Leveraging HIPAA: the double-edged sword


Among the many frustrations that face families with loved ones in forced guardianships is the inability to receive information about the well-being of their loved one.  Abusive guardians are notorious for using the canard that family members are a danger to the well-being of the ward.  They do so without even offering any evidence to support such an absurd claim, which is one of the offshoots of the defamation of character of the family members who so desperately want to rescue their loved one.  However, once the claim is made in court, whether spoken or in writing, the judge is often persuaded to buy into the canard.  The resultant judicial order is extremely difficult to fight.  But the guardians can accomplish the same thing without a judicial order.  Ofttimes, the guardian and/or the institution in which the ward is housed withholds vital information about the ward’s status by using the patently wrong and misleading excuse that divulging even the name or location of a ward is a violation of the Health Insurance Portability and Accountability Act (HIPAA).  This tactic effectively demoralizes the family and shuts them out of even trying to visit the ward, assuming they can even find her.

It is therefore especially important to understand this opaque, complex, and sensitive set of government rules, and the exceptions to those rules, that have dominion over all healthcare information in America.

It is critically important to realize that in the opinion of AAAPG and others, court-appointed guardians are not “covered entities” or “business associates of covered entities” as defined by the government and are not required to comply with HIPAA laws.  When guardians claim they would be violating HIPAA by divulging any information about a ward they are either uninformed, misinformed or lying.

HIPAA was designed in the 80s and 90s by then-Health Secretary Donna Shalala under the Clinton administrations and implemented in stages thereafter.  It was brought about by concerns that health information, particularly negative health information, was being used to deny people jobs or insurance, or otherwise to discriminate against them.

The massive program is run by the Department of Health and Human Services through the division called the Office for Civil Rights, or OCR.

Running afoul of OCR rules can be awfully expensive even for a not-for-profit hospital system like the one in Florida that is the subject of the following press release:


About the OCR

OCR Mission

As a U.S. Department of Health and Human Services law enforcement agency, the Office for Civil Rights (OCR) ensures compliance with our nation’s civil rights, conscience and religious freedom, and health information privacy and security laws by investigating complaints and conducting compliance reviews, requiring corrective and remedial action, promulgating policy and regulations, and providing technical assistance and public education for the American people.

OCR enforces civil rights and conscience and religious freedom laws, and protects the privacy, security, and availability of individuals’ health information. Through these mechanisms, OCR helps to ensure equal access to health and human services, protects the exercise of religious beliefs and moral convictions by individuals and institutions participating in HHS programs, protects individuals’ health information, gives tools for provider awareness and full engagement of individuals.

The OCR has an annual budget of between $32 and $40 million and has nearly 200 full-time DC-based employees to enforce these laws, plus offices all over the country.

Covered entities (CE’s) are defined in the HIPAA rules as

(1) health plans

(2) health care clearinghouses, and

(3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

CE’s are required by statute to always comply with all HIPAA components.

Guardians are not mentioned anywhere as CE’s.


Whether it is a medical or dental practice, a health insurance agency, or an employee of an organization that manages health records, a covered entity must record and review audit logs to stay compliant with HIPAA and protect the information it maintains. Failure to do so in a secure fashion can result in OCR action, including audits.

The Office for Civil Rights (OCR) conducts periodic audits to ensure that covered entities and their business associates comply with the requirements of HIPAA’s regulations.

For a CE, the direct and indirect cost of an OCR audit can easily run into the 5-figure area.


OCR also conducts audits when complaints are lodged.

Why is it so important to obtain at least a verbal HIPAA release for a loved one?

From the HHS website:

If I do not object, can a health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?

Yes.  As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care.  Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object.  In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care.  

Here are some examples:

  • An emergency room doctor may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
  • Your hospital may discuss your bill with your daughter who is with you at the hospital and has questions about the charges.
  • Your doctor may talk to your sister who is driving you home from the hospital about your keeping your foot raised during the ride home.
  • Your doctor may discuss the drugs you need to take with your health aide who has come with you to your appointment.
  • Your nurse may tell you that he or she is going to tell your brother how you are doing, and then your nurse may discuss your health status with your brother if you did not say that he or she should not.


  • Your nurse may not discuss your condition with your brother if you tell your nurse not to.

What can family members do?

File a HIPAA compliance complaint.


For purposes of this discussion, filing a HIPAA complaint is a powerful tool by which to alert the OCR of any one or more of the hundreds of possible violations of information privacy policies committed by a covered entity.

HIPAA Prohibits Retaliation

Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.




The Novel Coronavirus (COVID-19) has presented the healthcare industry with an abundance of issues and questions, most of which revolve around public health and safety. Recognizing the wide-reaching effects of COVID-19, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), which enforces HIPAA, issued a bulletin that provided guidance on how covered entities and business associates may share protected health information (PHI) under the HIPAA Privacy Rule, without a patient’s authorization, during a public health emergency EVEN IF THE GUARDIAN DOES NOT AGREE! Published on February 3, 2020, the bulletin also reiterated that the HIPAA Privacy Rule has always allowed protected health information (PHI) to be shared without patient authorization under certain circumstances. We outline the key points of the OCR’s guidance below.

Preventing a Serious and Imminent Threat

PHI may be disclosed as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public (like COVID-19 risk in nursing homes) based on the health care provider’s professional judgment under 45 CFR 164.512(j). The disclosure may be to anyone in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement.

