Privacy After Death
Due to new HIPAA rules, HIM must strike an appropriate privacy balance when releasing decedent records
By Judi Hofman, CHPS, CAP, CHP, CHSS
With the HITECH-HIPAA Privacy Rule finalized, HIM professionals have found answers to many questions regarding how to handle access to a deceased patient’s protected health information (PHI).
The HITECH Act’s modification to the HIPAA Privacy Rule, released in January, grants access to a decedent’s records for family members, relatives, and others that previously did not qualify as a “personal representative.” The new rule also releases access restrictions on personal health information (PHI) 50 years after a patient has died. While these changes may offer a great opportunity for those individuals wishing to access PHI of the deceased, HIM professionals should not act too fast when releasing this PHI. Even with the changes in the HIPAA privacy provision, there still may be state regulations that are more stringent than HIPAA prohibiting the release of records. HIPAA regulations are the floor of privacy law, with states dictating the ceiling.
Most Records Open After 50 Years
In the final rule, the Department of Health and Human Services (HHS) recommended suspending the privacy rights of patients 50 years after the date of their death. According to the final rule, this was done to “balance the privacy interest of living relatives or other affected individuals with a relationship to the decedent.” The change was also proposed due to the difficulties people face obtaining authorizations from personal representatives as time passes. Apparently the span of approximately two generations was enough time, in HHS’s opinion, for the decedent’s privacy rights to extend. The National Committee on Vital and Health Statistics (NCVHS)—the public advisory committee that advises the HHS Secretary on the implementation of administrative simplification provisions of HIPAA and other issues—agreed, noting technical problems associated with applying the HIPAA Privacy Rule to very old records.
Another reason for selecting 50 years as the protection benchmark is HHS felt it was long enough that healthcare organizations wouldn’t try to profit from various uses of decedent health records that were five decades old. “The 50-year period of protection [is] long enough so as not to provide an incentive for [a] covered entity to change their record retention policies in order to profit from the data about a decedent,” HHS wrote in the final rule.
Many, but not all, of the public comments submitted to HHS agreed with the final rule’s proposal of limiting the period of protection for decedent health information to 50 years past the date of death.
Some privacy advocates stated concerns during the comment period, saying they were opposed to any timeline associated with the release of decedents’ records. One comment stated that HHS should indefinitely “limit the period of protection for decedent health information due to the continued privacy interest of living relatives as well as the decedent, particularly when highly sensitive information is involved, such as HIV/AIDS status, or psychiatric or substance abuse treatment.” To address these concerns, HHS documented in the HITECH-HIPAA final rule that:
Record Retention Implications
Kirk Nahra, JD, partner at Wiley Rein law firm specializing in healthcare privacy law, does not think that there is necessarily much patient interest in the protection of these records since this provision only applies to records that are at least 50 years old and could be much older. Most facilities, Nahra says, don’t keep records around that long, purging them as part of pre-established medical record retention policies. “You would be hard pressed to find records anywhere near this old in most circumstances,” Nahra says. “Or even 10 years old, based on most general state laws for healthcare.”
Hoping to address provider concerns that they must hold on to patient records for decades, HHS pointed out in the final rule that the 50-year period of protection is not a record retention requirement. In other words, organizations are not required to hold onto patient records for up to 50 years. The rule does not include any medical record retention requirements, and covered entities may destroy medical records at the time permitted by state or other applicable law or requirement.
Facilities Not Required to Release Decedent Records
Nahra does not believe that the HITECH modification to the HIPAA final rule will mean that a covered entity must simply open the door and give PHI away. “This HIPAA rule only removes one regulatory hurdle. It doesn’t force any covered entity to give records out to strangers walking in off the street, or really to do anything at all,” Nahra says.
