There is a great deal of social change underway in terms of how we collect, use and share information about organizations and people. Privacy seems to be threatened from all sides by many forms of compromise: from cybercriminals seeking to exploit personal information for gain, to we ourselves sharing our own stories through Social Media across the World-Wide Web. Certainly, today there is more information “out there” than ever before, and this is cause for concern.
One of the areas where control is being enforced is over patient information: how it is to be shared, who can have access, what uses can be made of it, what is legal and illegal, who has what rights, and so on. HIPAA, HITECH and Omnibus are the main sources of this control, and much progress has been made to keep correct authorized sharing to that vital minimum that protects and benefits patients. Nevertheless, it remains a very high value target for exploitation, and billions of dollars annually are lost to false claims, identity theft, and now “ransomware” – the latest malware threat to electronically-stored health information.
As serious as these threats are, we must never forget the importance of our normal processes for authorized ways of handling information. In the OCR Audits of 2016, the focus was predominantly on the existence of the documentation that governs our daily programs: policy, procedure, forms, etc. Without these to guide our decisions and workflows, the mishandling of PHI becomes more prevalent, which of course leads to complaints, investigations and ultimately fines.
Part of our dilemma is that we often find ourselves struggling to balance “what is compliant” with what may, from time to time, seem to conflict with “what is best” for the patient. So, to ensure that we are following these regulations on balance with appropriate attention to patient care and safety, I thought it would be timely to revisit certain aspects of the Privacy Rule, and refresh our awareness of its aspects.
This time out I am going to address the “Designated Personal Representative” portion of the Privacy Rule with respect to who these persons are and how we must deal with them, and specifically a point about same-sex couples. I have included the OCR website text below to ensure we refer to the official source.
Please bear in mind that this article is intended to raise awareness of the contents of the Privacy Rule – nothing presented here should be taken as legal advice.
The Basic Issue
Our normal legal recognizes marriage as both a personal and a legal state: meaning, one of a commitment of one person to another (historically, man and woman), and one that accords certain rights and responsibilities to each person in that union. This can be a very expansive discussion, but in the context of this piece, I will confine my remarks to the area of healthcare and its related actions and information.
One particular area of concern is what happens to all this when the couple are a same-sex union. Some states now recognize this, if properly conducted through legal/clergical channels, as a legitimate state of marriage. Many states still do not. For a current listing, the Wikipedia provides this information here: https://en.wikipedia.org/wiki/List_of_U.S._state_laws_on_same-sex_unions. What is also important not note here is that some states grant full spousal rights where others place certain limits on these (you should ensure you are familiar with the conditions in your own state when you draft policy governing how your organization will handle this situation should it arise).
The basic point here is that laws vary, sometimes widely across all jurisdictions where HIPAA applies. With societal conditions in the state of flux they currently are, I have run into an increasing number of clients wanting guidance on this, and I thought it best to research it thoroughly before offering any.
Since there is great variance in the statutes, it often leaves Privacy Officers adrift at sea when they try to sort this out. Their corporate attorneys are often in no better position to direct the institution’s response because the law is simply not black-and-white, but rather leaves all concerned in the position of having to decide for themselves what approach they will take. Knowing that compliance must be achieved, but that patient rights must also be respected, finding the balance can prove to be tricky at times.
A few other things seem pretty clear, however: a) changes in the law seem to follow very slowly when changes in a society occur, and often open doors even while erecting other barriers to the given issue; and b) sometimes when the laws do address such issues and grant the conditions being sought, they often create a maelstrom of paperwork for those attempting to achieve the now permitted result. In either case, the choice we face appears as either a minefield or whitewater rapids. And navigating either one requires caution, a sharp eye, and a clear idea of the best path to follow while trying to avert disaster.
Reading the OCR guidance below, it becomes immediately clear that anyone acting as the personal representative is given certain rights under HIPAA, but that certain conditions and limitations must be observed when doing so. The guidance also actually gives you an acceptable way of correctly and compliantly dealing with this. Please be sure to run this by your Chief Counsel before formalizing it – you need their approval to ensure that both the Law and your Organization will be satisfied with it.
- First, do the above and make sure you know the stance of your State Law on this.
- Second, make sure you ask the right questions of your patient and their partner so that you have a clear and accurate understanding of their situation and their wishes.
