One of the most important objectives of the HIPAA Privacy Rule—and the HITECH Act in particular—was to ensure that consumers have easy and affordable access to their own protected health information. The regulations also clarified how and when medical information about a patient could be disclosed to a person’s caregiver, family member, friend, and personal or legal representative.
Yet, confusion and misinformation linger among HIPAA-covered entities that prefer to withhold information from a patient’s friends and representatives just to be on the safe side. After all, while HIPAA has clear guidelines about who can and cannot receive information, it is not a one-size-fits-all regulation since it designates much of the decision making to the covered entity’s “professional judgement.”
In the past, Journal of AHIMA has addressed how consumers can access their own information, as well as access the records of deceased individuals. This article will take a closer look at how exactly HIPAA applies to family, friends, caregivers, and personal representatives.
Defining Caregivers and Personal Representatives
According to the Department of Health and Human Services (HHS), the Privacy Rule does not require a healthcare provider or health plan to share information with your family or friends unless they are your personal representatives. But there are some circumstances in which providers or plans can share your information with family and/or friends. According to the HHS website, these include:
- They are involved in your healthcare or payment for your healthcare
- You tell the provider or plan that it can do so
- You do not object to sharing of the information
- A provider or plan, using professional judgment, believes that you do not object
For example, a personal representative can pick up medications at a pharmacy for someone else; a doctor can share medical information with the person who accompanies a patient to an appointment; if the patient is incapacitated and no authorization can be obtained, a provider can share information with a friend or relative, though only if it’s in the patient’s best interest.
Carlyn Choate, RHIA, CHPS, MSHI, a privacy and security compliance analyst for a public government agency and a member of AHIMA’s privacy and security practice council, says a good example of this was when her organization treated a 20-year-old woman whose mother was paying the bill. Choate says the medical team was hesitant to give the mother any information about her daughter’s care. Choate advised that if the patient explicitly said “my mom is making the payment” for this encounter, then the provider could give the mother treatment information and answer questions about it without authorization from the daughter. If the mother wanted more information about her daughter’s health, outside of the one encounter she was paying for, the daughter would have to provide written or verbal authorization to the provider, Choate says.
“We have to be careful when we say personal representative. What does that mean? You could have a legal personal representative that follows up with the legal work saying you are the person’s power of attorney (POA), but when you have POA, you have different levels of POA, it can be a mother, it can be a daughter, a family member, a friend who has POA, but depending on the level of POA, it’s going to determine upon what they can and can’t receive. They may have a POA that is just financial, but that doesn’t mean it’s healthcare-related,” Choate says.
If an individual has designated someone as their medical POA, providers should keep that documentation on file. But when in doubt, a provider should always ask the patient who it is OK to share information with, and keep their response on file.
Another example of verbal authorization can occur when a doctor’s office follows up with a patient over the phone to schedule an appointment or give test results. If the patient says “In the future, you can give any messages to my husband,” the provider can consider the husband to be a personal representative.
Handling Health Information When a Patient’s Incapacitated
HIPAA falls into a grayer area when a patient is incapacitated and cannot give a provider verbal authorization to disclose information to friends, relatives, or others who may be involved with the patient’s care. Unless a patient has a designated healthcare POA, the provider must use his or her professional judgement.
“When patient is not present or incapacitated, we can share an individual’s information with friend or family or others involved in their care or payment for care as long as the provider determines, based on professional judgement, on doing so that’s in the best interest of the individual. When there’s someone other than a family or a friend involved, [the provider should] make reasonable determination that the individual is actually involved in his or her payment for care or care,” Choate says.
For example, if a doctor has treated a patient for dementia and has met their primary caregiver in the office or inpatient settings, the doctor may decide to share information with that same caregiver when the patient is incapacitated.
Choate cited a case in which a patient in a physician’s waiting room passed out, which caused the office’s nursing staff to call 911 for an EMS team. After the patient recovered from her illness, she filed a lawsuit against the doctor’s office and EMS staff for discussing her PHI in front of strangers while responding to her emergency. In this case, HIPAA protects the nursing staff’s professional judgement to call EMS since it was in the best interest of the patient.
“HIPAA doesn’t want to prohibit that person’s ability to receive care,” Choate says. “It’s not meant to be so restrictive that that person shouldn’t be able to receive care just because they don’t have the ability to communicate.”