Industries & Practices

Health Care Industry

    Back

    HIPAA Privacy Regulations: General Rules for Uses and Disclosures of Protected Health Information: Deceased Individuals - § 164.502(f)

    As Contained in the HHS HIPAA Privacy Rules

    Health Information of Deceased Individuals

     

    HHS Regulations as Amended January 2013
    General Rules for Uses and Disclosures of Protected Health Information: Deceased Individuals - § 164.502(f)

     

    Standard: deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.

     

    HHS Description and Commentary From the January 2013 Amendments
    General Rules for Uses and Disclosures of Protected Health Information: Deceased Individuals

     

    Proposed Rule

    Section 164.502(f) requires covered entities to protect the privacy of a decedent’s protected health information generally in the same manner and to the same extent that is required for the protected health information of living individuals. Thus, if an authorization is required for a particular use or disclosure of protected health information, a covered entity may use or disclose a decedent’s protected health information in that situation only if the covered entity obtains an authorization from the decedent’s personal representative. The personal representative for a decedent is the executor, administrator, or other person who has authority under applicable law to act on behalf of the decedent or the decedent’s estate. The Department heard a number of concerns since the publication of the Privacy Rule that it can be difficult to locate a personal representative to authorize the use or disclosure of the decedent’s protected health information, particularly after an estate is closed. Furthermore, archivists, biographers, and historians had expressed frustration regarding the lack of access to ancient or old records of historical value held by covered entities, even when there are likely few surviving individuals concerned with the privacy of such information. Archives and libraries may hold medical records, as well as correspondence files, physician diaries and casebooks, and photograph collections containing fragments of identifiable health information, that are centuries old. Currently, to the extent such information is maintained by a covered entity, it is subject to the Privacy Rule.Accordingly, we proposed to amend § 164.502(f) to require a covered entity to comply with the requirements of the Privacy Rule with regard to the protected health information of a deceased individual for a period of 50 years following the date of death.

    We also proposed to modify the definition of “protected health information” at § 160.103 to make clear that the individually identifiable health information of a person who has been deceased for more than 50 years is not protected health information under the Privacy Rule. We proposed 50 years to balance the privacy interests of living relatives or other affected individuals with a relationship to the decedent, with the difficulty of obtaining authorizations from personal representatives as time passes. A 50-year period of protection had also been suggested at a National Committee for Vital and Health Statistics (the public advisory committee which advises the Secretary on the implementation of the Administrative Simplification provisions of HIPAA, among other issues) meeting, at which committee members heard testimony from archivists regarding the problems associated with applying the Privacy Rule to very old records. We requested public comment on the appropriateness of this time period.

    Overview of Public Comments

    The majority of public comment on this proposal was in favor of limiting the period of protection for decedent health information to 50 years past the date of death.

    Some of these commenters specifically cited the potential benefits to research. A few commenters stated that the 50-year period was too long and should be shortened to, for example, 25 years. Some supporters of limiting privacy protection for decedent information indicated that the date of death is often difficult to determine, and thus suggested an alternative time period (e.g., 75, 100, 120, 125 years) starting from the last date in the medical record, if the date of death is unknown.

    Some commenters were opposed to limiting the period of protection for decedent health information due to the continued privacy interests of living relatives as well as the decedent, particularly when highly sensitive information is involved, including HIV/AIDS status, or psychiatric or substance abuse treatment. A couple of commenters recommended that there should be no time limit on the protection of psychotherapy notes.

    One commenter expressed concern that this modification may encourage covered entities to retain records that they would not have otherwise in order to profit from the data after the 50-year period. One commenter suggested that the period of protection should be extended to 100 years, if protections are to be limited at all. A few commenters were opposed to the 50-year period of protection because they interpreted this provision to be a proposed record retention requirement.

    Final Rule

    After considering the public comments, the final rule adopts the proposal. We believe 50 years is an appropriate period of protection for decedent health information, taking into account the remaining privacy interests of living individuals after the span of approximately two generations have passed, and the difficulty of obtaining authorizations from a personal representative of a decedent as the same amount of time passes. For the same reason, we decline to shorten the period of protection as suggested by some commenters or to adopt a 100-year period of protection for decedent information. We also believe the 50-year period of protection to be long enough so as not to provide an incentive for covered entities to change their record retention policies in order to profit from the data about a decedent once 50 years has elapsed.

