A power of attorney (POA) allows someone an individual designates (the person designated is known as the “agent” or “attorney-in-fact”) to make decisions for him or her if he or she becomes incapacitated. This document is sometimes referred to as a healthcare proxy.
A HIPAA power of attorney, is an agent the patient appoints, who then, by the terms of the power of attorney, may act to make medical decisions on the patient’s behalf if the patient is incapacitated.
To act under a HIPAA power of attorney or a healthcare proxy, the agent may require access to patient medical information, including protected health information (PHI).
The HIPAA Privacy Rule places restrictions on a covered entity’s use and disclosure of PHI. Specifically, the Privacy Rule prohibits PHI disclosure to unauthorized people. Therefore, for a HIPAA power of attorney or healthcare proxy to be validly executed by an individual, that individual must be an “authorized person” to whom disclosure can be made. Requirements for HIPAA compliant authorizations in the power of attorney and healthcare contexts, are discussed below.
What Information is Contained in a HIPAA Power of Attorney?
Typically, the proxy named in the power of attorney specifies what kinds of treatment decisions the agent may make when the patient is incapacitated, or when the patient is unable to communicate his or her needs due to a temporary or permanent illness or injury.
A healthcare proxy should contain a provision specifying what medical information of the patient that the agent has access to. The patient may grant broad access to the agent, covering most or all aspects of treatment, or may grant more limited access, restricting access to specific medical emergencies or to specific protected health information.
The patient may insert a clause in the power of attorney to the effect that a covered entity may have to certify that the patient is incapacitated before the proxy can make decisions for the patient.
Does HIPAA Require that a Power of Attorney Contain Specific Language?
HIPAA does not authorize the release of PHI to any family member under any circumstances. Rather, HIPAA authorizes the release of medical information only to a patient’s “personal representative.” A personal representative is defined as a person designated by the patient to act on behalf of the patient in making healthcare decisions. Under HIPAA, the personal representative may be, but need not be, a family member.
The power of attorney for medical records should indicate that the person named as the agent or proxy is also the patient’s “personal representative” for purposes of HIPAA. The power of attorney language may also indicate that the agent may exercise all rights that HIPAA (including the Privacy Rule) allows him or her to exercise, for purposes of making healthcare decisions with the patient. The power of attorney may contain additional HIPAA compliant language, such as language that states the agent is authorized to review the patient’s protected health information, as well as language stating that the agent/personal representative may discuss the patient’s protected health information with the patient’s healthcare providers.
