DEALING WITH HIPAA -- POWERS OF ATTORNEY, RECORD RELEASES, COURT ORDERS AND SUBPOENAS
By Thomas J. Murphy, Esq.
On April 14, 2003, the much-touted privacy rules of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d, aka HIPAA, took effect. The privacy rules impact everyone's access to health care information so that particular care must now be exercised when drafting documents that affect the release of health care information. Elder law attorneys will most commonly encounter this issue when drafting health care powers of attorney and medical records releases or when attempting to obtain access to a ward's medical records in a guardianship or conservatorship proceeding. This article provides guidance in dealing will all of these issues.
HEALTH CARE POA's AND RECORD RELEASES
After reviewing dozens of newly revised HIPAA notices, record release forms and seminar materials, here are the provisions that I am now inserting in my health care powers of attorney. It reads as follows:
HIPAA Release Authority. I intend for my agent to be treated as I would be with respect to my rights regarding the use and disclosure of my individually identifiable health information or other medical records. This release authority applies to any information governed by the Health Insurance Portability and Accountability Act of 1996 (aka HIPAA), 42 USC 1320d and 45 CFR 160-164. I authorize:
- any physician, healthcare professional, dentist, health plan, hospital, clinic, laboratory, pharmacy or other covered health care provider, any insurance company and the Medical Information Bureau Inc or other health care clearinghouse that has provided treatment or services to me or that has paid for or is seeking payment from me for such services
- to give, disclose and release to my agent, without restriction,
- all of my individually identifiable health information and medical records regarding any past, present or future medical or mental health condition, to include all information relating to the diagnosis and treatment of HIV/AIDS, sexually transmitted diseases, mental illness and drug or alcohol abuse.
The authority given my agent shall supersede any prior agreement that I may have made with my health care providers to restrict access to or disclosure of my individually identifiable health information. The authority given my agent has no expiration date and shall expire only in the event that I revoke the authority in writing and deliver it to my health care provider.
The most useful way to explain this language is to go line-by-line. First, there needs to be a caption that specifically mentions HIPAA. This alone may placate the medical staff. The next language states that the agent should be treated as if he/she was the patient. This is taken verbatim from the regulations and is an overriding but overlooked concept. Likewise, the term "individually identifiable health information" is used throughout the regs rather then "medical records", so I use both terms in the POA. You may also want to include the term "protected health information" or "PHI" since that is the term that seems to be most commonly used by medical staffs when referring to HIPAA. I then cite the applicable statute and regs in case there is a need to review them.
I indicate that this release to applies to all health care providers who are subject to the HIPAA regs. I list most of them as well as the Medical Information Bureau, which is a clearinghouse of patients' medical records that insurance companies use when underwriting policies. It is important that the agent be able to access this information to ascertain the accuracy of those records.
The final bullet point authorizes the release of information for various specified conditions. Note that it does not include psychotherapy, such as notes from counseling sessions or clinical test results, since the regs require that a separate release be issued for those matters.
The regs require an expiration date or "expiration event". Nearly all of the forms I reviewed did provide expiration date, usually in the 18 to 24 month time frame, but I typically do not include one in the health care POAs. To comply with the regs, I use a written revocation as an expiration event.
AVOID SPRINGING POWERS OF ATTORNEY
A great debate has raged for years regarding "springing" POAs, i.e., POAs that only take effect upon the principal's incapacity as determined by the principal's physicians. This has always created a problem since the POA usually requires written reports from one and often two physicians. Obtaining written reports can often be difficult and the triggering terms "incapacity" or "incompetency" are frequently undefined.
Because of this, I have always avoided springing POAs. The HIPAA regs have compounded the problem by creating a Catch-22. A person cannot become an agent under a springing POA until the requisite showing of incapacity has been made. However, a person does not have access to medical records or other information that may indicate incapacity until that person has been appointed agent.
