In the past month I’ve gotten close to a dozen questions about protecting the personal data of the deceased, most from medical organizations. However, given the soon-to-be enforced EU GDPR, and the long-time requirements under USA’s HIPAA, it is not surprising. Information security and privacy pros are trying to get up-to-speed on all aspects of privacy protection.
Time now to think about the legal protections for the personal data of the deceased. Let’s look in turn at two kingpins of privacy regulation mentioned earlier, HIPAA and GDPR, and then take a brief view at a few of the literally hundreds of other personal information protection laws and regulations with regard to if and how they relate to the protection of personal data of the deceased.
Before addressing the privacy issues for this discussion, be sure to understand: if you are not based in the US, you may still be legally required to comply with HIPAA. Generally any entity, located anywhere in the world, that accesses the protected health information (PHI) to support the treatment, payment, or healthcare operations (TPO) of the healthcare activities performed by HIPAA covered entities for patients within the US, or who are citizens of the US, must comply with HIPAA. Many types of TPO activities are performed by contracted entities (called “business associates” under HIPAA), and many HIPAA covered entities (CEs) have operations located in other countries that involve PHI access of some kind. So, in most cases these organizations must also be HIPAA compliant.
The general questions recently I received from healthcare organizations about this topic include:
When can a family member access a deceased patient’s medical records?
If there is a power of attorney in place prior to the patient’s death, can that power of attorney access the medical records?
Can a patient representative, who paid the patient’s medical bills and was authorized by the patient to access the patient’s medical information, access the deceased’s medical records?
HIPAA is very clear about most aspects related to these questions; patient records and PHI of the deceased must be protected according to the same controls that must be applied to the records of the living for 50 years after the individual dies. This means that family members would need to follow those controls to get access to the PHI, unless it has been more than 50 years since their family member died.
It is worth noting that prior to the enactment of the Omnibus Rule in 2013, the PHI and patient records were required to be protected according to HIPAA requirements forever. It is likely there are still many organizations that are covered under HIPAA that never updated their information security and privacy policies and are still following those original requirements.
Here are the times when family members can obtain access under HIPAA rules to the PHI of a person who has been deceased for less than 50 years:
(1)(ii) (ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with the other requirements within § 164.510, as applicable. (5) Uses and disclosures of PHI when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons (family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.) who were involved in the individual’s care or payment for health care prior to the individual’s death, protected health information of the individual that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
So the key considerations include:
if the information is necessary to the family member’s own healthcare, or
if they had been involved with the deceased’s treatment, payment or operations (TPO), or
if they had explicitly indicated that sharing the PHI was approved by them,
… then the PHI of the deceased can be shared with them.
Regarding whether or not those with power of attorney can access the PHI of the deceased, per the HHS:
“If a health care power of attorney is currently in effect, the named person would be the patient’s personal representative (The period of effectiveness may depend on the type of power of attorney: Some health care power of attorney documents are effective immediately, while others are only triggered if and when the patient lacks the capacity to make health care decisions and then cease to be effective if and when the patient regains such capacity).
“Personal representatives,” as defined by HIPAA, are those persons who have authority, under applicable law, to make health care decisions for a patient. HIPAA provides a personal representative of a patient with the same rights to access health information as the patient, including the right to request a complete medical record containing mental health information. The patient’s right of access has some exceptions, which would also apply to a personal representative. For example, with respect to mental health information, a psychotherapist’s separate notes of counseling sessions, kept separately from the patient chart, are not included in the HIPAA right of access.
Additionally, a provider may decide not to treat someone as the patient’s personal representative if the provider believes that the patient has been or may be subject to violence, abuse, or neglect by the designated person or the patient may be endangered by treating such person as the personal representative, and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the person as the personal representative. See 45 CFR 164.502(g)(5).”
In stark contrast to HIPAA, GDPR does not protect the privacy of the dead. Recital 27 of the EU GDPR specifies that the “Regulation does not apply to the personal data of deceased persons.” This comes as a surprise to many.
However, it is important to understand that the GDPR also states that EU Member States can create their own rules to cover the processing of the personal data of deceased persons. There is much activity in many EU countries where bills establishing such legal protections are moving forward.
It is important for organizations to understand the laws for this topic for each country within which they have clients, customers, workers, patients, or any other individuals whose personal data they possess.
Other Legal Requirements
There are a wide range of data protection laws worldwide, and many of them include requirements for protecting the personal data of the deceased. Here are just a couple of examples:
Make sure you discuss the legal requirements covering the protection of personal data of the deceased with your legal counsel to ensure you know all that are applicable to your organization. Also, monitor resources for this type of information on new and updated data protection laws, such as here at CPO Magazine.
Do you possess personal data of the deceased? Do you know? Where is it located? How is it protected? How is it used? What laws are applicable?
To help answer these questions, take the following actions:
Define what constitutes “personal information” or “personal data” for your organization. This definition will vary from one organization to the next based upon the unique business environment and applicable legal considerations for each.
Establish a personal information inventory for your organization.
Specify within the inventory the personal information items that are for the deceased.
Establish procedures for keeping the inventory up-to-date
Document the locations for where the personal information items are located.
Document the security controls for the personal information.
Determine every type of entity (e.g. individual, application, outside entity, etc.) that has access to the personal information items.
Determine and document the applicable legal requirements (laws, regulations, contractual requirements) for protecting, using, sharing, etc. the personal information.
Perform a risk assessment and privacy impact assessment (PIA) for the current personal information within the organization, and associated safeguards, uses, and access to the personal information.
Mitigate identified risks.
Review and update as necessary, or create new, policies and supporting procedures for the protection of personal information in all forms.
Provide regular training for the policies and procedures, along with sending occasional reminder messages.
Ensure all contractors, vendors, and BAs with access to the personal information you entrust to them have strong information security and privacy programs in place to protect and use personal information to at least the same level of your organization’s protections.
Parting thoughts on privacy for the deceased…
I’ve written about this topic for many years. For example, see one of my early articles, “Is There Privacy Beyond Death.” I’ve also discussed the topics of protecting the personal data of the deceased at length with my SIMBUS and Privacy Professor clients.
If you have any questions on this topic, just let me know. I will be touching upon this at my Data Privacy Asia sessions this September in Manila, Philippines.
Please get in touch!
I look forward to covering the wide range of privacy issues that must be addressed by every business, and every individual, in the coming months within this blog feature! If you have a topic to suggest, just let me know. I always appreciate knowing the topics that are at top of mind for our readers.