How Do HIPAA Regulations Apply After Death?

By Elizabeth Snell

HIPAA regulations help ensure that covered entities and business associates put in place the necessary safeguards to keep individuals’ sensitive medical information secure. But what happens after a patient passes away? Are healthcare providers still obligated to keep that individual’s PHI secure? What about family members: are they allowed unfiltered access to their deceased relative’s information?

HIPAA regulations outline PHI security for decedents

This week, we will discuss how HIPAA requires healthcare organizations to handle deceased individuals’ health information. We’ll review how HIPAA regulations stipulate that PHI be transferred and secured, and how the family of a deceased individual may be given access to that information.

Does the HIPAA Privacy Rule apply to deceased individuals?

The HIPAA Privacy Rule states that an individual’s identifiable health information remains protected for 50 years following their death.

“The Rule explicitly excludes from the definition of ‘protected health information’ individually identifiable health information regarding a person who has been deceased for more than 50 years,” the Department of Health and Human Services (HHS) explains on its website. “During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals.”

The provisions where a covered entity can disclose the PHI of a deceased individual include the following:

(1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct

(2) to coroners or medical examiners and funeral directors

(3) for research that is solely on the protected health information of decedents

(4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation

(5) to a family member or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity

For PHI disclosures that fall outside of the HIPAA Privacy Rule, covered entities need to receive “a written HIPAA authorization from a personal representative of the decedent who can authorize the disclosure,” according to HHS.

What else should covered entities know?

According to HHS, it is not necessary for covered entities to retain a decedent’s PHI for the same 50-year period. The Privacy Rule does not itself have any medical record retention requirements, but organizations can adhere to any state or other applicable laws about destroying medical records.

It is also important to know that, in general, a covered entity should not disclose PHI to family members of a decedent if that individual had given strict instructions not to do so upon his or her death. However, if a family member is an executor or administrator of the decedent’s estate, then he or she should be treated as the individual with regard to PHI disclosure.

“In these cases, a covered health care provider may disclose relevant protected health information about the decedent to the family member, and the family member retains the right to receive a copy of the relevant information in the decedent’s medical record, without regard to the decedent’s prior objection,” according to HHS.

However, this desire not to have PHI disclosed does not need to be documented. It is likely that many healthcare providers would choose to document it anyway, to ensure that other employees who may become involved in the case also abide by the patient’s wishes.

Overall, should a decedent’s family members want access to PHI in order to better understand their own healthcare, the HIPAA Privacy Rule does account for that. There are three situations where individuals could obtain PHI about their deceased relatives:

  • a covered entity may disclose a decedent’s PHI, without authorization, to the provider treating the surviving relative.
  • if the information being disclosed “is relevant to the person’s involvement in the decedent’s care or payment for care.”
  • an individual acting on behalf of a decedent (i.e. executor) can receive PHI “if it is within the scope of such personal representative’s authority under other law.”

While it might not always be possible to plan ahead and have documents created to dictate how an individual’s PHI is to be treated following his or her death, it is important to know that the information will still be treated securely under HIPAA regulations. Moreover, family members who are concerned about their own healthcare treatment may have PHI disclosed to their own provider to ensure proper care.

HIPAA regulations are not discarded upon an individual’s death. It is essential that covered entities and business associates understand how PHI is to be handled and transferred, even after a patient passes away.
