The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects patients’ privacy. The law limits how health plans, including Medicare and Medicaid, health care providers, and other entities share protected health information (PHI). Your PHI may include personal details such as your Social Security number, billing records, address, lab test results, or prescriptions.
HIPAA authorizes the release of medical information to the patient and the person(s) designated as their personal representative. It also has some flexibility that allows medical providers to disclose information to a person who is involved in a patient’s care. (The HIPAA rules allow disclosure only of information that is relevant to the caregiver’s involvement in the patient’s care.)
While this caregiver policy usually works well, “usually” is the operative word. This is why it can be important to sign what is known as a HIPAA release form. It gives specific written authorization to all people who may be involved in a patient’s care. This can be particularly key if, for example, there is more than one caregiver for the patient.
Under HIPAA, covered health care entities can only share PHI for treatment, payment, and health care operations. In other cases, an entity such as a hospital must obtain the patient’s consent to share information with others.
HIPAA Release Form
A hospital may obtain consent to release your PHI through a HIPAA release form. Signing a HIPAA authorization form allows the hospital to disclose protected health information that HIPAA would otherwise shield. The form typically states who can have access to the information.
Note that if a physician suspects abuse, neglect, or domestic violence by your personal representative, they have the right to refuse to disclose to them your PHI, in order to support your best interests.
Reasons to Sign a HIPAA Release
While signing a release abridges your privacy, it can help ensure that designated individuals in your life can receive information about your health.
A release lets your provider give your health information to a specified third party, such as:
- A family member assisting with health care decision-making and care
- An attorney helping you with a personal injury or workers’ compensation claim
The minimum necessary standard applies even after the release. Under this standard, health care providers can only share the information required to accomplish a specific goal.
What Does the HIPAA Authorization Form Include?
The law requires HIPAA consent forms to specify the following:
- The information that will be disclosed
- Those who may make the disclosure
- The individuals who may access the information
- The reason for the disclosure
- An end of the disclosure period (This can be either an expiration date or an expiration “event.” For instance, this event could be the patient’s discharge from the hospital.)
- The signature of the patient or their representative
Individuals generally have the right to revoke authorization.
Disclosure to Personal Representatives and Family Members
According to the U.S. Department of Health and Human Services (DHHS), your personal representative may inspect and receive a copy of your protected health information from a HIPAA-covered health care provider or health plan.
Your personal representative is someone you legally authorize to act on your behalf in making health care decisions. Parents are typically personal representatives of minor children. If you have named an agent under a health care power of attorney in your estate plan, that individual may be your personal representative.
A Note on Terminology and Federal vs. State Law
The terms used for these types of documents and individuals can vary depending on where you live. Health care agents may be more commonly referred to as health care proxies in some states. Likewise, a health care power of attorney may be called an advance directive or a medical power of attorney.
To make matters more complicated, HIPAA rules, which are governed by federal law, may in some instances conflict with state laws. As the DHHS explains, whether a person “has a right to access the individual’s PHI … generally depends on whether that person has the authority under state law to act on behalf of the individual.” With certain exceptions, HIPAA regulations typically take precedence unless state law is more stringent.
Under HIPAA, a valid health care power of attorney should be sufficient to authorize a loved one to access your health information. You may also use a HIPAA release to share information with a loved one.
HIPAA and a Health Care Power of Attorney in Your Estate Plan
A power of attorney for health care is a legal document. When you execute a health care power of attorney as part of your estate plan, you appoint a trusted individual as your health care agent. You can also name a successor.
When you create a health care power of attorney, you can determine your agent’s level of authority and information access.
Compared to relying on HIPAA authorization forms alone, having a valid health care power of attorney in place can be beneficial for several reasons:
- While HIPAA authorization forms limit information sharing only to what is necessary, you can give your loved one broader access to information with a health care power of attorney, or provide specific limitations.
- Having a health care power of attorney prepares you for future unforeseen health events. You might be unable to communicate or make decisions if you become severely ill. When you have appointed a health care agent, this person can step in, make decisions, and receive information about your health.
- You can detail your wishes for medical decisions in a health care power of attorney.
When drafting a health care power of attorney, consider including HIPAA authorization. The document should include a provision about access to medical information. It will outline to whom in your life a health care entity is permitted to disclose your PHI.
You could give your agent broad access. Or, you could restrict their access to specific protected health information. You can also put limits on when the agent can have access to your information.
Consult With Your Attorney
If you are considering signing a HIPAA release to share health information with a loved one, consider also having a health care power of attorney. Your attorney can help you create a power of attorney that gives your loved one access to HIPAA-protected information and protects your interests.