PERSONAL REPRESENTATIVES

A caregiver who is the individual's “personal representative” has the authority, under applicable law, to act on behalf of an individual in making decisions related to health care and has the same rights of access.³ The rule defers to state law to determine who has authority to act on behalf of the individual with respect to health care decisions. There are three primary ways that state law confers authority on another to make health care decisions on behalf of an individual:

1.

Through health care advance directives, specifically health care powers of attorney. Anyone appointed health care agent or proxy under such a document should have all the rights to access and control of information that the individual has. However, this authority commences only when the advance directive appointing the agent becomes effective. In some states, the appointment of a health care agent can be immediately effective, but in most states the appointment becomes effective only at the point the person loses capacity to make health care decisions. Because many people may need and want their health care proxy to have access to their health information prior to the point of their losing capacity to make health care decisions, their expectations and the expectations of their appointed proxy may be frustrated.

2.

Through default surrogate decision-making laws (or case law). Most, but not all, states specify a hierarchy of next of kin who have authority to make health care decisions when no one has been formally appointed. Default surrogates also have all the rights to access and control of information that the individual has. However, it may not always be clear who the default surrogate is, especially where information about the family is limited or there is more than one possible surrogate at the same level of the hierarchy (e.g., multiple adult children). Moreover, some states have no specified hierarchy (e.g., California, Colorado, Hawaii) and depend on identifying the surrogate by consensus. As with health care powers of attorney, the authority of a default surrogate commences only when the individual has lost capacity to make health care decisions.

3.

Through guardianship law. Judicial proceedings to appoint a guardian are usually a measure of last resort for individuals who have lost capacity to manage their affairs. Courts normally prefer to appoint a close family member as guardian. But, the guardian has only as much or as little authority as the guardianship order specifies.⁴

Failure of the provider or health plan to disclose information to one's known and presently authorized personal representative is a violation of the HIPAA Privacy Rule, unless the covered entity has a reasonable belief that either: (1) the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or (2) treating such person as the personal representative could endanger the individual; and the covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.⁵

HIPAA AUTHORIZATIONS AND DIRECTED RIGHT TO ACCESS

The second avenue of access is for anyone to whom the individual has given a valid HIPAA authorization or a directed right to access. A HIPAA authorization is a document normally provided by one's health care provider, signed by the individual, that identifies the scope of information that may be disclosed, to whom, and for what purposes, and it meets other specifications under the Privacy Rule. A family caregiver bearing a HIPAA authorization does not stand in the shoes of the individual, as does a personal representative, for the Privacy Rule is permissive and the principle of minimum necessary disclosure applies. Thus, a caregiver relying on a HIPAA authorization may still encounter barriers to access.

A directed right to access is an authorization by the individual to another person to give the person a right of access to one's personal health information. If given to another, the right of access is mandatory. Health care providers must disclose unless an exception applies. Exceptions are limited to personal notes of mental health care professionals, maintained separately from medical records, and information in connection with a civil, criminal, or administrative action/proceeding. The right to access must be in writing, but its required elements are very simple. It must be signed by the individual, and clearly identify the designated person and where to the send the personal health information (Samuels, 2016).

FAMILY AND FRIENDS

The third avenue of access is for other family and friends who are not formally appointed personal representatives or designated persons under a written authorization, but who are involved in the person's health care or payment for health care in some way. Under this part of the rule, one's health care provider may share relevant information about the individual if

1.

the individual (who is the subject of the confidential information) gives the provider permission to share the information (a person can also prohibit sharing with specified individuals);

2.

the individual is present and does not object to sharing the information with the other person; or

3.

the individual is not present, and the provider determines, based on professional judgment, that it is in the individual's best interest to share information with the other person.

