HIPAA, also known as the Health Insurance Portability and Accountability Act
Written by: Michelle C. Berk, Esquire
HIPAA, also known as the Health Insurance Portability and Accountability Act, was enacted in 1996. The privacy requirements of HIPAA took effect on April 14, 2003. The citation for these federal regulations is 45 CFR 160.101-160.312 and 164.102-164.534 and 42 USC 1320d.
HIPAA is the first comprehensive federal law dealing with protection for the privacy of personal health information. The regulations enable individuals to access their health records. This means individuals and their representatives have a right to inspect and copy and also correct their health care information. The law now gives individuals a right to an accounting of certain disclosures.
The regulations provide that an individual’s “personal representative” is fully authorized to represent the individual with respect to uses and disclosures of protected health information as well as the individual’s other rights under the Rule. Some terms and definitions you will see in HIPAA related documents are as follows:
- “Covered Entity” is a health care provider including a nursing home, assisted living facility or personal care facility;
- “Health Plans” are health insurance companies;
- “Health Care Clearing Houses” are companies engaged in billing;
- “Business Associates” are legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, financial services, claims processing or administration, billing. A “covered entity” may not disclose protected health information to a “business associate” and may not allow a “business associate” to create or receive protected health information on its behalf unless the covered entity obtains “satisfactory assurances” that the “business associate” will appropriately guard this information.
When a release of information is requested pursuant to a signed patient authorization, there are specific requirements for that document.
Therefore, Powers of Attorney now should contain HIPAA compliant information for the release of patient healthcare information such as:
A description of the information to be used or a description that aids the informant in a specific and meaningful fashion, for example:
“I intend for my agent to be treated as I would be with respect to my rights regarding the use and disclosure of my individually identifiable health information or other medical records regarding any past, present or future medical or mental health condition, to include all information relating to the diagnosis and treatment of HIV/AIDS, sexually transmitted diseases, mental illness and drug or alcohol abuse. This release authority applies to any information governed by the Health Insurance Portability and Accountability Act of 1996 (aka HIPAA) 42 USC 1320d and 45 CFR 160-164.”
However, this language will not meet the requirements of Pennsylvania regulations governing the discovery and disclosure of mental health records under Pennsylvania law. Mental health facilities and care providers will require language and terms of disclosure in their Authorization that are extremely limited in duration, that is, in the time in which the Authorization can be used.
Also, there may be an additional concern about how seniors and their families may react to seeing the HIV/AIDS and sexually transmitted disease language. However, to date, I have not seen any reaction from my clients.
Further requirements of a sufficient authorization for the release of health information under HIPAA, or to be included in a Power of Attorney that may be used to request health information in addition to or in lieu of presenting a HIPAA authorization, follow:
- Name of the person or class of persons authorized to make the requested use or disclosure.
- Name or other specific identification of the persons, or class of persons, to whom the covered entity may make the requested use or disclosure (for example: Sunny Acres Assisted Living Facility).
- Description of each purpose of the requested use or disclosure, for example: application for Social Security disability benefits, or name of lawsuit, caption of the case.
- Expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure (verdict or settlement, grant of benefits). However, do not put the expiration event in your HIPAA release that you incorporate in your Power of Attorney. Instead, use a written revocation as the expiration event. For example, “The authority of my agent has no expiration date and shall expire only in the event that I revoke the authority in writing and deliver it to my health care provider.”
- Signature of the individual and date: If signed by the Agent named in the Power of Attorney, the Guardian or other authority, you must attach the document, such as a copy of the actual Power of Attorney or Guardianship Order of the court, to the HIPAA Authorization.
Legal counsel should be consulted if any questions or course of action requiring a HIPAA authorization outside the usual course of business is contemplated.