    With respect to commenters’ concerns regarding protected health information about decedents that is sensitive, such as HIV/AIDS, substance abuse, or mental health information, or that involves psychotherapy notes, we emphasize that the 50-year period of protection for decedent health information under the Privacy Rule does not override or interfere with State or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers. Covered entities may continue to provide privacy protections to decedent information beyond the 50-year period, and may be required to do so under other applicable laws or as part of their professional responsibility. Alternatively, covered entities may choose to destroy decedent information although other applicable law may prescribe or limit such destruction.

    We also decline to limit protections under the Privacy Rule to a certain period beyond the last date in the medical record. While we appreciate the challenges that may be present in determining the date of death of an individual in cases in which it is not sufficiently clear from the age of the record whether the individual is deceased, we believe that this determination is necessary in closer cases to protect the individual, as well as living relatives and others, who may be affected by disclosure of the information.

    Further, as we stated in the NPRM, this modification has no impact on a covered entity’s disclosures permitted under other provisions of the Privacy Rule. For example, a covered entity is permitted to disclose protected health information of decedents for research that is solely on the information of decedents in accordance with § 164.512(i)(1)(iii), without regard to how long the individual has been deceased.

    Finally, we clarify that the 50-year period of protection is not a record retention requirement. The HIPAA Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law. (We note that covered entities are subject to the accounting requirements at § 164.528 and, thus, would need to retain or record certain information regarding their disclosures of protected health information.) However, if a covered entity does maintain decedent health information for longer than 50 years following the date of death of the individual, this information will no longer be subject to the Privacy Rule.

     

    HHS Description From Original Rulemaking
    General Rules for Uses and Disclosures of Protected Health Information: Deceased Individuals

     

    We proposed to extend privacy protections to the protected health information of a deceased individual for two years following the date of death. During the two-year time frame, we proposed in the definition of “individual” that the right to control the deceased individual's protected health information would be held by an executor or administrator, or other person (e.g., next of kin) authorized under applicable law to act on behalf of the decedent's estate. The only proposed exception to this standard allowed for uses and disclosures of a decedent's protected health information for research purposes without the authorization of a legal representative and without the Institutional Review Board (IRB) or privacy board approval required (in proposed § 164.510(j)) for most other uses and disclosures for research.

    In the final rule (§ 164.502(f)), we modify the standard to extend protection of protected health information about deceased individuals for as long as the covered entity maintains the information. We retain the exception for uses and disclosures for research purposes, now part of § 164.512(i), but also require that the covered entity take certain verification measures prior to release of the decedent's protected health information for such purposes (see §§ 164.514(h) and 164.512(i)(1)(iii)).

    We remove from the definition of “individual” the provision related to deceased persons. Instead, we create a standard for “personal representatives” (§ 164.502(g), see discussion below) that requires a covered entity to treat a personal representative of an individual as the individual in certain circumstances, i.e., allows the representative to exercise the rights of the individual. With respect to deceased individuals, the final rule describes when a covered entity must allow a person who otherwise is permitted under applicable law to act with respect to the interest of the decedent or on behalf of the decedent's estate, to make decisions regarding the decedent's protected health information.

    The final rule also adds a provision to § 164.512(g), that permits covered entities to disclose protected health information to a funeral director, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are permitted both after death and in reasonable anticipation of death.

     

    HHS Response to Comments Received From Original Rulemaking
    General Rules for Uses and Disclosures of Protected Health Information: Deceased Individuals

     

    Comment: Most commenters on this topic generally did not approve of the Secretary's proposal with regard to protected health information about deceased individuals. The majority of these commenters argued that our proposal was not sufficiently protective of such information. Commenters agreed with the statements made in the preamble to the proposed rule that the privacy concerns addressed by this policy are not limited to the confidential protection of the deceased individual but instead also affects the decedent's family, as genetic information and information pertinent to hereditary diseases and risk factors for surviving relatives and direct family members may be disclosed through the disclosure of the deceased individual's confidential data. It was argued that the proposal would be inadequate to protect the survivors who could be negatively affected and in most cases will outlive the two-year period of protection. A number of medical associations asserted that individuals may avoid genetic testing, diagnoses, and treatment and suppress information important to their health care if they fear family members will suffer discrimination from the release of their medical information after their death. One commenter pointed out that ethically little distinction can be made between protecting an individual's health information during life and protecting it post-mortem. Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information. A few commenters asked that we provide indefinite protection on the protected health information about a deceased person contained in psychotherapy notes. One commenter asked that we extend protections on records of children who have died of cancer for the lifetime of a deceased child's siblings and parents.

