National Academies Press: OpenBook

Families Caring for an Aging America (2016)

Chapter: Appendix H: HIPAA and Caregivers' Access to Information

« Previous: Appendix G: Caregiving Stories
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

Appendix H

HIPAA and Caregivers’ Access to Information

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the creation of privacy standards for personally identifiable health information. The set of privacy regulations promulgated under HIPAA, known as the Privacy Rule (45 CFR Part 164), defines the types of uses and disclosures of an individual’s health information that are permitted by health care providers and health plans. In other words, it determines who can look at and receive an individual’s health information, including family members and friends of the person. The regulations include limits on who can get one’s information, mechanisms for correcting information in an individual’s record, and a requirement to disclose who has seen it. The regulations are enforced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights. Health care providers and plans covered under the rule are referred to as “covered entities.” The discussion below addresses only adults, not minors, in accordance with the committee’s charge and focus on adults age 65 and older.

The Privacy Rule, along with two related HHS rules addressing security and breach notification, seek to protect the privacy and security of persons seeking or receiving health care. The HIPAA penalties primarily target failures to preserve privacy and security, not failures to disclose information. There are only two mandatory disclosures under the Privacy Rule: disclosure to the individual (and certain representatives authorized by the individual) and disclosure to the Secretary of HHS for purposes of investi-

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

gating compliance.1 All other disclosures under the Act are permissive and guided by a principle of minimum necessary disclosure.2 Health care providers exercise considerable discretion, and providers tend to be very cautious about disclosure. The Privacy Rule makes no mention of caregivers in its provisions. Instead, it provides someone serving as caregiver with three possible avenues of access to a care recipient’s protected health information.

PERSONAL REPRESENTATIVES

A caregiver who is the individual’s “personal representative” has the authority, under applicable law, to act on behalf of an individual in making decisions related to health care and has the same rights of access.3 The rule defers to state law to determine who has authority to act on behalf of the individual with respect to health care decisions. There are three primary ways that state law confers authority on another to make health care decisions on behalf of an individual:

  1. Through health care advance directives, specifically health care powers of attorney. Anyone appointed health care agent or proxy under such a document should have all the rights to access and control of information that the individual has. However, this authority commences only when the advance directive appointing the agent becomes effective. In some states, the appointment of a health care agent can be immediately effective, but in most states the appointment becomes effective only at the point the person loses capacity to make health care decisions. Because many people may need and want their health care proxy to have access to their health infor-

___________________

1 45 CFR § 164.502. “Covered entities: Required disclosures. A covered entity is required to disclose protected health information: (i) To an individual, when requested under, and required by § 164.524 or § 164.528; and (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subchapter.”

2 45 CFR § 164.502. “When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

3 45 CFR § 164.502(g). A covered entity must “treat a personal representative as the individual for purposes of this subchapter. . . . If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.” An exception to this rule is provided in cases of suspected abuse, neglect, or endangerment by the personal representative.

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
  1. mation prior to the point of their losing capacity to make health care decisions, their expectations and the expectations of their appointed proxy may be frustrated.

  2. Through default surrogate decision-making laws (or case law). Most, but not all, states specify a hierarchy of next of kin who have authority to make health care decisions when no one has been formally appointed. Default surrogates also have all the rights to access and control of information that the individual has. However, it may not always be clear who the default surrogate is, especially where information about the family is limited or there is more than one possible surrogate at the same level of the hierarchy (e.g., multiple adult children). Moreover, some states have no specified hierarchy (e.g., California, Colorado, Hawaii) and depend on identifying the surrogate by consensus. As with health care powers of attorney, the authority of a default surrogate commences only when the individual has lost capacity to make health care decisions.
  3. Through guardianship law. Judicial proceedings to appoint a guardian are usually a measure of last resort for individuals who have lost capacity to manage their affairs. Courts normally prefer to appoint a close family member as guardian. But, the guardian has only as much or as little authority as the guardianship order specifies.4

