Why Do I Need a HIPAA Authorization?
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), is a Federal law that required the establishment of national standards to protect the privacy of patients’ health care information.
The Privacy Rule, which took effect on April 14, 2003, regulates the use and disclosure of “Protected Health Information.” “Protected Health Information” is defined very broadly as: Individually identifiable health information transmitted or maintained in any form which:
- is held by a covered entity or its business associate;
- identifies the individual or offers a reasonable basis for identification;
- is created or received by a covered entity or an employer; or
- relates to a past, present or future physical or mental condition, provision of health care or payment for health care.
To whom does HIPAA apply?
HIPAA limits “covered entities” from sharing your protected health information. Covered entities include health care providers that conduct transactions in electronic form, health care clearinghouses, and health plans.
Essentially, any health care provider or insurance company that uses computers in the normal course of its business is subject to this law.
What happens if a covered entity violates HIPAA?
Covered entitles that violate HIPAA are subject to civil fines, as well as criminal penalties with possible jail time.
Civil fines range from $100 per violation up to an annual maximum of $25,000 for general violations of HIPAA, and $50,000 per violation up to an annual maximum of $1.5 million in cases of willful violations.
Covered entities that “knowingly” obtain or disclose identifiable health information may face criminal penalties including fines of up to $50,000 and imprisonment for up to one year.
Those that violate HIPAA with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm, face fines of $250,000 and imprisonment for up to ten years.
What does this all mean for you?
Most of us would agree that health care providers and insurance companies should protect our medical information.
However, the penalties associated with violating HIPAA often makes them extremely cautious about sharing medical information with anyone but their patient, even close family members such as spouses and children.
A well-drafted medical power of attorney should arguably be legally sufficient to authorize your health care provider to share your protected medical information with your health care agent.
But if the medical power of attorney does not specifically authorize transmission of your protected health information as required under HIPAA, your health care provider may err on the side of caution and refuse to share this information with your agent, who may need it to make an informed medical decision on your behalf.
Additionally, your health care agent does not have authority to act under your medical power of attorney until your attending physician certifies that you are incompetent, and you may want someone to have access to your records before that time.
For example, you may want your agent to contact your doctor’s office about a question on a bill, or discuss your medical condition with your doctor if you are hospitalized. A HIPAA authorization would allow your agent to do that.
For this reason, most attorneys recommend that their clients sign a separate document that authorizes disclosure of protected health information.
A HIPAA authorization allows you to name an individual who can have access to your medical information so that your health care provider or insurance company have no reservations about sharing your protected medical information with them.