POLST Forms and HIPAA: Privacy, Access, and Sharing Explained


Kevin Henry

HIPAA

April 02, 2026


Understanding POLST Forms

What a POLST Is—and Why It Matters

A POLST (Physician/Provider Orders for Life-Sustaining Treatment) translates your current care preferences into actionable medical orders. It’s designed for people who are seriously ill or medically frail, so clinicians and EMS can honor your wishes quickly across care settings.

What a POLST Typically Covers

Most POLST forms address cardiopulmonary resuscitation (CPR), ventilation and airway support, hospital transfer, antibiotics, and artificial nutrition/hydration. Because these are medical orders, they guide real-time treatment without delay.

Who Completes and Signs

You complete a POLST through a conversation with an authorized clinician (for example, a physician, nurse practitioner, or physician assistant, depending on state law). Your signature and, in many states, the clinician’s signature confirm the legal validity of the POLST as an order set.

Key Attributes

  • Portable across care settings (home, hospital, long-term care, EMS).
  • Focused on current treatment goals—not distant, hypothetical scenarios.
  • Meant to complement, not replace, other planning tools.

HIPAA Privacy Rule Overview

What HIPAA Protects

HIPAA safeguards your Protected Health Information (PHI)—any identifiable health data created or held by covered entities and their business associates. That includes your POLST, whether on paper or stored electronically.

Permitted Uses and Disclosures

Covered entities may use or disclose PHI for treatment, payment, and health care operations without patient authorization. Disclosure for treatment allows clinicians and EMS to share and act on a POLST to provide appropriate care, even in emergencies.

Minimum Necessary and Professional Judgment

The minimum necessary standard does not apply to treatment. Still, clinicians should share only what’s relevant and use professional judgment to respect privacy while ensuring safe, timely care.

Your Rights and Personal Representatives

You have the right to access your POLST and other PHI. A legally recognized personal representative—such as an agent named in a Health Care Power of Attorney—generally has the same access rights you do, consistent with state law and clinical judgment for safety.

Disclosure and Use of POLST Forms

Who May See and Use a POLST

Clinicians and EMS may access and rely on a POLST to deliver treatment. Hospitals, nursing facilities, home health, and hospice teams can also use it when directly involved in your care.

Family, Caregivers, and Involvement in Care

With your agreement—or when you lack capacity and sharing is in your best interest—providers may discuss relevant parts of your POLST with family or caregivers involved in your care. This supports alignment between your wishes and real-time decisions.

After Death

Once a patient dies, certain rights shift to the person authorized under state law (for example, an executor). Records retention and privacy still apply, and disclosures should remain limited to appropriate purposes.

Documentation and Auditing

When POLST information is disclosed, organizations should document the rationale and rely on role-based access and audit logs. This promotes transparency and reduces privacy risk.

Integration with Electronic Health Records

Electronic Health Record Integration

Modern EHR systems can store structured POLST data and scanned forms, making the orders visible to clinicians at the point of care. Many regions also use registries so EMS and emergency departments can retrieve the latest version quickly.

Privacy and Security Safeguards

When a POLST is stored electronically, HIPAA’s Security Rule requires administrative, physical, and technical safeguards. Encryption, access controls, authentication, and audit trails help protect PHI while preserving rapid access during emergencies.

Sharing Across Settings

Health information exchanges and secure Direct messaging allow POLST orders to follow you across hospitals, clinics, and long-term care. Data segmentation can limit sensitive elements while preserving essential treatment guidance.

Best Practices for You

  • Ask your clinician to upload the POLST to your EHR and any applicable registry.
  • Keep a paper copy in an easy-to-find place at home and bring one to appointments.
  • Confirm that your nursing facility, hospice, or home health team has the most recent version.

Voluntary and Revocation Rights

Voluntary Participation

A POLST is always voluntary. It should reflect your values and current goals of care—not pressure or default choices. You can decline a POLST or choose treatments à la carte.

Patient Capacity and Revocation

You may revoke a POLST at any time. If you lack capacity, an authorized surrogate (for example, a Health Care Power of Attorney agent) may modify or revoke it under state law. The newest signed orders control in a clinical setting.

How to Revoke or Change a POLST

  • Tell your clinician you want to change or void the POLST and create new orders.
  • Mark paper copies “VOID,” then replace them with the updated version.
  • Ensure your EHR, facility chart, and any registry show the latest orders.
  • Inform caregivers and family about the change to prevent confusion in emergencies.

Advance Directives and POLST Relationship

How They Differ

An advance directive documents your broader preferences and often names a decision-maker through a Health Care Power of Attorney. A POLST is a present-tense medical order for specific treatments that clinicians and EMS must follow.

How They Work Together

Use an advance directive to appoint your agent and outline values. Use a POLST to convert those values into concise, actionable orders for your current condition. Together, they create clarity from the bedside to the ambulance.

Resolving Conflicts

If documents conflict, the most recent and clinically applicable guidance usually prevails, subject to state law. Regularly review both documents to keep them aligned with your goals.

State-Specific Regulations and Compliance

Variation by State

Names, formats, and signing rules vary (for example, POLST, MOLST, or MOST). Some states require specific clinician signatures, colors, or registry enrollment for a POLST to be legally valid.

Portability and EMS Protocols

Most states honor a properly executed POLST within their borders, but portability across states can differ. EMS protocols also vary, so verify how your state implements and retrieves POLST orders.

Organizational Policies

Hospitals and long-term care facilities should keep policies for obtaining, storing, and honoring POLSTs, train staff on privacy-compliant sharing, and audit access to reduce risk.

Conclusion

POLST forms and HIPAA work together to safeguard privacy while enabling timely, values-based care. By integrating your POLST into the EHR, clarifying who may access it, and reviewing it as your goals change, you ensure your wishes are both known and honored.

FAQs

How does HIPAA protect POLST forms?

HIPAA treats a POLST as Protected Health Information, requiring safeguards, access controls, and limited sharing. Disclosures beyond treatment, payment, and operations generally need Patient Authorization or a specific legal basis.

Who can access POLST forms under HIPAA?

Clinicians and EMS may access and use a POLST for treatment. You and your personal representative—such as an agent named in a Health Care Power of Attorney—also have access, consistent with state law and safety considerations.

Can POLST forms be shared electronically?

Yes. POLST orders can be stored in EHRs, exchanged through registries or health information exchanges, and retrieved by authorized users. Electronic sharing must follow HIPAA security requirements and organizational policies.

How can patients revoke a POLST form?

Tell your clinician you want to change or void the form, create new orders, and replace all copies. Ensure your EHR and any registry reflect the newest POLST, and inform caregivers about the update.
