07 – HIPAA

Trust Fundamentals-PGTS Standards April 20, 2022

PGTS STANDARD

7. An opinion has been obtained from an attorney licensed to practice in the applicable jurisdiction regarding the implications of the Health Insurance Portability and Accountability Act (HIPAA) and appropriate actions for the organization when serving as a fiduciary, successor fiduciary, attorney-in-fact, and any other related activity. [PGTS]

Who Must Comply with Standard #07?

Organizations with a PGTS Level of Service Accreditation that have accepted fiduciary responsibilities on behalf of donors, or could accept these responsibilities in the future, must comply with this standard. This standard does not apply to organizations accredited at a PGP or PGO level of service.

Special Note

This standard requires organizations to secure an attorney’s opinion.

HIPAA Now Required

For several years now, trust reviews have reported the need for organizations to consult with their legal counsel on how to relate to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Legal counsel was asked to evaluate whether the organization had all the necessary HIPAA release forms to fulfill its fiduciary responsibilities and avoid risk. Having an attorney’s opinion on HIPAA has not been a standard until now. But, starting January 01, 2023, all organizations with a PGTS Level of Service that accept fiduciary responsibilities must have an attorney’s opinion concerning HIPAA. The organization must follow the guidance provided in the opinion, including when the opinion specifies that a HIPAA release is in each file containing documents that may require the organization to act as a fiduciary.

The HIPAA release may be a separate document, or it may be a part of each of the appropriate documents that may be used during the donor’s life(s). Documents only used after the donor(s) dies, such as a will, do not need HIPAA releases.

Why Is a HIPAA Release Needed?

If your organization is currently the fiduciary for the donor(s), or if your organization is the successor and the donor(s) become disabled and can no longer act on their own behalf, you will need a HIPAA release. This document will allow you to obtain “protected health information” from “covered entities” such as healthcare providers, healthcare plans, healthcare clearinghouses, and business associates. The ability to communicate would be essential if your organization is responsible for paying medical bills for the donor(s), if you need to confirm that a medical bill is legitimate, or when you need to communicate with the organization requiring payment of medical bills.

Privacy Rule

Most NAD PGTS organizations do not receive “Protected Health Information” (PHI) and thus would not be considered “covered entities” under HIPAA regulations. But when acting as fiduciary for a donor, you may receive health-related information on the donor’s behalf. These files may contain this PHI and need to be kept private, and access should be restricted only to those working directly with PGTS. These are the same people in your PGTS office who are required to sign a conflict of interest form every year.

Security Rule

With the NAD Working Policy allowing electronic storage of informational documents, your office may digitize documents rather than store them on paper. The HIPAA Security Rule covers “electronically-stored protected health information (ePHI).” The Security Rule gives guidance to organizations for storing PHI electronically. The American Medical Association states, “All covered entities must assess their security risks, … Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule and document every security compliance measure.” Every area where PHI is used in the GC office building has off-limit signs restricting access. There are locked doors in the new NAD building that an individual must have permission to access. The Security Rule expectations are scalable, so small offices are not expected to have the same security as larger offices.

Consequences

The organizations listed in the previous paragraph may be impacted if they breach either the privacy rule or the security rule of HIPAA. The Health and Human Services (HHS) Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties. It has been over two and one-half decades since HIPAA was passed. There have been enough lawsuits and judgments paid that most healthcare organizations will not talk to you as a fiduciary unless you have the appropriate legal releases.

Attorney Opinion

Now is the time to approach your legal counsel to start the process of securing the legal opinions for Standard #07 as well as the other new standards that require legal opinions (#17, 18, 23b). These legal opinions may be added to your existing legal opinions and received every 5 years along with the rest of the directions for how your PGTS office should operate.

Canadian PIPEDA

HIPAA is a US federal law; other state laws may also apply. Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA) and other provincial laws that may apply, such as Ontario’s Personal Health Information Protection Act (PHIPA) (2004). Where the Ontario PHIPA focuses on Personal Health Information (PHI), the Canadian PIPEDA covers all Personally Identifiable Information (PII) and is more similar to the European Union’s General Data Protection Regulation (GDPR) (2018). The NAD PGTS Standard #07 does not explicitly mention the Canadian laws. The NAD PGTS Department recommends that all Canadian organizations have their attorneys review the privacy laws that govern their jurisdiction and determine how these health care privacy laws would affect how they operate. A formal response from the NAD PGTS Standing Committee will come later.

File Review

Now is the time to review all of your files carrying your organization’s current or future fiduciary responsibilities. You may already have a list of these files. If you find that HIPAA releases are missing, you still have time before January 01, 2023, to work with the donors to remedy the situation.

Conclusion

For all the offices that are including HIPAA release language in all of their applicable estate planning documents and have contacted donors whose documents predate HIPAA requirements to get separate HIPAA releases, you can continue doing what you have been doing. For offices that are unsure, now is the time to find out what needs to be done.

For all organizations involved with assisting donors with document preparation, even if your organization does not accept fiduciary responsibilities, make sure that all applicable documents contain HIPAA release language to benefit your donor’s fiduciaries.

Links to Health Care Privacy Information

1. Centers for Disease Control and Prevention

https://www.cdc.gov/phlp/publications/topic/hipaa.html#one

2. Department of Health and Human Services

https://www.hhs.gov/hipaa/index.html