Home
What is HIPAA?
 · Background & History
 · Who Is Affected?
 · The Importance of Privacy
 · Examples of Privacy Violations
 · From the Fact Sheet issued by the DHHS on April 2, 2002
 · From the Fact Sheet issued by the DHHS on August 9, 2002 (Final Rule)
 · From the Fact Sheet issued by the DHHS on December 3, 2002
 · HIPAA Links
Test Your HIPAA Knowledge
What We Offer - Sample
Our Objectives
Our Legislation Library
Glossary of Terms
Ask the Expert
Contact Us
Get Started (Order Now)


Business Associates
If are not a healthcare provider but you do business with one, you may be a Business Associate.

  

PERSONAL REPRESENTATIVES

[45 CFR 164.502(g)]

Background

The HIPAA Privacy Rule establishes a foundation of Federally-protected rights which permit individuals to control certain uses and disclosures of their protected health information. Along with these rights, the Privacy Rule provides individuals with the ability to access and amend this information, and the right to an accounting of certain disclosures. The Department recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual's "personal representative." Section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual for purposes of the Rule. In addition to these formal designations of a personal representative, the Rule at 45 CFR 164.510(b) addresses situations in which persons are involved in the individual's health care but are not expressly authorized to act on the individual's behalf.

How the Rule Works

General Provisions. Except as otherwise provided in 45 CFR 164.502(g), the Privacy Rule requires covered entities to treat an individual's personal representative as the individual with respect to uses and disclosures of the individual's protected health information, as well as the individual's rights under the Rule.

The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual's rights. For instance, covered entities must provide the individual's personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual's protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual's rights under the Rule, a personal representative may also authorize disclosures of the individual's protected health information.

In general, the scope of the personal representative's authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception applies. (See below with respect to abuse, neglect or endangerment situations, and the application of State law in the context of parents and minors). Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation. For example, a person with an individual's limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual's personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes. Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual for all purposes under the Rule. State or other law should be consulted to determine the authority of the personal representative to receive or access the individual's protected health information.

Who Must Be Recognized as the Individual's Personal Representative. The following chart displays who must be recognized as the personal representative for a category of individuals:

If the Individual Is: The Personal Representative Is:
An Adult or
an Emancipated Minor		 A person with legal authority to make health care decisions on behalf of the individual

Examples:
  • Health care power of attorney
  • Court appointed legal guardian
  • General power of attorney
An Unemancipated Minor A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child

Exceptions:
  • See parents and minors discussion below.
Deceased A person with legal authority to act on behalf of the decedent or the estate (not restricted to health care decisions)

Examples:
  • Executor of the estate
  • Next of kin or other family member
  • Durable power of attorney

Parents and Unemancipated Minors. The Privacy Rule defers to State or other applicable laws that address the ability of a parent, guardian, or other person acting in loco parentis (collectively, "parent") to obtain health information about a minor child. In most cases under the Rule, the parent is the personal representative of the minor child and can exercise the minor's rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child. Regardless of whether a parent is the personal representative, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child's protected health information when and to the extent it is expressly permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child's protected health information to a parent, or providing a parent with access to, such information when and to the extent it is expressly prohibited under State or other laws (including relevant case law). Thus, State and other applicable law governs when such law explicitly requires, permits, or prohibits the disclosure of, or access to, the health information about a minor child.

The Privacy Rule specifies three circumstances in which the parent is not the "personal representative" with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other laws, or standards of professional practice. In these situations, the parent does not control the minor's health care decisions, and thus under the Rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor's personal representative are:

  1. When State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;
    • Example: A State law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent's consent.
  2. When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor;
    • Example: A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself.
  3. When a parent agrees to a confidential relationship between the minor and the physician.
    • Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.

Even in these exceptional circumstances, where the parent is not the "personal representative" of the minor, the Privacy Rule defers to State or other laws that require, permit, or prohibit the covered entity to disclose to a parent, or provide the parent access to, a minor child's protected health information. Further, in these situations, if State or other law is silent or unclear concerning parental access to the minor's protected health information, a covered entity has discretion to provide or deny a parent with access to the minor's health information, if doing so is consistent with State or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment.

Abuse, Neglect, and Endangerment Situations. When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual's personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual's personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual. For example, if a physician reasonably believes that disclosing information about an incompetent elderly individual to the individual's personal representative would endanger that individual, the Privacy Rule permits the physician to decline to make such disclosure.



PERSONAL REPRESENTATIVES

Frequently Asked Questions

Q. Does the HIPAA Privacy Rule change the way in which an individual can grant another person health care power of attorney?

A. No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continue to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons, who have authority to make health care decisions for an individual under other law, the ability to exercise the rights of that individual with respect to health information.



Q. If someone has health care power of attorney for an individual, can they obtain access to that individual's medical record?

A. Yes, an individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524. However, when a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual's personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual's personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual.



Q. Can the personal representative of an adult or emancipated minor obtain access to the individual's medical record?

A. The HIPAA Privacy Rule treats an adult or emancipated minor's personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual's protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative's authority. For example, if a personal representative's authority is limited to authorizing artificial life support, then the personal representative's access to protected health information is limited to that information which may be relevant to decisions about artificial life support.

