|November 2, 2008|
Previously published by The Pennsylvania Law Weekly on Spring 2009
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is vast.
- When Congress enacted HIPAA on August 21, 1996, however, one of its critical concerns was protecting the privacy of the average American citizen. Prior to HIPAA's enactment, medical records had become increasingly accessible as a result of technological advances that contributed widespread information sharing.
- HIPAA targeted the potential for fraudulent or improper disclosure and transmission of medical records. In doing so HIPAA has created a challenge for lawyers in Pennsylvania who seek to protect the rights of clients who need to exercise Powers of Attorney for their loved ones within the HIPAA environment.
One of HIPAA's requirements was the establishment of the Privacy Rules.
- Prior to the HIPAA Privacy Rules (which were enacted in their current form on August 14, 2002), there was a confusing mélange of federal and state laws to govern the transmission of, and access to, health information. Under these pre-existing laws, an individual's health information could be shared freely between doctors, hospitals, insurers, and third party payers, without either notice to, or authorization from, the individual.
- In an attempt to curtail this free disclosure of personal health information, the HIPAA Privacy Rules set federal minimum standards for the disclosure of an individual's private health information. The rules attempt to strike a balance between the necessary disclosures of health care information and the privacy interests of those who seek medical care.
- Given that the health care marketplace is diverse, the rules are designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
Historically, health care providers have accepted Powers of Attorney readily, without questioning their validity.
- In the post-HIPAA world, however, one can expect a higher level of scrutiny. In fact, the HIPAA Privacy Rules can potentially create a conflict with respect to the traditional language of Powers of Attorney. Thus, to be effective, Powers of Attorney should be drafted to comply with the requirements of the Privacy Rules.
- The Privacy Rules protect all individually identifiable health information (defined as Protected Health Information or PHI) of an individual held or transmitted by covered entities (defined as health care providers who transmit any health information in electronic form). Although the Privacy Rules allow certain uses and disclosures of such information without the consent of the Individual or that Individual's Personal Representative (defined as a person who has the present authority to make health care decisions for that Individual), the HIPAA Privacy Rules, with few exceptions, proscribe the disclosure of PHI unless the Individual or the Personal Representative authorizes it in writing.
The Granting of Authority
- Powers of Attorney are designed to allow an individual the ability to grant authority to another in order to allow the Agent to act on behalf of the Principal. Powers of Attorney can be drafted to be effective now (current powers) or effective in the future occurrence of a specific event (springing powers). Pennsylvania law (20 Pa.C.S. § 5602(h) and (i)) allows the Principal under the Power of Attorney to grant the Agent the power to authorize "my admission to a medical, nursing, residential or similar facility and to enter into agreements for my care and the power to authorize medical and surgical procedures." While Powers of Attorney can be drafted to provide for a wide variety of situations, this article is limited to the impact that the Privacy Rules have on General Durable Powers of Attorney that are presently effective.
- If a Power of Attorney grants the Agent the present ability to make health care decisions on behalf of the Principal, the Agent qualifies as the Personal Representative under the HIPAA Privacy Rules. However, if a Power of Attorney does not grant the Agent the present ability to make health care decisions on behalf of the Principal to the Agent, the Agent is not considered the Personal Representative under the HIPAA Privacy Rules, regardless of the scope of the health and medical authority otherwise granted to the Agent.
- In order to be effective under HIPAA, the specific authority granted to the Personal Representative (Agent) under the state defined Power of Attorney rules thus must be consistent with the definition of Personal Representative under the federally defined HIPAA Privacy Rules. Under the Privacy Rules, a Power of Attorney that is intended to allow the Personal Representative (Agent) the power to access medical records, to authorize information disclosures, and to participate in medical decisions on behalf of the Principal, but not drafted to allow the Personal Representative (Agent) the presently effective power to make health care decisions on behalf of the Principal, may be technically deficient, and the Agent may lack the critical necessary powers to act on behalf of the Principal in time of need. Although some health care professionals may rely upon a Power of Attorney that is not drafted to comply with the Privacy Rules, they do so at their own peril.
The Effective Clause
- To address this issue of presently effective powers, I use the following clause in clients' Durable General Powers of Attorney, as well as in Advance Directives for Health Care: "to have and utilize the presently effective power and authority to act in accordance with and pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), its attendant Privacy Rules, 45 CFR Part 164, and/or other federal and state legislation, by having the presently effective power and authority to make any and all health care decisions on my behalf; to give informed consent for any and all health care decisions on my behalf; to be deemed to be my Personal Representative; to act in any and all matters as my Personal Representative; to obtain any and all of my Protected Health Information; to consent to the disclosure and use of any and all of my Protected Health Information; and to have the presently effective power and authority to effectuate any and all of the above."
- As stated previously, this article is limited to the impact that the HIPAA Privacy Rules have on General Durable Powers of Attorney that are presently effective. In light of the fact that the determination of capacity is central to the effectiveness of a Power of Attorney (as well as to many other legal documents), the HIPAA Privacy Rules should not create problems for health care purposes if the Agent possesses the presently effective ability to make health care decisions on behalf of a Principal. With a properly drafted Power of Attorney, if the Principal becomes incapacitated, the authority of the Agent is not interrupted.
- Conversely, the authority of the Agent will be interrupted if the Power of Attorney is not presently effective and a determination of capacity is required to be made. This situation exists, for example, when an Agent is to act under a Springing Power of Attorney or when a Successor Trustee is to act under a Trust Agreement.
- As these scenarios are outside the realm of this article, I would suggest referring to the article, HIPAA-POA: The Effect on Healthcare Power of Attorney by Stephen H. Frishberg, Esquire. This article is contained in the PBI Publication No. 2004-3355, 11th Annual Estate Law Institute.
Estate planners must stay ahead of the basic definitions and tenets of the HIPAA Privacy Rules.
- Knowledge of the precise meanings of Protected Health Information, Personal Representative, and other HIPAA terms, and how they impact our practice are fundamental to our role as counselors. A Power of Attorney is a highly effective document when drafted correctly. Only with the proper wording in light of HIPAA, the Privacy Rules, and the changing practice of today's health care profession, will the Power of Attorney remain the powerful tool it is mean to be.