Notifying Family, Friends, and Others Involved in Care

PHI may be disclosed to a patient’s family, friends, or other persons identified by the patient as involved in the patient’s care, as well as to the police, press, or public. Verbal permission from the patient should be obtained if possible. However, if the patient is incapacitated, then the PHI disclosure should be made based on professional judgment and limited to only necessary and related information. Patient permission is not necessary for disclosures to disaster relief organizations for the purpose of coordinating these family, friend, and caretaker notifications, if obtaining that permission would interfere with the organization’s ability to respond to the emergency.

Clearly, guardians do not fit the definition of a covered entity. Ultimately, the question of whether guardians are bound by HIPAA is determined by the government’s own well-delineated definition of a “business associate” of a covered entity as found at



In summary:

HIPAA is a two-edged sword that cuts both ways.

For covered entities like physicians and institutions, who must abide by the HIPAA rules or face OCR scrutiny, a complaint lodged for failure to comply with every aspect of the rules can trigger investigations, which can be very time-consuming and may even result in OCR audits that cost the covered entity enormous amounts of money and aggravation.  Any deviation from the rules prohibiting sharing of information, as well as from the rules cited above that provide specific exceptions to those rules, particularly during a pandemic, can be used by families to exert influence on the provider to abide by the rules as well as the exceptions, lest he be faced with a very unpleasant audit by the OCR.

For incapacitated patients, which includes every ward, the covered entity is allowed to use its professional judgment to decide whether to share private health information, and this judgment, which is subjective, can be open to challenge.  If a family member believes that the judgment is being influenced by outside forces, such as a guardian who wishes to keep all information away from family, a complaint to the OCR, or the threat of one, may be sufficient to convince the covered entity to reconsider its position and release at least a modicum of information to the family, particularly during the time of the pandemic.

With regard to the guardian, it should go without saying that a good and proper guardianship would entail keeping family members abreast of at least minimal information on the location and/or well-being of their loved one.  It is only in corrupt guardianships where secrecy and hiding of even the location of a ward is normative.  In these situations, there are legal questions about whether the civil rights of the ward are being violated and these questions are beyond the scope of this article.  However, a guardian cannot use HIPAA as an excuse for withholding vital information from family members who are concerned about their loved one because those laws simply do not apply to noncovered entities.

In a guardianship, the Guardian does have the right to control everything about the ward, including what information they divulge to anyone, even family, about the ward.  But the Guardian does not have the right or the ability to dictate to a covered entity such as a facility or treating physician what they may or may not wish to divulge to family.

The takeaway is that the refusal of a guardian to divulge critical information about a ward to family is unacceptable, even though technically, the guardian can literally do whatever she wants under the letters of guardianship from the Judge. BUT she cannot use HIPAA as the excuse for her refusal. A complaint to the Judge disclosing the false HIPAA claim may influence his decision to compel her to release the information.

More importantly, the HIPAA opinion (quoted above) about disclosing information pertaining to an incapacitated person, especially during a national health emergency, leaves the decision up to the subjective judgment of the covered entity, which can be challenged. If the covered entity persists in its refusal, the threat of a HIPAA complaint, properly completed and submitted, can be a very persuasive tool, since the entity must decide if refusing to disclose elementary information about a patient is worth the cost and time of possibly facing an invasive, drawn-out OCR HIPAA audit, which almost always can be counted on to find some mistakes or violations leading to sanctions and fines.

In the interest of full disclosure, the issue of whether the Guardian has the fiduciary authority to step into the shoes of the ward in order to restrict information flow to family members is an open question.  Since the guardian’s powers are defined by State statute, even in states that have adopted aspects of the uniform guardianship code, the statutes are silent about whether the Guardian has the authority and ability to prevent dissemination of vital information to family members.

A judge might grant the guardian the power to ‘cover up’ the medical condition of his ward, but only upon a Petition, notice and hearing. However, the order granting it would have to be specific and based upon disclosed compelling evidence, which would be impossible in 99 out of 100 situations.  It is therefore a reasonable position to take that the guardian is not only overstepping her authority in denying information but may actually be breaching her fiduciary relationship to the disabled person/ward.  Worst case scenario, the issue can be litigated.

Without demonstrated evidence that contact with family members could be dangerous or deleterious to the health of the ward, or that revealing the location and status of a ward would place them in any kind of danger from family, guardians should not be allowed to deny family members this critical information.  If necessary, family members can resort to the tactics outlined herein to protect their loved ones, their rights, and their health.


The information provided herein does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available herein are for general informational purposes only.  This information may not constitute the most up-to-date legal or other information.  This article contains links to other third-party websites.  Such links are only for the convenience of the reader, user, or browser; AAAPG and its members do not recommend or endorse the contents of the third-party sites.

Readers of this information should contact their attorney to obtain advice with respect to any particular legal matter.  No reader, user, or browser of this site should act or refrain from acting on the basis of information in this article or the AAAPG website without first seeking legal advice from counsel in the relevant jurisdiction.  Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.  Use of, and access to, this article or www.aaapg.net  or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors or contributors.

The views expressed at, or through, this site are those of the individual authors writing in their individual capacities only. All liability with respect to actions taken or not taken based on the contents of this article or www.aaapg.net is hereby expressly disclaimed.  No representations are made that this content is error-free.