The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the creation of privacy standards for personally identifiable health information. The set of privacy regulations promulgated under HIPAA, known as the Privacy Rule (45 CFR Part 164), defines the types of uses and disclosures of an individual’s health information that are permitted by health care providers and health plans. In other words, it determines who can look at and receive an individual’s health information, including family members and friends of the person. The regulations include limits on who can get one’s information, mechanisms for correcting information in an individual’s record, and a requirement to disclose who has seen it. The regulations are enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Health care providers and plans covered under the rule are referred to as “covered entities.” The discussion below addresses only adults, not minors, in accordance with the committee’s charge and focus on adults age 65 and older.
The Privacy Rule, along with two related HHS rules addressing security and breach notification, seeks to protect the privacy and security of persons seeking or receiving health care. The HIPAA penalties primarily target failures to preserve privacy and security, not failures to disclose information. There are only two mandatory disclosures under the Privacy Rule: disclosure to the individual (and certain representatives authorized by the individual) and disclosure to the Secretary of HHS for purposes of investigating compliance.1 All other disclosures under the Act are permissive and guided by a principle of minimum necessary disclosure.2 Health care providers exercise considerable discretion, and providers tend to be very cautious about disclosure. The Privacy Rule makes no mention of caregivers in its provisions. Instead, it provides someone serving as caregiver with three possible avenues of access to a care recipient’s protected health information.
A caregiver who is the individual’s “personal representative” has the authority, under applicable law, to act on behalf of an individual in making decisions related to health care and has the same rights of access.3 The rule defers to state law to determine who has authority to act on behalf of the individual with respect to health care decisions. There are three primary ways that state law confers authority on another to make health care decisions on behalf of an individual:
- Through health care advance directives, specifically health care powers of attorney. Anyone appointed health care agent or proxy under such a document should have all the rights to access and control of information that the individual has. However, this authority commences only when the advance directive appointing the agent becomes effective. In some states, the appointment of a health care agent can be immediately effective, but in most states the appointment becomes effective only at the point the person loses capacity to make health care decisions. Because many people may need and want their health care proxy to have access to their health information prior to the point of their losing capacity to make health care decisions, their expectations and the expectations of their appointed proxy may be frustrated.
- Through default surrogate decision-making laws (or case law). Most, but not all, states specify a hierarchy of next of kin who have authority to make health care decisions when no one has been formally appointed. Default surrogates also have all the rights to access and control of information that the individual has. However, it may not always be clear who the default surrogate is, especially where information about the family is limited or there is more than one possible surrogate at the same level of the hierarchy (e.g., multiple adult children). Moreover, some states have no specified hierarchy (e.g., California, Colorado, Hawaii) and depend on identifying the surrogate by consensus. As with health care powers of attorney, the authority of a default surrogate commences only when the individual has lost capacity to make health care decisions.
- Through guardianship law. Judicial proceedings to appoint a guardian are usually a measure of last resort for individuals who have lost capacity to manage their affairs. Courts normally prefer to appoint a close family member as guardian. But the guardian has only as much or as little authority as the guardianship order specifies.4
1 45 CFR § 164.502. “Covered entities: Required disclosures. A covered entity is required to disclose protected health information: (i) To an individual, when requested under, and required by § 164.524 or § 164.528; and (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subchapter.”
2 45 CFR § 164.502. “When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
3 45 CFR § 164.502(g). A covered entity must “treat a personal representative as the individual for purposes of this subchapter. . . . If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.” An exception to this rule is provided in cases of suspected abuse, neglect, or endangerment by the personal representative.
Failure of the provider or health plan to disclose information to one’s known and presently authorized personal representative is a violation of the HIPAA Privacy Rule, unless the covered entity has a reasonable belief that either: (1) the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or (2) treating such person as the personal representative could endanger the individual; and the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.5
HIPAA AUTHORIZATIONS AND DIRECTED RIGHT TO ACCESS
The second avenue of access is for anyone to whom the individual has given a valid HIPAA authorization or a directed right to access. A HIPAA authorization is a document normally provided by one’s health care provider, signed by the individual, that identifies the scope of information that may be disclosed, to whom, and for what purposes, and it meets other specifications under the Privacy Rule. A family caregiver bearing a HIPAA authorization does not stand in the shoes of the individual, as does a personal representative, for the Privacy Rule is permissive and the principle of minimum necessary disclosure applies. Thus, a caregiver relying on a HIPAA authorization may still encounter barriers to access.
4 For deceased individuals, a person appointed executor or administrator of the individual’s estate also bears the status of personal representative.
5 45 CFR § 164.502.
A directed right to access is an authorization by the individual to another person to give the person a right of access to one’s personal health information. If given to another, the right of access is mandatory. Health care providers must disclose unless an exception applies. Exceptions are limited to personal notes of mental health care professionals, maintained separately from medical records, and information in connection with a civil, criminal, or administrative action/proceeding. The right to access must be in writing, but its required elements are very simple. It must be signed by the individual, and clearly identify the designated person and where to send the personal health information (Samuels, 2016).
