Kenneth Mr. Vercammen was included in the 2020 “Super Lawyers” list published by Thomson Reuters.

To schedule a confidential consultation, email us at, call or visit

(732) 572-0500

Friday, February 8, 2008

New Health Insurance Portability and Accountability Act -HIPAA

Compiled by Kenneth A. Vercammen
A federal regulation known as the Health Insurance Portability and Accountability Act (HIPAA) was recently adopted regarding disclosure of individually identifiable health information. This necessitated the addition of a special release and consent authority to all healthcare providers before medical information will be released to agents and interested persons of the patients. The effects of HIPAA are far reaching, and can render previously executed estate planning documents useless, without properly executed amendments, specifically addressing these issues. As HIPAA affects not only new documents, any previously executed documents are affected as well. Any previously executed Powers of Attorney, Living Wills, Revocable Living Trusts, and certainly all Medical Directives now require HIPAA amendments.

The following information was provided by the American Medical Association (AMA).

Today, state and federal laws also attempt to ensure the confidentiality of this sensitive information. The federal government recently published regulations designed to protect the privacy of your health information. This ³privacy rule² protects health information that is maintained by physicians, hospitals, other health care providers and health plans. As of April 14, 2003, your physician will need to comply with the privacy rule¹s standards for protecting the confidentiality of your health information.

This new regulation protects virtually all patients regardless of where they live or where they receive their health care. Every time you see a physician, are admitted to the hospital, fill a prescription, or send a claim to a health plan, your physician, the hospital and health plan will need to consider the privacy rule. All health information including paper records, oral communications, and electronic formats (such as e-mail) are protected by the privacy rule.

Patient: When my family member comes to pick me up from the hospital, the doctor will still be able to explain my condition and tell him what to expect when I return home. Right? True! The Rule permits doctors to discuss a patient¹s condition with family or friends involved in the person¹s care, unless the patient objects.

Patient: The privacy rule prevents a friend or family member from picking up prescriptions for me. Now I¹ll have to get out of my sick bed to get my medicine. False! The Rule allows a pharmacist to use professional judgment and experience with common practice to make reason-able inferences of the patient¹s best interest in allowing a person, other than the patient, to pick up a prescription.

Family The Privacy Rule would have prevented me from finding out information about my son Member: in a hospital in New York on September 11. False! The Rule permits hospitals and disaster relief agencies to notify family members that a loved one has been admitted to a hospital or has been involved in a disaster.

New national health information privacy standards have been issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations provide protection for the privacy of certain individually identifiable health data, referred to as Protected Health Information (PHI).

The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data

Among other provisions, the Privacy Rule

* gives patients more control over their health information; * sets boundaries on the use and release of health records; * establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information; * holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights; * strikes a balance when public health responsibilities support disclosure of certain forms of data;

* enables patients to make informed choices based on how individual health information may be used; * enables patients to find out how their information may be used and what disclosures of their information have been made; * generally limits release of information to the minimum reasonably needed for the purpose of the disclosure; * generally gives patients the right to obtain a copy of their own health records and request corrections; and * empowers individuals to control certain uses and disclosures of their health information.

Who Is Covered

Covered entities are as follows:

* Health plans. An individual or group plan that provides, or pays the cost of, medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration). * Health-care clearinghouses. A public or private entity, including a billing service, company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa. * Health-care providers. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health-care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS.

The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates (e.g., lawyers, accountants, billing companies, and other contractors) whose relationship with covered entities requires sharing of Protected Health Information (PHI). The Privacy Rule allows a covered provider or health plan to disclose Protected Health Information (PHI) to an attorney or business associate if satisfactory written assurance is obtained that the attorney or business associate will use the information only for the purposes for which it was

engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.

The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers (e.g., auto, life, and worker compensation), or those public agencies that deliver social security or welfare benefits, when functioning solely in these capacities.

Protected Health Information

The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected privacy, which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.

Required Protected Health Information (PHI) Disclosures

A covered entity is required by the Privacy Rule to disclose protected privacy in only two instances: 1) when an individual has a right to access an accounting of his or her protected privacy (see previous paragraph); and 2) when DHHS needs protected privacy to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of protected privacy may be permitted without authorization, but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted Protected Health Information (PHI) Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose Protected Health Information (PHI), with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional

requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

* Required by law. Disclosures of protected privacy are permitted when required by other laws, whether federal, tribal, state, or local. * Public health. Protected privacy can be disclosed to public health authorities and their authorized agents for public health purposes including but not limited to public health surveillance, investigations, and interventions. * Health research. A covered entity can use or disclose protected privacy for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information. * Abuse, neglect, or domestic violence. Protected privacy may be disclosed to report abuse, neglect, or domestic violence under specified circumstances. * Law enforcement. Covered entities may, under specified conditions, disclose protected privacy to law enforcement officials pursuant to a court order, subpoena, or other legal order, to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime, or to report a crime. * Judicial and administrative proceedings. A covered entity may disclose protected privacy in the course of a judicial or administrative proceeding under specified circumstances. * Cadaveric organ, eye, or tissue donation purposes. Organ- procurement agencies may use protected privacy for the purposes of facilitating transplant. * Oversight. Covered entities may usually disclose protected privacy to a health oversight agency for oversight activities authorized by law. * Worker's compensation. The Privacy Rule permits disclosure of work- related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of Protected Health Information (PHI) that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

* specifically identify the protected privacyto be used or disclosed; * provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the protected privacy; * state the purpose for each request; * notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances; * be signed and dated by the individual or the individual's personal representative; * be written in plain language; * include an expiration date or event; * notify the individual of the right to revoke authorization at any time in writing, and how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and * explain the potential for the information to be subject to redisclosure by recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to protected privacy to conduct their missions; and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits protected privacy disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws.

