Note: Ken and I attended a NAMI Franklin County workshop on February 8, 2020, that included a presentation on Navigating HIPAA for Families and Caregivers. We learned some good information that, in addition to info we had or have found out the hard way, we’d like to share with you.
The Health Insurance Portability and Accountability Act (HIPPA), which went into effect in 2003, has been a major barrier for many families dealing with a loved one with mental health issues. Sometimes this is because the law is being used correctly. And sometimes because health care providers are over-interpreting or misinterpreting it.
Here’s one example: My cat, Chester, needed medicine that the vet didn’t have. So she wrote me a prescription to take to the pharmacy. Once there, the pharmacist looked at the prescription for Chester Twinem (feline) and asked me how old he was. I said, “16.” The pharmacist said, “That’s good. That means you can sign his HIPPA form for him.”
I was thankful that he wasn’t older because he would not like going to the pharmacy to sign the form for himself with his little paw.
That’s how it can be. Systems are set up based on HIPPA that actually not in the best interest of all patients. There are the true HIPAA regulations, and then there are the interpretations of those regulations by hospitals, doctors, pharmacists, etc. Here’s a look at the truth:
Who has to comply with HIPAA?
- Most health care providers (physical, mental health, addiction services providers)
- Health plans (private insurance companies, such as Anthem
- Public benefit payers, such as ADAMH boards
These people and organizations are called “covered entities.”
What is protected information under HIPAA?
Basically, it’s any information that a covered entity has in its records about a person who has received health care services, including demographic information. The rule is that HIPPA covers:
- Information that relates to the individual’s physical or mental health or condition,
- That a HIPAA covered entity created, received or transmitted in the provision of health care or payment for health care services AND
- Which either identifies the individual or can be used to identify the individual.
Covered entities must obtain written authorization to disclosed protected information unless HIPPA contains an exception that applies to the disclosure. One exception is sharing between treatment providers.
What disclosures are permitted to families and caregivers?
Information can be disclosed to a Personal Representative, an individual who has the authority to make health care decisions under Ohio law. Other states have different laws on this. Under Ohio law, covered entities (providers) must disclose information to the individual, the personal representative or both.
The people who have legal authority to make health care decisions for another person under Ohio law are:
- Those with a Health Care Power of Attorney
- Those identified in a Declaration for Mental Health Treatment
- A court-appointed legal guardian
- The parent or guardian of a minor child
What is a Health Care Power of Attorney?
This authorizes a second person to make health care decisions when a person can no longer make them. Two health care professionals have to agree that the person can no longer make decisions for themselves. When that happens, the second person becomes a Personal Representative.
The Health Care Power of Attorney document can also authorize the designated second person to obtain health care information for and on behalf of the individual at any time. It must say specifically: “I specifically authorize my agent to obtain my protected health care information immediately and at any future time.”
What is a Declaration for Mental Health Treatment?
This document authorizes a proxy to make mental health treatment decisions when the individual does not have capacity to consent to treatment decisions. When the declaration goes into effect, the designee becomes the personal representative. (Note: This form is long and can be difficult for a mental illness person to fill out.)
Unless limited in the declaration, the proxy has the right to obtain personal health information regarding the proposed mental health treatment of the person and to receive, review and consent to disclosure of records relating to that treatment.
What about court-appointed legal guardians?
The court-appointed legal guardian of an incompetent person is a personal representative. An incompetent person is incapable of taking proper care of themselves and their family as a result of a mental or physical illness/disability, intellectually disability and chronic substance abuse. The process of obtaining legal guardianship takes many months.
What are the rights of parents and guardians of minors regarding information?
The parent, legal guardian or other person acting in loco parentis with legal authority to make health care decisions is a personal representative.
Exceptions include when the minor is receiving confidential mental health services and the parent/guardian has agreed to a confidentiality agreement between the provider and the minor.
The covered entity may decide not to treat a parent, etc. as a personal representative if the covered entity has a reasonable belief that the parent has abused or neglected the child. Or if treating the parent of the personal representative could endanger the individual and the covered entity decides it’s not in the child’s best interest to treat the parent as a personal representative.
What information can be given to persons involved in care?
Health-care or payment-related information can be disclosed to a family member, other relative, close personal friend or other person identified by individual. The information must be directly relevant to the person’s involvement with the health care or payment of health care.
An organization’s policies may supersede and be more restrictive than HIPAA.
Covered entities can notify family members, personal representatives and other people responsible for an individual’s care of the person’s location, general condition or death.
If a person is present in the room and has the capacity to make health care decisions, the covered entity must obtain agreement to disclose personal health information, give the ill person the opportunity to agree or object, or reasonably infer using professional judgment that, based on the circumstances, the ill person would not object.
If a person is not present, or if the opportunity to agree or object cannot happen due to incapacity or emergency circumstances, the covered entity must use its professional judgment to determine whether disclosure is in the best interests of the person.
How do you get written authorization?
The form to obtain written authorization, in which the individual authorizes the Covered Entity to disclose personal health information, has many names:
- Release of Information
- Written Authorization
- Consent to Disclose
- Standard Authorization form
The form must contain some specific elements from the HIPAA law. Generally, the covered entity is not required to disclose the information.
Ohio’s Standard Authorization Form, which is a national example, says the covered entity is REQUIRED to disclose the information.
So what should you do to get access to the information you need to help your loved one?
First, you need to act before there’s an issue. Make sure that your loved one’s health care providers know that you are involved in the person’s care.
Get Health Care Power of Attorney, a Declaration for Mental Health Treatment and, if in Ohio, the Ohio Standard Authorization Form signed and given to the providers. Do this when your loved one is well enough to discuss and sign to provide you with updates or notifications in the event of an emergency.