HIPAA Provisions in Estate Planning Documents

By: Nancy M. Rice , Esquire, CELA

HIPAA, the Healthcare Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d) has received much press recently because of the recent (4/14/03) required implementation of its privacy provisions.

Essentially, the HIPAA privacy rules provide that health care providers must take steps to prevent the unauthorized dissemination of "Protected Health Information" or "PHI". PHI is defined very broadly as: "[i]ndividually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate[; i]dentifies the individual or offers a reasonable basis for identification[; i]s created or received by a covered entity or an employer[; or r]elates to a past, present, or future physical or mental condition, provision of health care or payment for health care." 45 C.F.R. § 160.103.

The penalties to health care providers for non-compliance with the HIPAA privacy rules are severe. If there is a general failure to comply with HIPAA, civil fines may be imposed as the rate of $100 per violation, up to a maximum of $25,000 per year. However, if a person knowingly obtains and disseminates PHI, there are criminal penalties of up to a $50,000 fine and 1 year in prison. If the PHI is provided or obtained under false pretenses, there are criminal penalties of up to a $100,000 fine and 5 years in prison. If the PHI is obtained or used for commercial advantage, personal gain or malicious harm, then the criminal penalties increase to a $250,000 fine and 10 years in jail. 42 USC 1320d-5 and 1320d-6.

The privacy provisions apply to Health Care Providers, Health Care Plans (including Employer self-insurance plans), and "Health Care Clearing Houses."

Technically, HIPAA applies only to health information transacted electronically; however, "electronics" include fax machines and telephones, so not many providers are exempt from its terms.

Perhaps the most important term of art for estate planning attorneys is "Protected Health Information." The definition is very broad. Thus, use of the term in Durable Powers of Attorney, Health Care Powers of Attorney, Advance Directives (and even Fiduciary Powers in Wills and Trusts and Guardianship Orders and Orders to Show Cause, discussed below) is critical.

Health care providers are very concerned that they might violate HIPAA and incur the severe penalties discussed above. Predictably, the reaction of health care providers is to be extremely cautious about disseminating PHI. Thus, estate planning attorneys can expect that Health Care Powers of Attorney and Advance Directives will be carefully scrutinized by health care providers. Providers and their attorneys will be looking for specific language which authorizes the provider to disclose PHI to a Health Care Representative.

Arguably, most well drafted Health Care Powers of Attorney and Advance Directives are legally sufficient to authorize the health care provider to transmit PHI to your Health Care Representative. See 45 CFR 164.502(g) (available online at www.hhs.gov/ocr/hipaa/guidelines/personalrepresentatives.rtf).

As a practical matter, however, the health care provider may not know what is and is not legally sufficient. Given the penalties at stake, the health care provider will likely err on the side of caution and not provide any PHI to a Health Care Representative unless the Health Care Power of Attorney or Advance Directive states specifically that PHI may be transmitted under (and, perhaps, notwithstanding) the HIPAA privacy rules.

Accordingly, it is recommended that the estate planning attorney add provisions to his/her Durable Powers of Attorney (Medical and Financial), and possibly to the "Fiduciary Powers" article in Wills and Trusts, and possibly to all Guardianship Orders to Show Cause (authorizing/releasing certifying physicians) and Guardianship Orders, some version of the following language:

[short form] To exercise all rights under HIPAA and be provided access to all "Protected Health Information" pursuant to (or notwithstanding any provision of) HIPAA.

[long form] I intend for my Agent/Health Care Representative/ Fiduciary to be treated as I would with regard to the use and dissemination of my individually identifiable health information and medical records ("Protected Health Information") . This authority applies to any information governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 USC 1320d and 45 CFR 160-164. I specifically authorize: any physician, dentist, other health care professional or medical provider, health plan, hospital, clinic, laboratory, pharmacy or other health care provider, any insurance company and the Medical Information Bureau, Inc. or other health care organization that has provided treatment or services to me or that has paid for or is seeking payment from me for such services, to give, disclose and release such Protected Health Information to my Agent/Health Care Representative/Fiduciary; to disclose all of my Protected Health Information regarding any past, present or future medical or mental health condition, to include all information relating to the diagnosis and treatment of HIV/AIDS, sexually transmitted diseases, mental illness and drug or alcohol abuse, to my Agent/Health Care Representative/ Fiduciary;

The estate planning attorney should consider whether to include HIPAA language in both the Financial and Medical Powers of Attorney if the Agent(s) and Health Care Representative(s) are not the same people. Suggested language for the Power of Attorney: "Only to the extent not inconsistent with any Medical Directive or Health Care Power of Attorney signed by me, my Agent may . . . ."

Another caveat: If a Power of Attorney is "springing," you may want to make the HIPAA authorization effective regardless of disability.