This article, written by attorney Jason Gregoire, was originally published by the NH Bar News and can be found here. (p 31)
Unless a legal exception applies, healthcare providers cannot release a patient’s medical records without the patient’s written authorization. When someone other than the patient requests the release of medical records, healthcare providers must ask whether the requestor has legal authority to do so. Under the federal Health Insurance Portability and Accountability Act (HIPAA), a “personal representative” may stand in the patient’s shoes and authorize release of medical records. Under HIPAA, whether someone qualifies as a personal representative depends on state law. This article covers common personal representative scenarios under New Hampshire law.
Parent – Child
As a general rule, parents have the right to obtain and compel disclosure of their child’s medical records. The same is true for court-appointed guardians or other persons acting in loco parentis. Sometimes, however, this general rule does not apply where the policy reasons supporting a parent’s right to access are trumped by policy reasons supporting denial of access.
For example, under RSA 318-B:12- a, any minor 12 years of age or older may seek substance use disorder treatment without parental consent and the records of this treatment are shielded from parental view. Similarly, under RSA 141- C:18, a minor 14 years of age or older may seek treatment for sexually transmitted diseases without the knowledge or consent of their parent or legal guardian, and the associated medical records are not obtainable by the minor’s parents. The obvious policy reason behind these To Release or Not to Release: Common Medical Record Release Issues laws is to encourage minor patients to seek treatment for these conditions without fear of parental retribution.
Similarly, if a parent grants their child permission to have a confidential relationship with a healthcare provider, the provider can refuse parental access to associated medical records. New Hampshire courts have also denied a parent’s access to their child’s behavioral health records where the parent sought these records for a purpose other than in the best interests of the child. See In the Matter of Berg and Berg, 152 N.H. 658 (2005) (declining parental access to mental health records for use in contentious child custody proceedings).
Guardians and Powers of Attorney
A guardian of an incapacitated adult usually qualifies as the patient’s personal representative and, thus, is authorized to make decisions concerning the release of the ward’s medical records. See, e.g., RSA 464-A:9, IV-a. Similarly, and subject to the terms of the instrument in question, agents acting under a durable power of attorney for healthcare – or a general power of attorney which grants the agent the right to make decisions concerning medical records – usually have the right to authorize the release of the principal’s medical records.
Deceased Persons
Under HIPAA and state law, when a patient dies the executor or administrator of their probate estate qualifies as the deceased patient’s personal representative. When there is no estate administration, RSA 332-I:13 enables the deceased person’s spouse or “next of kin” to obtain medical records. The statute defines “next of kin” as either “an adult child by blood or adoption only in the absence of a surviving spouse” or “parent, only in the absence of a surviving spouse or adult child.” RSA 332-I:13, II(a). If two or more relatives in the same category qualify, each will be considered the deceased’s personal representative. RSA 332-I:13, II(b).
Once the requestor proves that they qualify as either the surviving spouse or next of kin, they must then provide the healthcare provider with (1) a copy of the patient’s death certificate, (2) a signed HIPAA-compliant authorization for release of medical records, and (3) an affidavit in the form set forth in RSA 332-I:13, VII. Upon receipt of these three items, the healthcare provider shall release the requested records unless the deceased patient previously indicated that they do not want records shared with the requestor or a court has issued an order denying the requestor access. Notwithstanding the foregoing, the requestor may not obtain mental health records or other medical records afforded heightened privacy protection under other laws such as substance use treatment records protected under 42 CFR part 2.
Abuse, Neglect, and Endangerment Exception
Although a requestor may qualify as a patient’s personal representative under the above-cited laws, HIPAA grants healthcare providers authority to refuse to treat someone as a personal representative if either (1) the patient, including a minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or (2) honoring the personal representative designation could endanger the patient or, if in the exercise of professional judgment, doing so would not be in the patient’s best interests. See 45 C.F.R. § 164.502(g) (5). For example, if a healthcare provider suspects an incapacitated adult patient is being abused by the patient’s agent under an activated power of attorney, the healthcare provider may deny the agent’s request to access records that document abuse-related injuries.
The examples above are only a few of many that arise in day-to-day healthcare operations. Healthcare providers facing these situations should consult with experienced healthcare counsel to avoid HIPAA Right of Access penalties for refusing to produce records or adverse legal action for wrongful disclosure to an unauthorized party