Clarifying Confusions Around HIPAA and Power of Attorney

By Kayla Matthews, HealthIT writer and technology enthusiast, Tech Blog
Twitter: @ProductiBytes

The Health Insurance Portability and Accountability Act, or HIPAA, became U.S. law in 1996. Since then, patient privacy has been a top-of-mind concern for health care providers. Among other things, HIPAA made it harder for increasingly digital and mobile patient records to fall into unauthorized hands or be leveraged for fraudulent purposes.

The HIPAA Privacy Rules state that physicians and health insurance entities may not disclose the details of a patient’s situation or condition to third parties. It’s mostly been a success in its goals, but there are growing pains even today.

One of these involves the power of attorney (PoA) and whether a patient’s appointed personal representative has legal access to the information they need to make sound decisions.

Why HIPAA Makes Power of Attorney Complicated
Power of attorney provides an individual with the legal ability to make decisions for others. These include filing lawsuits, investing money, cashing checks or making medical decisions for children or others. A power of attorney can provide “presently effective powers,” or it can be a “springing” PoA, which comes into effect when the patient becomes incapacitated. The person making the decisions is known as an agent.

For a health care agent to make informed decisions about a patient, they must have legal access to the patient’s protected health information (PHI). Under HIPAA Privacy Rules, there are very specific requirements for how that access is legally granted, and not every agent necessarily qualifies.

Before the HIPAA Privacy Rules came into effect, patient documents were highly mobile. They could be shared more-or-less freely between attending physicians, insurance companies, medical facilities and third-party representatives. HIPAA established federal-level laws that raised the bar for the minimum expectations of privacy across the country.

Simply put, it became much harder for protected health information to be disclosed to health care agents and proxies with general powers of attorney.

Imagine a person has been awarded a general power of attorney for a hospitalized patient. If it does not contain a HIPAA clause, they may not be able to make the best decisions for the patient at a time when they need all the information they can get.

How to Avoid Problems With PoA and HIPAA
To avoid problems with HIPAA and PoA, the definition and rights of a health care agent, or proxy at the state level, much match the description of personal representative as laid out in HIPAA. Under HIPAA, only persons named as personal representatives may access PHI to make medical decisions for a patient. Power of attorney documents must match this language to give agents access to PHI.

Additionally, the power of attorney must explicitly grant agency to the personal representative to make decisions in the event of incapacity.

As an example, consider do-not-resuscitate (DNR) instructions. If a patient wants their agent to discontinue life support if they have only a slim chance of recovery, their personal representative must have been given the power to make decisions after incapacity. Just as importantly, they need access to all available medical information, however sensitive, so they can be sure the decision they’re making is the right one.

There are two actions to take to ensure these conditions are met:

  • Draw up a durable power of attorney: Durable powers of attorney do not expire when the patient becomes incapacitated, as general powers of attorney do. This is the most critical time when information must be freely shared.
  • Include a HIPAA waiver: To ensure attending physicians won’t have their hands tied when it comes to sharing PHI with a health care agent, include a HIPAA waiver on power of attorney documents. This specifically waives the patient’s right to protection under HIPAA and permits the agent/personal representative to access it.

Each power of attorney document is different. That means each one can, and must, be explicit about giving presently effective powers to health care agents with HIPAA in mind.

Keep Disclosure in Mind
A HIPAA clause in a durable power of attorney document should mention HIPAA by name and declare that the person in question will act as a personal representative per the act’s guidelines.

Security-mindedness is a must in today’s world, and this is one case where it requires all parties to be aware of the potential catch-22s and pitfalls. It’s possible to be a health care agent under the law but not a personal representative.

It is also possible to have the legal ability to make decisions for an incapacitated patient, but not have access to all relevant medical information. As a result, power of attorney documents must be written with HIPAA Privacy Rules and efficient information disclosure in mind.