How much information is shared is also a matter of professional judgment, based on the circumstances, but is to be limited to just the information that the person involved needs to know about the person's care or payment. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the person asked that individual to be involved in his or her care or payment for care.⁶

The HHS Office for Civil Rights provides the following examples of the third circumstance:

• An emergency room doctor may discuss a person's treatment in front of the person's friend if the person asks that her friend come into the treatment room.
• A doctor's office may discuss a person's bill with the individual's adult daughter who is with her father at his medical appointment and has questions about the charges.
• A doctor may discuss the medications a person needs to take with the person's health aide who has accompanied the person to a medical appointment.
• A doctor may give information about a person's mobility limitations to the person's sister who is driving the individual home from the hospital.
• A nurse may discuss a person's health status with the person's brother if she informs him that she is going to do so and the person does not object, but a nurse may not discuss a person's condition with the person's brother after the person has stated she does not want her family to know about her condition.

When a language interpreter is needed, information can generally be disclosed to the interpreter according to regulatory guidance (HHS, 2008a,b).

Under the Family and Friends Rule, health care providers exercise substantial discretion in determining what, if any, health information can be shared. This discretion can impede caregivers' access to needed information. Variability in disclosure can depend on the health care provider's professional knowledge, familiarity with the family, personal attitudes, perceptions, and biases.

Caregiver problems in gaining access to needed health information appear to be fairly common based on anecdotes, but reliable data on the frequency and nature of problems are non-existent. The HHS Office for Civil Rights reported that its enforcement database tracks only breaches of privacy and security, not failures to disclose information.⁷ Because most failures to disclose information are permissive exercises of discretion, they are not violations of the Privacy Rule.

The Veterans Health Administration (VHA) also complies with HIPAA regulations, as well as other federal laws, and has guidelines for veterans' facilities that are parallel to those of the HHS Office for Civil Rights (VHA, 2006). However, in a Privacy Fact Sheet, VHA does address caregivers and how to identify them, although one purpose of the guidance is to identify caregivers who may be eligible to participate in support and educational groups or other VA family support services (VHA Information Access and Privacy Office, 2009).

In summary, caregivers have no special status under the HIPAA Privacy Rule, although their role as caregiver is relevant to providers' exercise of professional judgment over disclosure. Fulfilling the role of caregiver sometimes requires ready access to much if not all of the person's health information. The HHS Office for Civil Rights could facilitate caregivers' access to information if it were to provide administrative guidance to covered entities about the importance of the role of family caregivers and their need for complete and timely access to protected health information. This would encourage providers to exercise their professional judgment in permitting access to information for caregivers, consistent with the best interests of the care recipient. Such guidance under the Privacy Rule would help to establish caregivers as recognized members of the care team.

Training offered in both the public and private sectors on the requirements of the HIPAA Privacy Rule could likewise address the essential role in care delivery and support played by family caregivers, and include guidance on identifying caregivers and sharing information with caregivers more inclusively, consistent with the best interests of the care recipient.

In providing explicit recognition of caregivers, the HHS Office for Civil Rights could note that caregivers are already recognized in other federal laws for various purposes, for example:

• for assistance and support services for caregivers from the U.S. Department of Veterans Affairs [38 USC § 1720G];
• under Social Services Block Grants to States [42 USC § 1397j];
• under the National Family Caregiver Support Program pursuant to the Older Americans Act [42 USC § 3030s-1]; and
• under the Public Health Service's Lifespan Respite Program for caregivers [42 USC § 300ii].

REFERENCES

• HHS (U.S. Department of Health and Human Services). Health information privacy FAQs number 530. 2008a. [June 23, 2016]. http://www​.hhs.gov/hipaa​/for-professionals​/faq/530/when-doeshipaa-allow-a-health-care-provider-to-dicuss-information-with-family/index.html.
• HHS. Health information privacy FAQs number 536. 2008b. [June 23, 2016]. http://www​.hhs.gov/hipaa​/forprofessionals​/faq/536/may-a-health-care-provider-share-information-with-an-interpreter​/index.html.
• Samuels J. Understanding individuals' right under HIPAA to access their health information. 2016. [June 23, 2016]. http://www​.hhs.gov/blog​/2016/01/07/understanding-individuals-right-underhipaa-access-their.html.
• VHA (Veterans Health Administration). Handbook 1605.1, Privacy and release of information. Washington, DC: U.S. Department of Veterans Affairs; 2006.
• VHA Information Access and Privacy Office. Privacy fact sheet: Sharing information with caregivers. Washington, DC: U.S. Department of Veterans Affairs; 2009.