Privacy After Death

Due to new HIPAA rules, HIM must strike an appropriate privacy balance when releasing decedent records

By Judi Hofman, CHPS, CAP, CHP, CHSS

With the HITECH-HIPAA Privacy Rule finalized, HIM professionals have found answers to many questions regarding how to handle access to a deceased patient’s protected health information (PHI).

The HITECH Act’s modification to the HIPAA Privacy Rule, released in January, grants access to a decedent’s records to family members, relatives, and others who previously did not qualify as a “personal representative.” The new rule also lifts access restrictions on protected health information (PHI) 50 years after a patient has died. While these changes may offer a great opportunity for individuals wishing to access PHI of the deceased, HIM professionals should not act too fast when releasing this PHI. Even with the changes in the HIPAA privacy provision, there may still be state regulations, more stringent than HIPAA, that prohibit the release of records. HIPAA regulations are the floor of privacy law, with states dictating the ceiling.

Most Records Open After 50 Years

In the final rule, the Department of Health and Human Services (HHS) recommended suspending the privacy rights of patients 50 years after the date of their death. According to the final rule, this was done to “balance the privacy interest of living relatives or other affected individuals with a relationship to the decedent.” The change was also proposed because of the difficulties people face obtaining authorizations from personal representatives as time passes. In HHS’s opinion, a span of approximately two generations was long enough for the decedent’s privacy rights to extend. The National Committee on Vital and Health Statistics (NCVHS)—the public advisory committee that advises the HHS Secretary on the implementation of the administrative simplification provisions of HIPAA and other issues—agreed, noting technical problems associated with applying the HIPAA Privacy Rule to very old records.

Another reason for selecting 50 years as the protection benchmark is that HHS felt it was long enough that healthcare organizations wouldn’t try to profit from various uses of decedent health records that were five decades old. “The 50-year period of protection [is] long enough so as not to provide an incentive for [a] covered entity to change their record retention policies in order to profit from the data about a decedent,” HHS wrote in the final rule.

Many, but not all, of the public comments submitted to HHS agreed with the final rule’s proposal of limiting the period of protection for decedent health information to 50 years past the date of death.

Some privacy advocates stated concerns during the comment period, saying they were opposed to any timeline associated with the release of decedents’ records. One comment stated that HHS should indefinitely “limit the period of protection for decedent health information due to the continued privacy interest of living relatives as well as the decedent, particularly when highly sensitive information is involved, such as HIV/AIDS status, or psychiatric or substance abuse treatment.” To address these concerns, HHS documented in the HITECH-HIPAA final rule that:

“the concerns regarding protected health information about decedents that is sensitive, such as HIV/AIDS, substance abuse, or mental health information, or that involved psychotherapy notes, the 50-year period of protection for decedents health information under the Privacy Rule does not override or interfere with state or other laws that provide greater protection for such information, or the professional responsibility of mental health or other providers.”

Record Retention Implications

Kirk Nahra, JD, a partner at the law firm Wiley Rein specializing in healthcare privacy law, does not think that there is necessarily much patient interest in the protection of these records, since this provision only applies to records that are at least 50 years old and could be much older. Most facilities, Nahra says, don’t keep records around that long, purging them as part of pre-established medical record retention policies. “You would be hard pressed to find records anywhere near this old in most circumstances,” Nahra says. “Or even 10 years old, based on most general state laws for healthcare.”

Hoping to address provider concerns that they must hold on to patient records for decades, HHS pointed out in the final rule that the 50-year period of protection is not a record retention requirement. In other words, organizations are not required to hold onto patient records for up to 50 years. The rule does not include any medical record retention requirements, and covered entities may destroy medical records at the time permitted by state or other applicable law or requirement.

Facilities Not Required to Release Decedent Records

Nahra does not believe that the HITECH modification to the HIPAA final rule will mean that a covered entity must simply open the door and give PHI away. “This HIPAA rule only removes one regulatory hurdle. It doesn’t force any covered entity to give records out to strangers walking in off the street, or really to do anything at all,” Nahra says.

For example, it is doubtful that a reporter will be able to request records from Dallas-based Parkland Hospital, where President John F. Kennedy was taken after his fatal gunshot wound in 1962, unless the hospital wishes to provide the information—and still has the records. This is because the new regulation only removes the barrier of HIPAA privacy rules, and not other regulations, like state rules. Therefore, the impact of this change on patients and HIM professionals should be relatively small, he says.

That doesn’t mean that facilities shouldn’t release decedent information. Chris Apgar, CEO and president of Apgar & Associates and a nationally recognized information security and privacy expert, says the rule modification amounts to a change in the definition of PHI under HIPAA. “When the September compliance date arrives, any and all health-related information that was PHI is no longer included in the definition of PHI after 50 years from death,” Apgar says. “This means at that point no family or friends’ authorization would be required [to access the records]. Covered entities could release what was PHI to the media, the general public, etc. freely, right or wrong.”

Apgar contends that HIPAA has in the past and continues to protect only the privacy of patients, not necessarily the rights of a patient’s family and friends. HIPAA does define certain circumstances when PHI may be used and disclosed to others, but it vests no rights to that information with friends or family. In this case, if a hospital elected to establish its own privacy protections for health information about deceased patients who died more than 50 years ago, the hospital is well within its rights to do so because HIPAA established the privacy floor. The hospital couldn’t, though, deny a request by claiming the information was still protected by HIPAA.

As far as state law goes, Apgar doesn’t know of any states that protect the health information of deceased patients for any period close to 50 years, let alone beyond it. However, if such a law were found, it would preempt HIPAA.

