HIPAA and posthumous rights

Deceased individuals have a continued right to privacy regarding their individually identifiable health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the related Privacy Rule, and the Omnibus Rule (78 Fed. Reg. 5566, 5576 (Jan. 25, 2013)) make it clear that a decedent’s privacy rights are protected for fifty (50) years from the date of death. This means that a covered entity (45 CFR §160.103), which includes providers, health plans, and health care clearinghouses must follow the same steps that it took when a patient was alive, as required by the Privacy Rule.

The U.S. Department of Health and Human Services (HHS) succinctly summarizes how the Privacy Rule applies to decedents, personal representatives and family members alike. Specifically,

During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information. With respect to family members or other persons involved in the individual’s health care or payment for care prior to the individual’s death, but who are not personal representatives, the Privacy Rule permits a covered entity to disclose the relevant protected health information of the decedent to such persons, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. (emphasis added).

A prudent course of action is to have a current durable medical power of attorney (DMPOA), a signed HIPAA Authorization Form, which may permit multiple family members and fiduciaries (i.e., attorneys) to receive medical information about the individual, and a will. Although a power of attorney is a function of state law, a DMPOA is different than a power of attorney for other purposes, such as financial affairs. If no one is designated, then states have a statutory hierarchy, which would apply.

As the American Medical Association (AMA) sets forth in a practical publication,

Are personal representatives and primary carepartners able to access electronic copies of a deceased patient’s records?
Yes, personal representatives must be treated as the individual with respect to the Rule, as defined by the
Rule in Section 164.502(g). However, there are instances where an individual has not expressly authorized another person to act on the individual’s behalf. Persons who are involved in the individual’s health care may be considered “carepartners” and, like family members, are permitted to have access to the deceased’s PHI, as defined by the Rule in 45 CFR 164.510(b). Since these individuals must be treated as the individuals, covered entities are required to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, as per the Rule at 45 CFR 164.524(c)(2)(i).

What about medical examiners and coroners? They fall under the HIPAA law enforcement exception, which means that while a decedent’s protected health information (PHI) may be disclosed to them by a covered entity (i.e., hospital or physician), they may not disclose the information to any individual that requests it. HHS distills this notion into very relatable terms:

During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals. These include provisions that permit a covered entity to disclose a decedent’s health information: (1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4)); (2) to coroners or medical examiners and funeral directors (§ 164.512(g)); (3) for research that is solely on the protected health information of decedents (§ 164.512(i)(1)(iii)); and (4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h)). (emphasis added).

Stated another way, HIPAA permits a covered entity or police officer to disclose the information to a coroner or a medical examiner for the purpose of identifying the cause of death. HIPAA does not, however, authorize the coroner or medical examiner to further disclose the PHI, including the autopsy report, to a person without legal authority, whether a personal representative or a family member prescribed by state statute. Moreover, states that have public records request acts create categories of exemptions. For example, the California Public Records Act, § 6254 (CPRA), which was reorganized 2021 Cal AB 473 (Oct. 7, 2021), provides for the withholding of “personal, medical or similar files, the disclosure of which would constitute an unwarranted invasion of personal privacy.” Texas has a similar law, the Public Information Act (PIA) and on its website, the Office of the Attorney General simply states, “[s]ome information is confidential by statute, a governmental body generally cannot release the information under the PIA.”

While HIPAA does allow entities to disclose PHI, pursuant to 45 C.F.R. § 164.512(j) if it “is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public” and the disclosure is to “a person or persons reasonably able to prevent or lessen the threat,” medical examiners should not have a link available to the public which enables any person, press or not, to request unredacted medical records, which an autopsy report does in fact contain.

Not every person expires due to the natural aging process and in a peaceful manner. The trauma and emotional distress that families experience initially and subsequently if the autopsy report were released without their knowledge or consent, could cause significant harm. In fact, the City of Los Angeles’ Medical Examiner-Coroner is “responsible [for] notify[ing] the decedent’s next of kin of the death of their loved one. If you prefer to notify the next of kin as part of your investigation, in lieu of the Coroner making the notification, this must be coordinated with Medical Examiner-Coroner personnel. What about the “Coroner Report”? In Los Angeles, the Medical Examiner-Coroner maintains two types of documents:

• ‘Non-Exempt’ documents are kept as part of the “Coroner Report” and are available to the public upon request.
• ‘Exempt’ documents, including worklists, notes, instrument tracings, calibration and quality control information, and/or photographs that support the formal reports, are exempt from public disclosure and are available to legal entities upon request.
  To request Laboratory ‘Discovery’ (i.e. to obtain ‘Exempt’ documents), please provide an itemized request with a Subpoena Duces Tecum to the Department’s Subpoena Desk or call 323.343.0518 with any questions.

As the California Attorney General’s Office has consistently stated for nearly twenty (20) years that medical records (i.e., records containing PHI and other sensitive information (i.e., Social Security Number)) are exempt records. “If a record contains exempt information, the agency generally must segregate or redact the exempt information and disclose the remainder of the record.” Therefore, while a date of death and person’s name may be disclosed, other PHI and sensitive PII should be redacted in order to prevent harm and potential misuse of PHI and sensitive PII, such as social security numbers, to perpetuate personal gain, notoriety, or malicious intent at the expense of the decedent’s survivors.

This area of the law requires, as this article has illustrated, wading through a myriad of different federal and state laws. One should also use empathy and common sense when both requesting and disclosing information that should have been redacted from medical examiners in an attempt to circumvent other laws. Fortunately, various state and federal information request laws took this into account. It is incumbent upon the entities that control the autopsy information to redact, include only the minimum necessary, and respect the decedent and the next of kin.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.