Martin Shenkman

Disclosures of Private Health Information

Why HIPAA (Health Insurance Portability and Accountability Act) is so important to CPAs and what you need to know about disclosing client medical data today.

March 20, 2008
by Martin Shenkman, PFS/JD

Why is HIPAA (Health Insurance Portability and Accountability Act) so important to CPAs? CPAs deal with a wide range of matters, transactions and documents that can require the disclosure of medical information. These transactions demonstrate the importance to practitioners of being familiar with HIPAA:

  • Shareholders' agreements commonly deal with a shareholder becoming disabled. A worker's salary may be phased out if temporarily disabled or may trigger a repurchase if the worker is permanently disabled. These events require a medical determination. This might be a simple mandate in the shareholders agreement that a letter from a physician should be obtained. But without an authorization from the disabled shareholder, that letter won't be obtainable. To be effective, the authorization must address the restrictions and rules contained in legislation known as HIPAA. Addressing HIPAA's impact on the disclosure of your client's medical information is thus important for a host of practice matters.

  • Have you considered what provisions your accounting practice succession documents should include? Suppose your partner is disabled and you need to take over the practice. How can you obtain the requisite physician letter mandated in your shareholders' agreement to demonstrate his incompetence and trigger the replacement provision? HIPAA needs to be addressed in this and many common situations.
  • A common estate planning step often recommended by CPAs is for a client to use an irrevocable life insurance trust ("ILIT"). Key to the success of an ILIT is the trustee. But if the trustee is disabled, how does the trust transition to a successor trustee? If the current trustee forgets to pay premiums, can you help replace them? Should you? The ILIT should include a mechanism to replace a disabled trustee and require a HIPAA release to permit obtaining the necessary medical determination of disability.

Editor Note: Martin Shenkman will be speaking at AICPA's Tax Strategies for the High Income Individual conference in Las Vegas, NV, May 8‑9, 2008.

What Is HIPAA?

HIPAA is short for the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191, 110 Stat. 1936 (1966)). HIPAA protects a patient's rights to confidential medical information, "Protected Health Information" or PHI. A goal of HIPAA is to provide protection for sensitive health information. This has broad implications to a wide range of personal, estate planning and business transactions.

When Can Health Information Be Disclosed?

The key to planning client transactions is to assure that the required health information is accessible by the client's personal representative and can be disclosed when needed. This concept is the focus of most CPAs' involvement with HIPAA. Specifically, when planning documents necessitate the need for disclosure of PHI, you need to assure that someone is authorized to be the personal representative to obtain medical disclosures. For example, a successor trustee may have to be designated the HIPAA representative for a prior trustee in order to obtain the written physician determination that the predecessor trustee is disabled and the baton of control should pass to the successor.

What Information Can Be Disclosed?

Medical providers should only disclose the minimum necessary to achieve the purpose of the requested disclosure. Your client should clearly delineate the specific purpose of the disclosure to protect and limit the scope of what is disclosed, so that this can be determined. For example, while it may be relevant for a co-shareholder to inquire of a client's physician whether he is permanently disabled, detailed information concerning the client's mental health records would be inappropriate.

Can an Agent Under a Power of Attorney Be a Client's HIPAA Representative?

There are circumstances that might warrant having an agent ("personal representative" in HIPAA jargon) act on a client's behalf with regard to HIPAA matters. The agent under a client's financial power of attorney is not always empowered to make health care decisions. Merely paying medical bills may not constitute making health care decisions. PHI requires adequately addressing HIPAA, when triggering a springing power of attorney based on disability requiring medical information. Most commentators have focused their HIPAA attention on the grantor of a power of attorney. But the same issue arises for any agent or trustee, who might become disabled.

A Client's Executor Is Their HIPAA Personal Representative

An executor of an estate has authority to act on behalf of the decedent with respect to PHI. This can be very important for matters, such as when the executor needs medical records to resolve outstanding medical bills. In the event of an IRS challenge of the decedent's competency to have affected estate planning transactions, the executor will have authority to access medical records.

Can a Successor Trustee Be Your Trustee's Personal Representative?

A mechanism could be included in a trust mandating that all trustees grant authorization to release their PHI to successor trustees for the purpose of determining disability. A HIPAA release must acknowledge that the person (trustee) can revoke it. This problem could be addressed by the trust providing that, if the revocation constitutes a termination of the trustee's position as a trustee. The medical disclosures could be limited to the minimum information necessary to making this determination.

Obtaining the Release of Personal Health Information (PHI)

A client's HIPAA representative has the right to authorize the release of PHI if the following requirements are met:

  • Writing: The authorization should be in writing and that it is a voluntary act authorizing the disclosure to the named representative.

  • What: It should describe the health information to be disclosed. This is likely to only be specified components of the client's medical record. The client might specify that medical records between certain dates be released or expressly exclude certain information such as alcohol and drug treatment. The HIPAA paradigm is that only as much information should be disclosed as necessary.
  • Who: Which medical provider should make the disclosure? This could be a specific physician, hospital, list of providers or even a category of providers. For example, "any physicians, hospitals or other medical providers who have provided treatment, other medical services or payment for same, from June 1, 2004 through February 1, 2008."
  • Term: When does the authorization to disclose PHI expire? This could be: "upon a child attaining age 21," which might suffice for a minor's care. It could be "two years from the signing of the authorization," which should be more than adequate for a life insurance application. "Upon the conclusion of my court case" may suffice for a litigation matter, although issues of appeals, etc. might warrant consideration in setting the parameters. If feasible for a trustee it might be "so long as serving as trustee of the [identify trust]."
  • Revocation: The client retains the right to revoke any authorization to disclose his or her PHI. Any revocation is not binding on a medical provider until they receive it, minimizes their liability for disclosing information based on an authorization they held prior to the revocation.
  • Purpose: The purpose for the disclosure should be explained. This might be limited to the minimum information to determine whether the particular person or client has the ability to function as a trustee or should be replaced or only that information necessary to underwrite the client for life insurance.


HIPAA affects a broad range of personal, financial and estate transactions with which CPAs are involved. Almost every key estate document and many key business documents need to address HIPAA disclosure issues to assure that various trigger mechanisms (succession of fiduciaries, determinations of disability, etc.) can occur. Because drafting and planning are complex issues, practitioners should guide their clients in these issues before problems arise.

Rate this article 5 (excellent) to 1 (poor).
Send your responses here.

Martin M. Shenkman, CPA, MBA, PFS, JD is an estate planner in Paramus, New Jersey. He is author of 36 books on tax, estate and related planning, the most recent of which, Life Cycle Planning for the CPA Practice, a practical form book for every phase of the solo to small CPA firm published by AICPA and available through CPA2BIZ.