However, because the Privacy Rule affects the traditional ways protected privacy is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice.

Part of Kenneth Vercammen¹s Power of Attorney, modified in 2004

Grant of Authority. I appoint You to act as my Agent (called an attorney in fact) to do each and every act which I could personally do for the following uses and purposes:

1. REAL ESTATE: To execute all contracts, deeds, bonds, mortgages, notes, checks, drafts, money orders, and to lease, collect rents, grant, bargain, sell, or borrow and mortgage, and to manage, compromise, settle, and adjust all matters pertaining to any real estate or lands in which I have an interest. This includes the power to sell all land I own.

2. ENDORSEMENT AND PAYMENT OF NOTES, ETC.: To make, execute, endorse, accept, and deliver any and all bills of exchange, checks, drafts, notes and trade acceptances. To pay all sums of money, at any time, or times, that may hereafter be owing by me upon any bill of exchange, check, draft, note, or trade acceptance, made, executed, endorsed, accepted, and delivered by me, or for me, and in my name, by my Agent.

3. MEDICAL RECORDS ACCESS: To be able to access my medical and hospital records under Federal Law HIPAA. Healthcare providers shall release medical information to my agent.

4. STOCKS, BONDS, AND SECURITIES: To sell any and all shares of stocks, bonds, or other securities now or hereafter, belonging to me, that may be issued by an association, trust, or corporation whether private or public, and to make, execute, and deliver any assignment, or assignments, of any such shares of stock, bonds, or other securities.

5. CONTRACTS, AGREEMENTS, ETC.: To enter into safe deposit boxes, and to make, sign, execute, and deliver, acknowledge, and perform any contract, agreement, writing, or thing that may, in the opinion of my Agent, be necessary or proper to be entered into, made or signed, sealed, executed, delivered, acknowledged or performed.

6. BANK ACCOUNTS, CERTIFICATES OF DEPOSIT, MONEY MARKET ACCOUNTS, ETC.: To add to or withdraw any amounts from any of my bank accounts, Certificates of Deposit, Money Market Accounts, etc. on my behalf or for my benefit. To make, execute, endorse, accept and deliver any and all checks and drafts, deposit and withdraw funds, acquire and redeem certificates of deposit, in banks, savings and loan associations and other institutions, execute or release such deeds of trust or other security agreements as may be necessary or proper in the exercise of the rights and powers herein granted; Without in any way being limited by or limiting the foregoing, to conduct banking transactions as set forth in section 2 of P.L. 1991, c. 95 (c. 46:2B-11).

7. TAX RETURNS, INSURANCE AND OTHER DOCUMENTS: To sign all Federal, State, and municipal tax returns, insurance forms and any other documents and to represent me in all matters concerning the foregoing.

8. GIFT GIVING POWERS: To make gifts in amounts which my agent in his sole, absolute and unfettered discretion shall deem appropriate in any given year on my behalf.

Powers. I give you all the power and authority which I may legally give to You. You may revoke this Power of Attorney. I approve and confirm all that You or your substitute may lawfully do on my behalf.

The following is a portion of a form Kenneth Vercammen uses in personal injury cases.

HIPAA Authorization to Disclose Patient Information

Purpose: This form is to be used for including, but not limited to: patient¹s telephone, fax or mail requests for films, reports or disclosures and for non-TPO requests such as lawyers, clergy, employers, schools or for marketing or research purposes.

I ________________ hereby authorize ______________ to disclose my health information described below to:

Recipient¹s Name: Kenneth Vercammen & Associates, PC Recipient¹s Address: 2053 Woodbridge Avenue, Edison, NJ 08817 Recipient¹s Telephone Number: (732) 572-0050

Films/Documents/Information to Be Released:


Purpose of Disclosure (explain or indicate at the request of the individual): PERSONAL INJURY LAWSUIT

There is no expiration date on this authorization. I understand that the terms of this authorization are governed by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA). I understand that I have the right to revoke this authorization, at any time prior to your compliance with the request set forth herein, provided that the revocation is in writing. I further understand that additional information relating to the exceptions to the right to revoke and a description of how I may revoke this authorization is set forth in your Notice of Privacy Practices. I understand that any revocation must include my name, address, telephone number, date of this authorization and my signature and that I should send it to you.

I understand that the information used or disclosed pursuant to this authorization may be subject to re-disclosure by the Recipient listed above and, in that case, will no longer be protected by HIPAA.

This authorization expires upon your release of the information described above or thirty days after the Date of Authorization, as set forth below, whichever comes first.

___________________ __________________ _____________ Signature of Individual Patient¹s Social Security # Date of Birth