HIPAA and your Health Care Power of Attorney
Dateline: April, 2003
Your Health Care Power of Attorney is a document whereby you give your Health Care Representative the authority to make medical decisions for you in the event you are unable to do so. Sweeping new health-care legislation under the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d (“HIPAA”) changes the way that health care providers are allowed to transmit and disseminate your medical information. We recommend that all Health Care Powers of Attorney be updated at this time to incorporate the new HIPAA privacy rules.
HIPAA’s Privacy Rules:
Despite its name, the reason that HIPAA has such wide reaching impact is that it contains detailed privacy rules regarding your medical information. During any recent visits your doctor, dentist or other health care provider, you have probably already been asked to complete a form regarding the handling of your private medical information. This is because the privacy rules under HIPAA became effective April 14, 2003, and any health care provider that maintains or transmits electronic health information must comply with them.
Essentially, the HIPAA privacy rules provide that health care providers must take steps to prevent the unauthorized dissemination of “Protected Health Information” or “PHI”. PHI is defined very broadly as: “[i]ndividually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate[; i]dentifies the individual or offers a reasonable basis for identification[; i]s created or received by a covered entity or an employer[; or r]elates to a past, present, or future physical or mental condition, provision of health care or payment for health care.” 45 C.F.R. § 160.103. A summary of the HIPAA privacy rules can be found at: http://www.hhs.gov/ocr/privacysummary.pdf.
The penalties to health care providers for non-compliance with the HIPAA privacy rules are severe. If there is a general failure to comply with HIPAA, civil fines may be imposed as the rate of $100 per violation, up to a maximum of $25,000 per year. However, if a person knowingly obtains and disseminates PHI, there are criminal penalties of up to a $50,000 fine and 1 year in prison. If the PHI is provided or obtained under false pretenses, there are criminal penalties of up to a $100,000 fine and 5 years in prison. If the PHI is obtained or used for commercial advantage, personal gain or malicious harm, then the criminal penalties increase to a $250,000 fine and 10 years in jail. 42 USC 1320d-5 and 1320d-6.
Why might my Health Care Power of Attorney not be effective under HIPAA?
Health care providers are very concerned that they might transmit PHI, knowingly or unknowingly, in violation of HIPAA and incur the severe penalties discussed above. Accordingly, , the reaction of health care providers is to be extremely cautious about disseminating PHI. The potential fallout of the desire to be cautious is that (i) Health Care Powers of Attorney will be carefully scrutinized by health care providers, and (ii) health care providers will need assurances that providing PHI to a Health Care Representative will not violate HIPAA.
From a legal perspective, your current Health Care Power of Attorney, if well drafted, should be legally sufficient for the health care provider to transmit your PHI to your Health Care Representative. However, the practical problem is that the health care provider may not know what is and is not legally sufficient. Given the penalties at stake, he health care provider may likely err on the side of caution and not provide any PHI to a Health Care Representative unless the Health Care Power of Attorney specifically states that PHI may be transmitted under the HIPAA privacy rules. Given that the need to use a Health Care Power of Attorney usually arises in a crisis situation, you do not want to put your Health Care Representative in the position of having to argue with medical staff right at the time that he or she needs to be making medical decisions for you. Comprehensive estate planning documents must anticipate real life practicalities to be valuable to you.
What can I do so that my Health Care Power of Attorney will operate as I intend, even under HIPAA?
We recommend that all Health Care Powers of Attorney be updated to specifically empower your Health Care Representative to receive your PHI in accordance with HIPAA. This power should be clearly stated so that any health care provider reviewing the power will feel secure that the transmission of the PHI to the Health Care Representative will not be a violation of the privacy rules of HIPAA. While all Health Care Powers of Attorney should be scrutinized to see if they contain provisions regarding HIPAA and PHI, it is unlikely that that any Health Care Powers of Attorney executed in 2001 or earlier will contain such provisions since the final HIPAA privacy regulations were not published until December of 2000.
Contact FSK&S with questions:
If you have any questions about whether your existing Health Care Power of Attorney adequately empowers your Health Care Representative to receive your Protected Health Information or PHI under HIPAA, please contact either Shareholder of our Tax, Trusts and Estates and Elder Law Department: Henry H. Fein by email.
This Article is a service of the Tax, Trusts and Estates and Elder Law Department of Fein, Such, Kahn & Shepard, P.C., 7 Century Drive, Suite 201, Parsippany, NJ 07960. Phone: 973-538-4700. Website: www.feinsuch.com. It does not constitute legal advice nor create an attorney-client relationship. For more information contact Shareholder Steven A. Loeb by email.
© 2003, Fein, Such, Kahn & Shepard, P.C., all rights reserved. Permission is granted to reproduce and redistribute this article so long as (i) the entire article, including all headings and the copyright notice are included in the reproduction, and (ii) no fee or other charge is imposed.