Patients cannot always act on their own behalf when it comes to making health care decisions. As a result, covered entities must know how to handle these situations and keep track of corresponding information.
How do I navigate and understand special patient considerations?
Answer: The first step to answering this question involves understanding the personal representative guidelines under HIPAA. According to the U.S. Department of Health and Human Services, a personal representative is authorized under law to make health care decisions on behalf of an individual who is incapable of doing so himself. This individual essentially assumes the rights granted to patients under the HIPAA Privacy Rule.
Examples of personal representatives for adults include:
- Health care power of attorney.
- General power of attorney.
- Durable power of attorney.
- An executor of an estate (for deceased individuals).
Use the HIPAA Help Center application to navigate and understand personal representatives and patient rights. The Resource module outlines all components of HIPAA, ensuring that covered entities have a thorough understanding of what constitutes a personal representative and what rights he may exercise.
Are there exceptions to the personal representative’s authority?
Answer: Yes. The Privacy Rule allows covered entities to exercise professional judgment in deciding that treating an individual as a personal representative would not be beneficial for the patient. Additionally, if a health care provider suspects that the personal representative is subjecting the individual to abuse, neglect or domestic violence, the covered entity can refuse to allow the representative to continue to make decisions on the patient’s behalf.
Penalties related to noncompliance
Covered entities that neglect to grant personal representatives access to certain protected health information (PHI), or that do not allow them to otherwise exercise patient rights, may be in violation of HIPAA. At the same time, releasing information to unauthorized parties also constitutes noncompliance. As a result, covered entities may be subject to civil penalties, which include the following:
- An individual unknowingly violated HIPAA: $100 per violation.
- An individual violated HIPAA due to a reasonable cause: $1,000 per violation.
- An individual violated HIPAA as a result of willful neglect but corrected the issue: $10,000 per violation.
- An individual violated HIPAA as a result of willful neglect and did not correct the issue: $50,000 per violation.
It is not considered a violation if a covered entity does not allow a personal representative to access PHI because the health care provider believes that doing so may endanger the patient.