August 2022

August 5th, 2022
by William Erhart
No, HIPAA is not short-hand for hippopotamus. Nor is it something bad. In fact, it’s something good. Fill out any paperwork at a doctor’s office, and you will be asked to review and sign a HIPAA authorization and release. What is HIPAA?

HIPAA is a federal law protecting your health information. The acronym “HIPAA” stands for “Health Insurance Portability and Accountability Act of 1996.” Its purpose is to protect your privacy rights as a patient.

When Congress enacted HIPAA in 1996, Congress put in place, for the first time, national standards for protecting health information. HIPAA required the Secretary of the Department of Health and Human Services (“HHS”) to issue privacy regulations governing individual health information if Congress did not enact privacy legislation by 1999. When Congress did not, HHS developed its proposed rule in 1999 and released it for comment in 1999 and 2002. The final “Privacy Rule” was published in August 2002, found at 45 C.F.R. Parts 160 and 164, Subparts A and E.

That Privacy Rule, accompanied by state laws, is the reason for the paperwork and practices we see in the medical field governing personal health information. Now that we are at the 20-year mark of the Privacy Rule becoming effective, it seems an opportune time to examine what it requires.

The Big Picture:

The guiding principle of the Privacy Rule is that a “covered entity” may not use or disclose your “protected health information” without authorization. The Privacy Rule itself authorizes certain disclosures. You or your personal representative may authorize other disclosures.

Who is a “Personal Representative”?

A “personal representative” for HIPAA purposes is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or estate. Usually a parent is considered the personal representative for the parent’s minor child. A covered entity must treat the personal representative the same as the patient; however, if the covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, the Privacy Rule permits the covered entity to refrain from disclosing.

The person you designate in your Health Care Power of Attorney to make health care decisions for you is your personal representative for purposes of HIPAA. This and similar aspects of this issue are codified at 16 Del. C. § 2509 “Health-care information”:

“(a) Unless otherwise specified in an advance health-care directive, a person then authorized to make health-care decisions for a patient has the same rights as the patient to request, receive, examine, copy and consent to the disclosure of medical or any other health-care information.

(b) Unless otherwise specified in an advance health-care directive or court order, an agent appointed by a valid advance health-care directive under this chapter, a surrogate determined and confirmed under § 2507 of this title or a guardian of the person of a minor or adult appointed pursuant to a court order shall be authorized as a “personal representative” with full authority and standing thereof as provided in the Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191], its regulations and the standards issued by the Secretary of the United States Department of Health and Social Services.”

What is a Covered Entity?

A “covered entity” under HIPAA includes actual health care providers, such as doctor’s offices, hospitals, and nursing facilities. It also includes a “health care plan,” including an individual or group plan that pays for the cost of medical care, such as health maintenance organizations (HMOs), Medicare, Medicaid, and Medicare Supplement providers. A covered entity includes a health care provider who electronically transmits health information in connection with certain transactions including claims, benefits eligibility inquiries, and referral authorization requests. These are bound by privacy standards even if they contract with others to perform some essential functions.

What Does HIPAA Require Covered Entities to Do Besides Not Disclose Without Authorization?

Covered entities must perform certain duties such as:

(1) Notifying patients about their privacy rights and how their information can be used;
(2) Adopting and implementing privacy procedures;
(3) Training employees to ensure they understand the privacy procedures;
(4) Designating an individual to be responsible for ensuring that privacy procedures are adopted and complied with; and
(5) Securing patient records.

What Information is Protected?

HIPAA protects all “individually identifiable health information” that is held or transmitted by a covered entity or those it contracts with. This includes information about: (1) the individual’s past, present or future physical or mental health condition; (2) the providing of health care to the individual; or (3) past, present or future payment for providing health care to the individual. To be protected, information must specifically identify the individual, or there must be a reasonable basis for believing that the information can be used to identify the individual.

When May a Covered Entity Disclose Protected Health Information?

A covered entity may disclose protected health information to the patient or personal representative for purposes of treatment, payment, and other health care operations.

Disclosure for purposes of public interest is permitted, but not required, such as if disclosure is required by another law (including statutes, regulations, and court orders), or to public health authorities for such purposes as preventing and controlling disease. In some instances, information regarding victims of abuse or neglect may be provided to appropriate government agencies. Disclosure may be made to funeral directors for purposes of identifying a deceased person and determining cause of death. Disclosure for law enforcement purposes is permitted.

What are the Penalties for HIPAA Noncompliance?

