
Most people know that a solid estate plan should include a will, a trust, and powers of attorney. Far fewer realize that a HIPAA authorization can be just as critical. The Health Insurance Portability and Accountability Act created a federal framework governing how covered entities handle your health information.
If you were suddenly hospitalized and could not speak for yourself, your spouse or adult children might be unable to obtain basic health information about your diagnosis or treatment—even with a healthcare power of attorney—unless you have executed a properly drafted HIPAA authorization form. A HIPAA authorization is a medical privacy release that gives named individuals legal access to medical records otherwise shielded by the HIPAA privacy rule.
Under the HIPAA privacy rule, covered entities—including health care providers, health plans, and clearinghouses—cannot release your personal health information or personal health records to anyone without a valid HIPAA authorization or another legal exception.
Purpose of a HIPAA Authorization in Estate Planning
The Health Insurance Portability and Accountability Act was enacted in 1996 to safeguard the privacy and security of sensitive patient health information. The HIPAA privacy rule prohibits covered entities from disclosing health information to third parties without explicit consent. Covered entities must follow the HIPAA privacy rule when responding to requests from a friend or family member, a personal representative, or any other party seeking health information.
Consider this scenario: a father in his late seventies suffers a serious fall and is rushed to the ER. His adult daughter arrives and asks the physician about his injuries. Without a HIPAA authorization form on file, the health care providers may legally refuse to share health information. The daughter is left with no answers because the covered entities involved have no HIPAA authorization permitting disclosure of his medical records or personal health records.
A HIPAA authorization in estate planning prevents exactly this. By executing a HIPAA authorization form while competent, you grant named individuals legal access to medical records, personal health records, and treatment plans held by covered entities. The primary goals include:
- Ensuring timely access to health information. A HIPAA authorization removes barriers preventing covered entities from releasing health information to your designated person, allowing that individual to participate in care decisions alongside health care providers.
- Avoiding costly delays. Without a HIPAA authorization form, a friend or family member may need a court order before covered entities release medical records. Health care providers as covered entities cannot use professional judgment alone to override the HIPAA privacy rule without documentation.
- Coordinating with other documents. A HIPAA authorization works alongside your health care surrogate designation, living will, and durable power of attorney—ensuring the personal representative making decisions also has the health information needed from covered entities to make them wisely.
Key Definitions Under the HIPAA Privacy Rule
Under the HIPAA privacy rule, “protected health information” includes any data relating to past, present, or future health conditions, health care services, or payment for health care services. Covered entities must treat all such health information with equal confidentiality and may release personal health information only with a valid HIPAA authorization.
A personal representative is someone with authority under applicable law to act on behalf of an individual in making healthcare decisions. In Florida, a personal representative is typically the agent named in a health care surrogate designation. Covered entities must treat a personal representative as the patient for purposes of accessing health information. A personal representative has the broadest authority to request medical records from covered entities, and health care providers should honor those requests.
An authorized recipient named in a HIPAA authorization form does not necessarily have decision-making power over health care services. They simply have permission to receive specified health information from covered entities. The HIPAA privacy rule allows covered entities to exercise professional judgment when evaluating whether a HIPAA authorization is sufficient for disclosure.
Federal rules under the Health Insurance Portability and Accountability Act set the floor, but Florida law can impose stricter standards to protect medical records. Covered entities in Florida must comply with both. An experienced attorney ensures your HIPAA authorization form complies with the HIPAA Privacy Rule (45 CFR § 164.508) and applicable law, so covered entities accept it without pushback.
Covered Entities and Health Information Scope
Your HIPAA authorization form should be drafted broadly enough to cover all three categories of covered entities:
- Health care providers who transmit health information electronically—hospitals, physician practices, labs, and pharmacies. These covered entities are the ones a friend or family member will most frequently encounter. Health care providers use professional judgment when responding to a HIPAA authorization and must follow the HIPAA Privacy Rule regarding the disclosure of health information and personal health records.
- Health plans such as insurance companies, HMOs, and Medicare. These covered entities hold claims data and coverage details related to health care services. When a personal representative needs to coordinate health care services, a HIPAA authorization directed at these covered entities allows access to relevant health information.
- Health care clearinghouses that process claims between health care providers and payers. These covered entities are also bound by the HIPAA Privacy Rule’s restrictions on the disclosure of health information. Covered entities in this category may hold billing-related health information a personal representative needs when coordinating health care services.
The most commonly needed health information includes complete medical records, prescription histories, lab results, mental health notes, personal health records, and billing summaries for health care services.
Who Should Be Authorized to Access Your Health Records
Your HIPAA authorization should name the same individual designated as your personal representative under your advance directive. Beyond that primary designation, consider these categories:
- Spouse or domestic partner. The HIPAA privacy rule does not automatically grant spousal access. Covered entities cannot release health information to a spouse without a valid HIPAA authorization or confirmation that the spouse is a personal representative. Name your spouse specifically on the HIPAA authorization form.
- Adult children. Including each adult child in the HIPAA authorization ensures they can obtain health information and medical records from covered entities without delay. A locally based designated person who can visit health care providers in person is invaluable during a crisis.
- Backup designees. A secondary designated person protects against unavailability. Covered entities will honor the HIPAA authorization for whichever authorized person presents it.
- Professional caregivers. A HIPAA authorization for caregivers managing health care services at a nursing or assisted-living facility allows those covered entities to share health information and coordinate your care effectively.
Use full legal names so covered entities can verify identity without delay. Vague references give compliance departments at covered entities grounds to deny disclosure of health information.
Drafting and Revoking a HIPAA Authorization
A valid HIPAA authorization form must satisfy the specific elements set forth in the Health Insurance Portability and Accountability Act at 45 CFR § 164.508. If any element is missing, covered entities can refuse to honor it. Core elements covered entities look for include:
- Description of health information to be disclosed. Specify “records related to diagnosis, treatment, medications, lab results, personal health information, and billing” so covered entities can process the HIPAA authorization efficiently using professional judgment.
- Identification of covered entities authorized to disclose. Name or describe the covered entities—“all health care providers, health plans, and clearinghouses maintaining health information about the principal.”
- Identification of authorized recipients. Each personal representative, designated person, friend, or family member should be listed by full legal name so covered entities can verify authority.
- Expiration date or event. Covered entities will not honor an expired HIPAA authorization. Common choices include “upon death” or “upon written revocation.”
- Purpose of disclosure. Typically worded as “to facilitate healthcare decision-making” or “to enable my personal representative to manage health care services.”
- Signature, date, and right-to-revoke statement. Covered entities require the principal’s signature and a written notice that the HIPAA authorization may be revoked.
While HIPAA does not mandate notarization, having the HIPAA authorization form notarized under Florida law reduces the chance that covered entities will question its authenticity. Align the HIPAA authorization with your advance directive and durable power of attorney so covered entities see a clear chain of authority.
Revocation must be in writing. Once covered entities receive a valid revocation, they must stop disclosing health information under that HIPAA authorization. If you change your personal representative or update your estate plan, review and replace your HIPAA authorization form to keep all documents current. Treating the HIPAA authorization as a living document—reviewed annually—ensures covered entities will release the health information your loved ones need to manage your health care services when it matters most.