In most states, it is possible to draft around this dilemma. But a significant number of states only allow for health care POAs or proxies that take effect upon the written certification of incapacity by the treating physician. Under HIPAA, this amounts to a prohibited disclosure of medical records. It is unclear how this problem will be resolved. I am aware that some practitioners in these states are drafting a separate patient advocate designation form that, in effect, creates a limited POA as to the release of medical records rather than all health care decisions. Other practitioners are including a release provision in the financial POAs. It remains to be seen how the courts and health care providers in those states will view such maneuvers.
"STAND-ALONE" MEDICAL RECORD RELEASES
The healthcare POA grants decision-making authority to another person. But our clients will typically want other family members and friends to have access to doctors and their staffs during a hospitalization but who are not acting in a decision-making capacity. As a result, I am seeing widespread use of "stand-alone" releases by elder law attorneys. The release is limited to visitation and to speaking with the medical staff. It does not authorize access to medical records. For ease of use, the release is only a one-page document.
The release will list family members and friends. It should also include the attorney and members of the law firm and the employees of the client's church or synagogue. The specific release provision should read as follows:
HIPAA Release Authority. I authorize my doctors and all other health care providers and their staffs who are involved in my health care treatment to release information regarding my location, my medical condition, my diagnosis and prognosis and any other information about me, to include individually identifiable health information, that is deemed important by my providers to those persons named above. This authority is intended by me to allow my health care providers and their staff to freely converse and communicate, both orally and in writing, with the persons named above.
This document does not grant health care decision-making authority and does not in any way affect, inhibit or otherwise limit the authority granted in any existing healthcare power of attorney that I may have completed.
This document is effective immediately and is durable so that it is not affected by any subsequent incapacity.
SUCCESSOR TRUSTEES
A problem similar to the springing POAs will arise with successor trustees who can assume the duties of trustees upon the incapacity of the predecessor trustee. The successor trustee must be able to prove incapacity as provided in the trust agreement but may not be able to do so since he/she is only the designated trustee-to-be. He/she is not yet the trustee.
My suggestion in drafting around this problem is to add a paragraph in the article of the trust agreement dealing with successor trustees that reads as follows:
HIPAA Release Provision. When in the process of determining a Grantor's or Trustee's incapacity, all individually identifiable health information and medical records may be released to the person who is nominated as Successor Trustee, to include any written opinion relating to my incapacity that the person so nominated may have requested. This release authority applies to any information governed by the Health Insurance Portability and Accountability Act of 1996 (aka HIPAA), 42 USC 1320d and 45 CFR 160-164, and applies even if that person has not yet been appointed Successor Trustee.
PSYCHOTHERAPY NOTES
The regs require that any release authority pertaining to psychotherapy notes must be in a separate document that deals only with psychotherapy notes. Psychotherapy notes include notes taken "during a private counseling session or a group, joint or family counseling sessions and that are separated from the rest of the individual's medical record". The regs specify that this does not include medication prescriptions or the results of clinical tests.
COURT ORDERS
The process for obtaining medical records through court orders has been impacted by HIPAA. Elder law attorneys will most often deal with this in a guardianship proceeding when attempting to gain access to a ward's medical records or to obtain a physician's opinion as to the incapacity of the ward. It has been my experience that such an order, usually obtained at the very outset of the proceedings, is granted as a matter of course.
This may no longer be the case in view of the new HIPAA requirements. Disclosure is permitted in response to a court order but is limited to that information "expressly authorized" by the order.
This means care must be used in two aspects. One is the obvious need for greater specificity in a court order. It has been my experience that court orders typically require the ward's doctor to submit a report or to grant access to the ward's medical records to the ward's attorney. The better HIPAA-compliant practice is to specify the information sought. One useful approach is that used in my state of Arizona where a detailed questionnaire is supplied that inquires into diagnosis, prognosis, medications, assistance in ADLs and so on. The order should specifically refer to the questionnaire.
