Protecting Your Privacy and Access to Personal Health Information and HIPAA

The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. 1320d and 45 C.F.R. 160-164, is a federal law that protects your privacy by preventing the unauthorized dissemination of Personal Health Information (PHI). HIPAA privacy rules are nationally recognized and serve to safeguard your PHI, but HIPAA may also adversely affect you and your family during a medical crisis. The reason you could be adversely affected by enforcement of this federal law is that, due to serious penalties, healthcare providers are extremely cautious to not violate HIPAA guidelines. However, with proper planning, and the drafting of appropriate documents, you and your family can satisfy healthcare professionals’ concerns about HIPAA adherence and have access to your PHI when needed.

When determining if they can legally disclose PHI, healthcare providers must consider HIPAA national guidelines and state laws.  State laws may provide more privacy protection of PHI and have even more rigorous standards to protect your privacy. According to Florida Statutes, “the medical condition of a patient may not be discussed with, any person other than the patient or the patient’s legal representative or other health care practitioners and providers involved in the care or treatment of the patient, except upon written authorization of the patient.” (Fla. Stat. 456.057(7)(a)):

Administrative fines and criminal penalties for HIPAA violations and disclosing PHI without proper a release can be imposed on healthcare providers at $100 per violation, up to a maximum amount of $25,000 per year. Someone knowingly obtaining and disseminating PHI, may face a criminal penalty of one year in prison and a $50,000 fine. If PHI is obtained or provided using false measures, individuals can face criminal penalties 5 years in prison and a $100,000 fine. Severe criminal penalties of up to 10 years in prison and up to a $250,000 fine can be imposed on by persons who obtain or use PHI for commercial advantage, personal gain or malicious harm.

While there is no private cause of action for a HIPAA violation, individuals who feel their healthcare provider has improperly disclosed their PHI is to file a formal complaint with the Department of Health and Human Services, Office for Civil Rights (OCR) at:

With such penalties at stake, it is understandable that healthcare providers and insurance companies are very concerned that they do not violate HIPAA or incur the severe penalties discussed above. Clearly, the reaction of many healthcare providers is to be overly cautious about disseminating PHI. As such, Elder Law and Estate Planning attorneys can expect that your Advance Directives will be carefully scrutinized by health care providers. Healthcare providers, and their attorneys, look for specific language that authorizes the healthcare provider to disclose your PHI to personal representatives.

Creating documents that allow health-care professionals to share your Personal Health Information (PHI) with a representative, or representatives, of your choice in the event of a medical crisis is a solution that helps the healthcare providers protect your privacy under HIPAA and state privacy guidelines—and ensures that your loved ones can be closely involved with your healthcare in the event of a serious medical situation.

Another important area of concern about HIPAA and state privacy laws for you to consider is the ability of your loved ones to access your medical information post mortem. Without your wishes being expressly stated and clearly documented, it could be possible that there will be a need for probate, and the court costs that are associated with probate, just for your loved ones to acquire your medical records in the event of your death. A properly-drafted HIPAA Release should endeavor to name and authorize your designee(s) to act as “personal representative(s)” post-mortem to obtain any of your records protected by HIPAA and any comparable Florida medical privacy laws, without the requirement of any separate Court proceeding, order, appointment, or probate. Some healthcare providers still might require formal Letters of Administration from the Probate Court on the advice of their own legal counsel, which is a much more expensive proposition to your surviving family (i.e., Probate of your Estate).  However, a simple written statement of your own personal intent and specific authorization for your healthcare providers to share your PHI for a period up to five years after your death with your designee(s), makes clear your own wishes and directions, notwithstanding normal HIPAA restrictions and other privacy considerations.

You are wise to consult with your Elder Law/Estate Planning Attorney to discuss drafting an Authorization for Release of Medical Information, which enables medical professionals to freely share information with the person(s) you designate. Your HIPAA release should also be coordinated with your Living Will and Healthcare Surrogate Designation, and with any Preneed Guardian Designation made by you.  Also, most current Trusts and Durable Powers of Attorney contemplate your Successor Trustee(s) and Attorney(s)-in-Fact to have signed and delivered basic HIPAA releases to you or to their named successor in office, to ease the succession of your designated fiduciaries if one of them becomes totally or substantially incapacitated and unable to continue to serve as named in your estate planning documents.

Don’t be a victim of one size fits all planning.  Know your legal rights about HIPAA by consulting Elder Law/Estate Planning attorney and act accordingly!