For example, it is doubtful that a reporter will be able to request records from Dallas-based Parkland Hospital, where President John F. Kennedy was taken after his fatal gunshot wound in 1962, unless the hospital wishes to provide the information—and still has the records. This is because the new regulation only removes the barrier of HIPAA privacy rules, and not other regulations, like state rules. Therefore, the impact of this change on patients and HIM professionals should be relatively small, he says.
That doesn’t mean that facilities shouldn’t release decedent information. Chris Apgar, CEO and president of Apgar & Associates and a nationally recognized information security and privacy expert, says the rule modification amounts to a change in the definition of PHI under HIPAA. “When the September compliance date arrives, any and all health-related information that was PHI is no longer included in the definition of PHI after 50 years from death,” Apgar says. “This means at that point no family or friends’ authorization would be required [to access the records]. Covered entities could release what was PHI to the media, the general public, etc. freely, right or wrong.”
Apgar contends that HIPAA has in the past and continues to protect only the privacy of patients, not necessarily the rights of a patient’s family and friends. HIPAA does define certain circumstances when PHI may be used and disclosed to others, but it vests no rights to that information with friends or family. In this case, if a hospital elected to establish its own privacy protections for health information about deceased patients who died more than 50 years ago, the hospital is well within its rights to do so because HIPAA established the privacy floor. The hospital couldn’t, though, deny a request by claiming the information was still protected by HIPAA.
As far as state law goes, Apgar doesn’t know of any states that protect the health information of deceased patients for any period close to the 50 years, let alone beyond it. However if such a law was found, it would preempt HIPAA.
Wider Access Granted to Family, Caregivers
For many covered entities, the 50-year rule will have little to no impact on their release of records policies, especially if they had been stringent with their retention policies and destroyed many of the records past their required life cycle. What may have a bigger impact is the release of records to a decedent’s family members and others who had been involved in the decedent’s care prior to his or her death.
The HITECH-HIPAA final rule has amended section 164.510(b) to “permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with prior expressed preference of the individual that is known to the covered entity.”
The revised rule now allows many of those family members, relatives, and others who had access to a patient’s health information prior to death—through a HIPAA release form—to have those same access rights after the patient’s death. Prior to the change, it was a common complaint that people did not qualify as a “personal representative” after a patient’s death, and therefore didn’t retain access to that person’s records, under 164.502(g)(4). This amendment does not change the authority of a decedent’s appointed personal representative with regard to the decedent’s protected health information. The personal representative would continue to have the right to access protected health information of the decedent, as well as to authorize the use and disclosure of the protected health information that are not otherwise permitted or required by the privacy rule.
HHS states in the rule that they feel the provision “strikes the appropriate balance” in allowing communications with family members and others “unless doing so is inconsistent with the prior expressed wishes of the individual.”
Reasonable Assurance for Decedent ROI
The final rule does not, however, place the burden of proof on the requestor to demonstrate they were involved in the individual’s care. Guidance from HHS on how to determine if records should be released is murky. This leaves the decision to the covered entity’s professional judgment, with the rule stating an organization should have “reasonable assurance” that the person requesting the record is a family member of the decedent, or another person who was involved in the individual’s care or payment for care prior to their death.
There were no changes and no further clarifications for the terms “personal representative” and “family members” written into the rule. HHS pointed out in the preamble that these definitions already exist in 164.502(g)(4) and 160.130. There was no further extension of the provision to allow disclosure to the decedent’s healthcare “proxy,” “medical power of attorney,” “power of attorney,” or “estate executor.” As noted above:
HHS reiterated in the preamble that “a covered entity that is uncomfortable disclosing protected health information under this provision because of the questions about the person’s relationship to the decedent is not required to do so.”
NCVHS. “Minutes.” Subcommittee on Privacy and Confidentiality. January 11-12, 2005. http:/ncvhs.hhs.gov/050111mn.htm.
Judi Hofman (firstname.lastname@example.org) is a privacy and information security officer at St. Charles Health System, in Oregon, and served as co-chair of AHIMA’s Privacy and Security Practice Council.