Defending Your Clients' Health Care Powers From a HIPAA Attack
Some planners have recently raised an alarm about the adequacy
of commonly used health care powers of attorney. The concern is
that new federal HIPAA privacy rules limiting release of medical
information will make it difficult (maybe even impossible) for
an agent under a conventional health care power to prove that
his or her authority to act has been triggered. This article reviews
the applicable rules and suggests some drafting solutions.
The Background of HIPAA Paranoia
HIPAA is the acronym for the Health Insurance Portability and
Accountability Act of 1996 (42 USC §1320d). Although the
main purpose of HIPAA was to ensure the “portability”
of health insurance when employees changed jobs (or when their
employment ended), it also provided for the issuance of extensive
federal medical privacy rules. Seven years in the making -- these
rules took effect on April 14, 2003 -- and they have caused a
minor storm of anxiety and controversy.
The overall HIPAA privacy rule is that medical providers and
other “covered entities” are prohibited from disclosing
“protected health information” (generally any individually
identifiable health information) unless a specific exception applies,
e.g., for treatment, for certain public purposes, to the patient,
or with the patient’s permission.
But there have been problems. To start, the rules are extremely
lengthy and complicated. Second, the rules are unclear in many
respects. Third, the rules leave it up to medical providers to
create their own policies and procedures. Fourth, in many cases,
providers are required to limit disclosures to the “minimum
necessary.” Finally, and most compelling, there are severe
and frightening civil and criminal penalties for providers who
violate the rules.
The natural effect has been that many providers are clamming
up. To protect themselves from large and unknown risks, they have
focused on the prohibitions and not on the exceptions that allow
disclosure. Where providers do have policies for disclosures they
are usually only for routine treatment and billing, not the more
unusual demands for access by patients, families, and their lawyers
(see “Privacy Reigns: HIPAA Affects Access, Decision Making
and Guardianship Practice,” Lewis Lefko and Kathleen Whitehead,
program material at November 2003 Institute, National Academy
of Elder Law Attorneys).
Nevertheless, specific medical information is widely used in
probate courts, in estate planning and administration, and in
planning for and handling incapacity. Continuing access to such
information now seems threatened by HIPAA (see, for example, “When
Worlds Collide: The Privacy Challenge to Casual Use of Protected
Health Information in Probate Courts and Estate Planning,”
by Ralph Hughes, Estate Planning and California Probate Reporter,
June 2003, Vol. 24, p. 133).
One of such incapacity planning uses of medical information is
in the triggering the authority of an agent under a power of attorney
for health care decisions.
Springing Powers
As all experienced planners know, almost all health care powers
are written as “springing” powers that only go into
effect upon the incapacity of the principal. For example, the
popular Advance Health Care Directive (including a health care
power of attorney) published by the California Medical Association
(CMA) provides in “Authority of Agent”: “If
my primary physician finds that I cannot make my own health care
decisions, I grant my agent full power and authority to make those
decisions for me . . ..” The California Probate Code says,
“Unless otherwise provided in a power of attorney for health
care, the authority of an agent becomes effective only on a determination
that the principal lacks capacity . . .” (§4682).
But such springing powers now look problematic with HIPAA limiting
access to the medical information needed to trigger a person’s
right to act as the principal’s agent. There is certainly
no HIPAA exception allowing disclosure of medical information
for this purpose. As a result, there’s a potential dilemma
that prevents the health care power from ever getting triggered:
the agent can become authorized to receive medical information
only if he can prove that the principal is incapacitated, but
he can prove that the principal is incapacitated only by receiving
information he is not yet authorized to receive. Ralph Hughes
called this the “chicken and egg” problem in his Reporter
article cited above. Thomas J. Murphy calls it a “Catch-22”
in his “Drafting Health Care Powers of Attorney to Comply
with the New HIPAA Regulations,” NAELA News, August 2003,
Volume 15, Issue 4.
California has addressed and resolved this problem in Probate
Code §4732. It reads:
Records of primary physician. A primary physician who makes or
is informed of a determination that a patient lacks or has recovered
capacity, or that another condition exists affecting an individual
health care instruction or the authority of an agent, conservator
of the person, or surrogate, shall promptly record the determination
in the patient’s health care record and communicate the
determination to the patient, if possible, and to a person then
authorized to make health care decisions for the patient.
One can wonder if “then authorized” in the last phrase
means “in that case authorized” (good news) or “already
authorized” (bad news). Fortunately, the California Law
Revision Comments to the statute suggest that the purpose of this
language is to require documentation and communications relating
to “determinations that may trigger the authority of an
agent.”
