Responding to requests for medical records has become fairly routine for most health care providers. Those same responses get a bit more complex when the patient is deceased. Deceased patients still have the right to confidentiality of their protected health information, but it may take some investigation for a covered entity to determine the identity of the individual that may authorize the release of the deceased patient's records.
The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that creates the minimum requirements for the confidentiality of protected health information. HIPAA applies to covered entities which are defined as a health plan, a health care clearinghouse or a health care provider that transmits any health information in electronic form in connection with a transaction covered under the HIPAA regulations.
The original HIPAA privacy regulations issued in 2000, required a covered entity to maintain the confidentiality of protected health information for as long as the covered entity held the protected health information. Essentially, health care providers were required to maintain the confidentiality of a deceased patient's records until the health care provider destroyed the record. In the days of paper medical records, health care providers routinely destroyed patient records for most patients after several years. With the advent of electronic records health care providers are maintaining patient records significantly longer.
Recently, the HIPAA regulations were revised and now provide that a health care provider must maintain the confidentiality of a deceased patient's records for a period of 50 years following the death of the individual. Consequently, covered entities need to know who may authorize the release of a deceased patient's protected health information.
The HIPAA regulations provide that upon the death of an individual, the executor, administrator, or other person authorized under applicable law to act on behalf of the decedent's estate becomes the person able to authorize the release of protected health information. Very often the personal representative is the former spouse or other immediate family member of the deceased patient. However, covered entities need to know that only the "person authorized by law" may authorize the disclosure of protected health information. Many a covered entity has been caught in the middle of family disputes when a legally appointed personal representative is at odds with the deceased patient's immediate family members. The covered entity should require the personal representative to produce a letter of administration or other legal authority showing the personal representative is the "person authorized under applicable law" to act in behalf of the deceased patient.
Generally, a covered entity cannot rely upon a healthcare advance directive or other document granting authority to a particular individual to authorize the disclosure of protected health information once the patient dies. Most authorizations granted by a patient during their life expire upon their death. Even a durable power of attorney that is intended to survive the death of the patient is limited to the specific powers granted in the power of attorney. The revised HIPAA regulations include a new provision that allows a covered entity to disclose the protected health information of a deceased patient to a family member or a close friend that was involved in the care of the deceased individual that is relevant to such person's involvement in the care of the deceased individual unless the disclosure is inconsistent with a prior expressed preference of the deceased individual.
Finally, health care providers need to remember that HIPAA is the minimum requirement. They may be required to adhere to more stringent standards by the laws of their individual states.
Health care providers must maintain the confidentiality of the protected health information of their patients even after the patient is deceased. They should determine that the person requesting the release of protected health information of a deceased individual is the person authorized by law to act on behalf of the deceased patient before releasing protected health information.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.