Article | Open access | Peer reviewed

Medical Privacy After Death: Implications of New Modifications to the Health Insurance Portability and Accountability Act Privacy Rule

2013; Elsevier BV; Volume: 88; Issue: 10; Language: English

10.1016/j.mayocp.2013.05.026

ISSN

1942-5546

Authors

Charles G. Kels, Lori H. Kels

Topic(s)

Palliative Care and End-of-Life Issues

Abstract

On January 25, 2013, the US Department of Health and Human Services (HHS) published “the most sweeping changes” to its health information regulations “since they were first implemented” more than a dozen years earlier.[1] Among the modifications to the Privacy Rule, a regulation issued under the Health Insurance Portability and Accountability Act (HIPAA) to establish national standards to protect individuals’ personal health information, was a substantial shift in the way that medical records of deceased patients are treated under the law.

Throughout the Privacy Rule’s history, the status of decedents’ health information has oscillated between greater and lesser protection. In the rule’s first iteration in 1999, the HHS proposed extending confidentiality for 2 years after a person died.[2] This proposal was largely consistent with traditional privacy law, in which an individual’s protectable interests cease at death, but at odds with US medical ethics, whereby postmortem confidentiality mirrors that during life.[3] Faced with criticism that the 2-year time frame was “not sufficiently protective” of medical privacy, the final Privacy Rule of 2000 jettisoned the temporal limitation in favor of extending protection indefinitely. Agreeing that the 2-year period was “both inadequate and arbitrary,” the HHS declined to specify an alternative time frame and opted to safeguard decedents’ information “in the same manner and to the same extent” as living individuals.[4]

The new modifications, which became effective on March 26, 2013, and mandate compliance by September 23, 2013, make 2 important changes regarding the records of decedents (Table). First, the regulation returns to the formula of a temporal restriction on privacy protection but opts for a considerably longer period of 50 years after death. Second, disclosure of a decedent’s health information is now permitted to family members or others who were involved in the individual’s care or payment for care, unless the individual had earlier expressed a preference otherwise.[5] These changes implicate 2 substantial considerations regarding the disclosure of medical records post mortem: privacy expectations for deceased individuals and their survivors and appropriate access for those survivors to confidential information about their departed loved ones.

Table. Health Insurance Portability and Accountability Act Privacy Rule Modifications: Effects on Decedent Health Information

Revised sections: 50-Year rule; Disclosure to family members

Key aspects
  50-Year rule:
  - Health information protected by the Privacy Rule excludes decedent records >50 years after death
  - Compliance with the Privacy Rule is not required for decedent records >50 years after death
  Disclosure to family members:
  - Disclosure of decedent health information is permitted to relatives and others involved in the patient’s care or payment for care before death, consistent with the prior expressed preferences of the deceased individual

What it means
  50-Year rule:
  - Authorization by a personal representative is not necessary for disclosing decedent records >50 years after death
  Disclosure to family members:
  - Health care practitioners may continue to share relevant information with relatives and caretakers who had access to the individual’s health information before death but who lack testamentary status as a personal representative

What it does not mean
  50-Year rule:
  - Does not require records retention for 50 years
  - Does not mandate disclosure >50 years
  - Does not override more stringent laws or professional guidelines
  Disclosure to family members:
  - Does not change the personal representative’s authority to access and authorize the use and disclosure of the decedent’s records
  - Does not confer new individuals with personal representative authority
  - Does not mandate disclosure to the decedent’s family and friends if the practitioner is uncomfortable doing so
  - Does not permit the disclosure of past medical problems unrelated to the requestor’s involvement in the individual’s care
  - Does not override more stringent laws or professional guidelines

Role of clinicians and institutions
  50-Year rule:
  - Continue to follow applicable records retention requirements
  - Understand whether other applicable laws or rules grant protection to certain categories of health information >50 years after death; if so, adhere to the more stringent requirement
  Disclosure to family members:
  - Record and check for any expressed preferences of patients regarding who should or should not receive their personal health information
  - Make reasonable assurances that the requestor is in fact a relative or friend involved in the individual’s care or payment on the basis of documents, past interactions, or reasonable discretion
  - Limit disclosures to information relevant to the requestor’s involvement in treatment or payment

Implications for decedents and families
  50-Year rule:
  - Decedent records are no longer protected by the Privacy Rule >50 years after death
  Disclosure to family members:
  - Requestors involved in the individual’s care do not need to provide legal proof of executorship to access decedent records under the Privacy Rule
  - Relatives with access to an individual’s health information before death can retain similar access after death

The updated Privacy Rule makes clear that information about people deceased for longer than 50 years no longer qualifies as “protected” and that nondisclosure is only required for 50 years after death.[5] This approach marks a major shift from the prior determination of the HHS that “specifying another time period” in response to criticism of its 2-year proposal “would raise many of the same concerns.”[4] In contrast, the 50-year window of protection—spanning roughly 2 generations—is intended to strike an effective balance between the competing interests of family privacy and public access.

