This document provides guidance and directives for LifeCare Team members to understand what is – and what is not – allowed when communicating with patients, patient family members, and patient representatives.  In all cases, if there is a concern regarding any communication with outside parties (written or verbal) please direct the question and request to:

Connie Bonis, OTR/L

Medicare Compliance Officer

Quick Reference Summary

You must disclose protected health information to the individual receiving care and to the Secretary of HHS for the purpose of investigating compliance.

The rule defers to state law to determine who has authority to act on behalf of the individual with respect to health care. Under one of these arrangements, the individual has the authority to make healthcare decisions on behalf of the patient.  This includes:

a. Health Care Advance Directive

b. Surrogate Decision Making

c. Guardianship

For all other persons, health information can be shared, but the individual with whom you share the information does not have the right to act on their behalf, meaning that they do not have the right to make healthcare decisions on their behalf.   Examples of when you can share information include:

a. The patient gives you verbal permission

b. The individual is present at the patient's appointment, and the patient does not object.

c. You determine that it is in the patient’s best interest to share.

IN ANY SITUATION IN WHICH YOU DETERMINE THAT AN INDIVIDUAL WHO IS NOT THE PATIENT’S PERSONAL REPRESENTATIVE MAY NOT BE ACTING IN THE PATIENT’S BEST INTERESTS OR WISHES, YOU HAVE THE RIGHT AND OBLIGATION TO STOP SHARING PROTECTED HEALTH INFORMATION.   THIS ALSO APPLIES TO PERSONAL REPRESENTATIVES IF ABUSE OR NEGLECT IS SUSPECTED.  IN THESE CASES, PLEASE ASK FOR GUIDANCE.

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the creation of privacy standards for personally identifiable health information. The set of privacy regulations promulgated under HIPAA, known as the Privacy Rule (45 CFR Part 164), defines the types of uses and disclosures of an individual's health information that health care providers and health plans permit. In other words, it determines who can view and receive an individual's health information, including family members and friends. The regulations include limits on who can access an individual's information, mechanisms for correcting information in an individual's record, and a requirement to disclose who has viewed it. The regulations are enforced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights. Health care providers and plans covered under the rule are referred to as “covered entities.” The discussion below addresses only adults, not minors, in accordance with the committee's charge and focus on adults aged 65 and older.  

The Privacy Rule, along with two related HHS rules addressing security and breach notification, seek to protect the privacy and security of persons seeking or receiving health care. The HIPAA penalties primarily target failures to preserve privacy and security, not failures to disclose information. 

THERE ARE ONLY TWO MANDATORY DISCLOSURES UNDER THE PRIVACY RULE: 

• Disclosure to the individual (and certain representatives authorized by the individual) 

• Disclosure to the Secretary of HHS for purposes of investigating compliance.  

Who Can Act on Behalf of the Patient

A caregiver who is the individual's “personal representative” has the authority, under applicable law, to act on behalf of an individual in making health care decisions and has the same rights of access.  The rule defers to state law to determine who has authority to act on behalf of an individual in health care decisions. 

There are three primary ways that state law confers authority on another to make health care decisions on behalf of an individual:

1. Through health care advance directives, specifically health care powers of attorney. Anyone appointed as a health care agent or proxy under such a document should have the right to access and control the information the individual has. 

2. Through default surrogate decision-making laws (or case law). Most, but not all, states specify a hierarchy of next of kin who have the authority to make health care decisions when no one has been formally appointed. Default surrogates also have all the rights to access and control of information that the individual has.

3. Through guardianship law. Judicial proceedings to appoint a guardian are usually a measure of last resort for individuals who have lost the capacity to manage their affairs. Courts normally prefer to appoint a close family member as guardian. But the guardian has only as much or as little authority as the guardianship order specifies.

NOTE THAT DOCUMENTS MUST BE READ TO ENSURE THAT THEY ARE ACTIVE AND APPLICABLE AT THE TIME TREATMENT IS BEING RENDERED. IN MANY CASES, THESE DOCUMENTS ONLY BECOME EFFECTIVE AT THE POINT THE PERSON LOSES THE CAPACITY TO MAKE HEALTHCARE DECISIONS.

Who Can Have Access to Patient Protected Health Information

There are circumstances in which an individual can have access to a patient’s protected health information.  Note that in these cases, the person does not stand in the shoes of the individual, as does a personal representative, meaning that you can discuss the patient’s information, but they are not authorized to make healthcare decisions.

Examples of situations in which you can disclose protected health information include:

1. Individuals with a valid HIPAA authorization. This document, signed by the individual, identifies the scope of information that may be disclosed, to whom, and for what purposes.

2. Family and friends who are involved in the person’s healthcare but are not formally appointed. In these situations, you can assume that you may share information if and when: 

• The individual (who is the subject of the confidential information) gives the provider verbal  permission to share the information (a person can also prohibit sharing with specified individuals); 

• The individual is present and does not object to sharing the information with the other person. 

• The individual is not present, and the provider, based on professional judgment, determines that it is in the individual's best interest to share information with the other person.

HOW MUCH INFORMATION IS SHARED IS ALSO A MATTER OF PROFESSIONAL JUDGMENT, BASED ON THE CIRCUMSTANCES, BUT IS TO BE LIMITED TO JUST THE INFORMATION THAT THE PERSON INVOLVED NEEDS TO KNOW ABOUT THE PERSON'S CARE OR PAYMENT. WHEN SOMEONE OTHER THAN A FRIEND OR FAMILY MEMBER IS INVOLVED, THE HEALTH CARE PROVIDER MUST BE REASONABLY SURE THAT THE PERSON ASKED THAT INDIVIDUAL TO BE INVOLVED IN HIS OR HER CARE OR PAYMENT FOR CARE.