But there is a problem: this is state law, and HIPAA is federal
law -- which of course prevails in spite of what the state law
requires. Worse, HIPAA regulations expressly state that its rules
preempt state law unless the state law provides “more stringent”
privacy protection, 45 CFR §160.203(b). As a result, it is
far from clear that Probate Code §4732 survives HIPAA’s
tougher restrictions.
One Solution
One solution to this dilemma is for your client’s health
care power to be “currently effective” rather than
springing. Such a solution is recommended in the newly revised
CEB Action Guide, Capacity and Undue Influence: Assessing, Challenging,
and Defending (Fall 2003), p. 27, and also in the Murphy article
above.
Note that in other states a health care power of attorney must
be springing (e.g., Arizona). However, as mentioned above, in
California a health care power is only springing by default; the
language of the power can provide otherwise (Probate Code §4682).
Indeed, a little used provision of the CMA Advance Health Care
Directive allows the principal the “option” to state,
“I want my agent’s authority to make health care decisions
for me to start now, even though I am still able to make them
for myself” (emphasis in original).
Once the agent’s authority is established, it is clear
sailing under the Probate Code. For example, “a person then
authorized to make health care decisions for a patient has the
same rights as the patient to request, receive, examine, copy,
and consent to the disclosure of medical or any other health care
information” (Probate Code §4678). In addition, health
care providers must comply with health care decisions made by
health care agents to the same extent as if the patient had made
the decision with capacity (Probate Code §4733).
Indeed, even the HIPAA rules appear to acquiesce to the authority
of agents. For example, HIPAA’s rules make it clear that
the patient himself has a right to his own medical information
(45 CFR §§164.502(a)(1)(i) and 164.524(a)). Further,
the official comments of the agency that issued the rules make
it clear that an individual’s personal representative has
all the rights of the individual, including uses and disclosure
of protected health information, and all other privacy rights
as well (e.g., granting of authorizations and releases) (“Personal
Representatives,” at www.hhs.gov/ocr/hipaa/privacy.html,
Office of Civil Rights (OCR), Department of Health and Human Services).
Bottom line: you will certainly want to warn your client about
the loss of control, invasion of privacy, and conflicting directions
that might arise from giving an agent immediate authority, but
you will probably want to think a lot more positively about having
your clients elect that option.
Personal Representatives
There is another problem -- even assuming your clients’
agents can prove that they are in fact currently authorized “agents.”
Your clients’ agents will also definitely want to be classified
as “personal representatives” under HIPAA rules. Under
HIPAA a medical provider “must [with limited exceptions]
treat a personal representative as the individual . . .”
(45 CFR §164.502(g)(1)). Are your clients’ agents also
“personal representatives” under HIPAA definitions?
Maybe.
Although HIPAA’s privacy rules include a lengthy section
devoted to definitions (45 CFR §164.501), they do not include
any definition of “personal representative.” Instead,
they merely say that:
If under applicable [state] law a person has authority to act
on behalf of an individual who is an adult . . . in making decisions
related to health care, a covered entity [e.g., medical provider]
must treat such person as a personal representative under this
subchapter with respect to protected health information relevant
to such personal representation. 45 CFR §164.502(g)(2)
Moreover, the HHS Office of Civil Rights’ official comments
on “personal representatives” state that health care
providers must recognize as a “personal representative”
any person with legal authority to make health care decisions
on behalf of the individual, citing a “health care power
of attorney” and stating that the grant of such a health
care power is primarily a matter of state law (see web site address
given above). This seems to clearly encompass an agent under a
health care power -- at least if it is immediately effective.
California Rules
And then there is California law to deal with. California has
its own Confidentiality of Medical Information Act (CMIA), with
its own set of restrictions on release of medical information
(Civil Code §§56-56.37).
CMIA requires the health care provider to disclose medical information
when compelled “by the patient or the patient’s representative”
(Civil Code §56.10(b)(7)), citing the patient’s right
to access his or her own health records under §123100, et
seq., of the Health and Safety Code. Unfortunately the definition
of “patient’s representative” in Health and
Safety Code §123105(e) inexplicably does not include an agent
under a health care power (an omission that cries out for correction).
CMIA does not further directly address the issue of agents under
a health care power. Nevertheless, CMIA does state that “an
authorization for the release of medical information by a provider
of health care . . . shall be valid if it: is signed and dated
by one of the following: . . . (2) The legal representative of
the patient, if the patient is a minor or incompetent” (Civil
Code §56.11(c)(2)). This language is not much help even if
the health care power is immediately effective but the principal
is still “competent.” Nor does it resolve the question
of whether or not the principal is in fact “incompetent”
(which is not defined) for purposes of triggering the authority
of the “legal representative.”