FAMILY AND FRIENDS
The third avenue of access is for other family and friends who are not formally appointed personal representatives or designated persons under a written authorization, but who are involved in the person’s health care or payment for health care in some way. Under this part of the rule, one’s health care provider may share relevant information about the individual if
- the individual (who is the subject of the confidential information) gives the provider permission to share the information (a person can also prohibit sharing with specified individuals);
- the individual is present and does not object to sharing the information with the other person; or
- the individual is not present, and the provider determines, based on professional judgment, that it is in the individual’s best interest to share information with the other person.
How much information is shared is also a matter of professional judgment, based on the circumstances, but is to be limited to just the information that the person involved needs to know about the person’s care or payment. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the person asked that individual to be involved in his or her care or payment for care.6
6 45 CFR § 164.510.
The HHS Office for Civil Rights provides the following examples of the third circumstance:
- An emergency room doctor may discuss a person’s treatment in front of the person’s friend if the person asks that her friend come into the treatment room.
- A doctor’s office may discuss a person’s bill with the individual’s adult daughter who is with her father at his medical appointment and has questions about the charges.
- A doctor may discuss the medications a person needs to take with the person’s health aide who has accompanied the person to a medical appointment.
- A doctor may give information about a person’s mobility limitations to the person’s sister who is driving the individual home from the hospital.
- A nurse may discuss a person’s health status with the person’s brother if she informs him that she is going to do so and the person does not object, but a nurse may not discuss a person’s condition with the person’s brother after the person has stated she does not want her family to know about her condition.
Under the Family and Friends Rule, health care providers exercise substantial discretion in determining what, if any, health information can be shared. This discretion can impede caregivers’ access to needed information. Variability in disclosure can depend on the health care provider’s professional knowledge, familiarity with the family, personal attitudes, perceptions, and biases.
Caregiver problems in gaining access to needed health information appear to be fairly common based on anecdotes, but reliable data on the frequency and nature of problems are non-existent. The HHS Office for Civil Rights reported that its enforcement database tracks only breaches of privacy and security, not failures to disclose information.7 Because most failures to disclose information are permissive exercises of discretion, they are not violations of the Privacy Rule.
The Veterans Health Administration (VHA) also complies with HIPAA regulations, as well as other federal laws, and has guidelines for veterans’ facilities that are parallel to those of the HHS Office for Civil Rights (VHA, 2006). However, in a Privacy Fact Sheet, VHA does address caregivers and how to identify them, although one purpose of the guidance is to identify caregivers who may be eligible to participate in support and educational groups or other VA family support services (VHA Information Access and Privacy Office, 2009).
7 Committee Briefing, M. Gordon-Nguyen, and C. Heide, HHS Office for Civil Rights, April 28, 2015.
In summary, caregivers have no special status under the HIPAA Privacy Rule, although their role as caregiver is relevant to providers’ exercise of professional judgment over disclosure. Fulfilling the role of caregiver sometimes requires ready access to much if not all of the person’s health information. The HHS Office for Civil Rights could facilitate caregivers’ access to information if it were to provide administrative guidance to covered entities about the importance of the role of family caregivers and their need for complete and timely access to protected health information. This would encourage providers to exercise their professional judgment in permitting access to information for caregivers, consistent with the best interests of the care recipient. Such guidance under the Privacy Rule would help to establish caregivers as recognized members of the care team.
Training offered in both the public and private sectors on the requirements of the HIPAA Privacy Rule could likewise address the essential role in care delivery and support played by family caregivers, and include guidance on identifying caregivers and sharing information with caregivers more inclusively, consistent with the best interests of the care recipient.
In providing explicit recognition of caregivers, the HHS Office for Civil Rights could note that caregivers are already recognized in other federal laws for various purposes, for example:
- for assistance and support services for caregivers from the U.S. Department of Veterans Affairs [38 USC § 1720G];
- under Social Services Block Grants to States [42 USC § 1397j];
- under the National Family Caregiver Support Program pursuant to the Older Americans Act [42 USC § 3030s-1]; and
- under the Public Health Service’s Lifespan Respite Program for caregivers [42 USC § 300ii].
REFERENCES
HHS (U.S. Department of Health and Human Services). 2008a. Health information privacy FAQs number 530. http://www.hhs.gov/hipaa/for-professionals/faq/530/when-doeshipaa-allow-a-health-care-provider-to-dicuss-information-with-family/index.html (accessed June 23, 2016).
HHS. 2008b. Health information privacy FAQs number 536. http://www.hhs.gov/hipaa/forprofessionals/faq/536/may-a-health-care-provider-share-information-with-an-interpreter/index.html (accessed June 23, 2016).
Samuels, J. 2016. Understanding individuals’ right under HIPAA to access their health information. http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-underhipaa-access-their.html (accessed June 23, 2016).
VHA (Veterans Health Administration). 2006. Handbook 1605.1, Privacy and release of information. Washington, DC: U.S. Department of Veterans Affairs.
VHA Information Access and Privacy Office. 2009. Privacy fact sheet: Sharing information with caregivers. Vol. 09, No. 7. Washington, DC: U.S. Department of Veterans Affairs.