Failure of the provider or health plan to disclose information to one’s known and presently authorized personal representative is a violation of the HIPAA Privacy Rule, unless the covered entity has a reasonable belief that either: (1) the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or (2) treating such person as the personal representative could endanger the individual; and the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.5

HIPAA AUTHORIZATIONS AND DIRECTED RIGHT TO ACCESS

The second avenue of access is for anyone to whom the individual has given a valid HIPAA authorization or a directed right to access. A HIPAA authorization is a document normally provided by one’s health care provider, signed by the individual, that identifies the scope of information that

___________________

4 For deceased individuals, a person appointed executor or administrator of the individual’s estate also bears the status of personal representative.

5 45 CFR § 164.502.

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

may be disclosed, to whom, and for what purposes, and it meets other specifications under the Privacy Rule. A family caregiver bearing a HIPAA authorization does not stand in the shoes of the individual, as does a personal representative, for the Privacy Rule is permissive and the principle of minimum necessary disclosure applies. Thus, a caregiver relying on a HIPAA authorization may still encounter barriers to access.

A directed right to access is an authorization by the individual to another person to give the person a right of access to one’s personal health information. If given to another, the right of access is mandatory. Health care providers must disclose unless an exception applies. Exceptions are limited to personal notes of mental health care professionals, maintained separately from medical records, and information in connection with a civil, criminal, or administrative action/proceeding. The right to access must be in writing, but its required elements are very simple. It must be signed by the individual, and clearly identify the designated person and where to the send the personal health information (Samuels, 2016).

FAMILY AND FRIENDS

The third avenue of access is for other family and friends who are not formally appointed personal representatives or designated persons under a written authorization, but who are involved in the person’s health care or payment for health care in some way. Under this part of the rule, one’s health care provider may share relevant information about the individual if

  1. the individual (who is the subject of the confidential information) gives the provider permission to share the information (a person can also prohibit sharing with specified individuals);
  2. the individual is present and does not object to sharing the information with the other person; or
  3. the individual is not present, and the provider determines, based on professional judgment, that it is in the individual’s best interest to share information with the other person.

How much information is shared is also a matter of professional judgment, based on the circumstances, but is to be limited to just the information that the person involved needs to know about the person’s care or payment. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the person asked that individual to be involved in his or her care or payment for care.6

___________________

6 45 CFR § 164.510.

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

The HHS Office for Civil Rights provides the following examples of the third circumstance:

  • An emergency room doctor may discuss a person’s treatment in front of the person’s friend if the person asks that her friend come into the treatment room.
  • A doctor’s office may discuss a person’s bill with the individual’s adult daughter who is with her father at his medical appointment and has questions about the charges.
  • A doctor may discuss the medications a person needs to take with the person’s health aide who has accompanied the person to a medical appointment.
  • A doctor may give information about a person’s mobility limitations to the person’s sister who is driving the individual home from the hospital.
  • A nurse may discuss a person’s health status with the person’s brother if she informs him that she is going to do so and the person does not object, but a nurse may not discuss a person’s condition with the person’s brother after the person has stated she does not want her family to know about her condition.

When a language interpreter is needed, information can generally be disclosed to the interpreter according to regulatory guidance (HHS, 2008a,b).

Under the Family and Friends Rule, health care providers exercise substantial discretion in determining what, if any, health information can be shared. This discretion can impede caregivers’ access to needed information. Variability in disclosure can depend on the health care provider’s professional knowledge, familiarity with the family, personal attitudes, perceptions, and biases.

Caregiver problems in gaining access to needed health information appear to be fairly common based on anecdotes, but reliable data on the frequency and nature of problems are non-existent. The HHS Office for Civil Rights reported that its enforcement database tracks only breaches of privacy and security, not failures to disclose information.7 Because most failures to disclose information are permissive exercises of discretion, they are not violations of the Privacy Rule.