However, nominated health care agents do have clear authority
to receive medical determinations of capacity under Probate Code
§4733, quoted above. And health care agents clearly have
the right to receive the principal’s health care information,
and to give instructions, as described above (Probate Code §§4678
and 4733). So, there don’t appear to be serious problems
under state law.
Drafting to Ensure Compliance
To avoid any question about these issues (and to reassure nervous
health care providers), you might want to consider supplementing
your clients’ health care power with explicit authority
that no one could claim is ambiguous. Such language identifies
the nominated agent as a HIPAA “personal representative”
and expressly authorizes receipt of medical information under
CMIA.
It is simple enough to simply define the health care agent as
a “personal representative” for HIPAA and CMIA purposes.
For example, your clients can attach a statement to their health
care powers and reference and incorporate it in “Other or
additional statements of medical treatment desires and limitations”
on page 2 of the CMA form. It might state as follows:
Any agent named herein has authority to act on my behalf in making
decisions related to my health care. Accordingly, any agent named
herein shall be treated as my presently acting and currently authorized
“personal representative” under the privacy rules
of the Health Care Portability and Accountability Act of 1996
(HIPAA), 42 USC §1320d, and implementing regulations at 45
CFR §164.502(g), Personal Representatives. As such, any agent
named herein shall be treated as I would be with respect to my
rights regarding uses and disclosures of protected health information,
as well as all other rights I may have as the individual receiving
medical care. This includes but is not limited to:
All physicians, health care professionals, health plans, hospitals,
clinics, laboratories, pharmacies, or other health care providers
covered by HIPAA, any insurance company, and the Medical Information
Bureau, Inc., or other health care clearinghouse.
Such providers or other entities shall give, disclose, and release
to any agent nominated herein, without restriction, all of my
protected health information, medical records, and other medical
information, past, present, or future.
Finally, for purposes of California law, any agent named herein
shall be treated as my “legal representative,” under
Civil Code §56.11(c)(2) for purposes of authorizing disclosure
of medical information, and as my health care agent for purposes
of the California Probate Code, including but not limited to §§4678,
4732, and 4733.
Amendment or Replacement
Let’s assume that you are convinced by now that your clients
should include additional provisions in their health care powers
1) to make them immediately effective and 2) to make it certain
that the named agent comes within the HIPAA and CMIA definitions
of the person who has a right to medical information. The issue
then arises: amend current health care powers or replace them
with new ones.
To my surprise, in reviewing the relevant statutes for this
article I discovered that it is apparently not possible to amend
an “Advance Directive.” Under the Probate Code it
is possible to revoke them, but there is no mention of any right
to amend them (Probate Code §4695). So, if your clients want
the safety of the provisions suggested above, they are apparently
going to have to execute completely new health care powers --
and you can enjoy the challenge of explaining why the advance
directives and/or health care powers that you have recently prepared
now need to be redone.
Alternatives
Many readers will now be thinking: but what about preserving
client autonomy and control? Won’t clients resist -- shouldn’t
they resist -- a present empowerment of someone else to control
their health care?
My guess is that in the great majority of cases the principal
will be naming a family member in whom he or she has complete
trust and confidence. As mentioned above, attorneys should warn
about the potential problems (and document the warning), but clients
should be given the right to waive the risk if they want.
Where possible conflict may be a concern, planners might want
to consider creating a hybrid power of attorney: partially springing
and partially immediately effective. The power could remain springing,
with the exception that the agent’s authority is immediately
effective with regard accessing information relevant to showing
the principal’s incapacity to make medical decisions. Although
the HIPAA regulations do not appear to address the issue themselves,
OCR’s HIPAA web site commentary makes it clear that the
authority of personal representatives of a patient may be limited
to certain purposes. So such an approach would seem to be available
under HIPAA.
To the Contrary
In the interests of balance and fairness, it should be noted
that many medical providers are often none too fussy about the
niceties of health care powers. Some agents report that their
health care powers are readily accepted even when the principal
still has capacity and the power is springing. Just flashing the
health care power of attorney seems to be sufficient to get whatever
medical information the agent wants. No one ever thought he or
she would be expected to actually read the health care power to
see what it said. Also, in many cases, e.g., after a serious stroke,
the issue of incapacity will not be a close one, and the primary
physician may feel less reluctant to help trigger the agent’s
authority.
However, these are case by case accommodations to convenience
and reality that your clients cannot rely on with certainty. The
language suggested in this article will be a great relief if your
client has the bad luck to run into an anxious, conservative,
and well-informed provider.
Gregory Wilcox, Esq. is an attorney in private practice in
Berkeley, California. Mr. Wilcox would like to thank Linda S.
Durston, Esq., Berkeley, California, for her many useful comments
on earlier drafts of this article.
From the Spring 2004 Legal Network News
Back to Archives
|