There is no private cause of action for a HIPAA violation, although it may be possible for individuals to pursue legal action under state laws. Under HIPAA, a covered entity is subject to civil and criminal penalties for failures to comply with HIPAA. Civil penalties may be imposed by HHS on covered entities as monetary fines for each violation. Criminal penalties including imprisonment and fines are possible if noncompliance involves intent to sell, transfer or use health information for commercial advantage, personal gain, or malicious harm.


The Privacy Rule, along with state laws, is the reason for so many of the daily practices we see in managing the health care of ourselves and our loved ones: forms at doctor’s offices, pharmacy texts and e-mails that hide identifiable information, not being permitted to ask questions of the doctor’s office staff about a loved one by telephone unless a signed HIPAA authorization and release is on file.

For these purposes we provide in all of our estate plans a HIPAA Authorization and Release for you to sign, copy and provide to any covered entity, authorizing the covered entity to disclose your private information to your designated agents. We also include provisions in the Health Care Power of Attorney specifically authorizing your agents to receive and disclose protected health information.

For helpful FAQs for Individuals, see the HHS website on HIPAA at:

Monday, September 5th - Our office will be closed in observance of Labor Day.

Q. I am very concerned about my mother. She is having memory problems, no longer can drive and can easily forget to turn off the stove. The problem is that I live 500 miles away. Each time I visit her she seems to be getting worse. I want to provide some homecare and don’t know where to begin. Any suggestions? B.A.

Your concern is valid, and know that you are not alone. Of the 35 million Americans caring for older family members, about 15 percent live at least one hour away.

I recently had a conversation with Lynn Friss Feinberg, Family Caregiving Advocate and former Policy Advisor at the AARP Public Policy Institute. She noted, “It is challenging to be a long-distance caregiver and often a time of uncertainty. It’s important to recognize that if you live at a distance from your mother, you can’t do it alone.” She suggests trying to coordinate with family members or close friends who live near your mother. If that isn’t an option, she suggests considering hiring a geriatric care manager to identify your mother’s needs and arrange for services.  

This geriatric professional usually is a licensed clinical social worker who can also develop, plan and coordinate services. The National Institute on Aging has referred to such an individual as a “sort of professional relative.” The care manager can check in with you from time to time serving as your point person. Here’s the catch. You likely will have to pay for the service since Medicare and most insurance companies do not. Most charge by the hour. 

If you decide to go this route, here are some questions to ask, as suggested by the National Institute on Aging.

  • Are you a licensed geriatric care manager?
  • How long have you been providing this service? 
  • Are you available around the clock, particularly for emergencies?
  • How will you communicate information to me?
  • What are your fees and references? 

Note that another name for geriatric care management is Aging Life Care. To find a care manager in your mother’s community, go to Another useful tool is the CareNav™ – Family Caregiver Alliance, which helps families navigate the emotional, physical, and financial complexities of family caregiving.

If you do not hire a care manager, you likely will be looking for caregivers. Then there’s the decision of whether to hire someone from an agency or someone who is a private caregiver offering independent services. 

The pros of using an agency: These caregivers are pre-screened and vetted so you don’t have to do it. If a caregiver gets sick, the agency will provide a replacement. Also, you won’t have to manage payroll, benefits and liability. Caregivers employed by the agency receive training and the required certifications. Finally, agencies carry liability insurance and many have worker’s compensation. 

The cons of using an agency: One disadvantage is that there is no guarantee you will have the same caregiver each time. Additionally, fees may be higher than those of an independent care manager.

The pros of using a private caregiver: You select your favorite one and have the last word in assessing the individual’s medical and daily life-assistance skills. You also have the opportunity to double-check on formal training and certifications. Another advantage is that you likely will have the same person over some consistent period of time. A private caregiver typically costs less since there is no agency to take a portion of the fee. 

The cons of using a private caregiver: You have to do all of the work of interviews and background checks, which are time-consuming. You also need a backup plan if the caregiver is not available. Managing employee payroll, tax deductions and other Federal law requirements are additional tasks. Finally, you are liable for job-related accidents in your home.

There is another very important person in this situation. That is you. It’s important to get emotional support for yourself. Talk to friends or find an online or in-person support group to discuss caregiving challenges as well as tips. 

Although this subject may sound remote or untimely to you personally, it is relevant to each of us. Former first lady Rosalynn Carter said it well in 2011: “There are only four kinds of people in the world: those who have been caregivers, those who are currently caregivers, those who will be caregivers and those who will need caregivers.”

Thank you, B.A., for your important question. Best wishes in finding the needed support for your mother. Stay well and be kind to yourself and others.