QUESTION: The HIPAA privacy rule generally requires a covered entity to treat an individual’s personal representative as the individual. What is a personal representative, and how do we determine if someone is an individual’s personal representative?
ANSWER: Under HIPAA, an individual’s personal representative must be treated as the individual with respect to protected health information (PHI) relevant to the represented person. Under this rule, for example, an individual’s personal representative might exercise the individual’s right to access the individual’s PHI held by a covered entity in a designated record set.
For purposes of HIPAA’s privacy rule, a person is an individual’s personal representative if, under applicable state law, he or she can act on the individual’s behalf in making decisions related to health care. Personal representatives should be able to provide documentation supporting their status under an applicable state law. In fact, HIPAA requires verification of the identity and authority of a person wanting access to PHI if the identity or authority is not already known to a covered entity. HIPAA privacy policies and procedures should require documentation when a person seeks access to PHI as a personal representative.
In responding to those who seek to be treated as personal representatives, you will need to become familiar with the state laws applicable to your organization, and you will also need to know about the specific guidance and exceptions under HIPAA. Following is a summary of some important points:
Power of Attorney. A power of attorney that does not include decisions related to health care in its scope generally is not sufficient to create personal representative status. Similarly, a limited health care power of attorney (for example, one related to a specific treatment) will create personal representative status only with respect to PHI within its scope.
Spouses and Minor Children. An individual’s spouse generally is not the individual’s personal representative for purposes of the HIPAA privacy rule simply by virtue of marital status since in most jurisdictions, one spouse does not automatically have the legal right to make health care decisions on behalf of the other spouse. Parents or guardians who have authority to act on an unemancipated minor’s behalf in making health care decisions generally are personal representatives of the minor with respect to the PHI for that health care. However, there are exceptions to this rule—for example, if an applicable law does not require the parent’s or guardian’s consent before the minor child can obtain a particular health care service. State law must be consulted to determine parental rights in these cases.
Other Exceptions. A covered entity does not have to treat a person as an individual’s personal representative in certain situations involving domestic violence, abuse, neglect, or endangerment of the individual if treating the person as the individual’s personal representative would not be in the individual’s best interest.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXVI.G (“Personal Representatives, Minors, and Spouses”).
Contributing Editors: EBIA Staff.