In the past month I’ve gotten close to a dozen questions about protecting the personal data of the deceased, most from medical organizations. Given the soon-to-be enforced EU GDPR and the long-standing requirements under the USA’s HIPAA, this is not surprising: information security and privacy pros are trying to get up to speed on all aspects of privacy protection.
Time now to think about the legal protections for the personal data of the deceased. Let’s look in turn at the two kingpins of privacy regulation mentioned above, HIPAA and GDPR, and then take a brief look at a few of the literally hundreds of other personal information protection laws and regulations, with regard to whether and how they relate to the protection of personal data of the deceased.
Before addressing the privacy issues for this discussion, be sure to understand: if you are not based in the US, you may still be legally required to comply with HIPAA. Generally any entity, located anywhere in the world, that accesses the protected health information (PHI) to support the treatment, payment, or healthcare operations (TPO) of the healthcare activities performed by HIPAA covered entities for patients within the US, or who are citizens of the US, must comply with HIPAA. Many types of TPO activities are performed by contracted entities (called “business associates” under HIPAA), and many HIPAA covered entities (CEs) have operations located in other countries that involve PHI access of some kind. So, in most cases these organizations must also be HIPAA compliant.
The general questions I recently received from healthcare organizations about this topic include:
- When can a family member access a deceased patient’s medical records?
- If there is a power of attorney in place prior to the patient’s death, can that power of attorney access the medical records?
- Can a patient representative, who paid the patient’s medical bills and was authorized by the patient to access the patient’s medical information, access the deceased’s medical records?
HIPAA is very clear about most aspects related to these questions; patient records and PHI of the deceased must be protected according to the same controls that must be applied to the records of the living for 50 years after the individual dies. This means that family members would need to follow those controls to get access to the PHI, unless it has been more than 50 years since their family member died.
It is worth noting that prior to the enactment of the Omnibus Rule in 2013, the PHI and patient records were required to be protected according to HIPAA requirements forever. It is likely there are still many organizations that are covered under HIPAA that never updated their information security and privacy policies and are still following those original requirements.
Here are the times when family members can obtain access under HIPAA rules to the PHI of a person who has been deceased for less than 50 years:
(1)(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with the other requirements within § 164.510, as applicable.
(5) Uses and disclosures of PHI when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons (a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, as to the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care) who were involved in the individual’s care or payment for health care prior to the individual’s death, protected health information of the individual that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
So the key considerations include:
- if the information is necessary to the family member’s own healthcare, or
- if they had been involved with the deceased’s treatment, payment or operations (TPO), or
- if the deceased had explicitly identified them as someone with whom the PHI could be shared,
… then the PHI of the deceased can be shared with them.