There is an exception to the general rule that a covered entity must treat an adult or emancipated minor's personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.



Q: How can family members of a deceased individual obtain the deceased individual's protected health information that is relevant to their own health care?

A: The HIPAA Privacy Rule recognizes that a deceased individual's protected health information may be relevant to a family member's health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative. First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent's protected health information, without authorization, to the health care provider who is treating the surviving relative. Second, a covered entity must treat a deceased individual's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representative's authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.



Q: Does the HIPA Privacy Rule address when a person may not be the appropriate person to control an individual's protected health information?

A: Generally, no. The Rule defers to State and other laws that address the fitness of a person to act on an individual's behalf. However, a covered entity does not have to treat a personal representative as the individual when it reasonably believes, in the exercise of professional judgment, the individual is subject to domestic violence, abuse or neglect by the personal representative, or doing so would otherwise endanger the individual.



Q: Does a power of attorney given to a person for purposes other than health care, such as a power of attorney to close on real estate, authorize that person to access an individual's health information as that individual's personal representative?

A: No. Except with respect to decedents, a covered entity must treat a personal representative as the individual only when that person has authority under other law to act on the individual's behalf on matters related to health care. A power of attorney that does not include decisions related to health care in its scope would not authorize the holder to exercise the individual's rights under the HIPAA Privacy Rule. Further, a covered entity does not have to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.

With respect to personal representatives of deceased individuals, the Privacy Rule requires a covered entity to treat the personal representative as the individual as long as the person has the authority under law to act for the decedent or the estate. The power of attorney would have to be valid after the individual's death to qualify the holder as the personal representative of the decedent.



Q: May adults with mental retardation control their protected health information if they are able to authorize uses and disclosures of their protected health information?

A: Individuals may control their protected health information under the HIPAA Privacy Rule to the extent State or other law permits them to act on their own behalf. Further, even if an individual is deemed incompetent under State or other law to act on his or her own behalf, covered entities may decline a request by a personal representative for protected health information if the individual objects to the disclosure (or for any other reason), and the disclosure is merely permitted, but not required, under the Rule.

However, covered entities must make disclosures that are required under the Rule (i.e., disclosures to the Secretary under subpart C of part 160 regarding enforcement of the Rule, and to the individual under 45 CFR 164.524 and 164.528 with respect to the individual's right of access to his or her protected health information and an accounting of disclosures, respectively). Consequently, with respect to the individual's right of access to protected health information and for an accounting of disclosures, covered entities must provide the individual's personal representative access to the individual's protected health information or an accounting of disclosures upon the request of the personal representative, unless the covered entity, in the exercise of professional judgment, believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. The Rule allows a specified time period before a covered entity must act on such a request; and during this interim period, an individual and his personal representative will have an opportunity to resolve any dispute they may have concerning the request.



Q: How does a covered entity identify an individual's personal representative?

A: State or other law determines who is authorized to act on an individual's behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative's authority in accordance with 45 CFR 164.514(h).



Q. Does the HIPAA Privacy Rule allow parents the right to see their children's medical records?

A. Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child's personal representative when such access is not inconsistent with State or other law.

There are three situations when the parent would not be the minor's personal representative under the Privacy Rule. These exceptions are: (1) when the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law; (2) when the minor obtains care at the direction of a court or a person appointed by the court; and (3) when, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent's right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor's medical information.

Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child's personal representative could endanger the child.



Q: If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?

A: Generally, yes. Even though the parent did not consent to the treatment in this situation, the parent would be the child's personal representative under the HIPAA Privacy Rule. This would not be so when the parent does not have authority to act for the child (e.g., parental rights have been terminated), when expressly prohibited by State or other applicable law, or when the covered entity, in the exercise of professional judgment, believes that providing such information would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.



Q: Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?

A: No. The Privacy Rule does not address consent to treatment, nor does it preempt or change State or other laws that address consent to treatment. The Rule addresses access to, and disclosure of, health information, not the underlying treatment.



Q. When an individual reaches the age of majority or becomes emancipated, who controls the protected health information concerning health care services rendered while the individual was an unemancipated minor?

A: The individual who is the subject of the protected health information can exercise all rights granted by the HIPAA Privacy Rule with respect to all protected health information about him or her, including information obtained while the individual was an unemancipated minor consistent with State or other law. Generally, the parent would no longer be the personal representative of his or her child once the child reaches the age of majority or becomes emancipated, and therefore, would no longer control the health information about his or her child. Of course, any individual can have a personal representative — which may include a parent — who can exercise rights on his or her behalf.



Q. May a psychologist continue his practice to notify a parent before treating his or her minor child, even though the minor child is able to consent to such health care under State law?

A. The HIPAA Privacy Rule would defer to State or other applicable law that addresses the disclosure of health information to a parent about a minor child. If the minor child is permitted, under State law, to consent to such health care without the consent of her parent and does consent to such care, the provider may notify the parent when the State law explicitly requires or permits the health provider to do so. If State law permits the minor child to consent to such health care without parental consent, but is silent on parental notification, the provider would need the child's permission to notify a parent.





Return to the Introduction / Table of Contents
(December 2002 HHS Guidance Document)

© 2002,2003 HIPAA PS