When you create a medical power of attorney, you probably assume your healthcare agent will have full access to your medical information. After all, how can they make informed healthcare decisions without it? The reality is more complicated. Federal privacy laws, specifically HIPAA, can create significant barriers for your agent unless you take the right steps. Understanding the relationship between HIPAA and your medical power of attorney is crucial to ensuring your agent can actually do their job.
What Is HIPAA and Why Does It Matter?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of your health information. Under HIPAA, healthcare providers, hospitals, insurers, and other covered entities are prohibited from disclosing your protected health information (PHI) to unauthorized individuals.
Protected health information includes medical records, lab results, diagnoses, treatment plans, prescription histories, billing records, conversations between you and your doctor, and essentially any information related to your health, healthcare, or payment for healthcare.
HIPAA's privacy protections serve an important purpose, but they can also create obstacles when your healthcare agent needs access to your medical information to make decisions on your behalf.
Does a Medical POA Automatically Grant HIPAA Access?
This is where things get tricky. A medical power of attorney authorizes your agent to make healthcare decisions for you, but it does not necessarily give them the right to access your medical records under HIPAA.
HIPAA has its own rules about who can access a patient's medical information. While HIPAA does allow healthcare providers to share information with a personal representative (which often includes a healthcare agent under a medical POA), the interpretation and application of this rule varies.
Some healthcare providers interpret the HIPAA Privacy Rule broadly and will share information with an agent who presents a valid medical POA. Others are more conservative and may demand a separate HIPAA authorization form before releasing any information. This inconsistency can create frustrating delays precisely when your agent needs timely access to make critical decisions.
The safest approach is to not rely solely on your medical POA for HIPAA access. Instead, create a separate HIPAA authorization that explicitly grants your agent the right to access your medical records.
What Is a HIPAA Authorization?
A HIPAA authorization is a separate document in which you specifically authorize certain individuals to receive your protected health information from healthcare providers and other covered entities. Unlike a medical POA, which focuses on decision-making authority, a HIPAA authorization focuses on information access.
A valid HIPAA authorization must include your name as the patient, the name of the person or persons authorized to receive your information, a description of the information they can access (which can be broad, such as "all medical records and health information"), the name of the healthcare provider or entity authorized to release the information, an expiration date or condition, a statement about your right to revoke the authorization, and your signature and date.
The authorization can be tailored to be as broad or as narrow as you like. For a healthcare agent, a broad authorization is usually appropriate, since they may need access to your complete medical history to make informed decisions.
Why You Need Both Documents
Having both a medical power of attorney and a HIPAA authorization provides comprehensive protection. Here is how they work together.
The medical POA gives your agent the legal authority to make healthcare decisions for you. When your agent needs to consult with your doctors, review your test results, or understand your treatment options, they present the medical POA as their authority to make decisions.
The HIPAA authorization gives your agent the right to access your medical records and health information. When a healthcare provider asks for written permission to share your information, your agent presents the HIPAA authorization.
Together, these documents ensure that your agent can both obtain the information they need and use that information to make decisions on your behalf. Without the HIPAA authorization, your agent may find themselves authorized to make decisions but unable to access the medical details necessary to make informed ones.
Practical Scenarios Where HIPAA Creates Problems
Understanding real-world scenarios can illustrate why a HIPAA authorization is so important.
Hospital admission. Your agent arrives at the hospital after you have been admitted for a medical emergency. They need to understand your condition, review test results, and discuss treatment options with your doctors. Without a HIPAA authorization, the hospital may initially refuse to share information, even if the agent has a valid medical POA.
Coordinating care between providers. If you see multiple specialists, your agent may need to coordinate information between them. Each provider may require separate HIPAA authorization before releasing records to your agent.
Pharmacy and medication management. Your agent may need to review your prescription history, fill prescriptions, or discuss your medications with pharmacists. Pharmacies are covered entities under HIPAA and may require authorization before sharing this information.
Insurance and billing. If your agent needs to deal with your health insurance company, review Explanation of Benefits statements, or manage medical bills, HIPAA protections apply to this information as well.
Tips for Creating an Effective HIPAA Authorization
When drafting your HIPAA authorization, keep these tips in mind.
Make it broad. Unless you have specific reasons to restrict access, authorize your agent to receive all of your protected health information from all healthcare providers. A narrow authorization may not cover all the information your agent needs in an unexpected situation.
Name the same people as your medical POA. Your HIPAA authorization should name the same individual or individuals as your medical power of attorney. If you have successor healthcare agents named in your POA, include them in the HIPAA authorization as well.
Include it with your medical POA. Keep the HIPAA authorization with your medical POA so that your agent can present both documents together. Consider giving copies to your primary care physician, your hospital, and any specialists you see regularly.
Do not set an unnecessary expiration date. While HIPAA requires an expiration date or event, you can set the expiration to coincide with the revocation of your medical POA or your death. Avoid short expiration dates that would require frequent renewals.
Provide copies proactively. Do not wait until an emergency to share your HIPAA authorization. Provide copies to your healthcare providers in advance so that they have it on file when it is needed.
State-Specific Considerations
Some states have their own health information privacy laws that may impose additional requirements beyond HIPAA. These state laws may affect the form of the authorization, who can be authorized, and what information can be shared.
Additionally, some types of health information receive special protection under both federal and state law. These may include mental health records, substance abuse treatment records, HIV and AIDS-related information, and genetic testing results. Access to these types of records may require additional or separate authorizations.
Because the interplay between HIPAA, state privacy laws, and medical POAs can be complex, ensuring your documents are properly executed and notarized per your jurisdiction's requirements is essential.
Do Not Leave Your Agent Without the Tools They Need
A medical power of attorney gives your agent the authority to make decisions, but without a HIPAA authorization, they may not have the information they need to make good ones. By creating both documents together, you equip your agent to advocate effectively for your healthcare needs.
mypoa.ai can help you create a medical power of attorney that is compliant with your state's requirements. We recommend pairing it with a properly drafted HIPAA authorization and following the execution instructions included with your download to ensure both documents are properly signed, witnessed, and notarized.