
Does power of attorney grant access to PHI?

While HIPAA protects the privacy of a patient's health records, a properly executed Power of Attorney (PoA) document can grant an individual the legal authority to access and make healthcare decisions on behalf of the patient. Healthcare organizations therefore need to know how to handle circumstances where an agent acting under a PoA accesses patient data.

 

What is power of attorney?

A PoA is a legal document that gives one person the authority to make decisions for another person when they can't make those decisions themselves. These decisions can be about many things, like managing money, handling legal matters, or making healthcare choices. 

There are different types of power of attorney, and they can start working right away or only when the person becomes unable to make decisions. 

The person who gets this power is called the "agent" or "attorney-in-fact." For instance, if you're sick and can't talk to the doctor, the person you've given power of attorney for healthcare can talk to the doctor for you and make decisions about your treatment. It's a way to make sure your wishes are followed when you can't express them yourself.

 

Is there a difference between power of attorney and a personal representative under HIPAA?

A power of attorney is a legal document that grants one person (the agent or attorney-in-fact) the authority to make decisions for another person (the principal) in various areas of life, such as managing finances, handling legal matters, or making healthcare choices. The scope and authority of a PoA can vary, and it can either become effective immediately or "spring" into effect when the principal becomes unable to make decisions. PoA is a broader legal concept used for various decision-making purposes.

A personal representative, on the other hand, is a specific term used to refer to individuals who have the legal authority, under applicable state law, to make healthcare decisions for a patient. Personal representatives are granted rights under HIPAA to access the patient's PHI, including medical records, and make healthcare decisions on behalf of the patient. HIPAA defines the rules and requirements for personal representatives regarding the privacy and security of patient health information.

While both PoA and personal representatives involve decision-making on behalf of someone else, PoA is a broader legal concept that covers various aspects of decision-making. In contrast, a personal representative under HIPAA specifically pertains to healthcare decision-making and access to medical information. It operates under the regulations outlined in HIPAA.

See also: HIPAA, disability, and caregiver rights

 

Does power of attorney grant access to PHI?

PoA alone does not automatically grant access to PHI. While a PoA allows an agent to make decisions on behalf of another person, access to PHI is governed by HIPAA. For the agent to access PHI, the PoA document must be carefully drafted to align with HIPAA's requirements. Additionally, it's advisable to include a specific HIPAA waiver within the PoA document. This waiver explicitly grants the agent the right to access PHI, waiving the patient's HIPAA privacy protections. 

How should healthcare providers deal with power of attorney and accessing PHI?

  1. Verification of PoA documents: When a patient's designated healthcare agent presents a PoA document, the healthcare provider should verify the authenticity and legality of the document. This involves checking if the PoA is properly executed, up-to-date, and complies with state laws. Different states may have specific requirements for PoA documents, so providers should be aware of local regulations.
  2. Review HIPAA compliance: Healthcare providers must ensure that the PoA document explicitly grants the agent access to PHI for healthcare-related decisions. The document should include a HIPAA waiver, which specifically waives the patient's HIPAA privacy protections and authorizes the agent to access and disclose PHI as needed for healthcare purposes.
  3. Documentation and record-keeping: Providers should maintain clear records of the PoA documentation, including copies of the PoA itself and any associated HIPAA waivers. This documentation is essential for legal compliance and patient care.
  4. Verification of identity: To prevent unauthorized access to PHI, healthcare providers must verify the identity of the healthcare agent. This may involve requesting identification, comparing signatures, and confirming the agent's relationship to the patient.
  5. Scope of authority: Providers should understand the scope of the agent's authority as outlined in the PoA document. The document may grant authority for specific healthcare decisions, such as treatment options or end-of-life choices. Providers should only disclose PHI relevant to the authorized decision-making scope.
  6. Consistent communication: Healthcare providers should maintain open and consistent communication with the healthcare agent. They should discuss treatment options, share relevant medical information, and involve the agent in decision-making as appropriate. This communication should adhere to HIPAA regulations and take place over HIPAA-compliant email or other secure channels.
  7. Safety concerns: If a healthcare provider reasonably believes that the agent may pose a risk to the patient or that the patient is experiencing abuse, neglect, or endangerment due to the agent's involvement, the provider has the discretion to reconsider treating the agent as the personal representative. In such cases, professional judgment should prioritize the patient's safety and well-being.

See also: A guide to HIPAA's rules