    The majority of commenters who supported increased protections on the protected health information about the deceased asked that we extend protections on such information indefinitely or for as long as the covered entity maintains the information. It was also argued that the administrative burden of perpetual protection would be no more burdensome than it is now as current practice is that the confidentiality of identifiable patient information continues after death. A number of others pointed out that there was no reason to set a different privacy standard for deceased individuals than we had for living individuals and that it has been standard practice to release the information of deceased individuals with a valid consent of the executor, next of kin, or specific court order. In addition, commenters referenced Hawaii's health care information privacy law (see Haw. Rev. Stat. section 323C-43) as at least one example of a state law where the privacy and access provisions of the law continue to apply to the protected health information of a deceased individual following the death of that individual.

    Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.

    For purposes of this regulation, this means that, except for uses and disclosures for research purposes (see § 164.512(i)), covered entities must under this rule protect the protected health information about a deceased individual in the same manner and to the same extent as required for the protected health information of living individuals. This policy alleviates the burden on the covered entity from having to determine whether or not the person has died and if so, how long ago, when determining whether or not the information can be released.

    Comment: One commenter asked us to delete our standard for deceased individuals, asserting that the deceased have no constitutional right to privacy and state laws are sufficient to maintain protections for protected health information about deceased individuals.

    Response: We understand that traditional privacy law has historically stripped privacy protection on information at the time the subject of the information dies. However, as we pointed out in the preamble to the proposed rule, the dramatic proliferation of electronic-based interchanges and maintenance of information has enabled easier and more ready access to information that once may have been de facto protected for most people because of the difficulty of its collection and aggregation. It is also our understanding that current state laws vary widely with regard to the privacy protection of a deceased individual's individually identifiable health information. Some are less protective than others and may not take into account the implications of disclosure of genetic and hereditary information on living individuals. For these reasons, a regulatory standard is needed here in order to adequately protect the privacy interests of those who are living.

    Comment: Another commenter expressed concern over the administrative problems that the proposed standard would impose, particularly in the field of retrospective health research.

    Response: For certain research purposes, we permit a covered entity to use and disclose the protected health information of a deceased individual without authorization by a personal representative and absent review by an IRB or privacy board. The verification standard (§ 164.514(h)) requires that covered entities obtain an oral or written representation that the protected health information sought will be used or disclosed solely for research, and § 164.512(i)(1)(iii) requires the covered entity to obtain from the researcher documentation of the death of the individual. We believe the burden on the covered entity will be small, because it can reasonably rely on the representation of purpose and documentation of death presented by the researcher.

    Comment: A few commenters argued that the standard in the proposed rule would cause significant administrative burdens on their record retention and storage policies. Commenters explained that they have internal policy record-retention guidelines which do not envision the retention of records beyond a few years. Some commenters complained about the burden of having to track dates of death, as the commenters are not routinely notified when an individual has died.

    Response: The final rule does not dictate any record retention requirements for the records of deceased individuals. Since we have modified the NPRM to cover protected health information about deceased individuals for as long as the covered entity maintains the information, there will be no need for the covered entity to track dates of death.

    Comment: A few commenters voiced support for the approach proposed in the proposal to maintain protections for a period of two years.

    Response: After consideration of public comments, we chose not to retain this approach because the two-year period would be both inadequate and arbitrary. As discussed above, we agree with commenter arguments in support of providing indefinite protection.

    Comment: A few commenters expressed concern that the regulations may be interpreted as providing a right of access to a deceased's records only for a two-year period after death. They asked the Department to clarify that the right of access of an individual, including the representatives of a deceased individual, exists for the entire period the information is held by a covered entity.

    Response: We agree with these comments, given the change in policy discussed above.

    Comment: A few commenters suggested that privacy protections on protected health information about deceased individuals remain in effect for a specified time period longer than 2 years, arguing that two years was not long enough to protect the privacy rights of living individuals. These commenters, however, were not in agreement as to what other period of protection should be imposed, suggesting various durations from 5 to 20 years.

    Response: We chose not to extend protections in this way because specifying another time period would raise many of the same concerns voiced by the commenters regarding our proposed two year period and would not reduce the administrative burden of having to track or learn dates of death. We believe that the policy in this final rule extending protections for as long as the covered entity maintains the information addresses commenter concerns regarding the need for increased protections on the protected health information about the deceased.

    Comment: Some commenters asserted that information on the decedent from the death certificate is important for assessment and research purposes and requested that the Department clarify accordingly that death certificate data be allowed for use in traditional public health assessment activities.

    Response: Nothing in the final rule impedes reporting of death by covered entities as required or authorized by other laws, or access to death certificate data to the extent that such data is available publicly from non-covered entities. Death certificate data maintained by a covered entity is protected health information and must only be used or disclosed by a covered entity in accordance with the requirements of this regulation. However, the final rule permits a covered entity to disclose protected health information about a deceased individual for research purposes without authorization and absent IRB or privacy board approval.

