The ABCs of HIPAA
Having the Proper Authorizations in Place Is a Must
By Sarah E. Dolven
Consider the following two scenarios:
Brenda’s 19-year-old daughter was away at college in another state. One evening, she received a panicked phone call from her daughter’s roommate, informing her that her daughter had been in a car accident and was in the hospital near the college. She immediately telephoned the hospital but was told she could not get any news about her child’s condition, because her child was no longer a minor and had not authorized the release of medical information to her mother.
Malcolm’s wife Margaret suffered a stroke and became incapacitated and was hospitalized for several weeks. When the hospital bill came, the charges were astronomical, and Malcolm was sure Margaret’s health-insurance plan should have covered some of the costs. When Malcolm contacted the insurance company to ask about why certain procedures were not covered, he was told that Margaret’s medical records were protected by HIPAA, and the insurance company could not speak with him without Margaret’s authorization.
With the right planning, these scenarios can be avoided. While the protection of an individual’s medical information is extremely important, sometimes it is equally important for someone to have access to another person’s medical information.
If your loved one is injured or incapacitated, you want to be able to find out what happened and how your loved one is doing, and communicate with their healthcare providers. Without the proper authorization, you will not be able to understand the important medical concerns at issue, and your ability to help and support your loved one will be hampered.
Just What Is HIPAA?
The Health Insurance Portability and Accountability Act was enacted in 1996, and the supporting regulations were rolled out over the next several years, culminating in final modifications in August 2002.
“While the protection of an individual’s medical information is extremely important, sometimes it is equally important for someone to have access to another person’s medical information.”
Prior to the enactment of the current HIPAA privacy laws, a confusing and contradictory patchwork of federal and state laws governed the transmission of, and access to, health information in the U.S. As a result, someone’s health records could be passed without restriction between various providers, insurance companies, and third-party payers without providing notice to, or requiring the authorization of, the individual.
The purpose of HIPAA was essentially twofold. First, the ‘portability’ section of the act safeguarded an individual’s ability to maintain health-insurance coverage when moving between jobs and provided more protection for individuals with pre-existing health conditions by limiting the scope of information that new employers could obtain regarding a person’s health status. Second, and more relevant to this article, the ‘accountability’ section set forth protections for personal identifying information in patient health records, including insurance claims.
At a time when advances in technology were making the electronic sharing of medical records more feasible and efficient, there was a corresponding need to increase protections for this sensitive and confidential medical data and provide people with control over their own healthcare information.
The HIPAA law set broader, more universal protective parameters on the use and release of medical records, among them that patients could find out how their medical information is used. Under HIPAA, patients now had the right to obtain and examine their own health records and to control certain uses of their health information. The law also established safeguards that medical providers and others had to meet in order to protect patient privacy, setting forth a clearer set of rules and directions for providers and those dealing with medical data, including standardizing formats for storage, maintenance, and transmittal of electronic patient records. The law also held violators accountable though civil and criminal penalties.
As estate planners, we often stress to clients that having the proper authorizations in place to protect them in case of incapacity is as important as having a will or trust, if not more so. A validly executed healthcare proxy and durable power of attorney will give your chosen agents the authority to make medical and financial decisions on your behalf when you cannot do so yourself.
However, without a valid HIPAA authorization in place, estate-planning documents may be rendered ineffective. If the language in a durable power of attorney requires proof of the principal’s incapacity before the agent, known as the ‘attorney-in-fact,’ may act, the designated attorney-in-fact may not be able to obtain the required medical proof, and the power of attorney will be useless. Likewise, if a trustee becomes incapacitated, and medical proof of their incapacity is required in order for the successor trustee to take over, the parties are forced to resort to petitioning a court for guardianship or conservatorship of the incapacitated trustee in order to take any action; in the meantime, the trust cannot be administered until court proceedings are concluded and a guardian and conservator are appointed.
A thorough and well-drafted healthcare proxy and durable power of attorney should contain language referencing HIPAA and granting the healthcare agent and the attorney-in-fact authority to access medical records, authorize information disclosures, and participate in medical decisions on the principal’s behalf. In addition to these documents, we recommend that clients execute a separate, universal HIPAA authorization form that applies to all medical providers and handlers of medical data such as HMOs, insurance companies, and government programs such as Medicare and Medicaid.
On this form, clients can include people other than their designated healthcare agent or attorney-in-fact that they wish to have access to their medical information — people like other family members or close friends. For example, you may have listed your spouse and your sibling as your agents in your healthcare proxy and durable power of attorney, but you also want your adult children to be able to get medical information about you in the event that, for example, you have an accident and are hospitalized.
You can give copies of your signed authorization to all of the people you name, so that they can quickly and easily get information, communicate with your doctors and health plans, and give you the care and support you deserve.
Sarah Dolven is an associate in the Trusts and Estates department at Bulkley Richardson; www.bukley.com.