skip to main content

April 8, 2019

By: Susan E. Ziel and

The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health or “HITECH” Act  (hereinafter “HIPAA”)1 establishes numerous obligations for HIPAA covered entities and business associates.  

One obligation, in particular, concerns the rights of individual patients or clients (“Individual(s)”) who are the subject of protected “individually identifiable health information” or “PHI” that is created or received and maintained by HIPAA covered entities and business associates.  These Individual rights include the following:  

  • The right to inspect, request and timely receive a copy of PHI;
  • The right to request an amendment of PHI; 
  • The right to request an accounting of certain PHI disclosures; and
  • The right to receive notification of a breach incident or other unauthorized disclosure involving the Individual’s PHI.2 

Whereas HIPAA authorizes Individuals, as adults, to initiate these rights under specific procedures, HIPAA also designates certain other “personal representatives” to “step into the shoes” of these Individuals and act for or behalf of these Individuals in the exercise of these rights under applicable state laws.3 Covered entities must recognize these rights and treat personal representatives in the same manner as if the Individual was the person making his or her own health care decision. In the case of living Individuals, the person(s) who can qualify as surrogate health care decision-makers under state law typically carry out these obligations.4 In the case of a deceased Individual, the persons(s) who can qualify as a “personal representative” in the management of trusts and estates typically carry out these obligations.5 

State  laws define Individuals who qualify as adults due to their age. State laws also define various classes of Individuals who qualify as minors due to their age; however, these same laws confirm that minors may qualify as adults due to their marital status. The requirements to qualify as an adult are set forth in the Indiana Code.6  Individuals classified as adults may consent to their own health care, except as provided in other areas of this section of the law. 

State laws also define those classes of persons who can make health care decisions on behalf of an Individual minor, or alternatively, an Individual adult who is not otherwise capable of making these decisions.7  As stated above, these person(s) would qualify as “personal representatives” who can qualify as surrogate health care decision-makers for living Individuals if they are not otherwise able to exercise these rights under HIPAA. Covered entities should be aware that effective July 1, 2018, Indiana law sets out a hierarchy of persons who may consent to healthcare for incapacitated individuals and adds grandparents, other relatives, and friends to the list.8  

In the case of a  deceased Individual, state laws also define the persons(s) who can qualify as a “personal representative” in the management of matters concerning wills, trusts and estates.9  Similar to personal representatives of living individuals, representatives of deceased individuals may exercise the decedent’s HIPAA rights. The HIPAA Privacy Rule protects a decedent’s PHI for 50 years after the date of death.10 There are exceptions to this rule, such as disclosure of PHI to a decedent’s family member or others involved in the decedent’s health care payment prior to death.11 There are additional exceptions to disclosing a decedent’s PHI12, however HIPAA generally covers a decedent’s PHI to the same extent as a living individual. 

If you or your organization has any questions regarding rights and obligations under HIPAA, or general HIPAA compliance questions, please contact Susan E. Ziel of Integrity Health Strategies at, Alexandria M. Foster at, or any other Krieg DeVault attorney in the Health Care practice group. 

[1] HIPAA 110 Stat. 1936, HITECH Act 123 Stat. 226, and the implementing regulations at 45 C.F.R §164 and 45 C.F.R §170.
[2] 45 C.F.R. §164.524 and 45 C.F.R.§164.404.
[3] See 45 C.F.R. §164.502.
[4] See
[5] Id.
[6] See IC 16-36-1-3.
[7] See IC 16-36-1-5.
[8] IC 16-36-1-5.
[9] See IC 29-1-10-1
[11] Id.

[12] See additional requirements at 45 C.F.R. § 164.512.