The United State Department of Health and Human Services issued a privacy rule to implement the requirements under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). These rules establish standards that address the use and disclosure of individual’s health information. Within the United States Department of Health and Human Services, the Office for Civil Rights has responsibility for implementing and enforcing HIPAA. The objective under HIPAA is to assure that an individual’s private patient information is protected yet at the same time, allow the flow of such information that is needed in order to provide quality healthcare.


When a home healthcare agency is confronted with a request for the release of information, the agency must take caution in order to ensure that they are in compliance. They need to understand what information is protected and who has the right to review such information. Finally, they should also understand what third parties have authority to receive and/or review such protected information. Because HIPAA is extensive, all home healthcare companies confronted with a request need to consult with their attorney to insure that they remain in compliance.


Protected patient information generally includes information including demographic information that relates to an individuals’ past, present or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present or future payment for the provision of healthcare to the individual. A covered entity may not use or disclosure protected health information except as the rule permits, or as the individual, who is subject to the information, or the individual’s personal representative, authorizes in writing. One of the permitted disclosures that is commonly considered by a home healthcare agency is pursuant to a subpoena and/or a request from an individual operating under a power of attorney.


One of the exceptions to HIPAA is pursuant to a judicial or administrative proceeding. As long as the request for the information is through a court order or an administrative tribunal, then the agency is permitted to make the disclosure. Quite commonly, the court will have a protective order in place that would govern the use of such patient information. In any event, in these situations disclosure is permissible.


Another common disclosure is through a request submitted by a power of attorney. One making a request under a power of attorney is the equivalent of the patient themselves making such request. However, it is critical that the agency verifies that the one making the request does in fact have a power of attorney.


All home healthcare agencies need to establish a procedure when dealing with a request for a turnover of protected information. We recommended that any request be submitted in writing, and specifically sets forth the nature of the documents that they wish to review, and describe the authority for which the request is based. In addition, these requests must be maintained within the records for the patient in question.


The obligations under HIPAA are quite extensive. Any home healthcare agency that is dealing with such a request should consult with their attorney to verify that they are acting within the guidelines under the rule. Failure to comply will subject the home healthcare company to damages.