Call: (407) 331-6620 or (850) 439-1001
Toll-free: (888) 331-6620
Menu
Call: (407) 331-6620 or (850) 439-1001
Toll-free: (888) 331-6620
By Michael L. Smith, J.D., R.R.T.
The original HIPAA privacy regulations issued in 2000, required a covered entity to maintain the confidentiality of protected health information for as long as the covered entity held the protected health information. Essentially, health care providers were required to maintain the confidentiality of a deceased patient’s records until the health care provider destroyed the record. In the days of paper medical records, health care providers routinely destroyed patient records for most patients after several years. With the advent of electronic records health care providers are maintaining patient records significantly longer.
Recently, the HIPAA regulations were revised and now provide that a health care provider must maintain the confidentiality of a deceased patient’s records for a period of 50 years following the death of the individual. Consequently, covered entities need to know who may authorize the release of a deceased patient’s protected health information.
The HIPAA regulations provide that upon the death of an individual, the executor, administrator, or other person authorized under applicable law to act on behalf of the decedent’s estate becomes the person able to authorize the release of protected health information. Very often the personal representative is the former spouse or other immediate family member of the deceased patient. However, covered entities need to know that only the “person authorized by law” may authorize the disclosure of protected health information. Many a covered entity has been caught in the middle of family disputes when a legally appointed personal representative is at odds with the deceased patient’s immediate family members. The covered entity should require the personal representative to produce a letter of administration or other legal authority showing the personal representative is the “person authorized under applicable law” to act in behalf of the deceased patient.
Generally, a covered entity cannot rely upon a healthcare advance directive or other document granting authority to a particular individual to authorize the disclosure of protected health information once the patient dies. Most authorizations granted by a patient during their life expire upon their death. Even a durable power of attorney that is intended to survive the death of the patient is limited to the specific powers granted in the power of attorney. The revised HIPAA regulations include a new provision that allows a covered entity to disclose the protected health information of a deceased patient to a family member or a close friend that was involved in the care of the deceased individual that is relevant to such person’s involvement in the care of the deceased individual unless the disclosure is inconsistent with a prior expressed preference of the deceased individual.
Finally, health care providers need to remember that HIPAA is the minimum requirement. They may be required to adhere to more stringent standards by the laws of their individual states.
Health care providers must maintain the confidentiality of the protected health information of their patients even after the patient is deceased. They should determine that the person requesting the release of protected health information of a deceased individual is the person authorized by law to act on behalf of the deceased patient before releasing protected health information.
Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.
This article was originally published in Advance for Respiratory Care and Sleep Medicine.
Main Office • 1101 Douglas Avenue, Suite 1000, Altamonte Springs, FL 32714 Telephone: (407) 331-6620
By Appointment • 37 N. Orange Avenue, Suite 500, Orlando, FL 32801 Telephone: (888) 331-6620
By Appointment • 201 E. Government Street, Pensacola, FL 32502 Telephone: (850) 439-1001 Telefax: (407) 331-3030
By Appointment: 201 St. Charles Avenue, Suite 2500, New Orleans, LA 70170
By making this website information available for those who access it does not constitute doing business in or having a presence in any state or jurisdiction, nor does it constitute an advertisement sent to or a solicitation made in any state or jurisdiction. This firm is located in and maintains a presence in only those states where the firm maintains an actual physical office. Its attorneys are only admitted to practice in those states specifically listed on their resumes.
Available in the following states: Alabama, Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming
Disclaimer | Terms of Representation
“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2024 The Health Law Firm. All rights reserved.