Source Ledger - HIPAA
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the federal statute that governs the privacy and security of individually identifiable health information in the United States. It is the law that determines who can access a person’s medical records, under what circumstances, and what authorization is required.
For estate planning purposes, the relevant section of HIPAA is the Privacy Rule, which prohibits “covered entities” (healthcare providers, health plans, and healthcare clearinghouses that transmit information electronically) from disclosing Protected Health Information without authorization. The Privacy Rule is the reason a spouse may be denied a partner’s lab results, prognosis, or treatment plan during a medical crisis, even when the spouse is making decisions on the partner’s behalf under a Healthcare Power of Attorney.
The most common misunderstanding families have about HIPAA is that hospital staff are being unhelpful. They are not. They are following federal law, which prohibits disclosure by default unless an authorization document is on file.
Where the law came from
HIPAA was signed into law by President Bill Clinton on August 21, 1996, after passage by Congress as Public Law 104-191. The bill was co-sponsored by Senator Edward Kennedy (D-MA) and Senator Nancy Kassebaum (R-KS), and its original purpose was narrow: to address the portability of health insurance when employees changed jobs. The “portability” in the name refers to this original goal, not to medical records.
The privacy provisions were added during the legislative process in response to growing concerns about the digitization of medical records. Congress directed the Department of Health and Human Services (HHS) to draft specific privacy regulations if Congress did not enact privacy legislation within three years. Congress did not act in time, and HHS proceeded with regulatory rulemaking.
The HIPAA Privacy Rule (codified at 45 CFR Part 160 and Subparts A and E of Part 164) was issued in final form in 2000, revised in 2002, and became effective on April 14, 2003 for most covered entities. The Security Rule, which addresses the technical and administrative safeguards for electronic health information, was issued separately and became effective April 20, 2005.
Enforcement was significantly expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, which raised civil penalties for violations and required notification of breaches affecting 500 or more individuals. The HHS Office for Civil Rights is the primary enforcement agency.
How it operates
HIPAA’s structure rests on a default rule: a covered entity may not disclose Protected Health Information unless a specific authorization exists or a specific exception applies.
The default rule is broad. It covers any information that could identify the patient (name, address, dates, medical record numbers, photographs, biometric data, and any health information tied to those identifiers). It applies whether the disclosure is written, verbal, or electronic. It applies to disclosures to spouses, adult children, parents, and anyone else who is not the patient.
The authorized exceptions are narrow. Routine disclosures are permitted for treatment (sharing information among providers caring for the patient), payment (billing and insurance processing), and healthcare operations (quality assessment, accreditation, training). Emergency disclosures are permitted when the patient cannot communicate and the disclosure is in the patient’s best interest as judged by the provider. Disclosures required by law (subpoenas, court orders, mandated reporting of certain conditions) are permitted within the scope of that legal requirement.
Outside those exceptions, disclosure to family members requires either the patient’s verbal authorization (if the patient can communicate), the patient’s written authorization, or an authorization executed by someone with the legal authority to act on the patient’s behalf. A Healthcare Power of Attorney does not automatically provide this; a HIPAA Authorization is a separate document.
The HIPAA Authorization must be specific. It must name the person authorized to receive information, describe the information that can be released, state the purpose of the disclosure, and include an expiration date or event. Generic “HIPAA waiver” forms downloaded from the internet often fail one or more of these specificity requirements and can be rejected by hospital records departments.
Why it creates confusion in estate planning
The most common source of confusion is the assumption that a Healthcare Power of Attorney covers HIPAA access. It does not. The Healthcare POA grants decision-making authority. The HIPAA Authorization grants information access. They are different legal instruments addressing different needs.
This distinction matters in practice. A spouse holding a Healthcare POA may have the authority to consent to surgery, refuse treatment, or transfer the patient to another facility, while still being denied the test results, imaging, or prognosis that would inform those decisions. The hospital is following federal law; the family is operating with incomplete information.
The fix is a HIPAA Authorization executed alongside the Healthcare POA, typically as part of a combined Advance Healthcare Directive that includes the Living Will, Healthcare POA, and HIPAA Authorization in one document. Most Arizona estate plans now use this combined structure.
A secondary source of confusion is the assumption that HIPAA prevents emergency disclosure. It does not. The Privacy Rule explicitly permits emergency disclosure when the patient cannot communicate and the disclosure is in the patient’s best interest. The problem in practice is that “emergency” is interpreted narrowly by hospital privacy officers, and many situations families consider urgent (a hospitalization that requires care coordination but is not life-threatening) are not treated as emergencies for HIPAA purposes.
Formal definition
HIPAA is the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), a federal statute whose Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) prohibits covered entities from disclosing individually identifiable Protected Health Information without specific authorization, with narrow exceptions for treatment, payment, healthcare operations, and certain emergency or legally required disclosures.
COMMON MISUSE OR MISCONCEPTION
Treated as covering everything medical. HIPAA applies to “covered entities” (healthcare providers, health plans, healthcare clearinghouses, and their business associates). It does not apply to friends, family members, employers, or most commercial entities that may incidentally learn medical information. A neighbor cannot be sued under HIPAA for gossiping about a hospitalization.
Assumed to be the reason for any privacy denial. Not every “we cannot tell you that” is HIPAA. Hospital policies, state law (Arizona has additional protections for mental health, substance abuse, and HIV-related records), and individual provider judgment all play roles. HIPAA is often invoked as the explanation for denials that have other legal sources.
Confused with informed consent. Informed consent is a separate legal doctrine governing whether a patient understood and agreed to a treatment. HIPAA governs who can access information about that treatment after the fact. Different domain, different documents.
Assumed to be circumvented by knowing the password to the patient portal. Patient portals are convenient for the patient’s own use. They do not authorize anyone else to log in. A spouse logging into a partner’s patient portal without authorization is technically violating both HIPAA and the portal’s Terms of Service, even if the spouse knows the password and the partner would have approved.
Treated as eliminated by marriage. Marriage does not constitute HIPAA authorization. A married spouse has no greater statutory right to a partner’s medical information than any other family member. The HIPAA Authorization is the document that grants access; marriage alone is not enough.
Where this comes up in the series
Understanding Your Healthcare POA and HIPAA Authorization addresses the gap between marriage and HIPAA access directly, and explains why most Arizona estate plans combine the Living Will, Healthcare POA, and HIPAA Authorization into a single Advance Healthcare Directive.
Understanding Your Living Will covers the related but distinct end-of-life document that often travels with the HIPAA Authorization.