    Comment: A few commenters asked that we include in the regulation a mechanism to provide for notification of date of death. These commenters questioned how a covered entity or business partner would be notified of a death and subsequently be able to determine whether the two-year period of protection had expired and if they were permitted to use or disclose the protected health information about the deceased. One commenter further stated that absent such a mechanism, a covered entity would continue to protect the information as if the individual were still living. This commenter recommended that the burden for providing notification and confirmation of death be placed on any authorized entity requesting information from the covered entity beyond the two-year period.

    Response: In general, such notification is no longer necessary as, except for uses and disclosures for research purposes, the final rule protects the protected health information about a deceased individual for as long as the covered entity holds the record. With regard to uses and disclosures for research, the researcher must provide covered entities with appropriate documentation of proof of death, the burden is not on the covered entity.

    Comment: A few commenters pointed to the sensitivity of genetic and hereditary information and its potential impact on the privacy of living relatives as a reason for extending protections on the information about deceased individuals for as long as the covered entity maintains the information. However, a few commenters recommended additional protections for genetic and hereditary information. For example, one commenter suggested that researchers should be able to use sensitive information of the deceased but then be required to publish findings in de-identified form. Another commenter recommended that protected health information about a deceased individual be protected as long as it implicates health problems that could be developed by living relatives.

    Response: We agree with many of the commenters regarding the sensitivity of genetic or hereditary information and, in part for this reason, extended protections on the protected health information of deceased individuals. Our reasons for retaining the exception for research are explained above.

    We agree with and support the practice of publishing research findings in de-identified form. However, we cannot regulate researchers who are not otherwise covered entities in this regulation.

    Comment: One commenter asked that the final rule allow for disclosure of protected health information to funeral directors as necessary for facilitating funeral and disposition arrangements. The commenter believed that our proposal could seriously disrupt a family's ability to make funeral arrangements as hospitals, hospices, and other health care providers would not be allowed to disclose the time of death and other similar information critical to funeral directors for funeral preparation. The commenter also noted that funeral directors are already precluded by state licensing regulations and ethical standards from inappropriately disclosing confidential information about the deceased.

    Further, the commenter stated that funeral directors have legitimate needs for protected health information of the deceased or of an individual when death is anticipated. For example, often funeral directors are contacted when death is foreseen in order to begin the process of planning funeral arrangements and prevent unnecessary delays. In addition, the embalming of the body is affected by the medical condition of the body.

    In addition, it was noted that funeral directors need to be aware of the presence of a contagious or infectious disease in order to properly advise family members of funeral and disposition options and how they may be affected by state law. For example, certain states may prohibit cremation of remains for a certain period unless the death was caused by a contagious or infectious disease, or prohibit family members from assisting in preparing the body for disposition if there is a risk of transmitting a communicable disease from the corpse.

    Response: We agree that disclosures to funeral directors for the above purposes should be allowed. Accordingly, the final rule at § 164.512(g)(2) permits covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are also permitted prior to, and in reasonable anticipation of, the individual's death.

    Comment: Several commenters urged that the proposed standard for deceased individuals be clarified to allow access by a family member who has demonstrated a legitimate health-related reason for seeking the information when there is no executor, administrator, or other person authorized under applicable law to exercise the right of access of the individual.

    Another commenter asked that the rule differentiate between blood relatives and family members and address their different access concerns, such as with genetic information versus information about transmittable diseases. They also recommended that the regulation allow access to protected health information by blood-related relatives prior to the end of the two-year period and provide them with the authority to extend the proposed two-year period of protection if they see fit. Lastly, the commenter suggested that the regulation address the concept of when the next-of-kin may not be appropriate to control a deceased person's health information.

    Response: We agree that family members may need access to the protected health information of a deceased individual, and this regulation permits such disclosure in two ways. First, a family member may qualify as a “personal representative” of the individual (see § 164.502(g)). Personal representatives include anyone who has authority to act on behalf of a deceased individual or such individual's estate, not just legally-appointed executors. We also allow disclosure of protected health information to health care providers for purposes of treatment, including treatment of persons other than the individual. Thus, where protected health information about a deceased person is relevant to the treatment of a family member, the family member's physician may obtain that information. Because we limit these disclosures to disclosures for treatment purposes, there is no need to distinguish between disclosure of information about communicable diseases and disclosure of genetic information.

    With regard to fitness to control information, we defer to existing state and other laws that address this matter.