What is a HIPAA Power of Attorney?
A HIPAA Power of Attorney is most often an authorization granting a member of an individual’s family access to the individual’s Protected Health Information in order to make healthcare and payment decisions on behalf of the individual. Different procedures may apply depending on the terminology used in the authorization, the individual’s wishes, state laws, and the circumstances in which the HIPAA Power of Attorney is triggered.
Understanding what is a HIPAA Power of Attorney can be a particularly complicated area of HIPAA compliance. This is because the terminology used in a Healthcare Power of Attorney may allow an individual’s “agent” to make healthcare and payment decisions on behalf of the individual, but the terminology might not permit healthcare providers to treat the agent as a personal representative of the individual for HIPAA purposes.
In this case, it will not be possible to disclose more than the minimum necessary Protected Health Information (PHI) to the agent (in order to make healthcare and payment decisions), nor provide the agent with full access to the individual’s PHI. However, if the healthcare provider is in possession of an individual’s Healthcare Directive – and the individual has not expressed otherwise – it is permissible to disclose the Directive to the agent.
HHS Guidance on Healthcare Power of Attorney Authorizations
The Department of Health and Human Services (HHS) has published guidance that helps resolve compliance issues when Healthcare Power of Attorney authorizations are ambiguous. The guidance states that if a Healthcare Power of Attorney is in effect – and there is no terminology in the authorization to state otherwise – the person(s) named in the authorization (the agent(s)) can be regarded as personal representative(s) of the individual for HIPAA purposes.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
When an agent is considered to have HIPAA Power of Attorney, they have the same rights to access PHI as the individual – unless a healthcare provider “in the exercise of professional judgement” believes it is not in the best interests of the individual to treat the agent as their personal representative (see §164.502(g)(5)). This may happen if the individual is the victim of abuse, neglect, or violence, or if the healthcare provider believes treating the agent as a personal representative may endanger the individual.
Individuals also have the right to request privacy protections for PHI (see §164.522(a)(1)). Some individuals may use this right to request that certain types of PHI are withheld from an agent with a HIPAA Power of Attorney. For example, PHI relating to Substance Use Disorders or reproductive health. If a healthcare provider agrees to the restriction, and an exemption does not apply (i.e., for emergency treatment), it is not permissible to disclose restricted PHI to a HIPAA Power of Attorney.
How State Laws Affect a HIPAA Power of Attorney
In many cases, a HIPAA Power of Attorney executed in one state should be accepted in another. However, different states can have different regulations about what should be included in a Power of Attorney authorization, what limitations apply to an agent’s authority, and whether the HIPAA Power of Attorney remains in force should a court appoint a guardian. In some states, a HIPAA Power of Attorney can be terminated verbally, or automatically when a husband and wife divorce.
Most healthcare providers that participate in Medicare or Medicaid are required to inform patients of what state laws affect Healthcare Directives and HIPAA Power of Attorney authorizations under the Patient Self-Determination Act 1990 (see §489.102). If an individual is incapacitated at the time of admission or at the start of care, the information must be provided to a family member and repeated to the individual when they regain the capacity to make healthcare decisions.
Obtaining Power of Attorney in an Emergency
In most cases, a Power of Attorney is effective at the time the authorization form is signed or is triggered when a patient lacks the capacity to make healthcare decisions. However, there are occasions in which no Healthcare Directive or Power of Attorney exists. In these circumstances, if an incapacitated individual is an unemancipated minor, a parent, guardian, or other person acting in loco parentis assumes the role of personal representative.
If an incapacitated individual is a legal adult, forty-one jurisdictions have provisions allowing for the appointment of a default surrogate for medical decision making in the absence of an agent. Twenty-eight of those have a “surrogacy ladder” that determines the order in which agents should be approached depending on their kinship or affinity to the incapacitated individual. It is important healthcare providers are aware which provisions apply in which jurisdictions to avoid impermissible disclosures of PHI.
Because of the potential for impermissible disclosures of PHI, it is recommended that healthcare providers who are unsure about their HIPAA obligations when dealing with agents, personal representatives, and surrogates seek legal advice from a HIPAA compliance professional.