Accessing Deceased Patient Records—FAQ

For a full FAQ list regarding deceased patient records, visit http://journal.ahima.org.

Q: Who can legally access a deceased person’s medical records?

A: The patient’s designated personal representative or the legal executor of his or her estate has a right under law to access the records.

If the patient died without naming a personal representative or executor, state law determines who by default possesses the right. States often establish a hierarchy of persons based on their relationship to the deceased person. Typically this begins with an adult member of the immediate family, such as a spouse, child, or sibling.

For those family members, relatives, and others who had access to the health information of the deceased prior to death but had not qualified as a “personal representative” of the decedent under HIPAA Privacy Rule 164.502(g)(4), the final HIPAA Privacy Rule allows covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Q: Does this change the personal representative’s rights under HIPAA?

A: This change to the HIPAA Privacy Rule does not change the authority of the decedent’s personal representative. The personal representative continues to have the right to access the decedent’s protected health information and the authority to authorize uses and disclosures of the decedent’s protected health information that are not otherwise permitted or required by the HIPAA Privacy Rule.

Q: What legal documents ensure the right to access a deceased patient’s medical records?

A: A combination of the patient’s death certificate and a court document establishing estate executorship is sufficient to establish one’s right. In some states, alternative documentation can also be used.

Where a person does not rise to the level of personal representative, the HITECH-HIPAA final rule at 164.510(b) permits a covered entity, subject to any prior expressed preference of the individual, to disclose relevant protected health information to persons who may include those who held a healthcare proxy for the individual or a medical power of attorney.

Q: What documentation or information will I need to meet the “reasonable assurance” standard for access to a decedent’s medical record if I am not the personal representative?

A: A person could meet the reasonable assurance criteria by indicating to the covered entity how he or she is related to the decedent, or by offering sufficient details about the decedent’s circumstances prior to death to indicate involvement in the decedent’s care.

Q: Do I have to go to probate court and become the executor of the deceased’s estate in order to access his or her medical records?

A: It depends on the state. Some state laws require people to submit legal proof of executorship to healthcare organizations in order to access records.

Other states follow a hierarchy of who becomes, by default, the personal representative of a deceased patient if the patient dies without naming an executor (as described above).

The Privacy Rule removes only the HIPAA barrier to disclosing a deceased patient’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death. Some states may be more stringent than HIPAA.

Q: How do I find my state’s requirements and restrictions for releasing a deceased patient’s medical record?

A: The HIM department supervisor or the privacy officer of a local hospital can provide details on your state’s release-of-information laws. A local legal assistance group, particularly one that assists seniors, is another good resource.

Wider Access Granted to Family, Caregivers

For many covered entities, the 50-year rule will have little to no impact on their release-of-records policies, especially if they have been stringent with their retention policies and destroyed many of the records past their required life cycle. What may have a bigger impact is the release of records to a decedent’s family members and others who had been involved in the decedent’s care prior to his or her death.

The HITECH-HIPAA final rule has amended section 164.510(b) to “permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with prior expressed preference of the individual that is known to the covered entity.”

The revised rule now allows many of those family members, relatives, and others who had access to a patient’s health information prior to death—through a HIPAA release form—to have those same access rights after the patient’s death. Prior to the change, it was a common complaint that such people did not qualify as a “personal representative” after a patient’s death under 164.502(g)(4), and therefore didn’t retain access to that person’s records. This amendment does not change the authority of a decedent’s appointed personal representative with regard to the decedent’s protected health information. The personal representative continues to have the right to access the decedent’s protected health information, as well as to authorize uses and disclosures of that protected health information that are not otherwise permitted or required by the Privacy Rule.

HHS states in the rule that they feel the provision “strikes the appropriate balance” in allowing communications with family members and others “unless doing so is inconsistent with the prior expressed wishes of the individual.”

Reasonable Assurance for Decedent ROI

The final rule does not, however, place the burden of proof on the requestor to demonstrate that they were involved in the individual’s care. Guidance from HHS on how to determine whether records should be released is murky. This leaves the decision to the covered entity’s professional judgment, with the rule stating that an organization should have “reasonable assurance” that the person requesting the record is a family member of the decedent, or another person who was involved in the individual’s care or payment for care prior to his or her death.

There were no changes and no further clarifications for the terms “personal representative” and “family members” written into the rule. HHS pointed out in the preamble that these definitions already exist in 164.502(g)(4) and 160.130. There was no further extension of the provision to allow disclosure to the decedent’s healthcare “proxy,” “medical power of attorney,” “power of attorney,” or “estate executor.” As noted above:

“where person does not rise to the level of personal representative, the final rule at 164.510(b) permits, subject to any prior expressed preference of the individual, a covered entity to disclose relevant protected health information, which may include persons who held a healthcare proxy for the individual or a medical power of attorney.”

HHS reiterated in the preamble that “a covered entity that is uncomfortable disclosing protected health information under this provision because of the questions about the person’s relationship to the decedent is not required to do so.”

Reference

NCVHS. “Minutes.” Subcommittee on Privacy and Confidentiality. January 11-12, 2005. http://ncvhs.hhs.gov/050111mn.htm.

Judi Hofman (jhofman@stcharleshealthcare.org) is a privacy and information security officer at St. Charles Health System, in Oregon, and served as co-chair of AHIMA’s Privacy and Security Practice Council.

Article citation:
Hofman, Judi. "Privacy After Death." Journal of AHIMA 84, no. 4 (April 2013): 32-35.