The modified rule reflects a practical reality learned through experience with HIPAA. As time passes after a patient’s death, it can become more difficult to locate a “personal representative” authorized under the Privacy Rule to sanction disclosure of health information. This can prove frustrating to “archivists, biographers, and historians” who run into roadblocks accessing “ancient or old records of historical value.”[5] Although the Privacy Rule’s restrictions only apply to specific entities related to health care, some of these “covered entities” may warehouse historical records of legitimate interest to researchers. Archives and libraries that belong to academic medical centers may be considered part of the covered entity and bound by the Privacy Rule.[6] Moreover, even when medical facilities retire their antiquated files to centralized repositories, such records centers could reasonably be construed as “business associates,” thereby subjecting them to the HIPAA rules as well. It bears noting, however, that the new 50-year limit on protection does not constitute a records retention requirement. Health care organizations may continue purging their files according to schedule and consistent with other applicable law.[5]

Whereas an individual’s actionable privacy rights terminate on death, other privacy claims survive, notably, “family privacy concerning a family member who has died.”[7] This concept has been ratified by US court decisions that prohibit media access to both the stateside arrival of military remains and the explicit images of a suicide scene to secure the survivors’ “refuge from a sensation-seeking culture.”[7] Particularly with respect to “highly sensitive information,” including human immunodeficiency virus or AIDS status or treatment for psychiatric disorders or substance abuse, both the privacy rights of the family and the prior expectations of confidentiality of the decedent may be implicated.[5] Indeed, fear of postmortem disclosure could potentially have a chilling effect on patients’ willingness to share such information with their health care practitioners during life.[8]

Although it is difficult to pinpoint a specific expiration date for confidentiality, it is reasonable to presume that as the years pass, the tradeoff between personal and family privacy and the public interest begins to shift toward the latter, particularly with respect to historically relevant data about public figures. Certainly, the fact that personal representatives who can authorize disclosure are increasingly hard to locate with the passage of time suggests that there may be fewer individuals remaining who are intimately linked with the decedent and likely to require protection from intrusion.

Last year, when several Minnesota legislators sought access to baseball legend Lou Gehrig’s medical records from the Mayo Clinic to investigate the possible role of brain trauma in his 1941 death, Gehrig’s next of kin were difficult to identify because he had no children and his wife had died in 1984. The Mayo Clinic asserted that “patient records should remain private even after the patient is deceased,” in this instance more than 70 years later.[9] Conversely, researchers published the results of genetic studies related to former Vice President Hubert Humphrey less than 2 decades after his death. These reports proved noteworthy both medically, highlighting the potential for molecular screening to facilitate proactive intervention for bladder cancer, and historically, fueling speculation that an earlier diagnosis would have prompted Humphrey to withdraw from the 1968 presidential race.[10] In this case, Humphrey’s widow granted permission for the study and approved the manuscript before publication,[11] all of which occurred before the HIPAA legislation was enacted in 1996.

The 50-year standard is not altogether dispositive of when privacy protections end because the Privacy Rule generally yields to state law that is more stringent in restricting release. HIPAA provides “a federal floor of privacy protections,” as opposed to a ceiling.[5] For example, whereas the Privacy Rule is agnostic as to the type of health information being protected, state laws may afford perpetual and wide-ranging confidentiality to information related to human immunodeficiency virus/AIDS testing or treatment.[12] Similarly, although HIPAA makes no distinction between medical and psychiatric information (aside from “psychotherapy notes” maintained separately from the patient’s file), state statutes often treat mental health records as a specially protected category.[13] Thus, it is entirely possible that covered entities will continue to shield the records of decedents past 50 years in deference to either state law or professional guidelines that offer more robust safeguards.[5]

The new rule mandates protection for 50 years, not automatic disclosure thereafter. Therefore, the Mayo Clinic is still not obligated to release Gehrig’s records, although Mayo now must provide a reason other than HIPAA for withholding them. Humphrey’s data, meanwhile, still fall within the 50-year time frame, meaning that a medical facility currently maintaining his records would require a personal representative to approve their release, unless disclosure was otherwise authorized under HIPAA.

The flip side of family privacy is family access. Under prior versions of the Privacy Rule, individuals privy to a patient’s health information during treatment could be denied access after the patient died. Whereas those involved in the patient’s care can receive relevant information, there was until now no HIPAA provision that extended similar access once care was terminated by the patient’s death. These close relatives and friends, even when possessing health care proxies or medical powers of attorney, often did not “rise to the level” of a personal representative, whose status is derived from authority over the decedent’s estate. As a result, family members who sought to “find out about the circumstances surrounding the death of their loved ones” often faced substantial hurdles during an emotionally sensitive time.[5]

Hospitals that sought to facilitate access for such individuals were left navigating the legal dichotomy between a patient’s former caretakers and a decedent’s personal representatives. Although a decedent’s information could always be disclosed to health care practitioners for purposes of treating family members,[4] the relatives themselves were denied access to the records unless the decedent’s testamentary documents or applicable law conferred authority as a personal representative.[5]

The new rule strikes a balance between the deceased patient’s confidentiality and the valid queries of family members by limiting these relatives’ access to information relevant to their prior or ongoing involvement in the patient’s care or bills.[5] This provision mirrors the disclosure permissible during life, when access to medical records is not granted automatically but rather on a need-to-know basis related to participation in the patient’s treatment or finances.

