HIPAA Final Rule: Protected Health Information of Deceased Individuals

March 12, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Our focus last week and early this week has been on 45 CFR 164.502: Uses and disclosures of protected health information:  General Rules.  Today, we finish up with this modified rule with: 164.502(f): StandardDeceased individuals.

“164.502(f): StandardDeceased individuals.  A covered entity must comply with the requirements of [the HIPAA Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.”

We provide here the content of the Final Rule preamble that underpins the Uses and disclosures of protected health information:  General Rules pertaining to deceased individuals:

“We believe 50 years is an appropriate period of protection for decedent health information, taking into account the remaining privacy interests of living individuals after the span of approximately two generations have passed, and the difficulty of obtaining authorizations from a personal representative of a decedent as the same amount of time passes. For the same reason, we decline to shorten the period of protection as suggested by some commenters or to adopt a 100-year period of protection for decedent information. We also believe the 50-year period of protection to be long enough so as not to provide an incentive for covered entities to change their record retention policies in order to profit from the data about a decedent once 50 years has elapsed.

“With respect to commenters’ concerns regarding protected health information about decedents that is sensitive, such as HIV/AIDS, substance abuse, or mental health information, or that involves psychotherapy notes, we emphasize that the 50-year period of protection for decedent health information under the Privacy Rule does not override or interfere with State or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers. Covered entities may continue to provide privacy protections to decedent information beyond the 50-year period, and may be required to do so under other applicable laws or as part of their professional responsibility. Alternatively, covered entities may choose to destroy decedent information although other applicable law may prescribe or limit such destruction.

“We also decline to limit protections under the Privacy Rule to a certain period beyond the last date in the medical record. While we appreciate the challenges that may be present in determining the date of death of an individual in cases in which it is not sufficiently clear from the age of the record whether the individual is deceased, we believe that this determination is necessary in closer cases to protect the individual, as well as living relatives and others, who may be affected by disclosure of the information. Further, as we stated in the [July 14, 2010, Notice of Proposed Rule Making], this modification has no impact on a covered entity’s disclosures permitted under other provisions of the Privacy Rule. For example, a covered entity is permitted to disclose protected health information of decedents for research that is solely on the information of decedents in accordance with 45 CFR 164.512(i)(1)(iii) [Uses and disclosures for which an authorization or opportunity to agree or object is not required], without regard to how long the individual has been deceased.

“Finally, we clarify that the 50-year period of protection is not a record retention requirement. The HIPAA Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law. (We note that covered entities are subject to the accounting requirements at 45 CFR 164.528 [Accounting of disclosures of protected health information] and, thus, would need to retain or record certain information regarding their disclosures of protected health information.) However, if a covered entity does maintain decedent health information for longer than 50 years following the date of death of the individual, this information will no longer be subject to the Privacy Rule.”

78 Federal Register 5614

Tomorrow, we look at a related modified HIPAA Privacy Rule pertaining to decedents:  45 CFR 164.510(b):  Disclosures about a decedent to family members and others involved in care.

Leave a Reply

Your email address will not be published. Required fields are marked *