The original HIPAA privacy regulations, issued in 2000, required a covered entity to maintain the confidentiality of protected health information for as long as the covered entity held the protected health information. Essentially, health care providers were required to maintain the confidentiality of a deceased patient's records until the health care provider destroyed the record. In the days of paper medical records, health care providers routinely destroyed patient records for most patients after several years. With the advent of electronic records, health care providers are maintaining patient records significantly longer.
Recently, the HIPAA regulations were revised and now provide that a health care provider must maintain the confidentiality of a deceased patient's records for a period of 50 years following the death of the individual. Consequently, covered entities need to know who may authorize the release of a deceased patient's protected health information.
The HIPAA regulations provide that upon the death of an individual, the executor, administrator, or other person authorized under applicable law to act on behalf of the decedent's estate becomes the person able to authorize the release of protected health information. Very often the personal representative is the former spouse or other immediate family member of the deceased patient. However, covered entities need to know that only the "person authorized by law" may authorize the disclosure of protected health information. Many a covered entity has been caught in the middle of family disputes when a legally appointed personal representative is at odds with the deceased patient's immediate family members. The covered entity should require the personal representative to produce a letter of administration or other legal authority showing the personal representative is the "person authorized under applicable law" to act on behalf of the deceased patient.
Generally, a covered entity cannot rely upon a healthcare advance directive or other document granting authority to a particular individual to authorize the disclosure of protected health information once the patient dies. Most authorizations granted by a patient during their life expire upon their death. Even a durable power of attorney that is intended to survive the death of the patient is limited to the specific powers granted in the power of attorney. The revised HIPAA regulations include a new provision that allows a covered entity to disclose the protected health information of a deceased patient to a family member or a close friend who was involved in the care of the deceased individual. The disclosure is limited to information that is relevant to such person's involvement in the care of the deceased individual, and it is not allowed if it is inconsistent with a prior expressed preference of the deceased individual.
Finally, health care providers need to remember that HIPAA is the minimum requirement. They may be required to adhere to more stringent standards by the laws of their individual states.
Health care providers must maintain the confidentiality of the protected health information of their patients even after the patient is deceased. They should determine that the person requesting the release of protected health information of a deceased individual is the person authorized by law to act on behalf of the deceased patient before releasing protected health information.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.
This article was originally published in Advance for Respiratory Care and Sleep Medicine.