Generally, yes. A Health Care Power of Attorney grants a trusted individual access to medical and mental health records under the Health Insurance Portability and Accountability Act (HIPAA).
What is a Health Care Power of Attorney (HCPOA)?
“HCPOA is a document that identifies one or more people you trust to tell health care clinicians about your decisions for medical care when you are unable to,” explains Penn State Health’s HCPOA for advance care planning.
Furthermore, “HCPOA is often a part of other documents called Advance Directives or Living Wills.” So, some POAs take immediate effect, while others only become active when the patient is deemed incapable of making their own healthcare decisions.
Moreover, the POA ceases to be effective if and when the patient regains capacity.
HCPOA and HIPAA
Under HIPAA, individuals with an active HCPOA are recognized as "personal representatives." The HHS Health Information Privacy page explains, “Personal representatives...have authority, under applicable law, to make health care decisions for a patient.”
Therefore, in most cases, a personal representative has the same right to access medical records as the patient.
Access to medical and mental health records
Since HIPAA grants patients access to their own medical records, a personal representative under a HCPOA would typically have this same right. It includes the ability to request a complete medical record, even if it contains mental health information.
However, there are some exceptions, like psychotherapy notes that a mental health provider keeps separately from the main medical record and are not covered under HIPAA’s right of access.
Consequently, a personal representative under a POA may be denied access to these records.
Exceptions to POA Access
In certain circumstances, healthcare providers have the right to deny access to medical records, even if a POA is in place. HIPAA allows providers to refuse to recognize a personal representative if doing so would protect the patient from harm.
“A provider may decide not to treat someone as the patient’s personal representative if the provider believes that the patient has been or may be subject to violence, abuse, or neglect by the designated person or the patient may be endangered by treating such person as the personal representative, and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the person as the personal representative, the HHS adds.
Therefore, HIPAA prioritizes patient safety and well-being, preventing individuals who pose a risk to the patient from accessing their protected health information (PHI).
HCPOAs and secure communication
Since mental health records are classified as PHI, HIPAA mandates that mental health professionals use secure communication methods to protect PHI during transit and at rest.
More specifically, mental health professionals must use a HIPAA compliant email solution, like Paubox, with advanced security measures, including encryption, access controls, and audit trails, upholding HIPAA regulations.
Learn more: HIPAA Compliant Email for Mental Health Professionals
FAQs
What rights do patients have under HIPAA regarding their mental health information?
Patients have the right to access, request corrections, and obtain a copy of their mental health information.
Do HIPAA compliant emails protect mental health information?
Yes, HIPAA compliant emailing platforms, like Paubox, use encryption and other security measures, so only authorized individuals can access the information.
Can mental health providers disclose PHI without patient consent?
Yes, mental health providers can disclose protected health information (PHI) without patient consent to prevent harm or comply with legal mandates.
