Asking For A Friend

March 26, 2019
By Ciitizen

I often get asked whether a close friend or family member can ask for another individual’s medical records. The very sick often have little energy to devote to obtaining their records, a time- and energy-consuming process, so friends and family members frequently act as caregivers, and they are eager to assist in any way that they can. Sometimes that help involves managing important health data on behalf of the patient.

Under the HIPAA Right of Individual Access, health care providers and health plans covered by HIPAA are required to respond when copies of health information are requested by (1) the individual (the subject of the information) and/or (2) the individual’s personal representative.

Some Limitations

Can an individual just declare that a caregiver (friend or family member) is his or her “personal representative”?

The answer is: no. A personal representative is not just someone named by the patient.

To qualify as a “personal representative,” you must be authorized by law to make health care decisions on behalf of an individual (45 CFR 164.502(g)). An example of a personal representative is someone with a health care power of attorney, a court-appointed legal guardian, or a parent with respect to a minor child (as long as that parent has the legal authority to make medical decisions for the minor). If someone is deceased, the personal representative is a person with legal authority to make any decisions (not just health care decisions) for the person who is deceased or that person’s estate.

If someone only has authority to make certain medical decisions on behalf of an individual (i.e., some but not all medical decisions), then their right as a “personal representative” to request health records under the HIPAA Right of Access is limited to information that is relevant to their decision-making authority.

In addition, a healthcare provider or health plan can refuse to release records even to someone who is a legitimate “personal representative” if a licensed healthcare professional, exercising professional judgement, determines that providing access to an individual’s personal representative is “reasonably likely to cause substantial harm to the individual or another person” (45 CFR 164.524(a)(3)(iii)). However, the personal representative can appeal this decision (and entities are required to establish appeals processes to review such decisions) (45 CFR 164.524(a)(4)).

How Can Information Get to Caregivers?

Is a caregiver then powerless to help a friend or family member manage his or her health information? No, not entirely. A patient can share his or her health information with anyone they choose. For example, a patient can use his or her HIPAA Right of Access to have health information sent directly to a caregiver. In other words, the patient must make the request, but they don’t have to play middleman in order to route that information directly to a caregiver. In addition, once the patient has their information in an online account, such as in a Ciitizen profile, the patient can grant access to that information to anyone they choose.

Health care providers and health plans covered by HIPAA are also permitted to share information with friends and family members who are involved in caring for an individual (or paying for that individual’s care), to the extent the information being shared is relevant to the friend or family member’s involvement (45 CFR 164.510(b)).

How We Help at Ciitizen

At Ciitizen, we make it as easy as possible for our cancer patient users to initiate requests for their medical records — and we do all of the follow-up to make sure those requests are successful.

Once the information is in the Ciitizen profile, patients can easily grant access to caregivers and share it with anyone they choose.

-Deven McGraw

Originally published at on March 26, 2019.