- Third, ensure that you know what the necessary things are that will create the workflow you will need: HIPAA Consent, HIPAA Authorization, and any forms you create to be included in the flow to document all the steps.
- Fourth, discuss with your attorneys whether or not a properly worded Power of Attorney executed by the patient will enable you to meet their desires in this regard. If it can do so, this may solve the problem and enable you to achieve the delicate balance you are attempting.
Like many issues of personal rights, this one can be difficult to work through and achieve the right solutions under certain conditions. No law can be expected to deal with every possible situation that might arise, and recognizing this, HIPAA provides a certain degree of latitude to Privacy Officers and their organizations to determine their approach for specific cases and issues. For the sake of your patients in same-sex relationships, taking these steps can make things more convenient by satisfying the legal requirement and removing the disgruntlement this particular case can create.
One thing: the above suggestion is in no way intended to circumvent the law. It is intended only to use existing, legal vehicles and processes to establish a cleaner, easier solution to handle situations where traditional assumptions about spousal or survivor’s rights normally arise. If the law does not prohibit this course outright, it may just be that even with requiring additional paperwork and possible expense, you can simplify dealing with “Personal Representatives” under HIPAA to your and your patient’s compliant advantage.
The HIPAA Privacy Rule establishes a foundation of Federally-protected rights which permit individuals to control certain uses and disclosures of their protected health information. Along with these rights, the Privacy Rule provides individuals with the ability to access and amend this information, and the right to an accounting of certain disclosures. The Department recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.” Section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual for purposes of the Rule. In addition to these formal designations of a personal representative, the Rule at 45 CFR 164.510(b) addresses situations in which family members or other persons who are involved in the individual’s health care or payment for care may receive protected health information about the individual even if they are not expressly authorized to act on the individual’s behalf.
How the Rule Works
General Provisions. Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule.
The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. For instance, covered entities must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information.
In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as is usually the case with a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception applies. (See below with respect to abuse, neglect or endangerment situations, and the application of State law in the context of parents and minors). Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation.
For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes. Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual with respect to protected health information relevant to such personal representation (e.g., an executor of an estate has the right to access all of the protected health information of the decedent relevant to these responsibilities).1 State or other law should be consulted to determine the authority of the personal representative to receive or access the individual’s protected health information.
Who Must Be Recognized as the Individual’s Personal Representative. The following chart displays who must be recognized as the personal representative for a category of individuals:
|If the Individual Is:||The Personal Representative Is:|
|An Adult or|
An Emancipated Minor
|A person with legal authority to make health care decisions on behalf of the individual|
Examples: Health care power of attorney
Exceptions: See abuse, neglect, and endangerment situations discussion below.
|An Unemancipated Minor||A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child|
Exceptions: See parents and unemancipated minors, and abuse, neglect and endangerment situations discussion below.
|Deceased||A person with legal authority to act on behalf of the decedent or the estate (not restricted to persons with authority to make health care decisions)|
Examples: Executor or administrator of the estate
Parents and Unemancipated Minors. In most cases under the Rule, a parent, guardian, or other person acting in loco parentis (collectively, “parent”) is the personal representative of the minor child and can exercise the minor’s rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child.
However, the Privacy Rule specifies three circumstances in which the parent is not the “personal representative” with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other laws, or standards of professional practice. In these situations, the parent does not control the minor’s health care decisions, and thus under the Rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor’s personal representative are:
- When State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;
Example: A State law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent’s consent.
- When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent;
Example: A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself.
- When a parent agrees to a confidential relationship between the minor and a health care provider.
Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.
Regardless, however, of whether a parent is the personal representative of a minor child, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under State or other laws (including relevant case law).
In cases in which State or other applicable law is silent concerning parental access to the minor’s protected health information, and a parent is not the personal representative of a minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent with access under 45 CFR 164.524 to the minor’s health information, if doing so is consistent with State or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment.
Abuse, Neglect, and Endangerment Situations. When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual. For example, if a physician reasonably believes that providing the personal representative of an incompetent elderly individual with access to the individual’s health information would endanger that individual, the Privacy Rule permits the physician to decline to provide such access.
1Note that the Privacy Rule does not apply to the health information of an individual who has been deceased for more than 50 years; thus, a personal representative need not authorize disclosures of the decedent’s health information nor does a personal representative have rights under the Privacy Rule with respect to such information.