatically take effect.

Another possible solution is to arrange for a separate authorization for the disclosure of the protected health information needed for the opinion of the physicians. Although a broad and unlimited authorization might not be a “valid authorization” under the regulations, an authorization for the specific purpose of determining disability within the meaning of the trust document should be specific enough to pass muster under anything but the most stringent reading of the regulations.

A third possible solution is to include an authorization for the disclosure of the necessary health information within the trust agreement itself. As discussed above, this is not recommended because the health care provider that discloses the health information will then be required to keep a copy of the trust document (45 C.F.R. § 164.508(b)(6)), which seems like a needless disclosure of the client’s estate planning documents.

Finally, the revocable trust could provide that one or more designated family members (or family friends or other disinterested parties) will make the determination of disability. If the decision maker is someone not covered by HIPAA, and if the determination can be made without access to health information protected by HIPAA, then the HIPAA requirements will not block a determination that the grantor should step down as trustee. Of course, this solution potentially offers less protection to the grantor of the trust, because the determination of disability will depend not on a professional opinion but on the conclusion of someone close to the grantor that the grantor can no longer function as a trustee. Often, however, family members or others close to the grantor will be aware that the grantor should no longer manage the trust, even without technical medical information. If the grantor has family members or friends who can be trusted to make this determination, this strategy offers a simplified process.

Employment and Other Contracts

Other documents related to estate planning may include definitions of disability or a need for medical determinations, including employment agreements with disability benefits, shareholder or partnership agreements that allow or require transfers of business interests on disability, and possibly even antenuptial agreements or separation agreements. In each case, practitioners will need to reconsider how to get the necessary authorizations for the disclosure of health information.

When providing evidence of disability will benefit the individual, then it would seem that very little needs to be done except to make sure that the individual has executed a durable power of attorney that includes the power to make medical decisions.

The more difficult cases will be those in which it is to the benefit of other parties to demonstrate the disability of the individual and to the benefit of the individual to contest the existence of a disability. In those cases the best drafting solutions will probably follow the suggestions made above for revocable trusts. That is, the documents could be drafted so as to put the burden of proof on the individual and for the other parties to the contracts to be able to claim the existence of a disability if the individual is unable (or unwilling) to execute a valid authorization to disclose the necessary health information. Alternatively, the individual could sign a valid authorization for the disclosure of health information when the contract is signed, so that the other parties to the contract may be able to obtain the necessary health information when needed, or third parties who are not covered by HIPAA could be entrusted with the determination of disability.

Conclusions

Like many new laws, the HIPAA privacy regulations are causing confusion and uncertainty. But contrary to the fears of many practitioners, durable powers of attorney that give the attorney-in-fact the power to make medical decisions should be honored under HIPAA and should allow the attorney-in-fact both access to protected health information and the power to authorize disclosures of protected health information. Other problems that practitioners may encounter should be solvable either with separate written authorizations for the disclosure of protected health information, with revised provisions in trusts and contractual agreements that recognize the problems of obtaining health information by reallocating burdens of proof and presumptions relating to health and competency, or by entrusting determinations of incapacity to third parties who are not health care providers restricted by the HIPAA privacy regulations.