The second point is to make sure the order complies with your state's civil procedure rules. For instance, this will usually require that the judge sign the order. A minute entry or a pleading issued by the court clerk is not sufficient.
SUBPOENAS
The process for obtaining medical records through the issuance of subpoenas has been greatly impacted by HIPAA yet it has received surprisingly little attention. Elder law attorneys will most often deal with this in a will contest or in a contested guardianship proceeding. The new requirements are quite lengthy and detailed and will require considerable additional efforts by the attorney issuing the subpoena.
The thrust of the HIPAA regs in this regard mandate that the health care provider who has been served with a subpoena must be given "satisfactory assurance" by the attorney issuing the subpoena that "reasonable efforts" have been made to notify the patient of the request made in the subpoena.
The regs are very specific about what must be provided. Accompanying the subpoena must be a written statement setting forth the following:
- a good faith attempt was made to provide written notice to the patient or, if the patient's location is unknown, that a notice was mailed to the patients last known address.
- the written notice contained sufficient information about the litigation to permit the patient to raise an objection
- the time to raise an objection has elapsed, and
- no objections have been filed or that any objection has been resolved.
The exact contents of this statement will likely depend on your state's civil procedure rules since the HIPAA regs do not define any of these terms. For instance, the time period to object could range from 14 to 30 days, depending on the time afforded for responsive pleadings in your state. Another typical requirement is that is requesting party will provide a copy of what it received to the patient. The statement may also need to be in form of an affidavit or verification.
The regs also provide for an alternative method of proving satisfactory assurance by means of a "qualified protective order". This order can be either issued by the court or entered as a stipulation by the parties. Its terms must prohibit the parties from disclosing the medical records for any purpose other than for the litigation and, after the litigation has ended, the parties must agree to destroy all copies of the records or return them to the health care provider.
Oddly, the HIPAA regs only require an attempt to obtain such an order. The regs clearly do not require that the order actually be issued. What the regs appear to envision is that the release of medical records is permitted if a motion for the order is pending but not yet ruled upon by the court.
As a practical matter, the easiest method to deal with this is to simply obtain release authority from the patient. Absent that, the best practice is to send a draft copy of the subpoena to the patient or their counsel informing them that the subpoena will be issued and served unless the patient objects within a specified period of time. Once the time has elapsed and the subpoena is issued, a copy of all of the above should be provided to the health care provided together with a cover letter stating that the subpoena complies with HIPAA.
BEST INTERESTS OF THE PATIENT
One hugely overlooked aspect of HIPAA is that the regs provide an exception to the privacy rules if a healthcare provider believes that disclosure of information is in the patent's best interest. The regs state that when a person is not available or is incapacitated or an emergency exists, the provider "may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care".
When all else fails, this provision can be critical. For instance, elder law attorneys will encounter this when attempting to gain information to determine whether a person is incapacitated and in need of a guardianship. If no records release exists, the attorney should use this regulatory provision to obtain the information. Likewise, our clients can assert this provision if they are family members or close friends with whom the patient would normally share such information.
With everyone's attention focused at the outset on strict compliance with the technical requirements of HIPAA, health care providers lost sight of this crucial component of HIPAA. However, with the passage of time, it is my sense that health care providers are slowly becoming aware of this important provision and hence more willing to disclose information when the otherwise requisite permission was not or cannot be obtained.
WHERE TO GO FOR HELP
There are many aspects of HIPAA that are not covered by this article. The best source of information is the "OCR Privacy Brief, Summary of the HIPAA Privacy Rules" found on the HHS's website, www.hhs.gov/ocr/privacysummary.pdf, which has nearly 500 FAQs and many useful links. There is also an excellent HIPAA web blog, located at http://hipaablog.blogspot.com/.
Thomas J. Murphy is the principal of Murphy Law Firm, Inc. located in Phoenix, Arizona. His practice emphasizes probate, estate planning and elder law. He can be reached at (480) 838-4838 or tjmurphy@globalcrossing.net.