As a practical matter, this rule change should assist health care entities in solving the dilemma they faced in the wake of a patient’s death when grieving family members sought access to the individual’s medical record or autopsy report. Under the previous regulatory system, the facility was obliged to determine whether the inquiring relative qualified as the decedent’s personal representative. This process entailed asking the requestor for the appropriate testamentary documents or otherwise determining whether applicable state law authorized certain next of kin to act on behalf of the decedent’s estate, thereby triggering HIPAA’s personal representative clause. With the modified rules, hospital staff need only seek “reasonable assurance” that the requestor was involved in the deceased patient’s care or payment.[5] Documents such as a health care proxy or medical power of attorney, which confer neither testamentary powers nor personal representative status, clearly satisfy the standard of “involvement,” but the physician may also exercise professional judgment to determine that sharing relevant details would not run contrary to the decedent’s wishes. Just as a surgeon may reasonably conclude it is beneficial to discuss a patient’s postoperative mobility restrictions with his adult child, involvement in the individual’s care can create a justifiable expectation of access to decedent health information; the Privacy Rule now explicitly recognizes this clinical reality. Furthermore, the patient can preclude postmortem disclosure to certain individuals by expressing an objection to the covered entity before death. Like virtually all HIPAA disclosure provisions, release of the information is “permitted and not required,” meaning that medical facilities can still deny access if they question the appropriateness of the request.[5]

Most important, by tying the permissible release of a decedent’s records to the family member’s involvement in the individual’s medical affairs, the modified regulation links access after death to access during life. This solution enables both adherence to the perceived wishes of the deceased and conformance to the standards of medical ethics.

Death extinguishes the cognizable privacy rights of the individual, but it does not end the ethical obligations of clinicians to their former patients. In establishing minimum standards for protecting personal health information, the HIPAA Privacy Rule does not create a new substantive privacy interest for decedents. Rather, it erects a nationwide procedural blueprint that governs the use and disclosure of medical records, including those pertaining to deceased individuals. The recently implemented changes respond to more than a decade of experience with HIPAA by minimizing some of the administrative burdens associated with the old rule, while still remaining tethered to the ethical factors that physicians should consider in determining whether to disclose medical information post mortem.[3] Specifically, the new 50-year limit recognizes the potential effect of disclosure on the decedent’s reputation and family’s sensibilities but calculates that this consideration deserves less deference after approximately 2 generations have passed. Meanwhile, the wider postmortem access granted to relatives and caregivers reflects the ethical tenet that information subject to disclosure during life should remain so after death.[3] By empowering covered entities to make commonsense judgments about sharing or withholding information based on the requestor’s involvement in care, the modified standards underscore the physician’s fundamental role in protecting the best interests of the patient, both living and deceased.

References

1. US Department of Health and Human Services. New rule protects patient privacy, secures health information [news release]. January 17, 2013. http://www.hhs.gov/news/press/2013pres/01/20130117b.html. Accessed April 17, 2013.
2. US Department of Health and Human Services. Standards for Privacy of Individually Identifiable Health Information; Proposed Rule. Fed Regist. 1999; 64: 59918-60065.
3. Council on Ethics and Judicial Affairs, American Medical Association. Opinion 5.051: confidentiality of medical information postmortem. In: Code of Medical Ethics: Current Opinions With Annotations. American Medical Association, Chicago, IL; 2012.
4. US Department of Health and Human Services. Standards for privacy of individually identifiable health information; final rule. Fed Regist. 2000; 65: 82462-82829.
5. US Department of Health and Human Services. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules; final rule. Fed Regist. 2013; 78: 5566-5702.
6. US Department of Health and Human Services, National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality. Minutes. January 11-12, 2005. http://ncvhs.hhs.gov/050111mn.htm. Accessed May 25, 2013.
7. Annas G.J. Family privacy and death—Antigone, war, and medical research. N Engl J Med. 2005; 352: 501-505.
8. Robinson D.J., O’Neill D. Access to health care records after death: balancing confidentiality with appropriate disclosure. JAMA. 2007; 297: 634-636.
9. Kaszuba M. What’s to learn from Lou Gehrig’s death? Star Tribune. October 9, 2012. http://www.startribune.com/lifestyle/health/172581481.html?refer=y. Accessed May 20, 2013.
10. Hruban R.H., van der Riet P., Erozan Y., et al. Molecular biology and the early detection of carcinoma of the bladder—the case of Hubert H. Humphrey. N Engl J Med. 1994; 330: 1276-1278.
11. Hruban R.H., van der Riet P., Sidransky D. Hubert Humphrey’s bladder cancer [letter]. N Engl J Med. 1994; 331: 880-881.
12. N Y Pub Health L §2782 (2012).
13. 740 Ill Comp Stat §110 (2012).