The Veterans Health Administration (VHA) also complies with HIPAA regulations, as well as other federal laws, and has guidelines for veterans’ facilities that are parallel to those of the HHS Office for Civil Rights (VHA,

___________________

7 Committee Briefing, M. Gordon-Nguyen, and C. Heide, HHS Office of Civil Rights, April 28, 2015.

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

2006). However, in a Privacy Fact Sheet, VHA does address caregivers and how to identify them, although one purpose of the guidance is to identify caregivers who may be eligible to participate in support and educational groups or other VA family support services (VHA Information Access and Privacy Office, 2009).

In summary, caregivers have no special status under the HIPAA Privacy Rule, although their role as caregiver is relevant to providers’ exercise of professional judgment over disclosure. Fulfilling the role of caregiver sometimes requires ready access to much if not all of the person’s health information. The HHS Office for Civil Rights could facilitate caregivers’ access to information if it were to provide administrative guidance to covered entities about the importance of the role of family caregivers and their need for complete and timely access to protected health information. This would encourage providers to exercise their professional judgment in permitting access to information for caregivers, consistent with the best interests of the care recipient. Such guidance under the Privacy Rule would help to establish caregivers as recognized members of the care team.

Training offered in both the public and private sectors on the requirements of the HIPAA Privacy Rule could likewise address the essential role in care delivery and support played by family caregivers, and include guidance on identifying caregivers and sharing information with caregivers more inclusively, consistent with the best interests of the care recipient.

In providing explicit recognition of caregivers, the HHS Office for Civil Rights could note that caregivers are already recognized in other federal laws for various purposes, for example:

  • for assistance and support services for caregivers from the U.S. Department of Veterans Affairs [38 USC § 1720G];
  • under Social Services Block Grants to States [42 USC § 1397j];
  • under the National Family Caregiver Support Program pursuant to the Older Americans Act [42 USC § 3030s-1]; and
  • under the Public Health Service’s Lifespan Respite Program for caregivers [42 USC § 300ii].

REFERENCES

HHS (U.S. Department of Health and Human Services). 2008a. Health information privacy FAQs number 530.http://www.hhs.gov/hipaa/for-professionals/faq/530/when-doeshipaa-allow-a-health-care-provider-to-dicuss-information-with-family/index.html (accessed June 23, 2016).

HHS. 2008b. Health information privacy FAQs number 536. http://www.hhs.gov/hipaa/forprofessionals/faq/536/may-a-health-care-provider-share-information-with-an-interpreter/index.html (accessed June 23, 2016).

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

Samuels, J. 2016. Understanding individuals’ right under HIPAA to access their health information. http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-underhipaa-access-their.html (accessed June 23, 2016).

VHA (Veterans Health Administration). 2006. Handbook 1605.1, Privacy and release of information. Washington, DC: U.S. Department of Veterans Affairs.

VHA Information Access and Privacy Office. 2009. Privacy fact sheet: Sharing information with caregivers. Vol. 09, No. 7. Washington, DC: U.S. Department of Veterans Affairs.

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×

This page intentionally left blank.

Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 339
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 340
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 341
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 342
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 343
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 344
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 345
Suggested Citation:"Appendix H: HIPAA and Caregivers' Access to Information." National Academies of Sciences, Engineering, and Medicine. 2016. Families Caring for an Aging America. Washington, DC: The National Academies Press. doi: 10.17226/23606.
×
Page 346
Families Caring for an Aging America Get This Book
×
Buy Paperback | $75.00 Buy Ebook | $59.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Family caregiving affects millions of Americans every day, in all walks of life. At least 17.7 million individuals in the United States are caregivers of an older adult with a health or functional limitation. The nation's family caregivers provide the lion's share of long-term care for our older adult population. They are also central to older adults' access to and receipt of health care and community-based social services. Yet the need to recognize and support caregivers is among the least appreciated challenges facing the aging U.S. population.

Families Caring for an Aging America examines the prevalence and nature of family caregiving of older adults and the available evidence on the effectiveness of programs, supports, and other interventions designed to support family caregivers. This report also assesses and recommends policies to address the needs of family caregivers and to minimize the barriers that they encounter in trying to meet the needs of older adults.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!