The following request occasionally pops up.
“You took care of my wife. She recently passed away. Can I have a copy of her records?”
HIPAA survives death. For 50 years.
The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual. This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes. During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information. With respect to family members or other persons involved in the individual’s health care or payment for care prior to the individual’s death, but who are not personal representatives, the Privacy Rule permits a covered entity to disclose the relevant protected health information of the decedent to such persons, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.
HIPAA allows the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate.
Instead of asking the requestor to produce a death certificate—which would be an awkward discussion, you can ask if they are the executor of the estate. If so, you have killed two birds with one stone. You have information to confirm that the patient is actually dead. (You’d be surprised how divorced couples might deceive to gain some type of perceived leverage…) And that the requesting individual is the proper person to receive records.
Of course, the deceased may have authorized any or all family members to have unfettered access to the records post-mortem. That works the same way as a standard HIPAA authorization document. If there’s a signed HIPAA agreement on file, then just honor that signed agreement.
What if the requesting individual had healthcare power of attorney? If that individual can make all healthcare decisions, then records can be shared with that individual. If that individual is authorized to make healthcare decisions limited to specific questions, such as artificial life support, then only those records reflecting end-of-life support can be shared.
The deeper details are below:
In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as is usually the case with a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception applies. (See below with respect to abuse, neglect or endangerment situations, and the application of State law in the context of parents and minors). Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation. For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes. Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual with respect to protected health information relevant to such personal representation (e.g., an executor of an estate has the right to access all of the protected health information of the decedent relevant to these responsibilities)
So, the practical answer to the question posed at the beginning is to ask if the requesting spouse is the executor of the estate. If so, then ask them to please send documentation thereof. Once received, you can share the full record.
What do you think?
Many years ago a patient of mine was killed in an accident. The patient’s widow requested copies of his medical records to give to the entity responsible for the accident, to determine the deceased husband’s general health and estimated lifespan and determine liability payments. The medical record had a single page in it documenting treatment for a sexually transmitted disease. Somehow this page went missing when the record was copied and sent to the deceased’s spouse.
Health care power of attorney ceased upon death so it may not apply.
If I am understanding this correctly, HIPAA instituted a requirement in 2013 that records be kept for 50 years after the patient dies.
This suggests that a physician should retain records well after they are retired, and perhaps after they are dead. That imposes a huge burden on the physician’s spouse/heirs, if there are any.
This is problematic for those of us who retired years ago, and had paper files.
When researching the topic of how long records need to be kept, and having consulted, the AMA, State medical society, the board of medicine in my state, and the malpractice carrier, the consensus, sort of was somewhere between 6-8 years. There were rumblings at that time, that Medicare wanted to keep records around forever.
It is unknown if this “regulation” from HIPAA has been challenged.
I am aware that most hospitals do not keep records that were on paper and destroy them after so many years. Additionally when converting from one electronic medical record system, to another, most hospitals cannot convert the records due to significant problems with compatibility between different medial record systems. As a result they too destroy records after a certain amount of time.
Long ago, when I was in practice I used to have the medical records department pull the medical records for a patient that was going to undergo anesthesia the next day. When the hospital went from storing records on site, to storing records off site, this was a major big deal to have someone go to that site and pull records. The paper records were of declining quality, and were themselves a health hazard as they were exposed to moisture, insects, and other critters.
Now in the era of electronic medical records, theoretically, medical records could be kept forever. Practically though, no hospital can afford to store terabytes of data indefinitely. In addition, as noted above when medical records systems change, which they do, access to old records is difficult if not impossible.
It would seem legally impossible HIPAA notwithstanding, for the retention of medical records to be placed on spouses or heirs. They are not bound by a doctor patient relationship. Moreover, the 50 year after death rule is impossible to administer, because one would have to be able to determine when a former patient died before getting rid of records.
HIPAA has been problematic with overly broad provisions such that no patient information can EVER be disclosed. Depending upon office construction, a glass panel between front office staff, and the waiting room patients, is not sound proof. Nor are the walls and doors between exam rooms. When one bills Medicare electronically, one guarantees that one will be 100% HIPAA compliant. Within the construct of an office, unless one has a “Get Smart” “Cone of Silence”, or access to a federal SCIF for sensitive compartmentalized information facility, there is no guarantee of absolute privacy. This is simply a fiction.
I was expecting given the broad overreach of HIPAA regulations that there would be a raft of lawsuits by lawyers for HIPAA violations, since the legal burden of proof is far lower than it is for malpractice.
So the HIPAA rule for retaining records for 50 years after death is absolutely impossible and impractical to enforce. Beyond that from a medical standpoint, what good is a record that is 50 years old to anyone? When I was in my early practice years, in the 1980s, I came across a medical chart from the early 1950s. The entire record said the following: “Appendicitis, removed same.” That was the entire chart.
Electronic records are almost as bad. When I have reviewed my own records from a university hospital, there are pages and pages of records that are duplicative. Most are check boxes with no narrative and tell us very little. If someone was not the former treating physician, even those records are difficult to access. HIPAA has locked down records such that even medical providers have difficulty accessing them. To get a copy of a holter monitor report, from my family physician, they could not provide me an electronic copy. I had to send a paper request and then got a multipage print out mailed to me.
The point here, is that this regulation is in essence unenforceable. Is HHS going to try to go after a physician that is dead or long retired, or has moved out of state, to retain records for more than the typical 6-8 years? Have any such cases happened?
I then looked up the HIPAA regulations:
https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html
So HIPAA requires HIPPA protections for 50 years, but not HIPAA record retention for 50 years, if one can understand the different HIPAA regs. So does that mean that a physician can talk about a patient 50 years after their death. I don’t think so.
Common sense would dictate retaining records for the generally accepted 6-8 years.
Given the requirements for privacy, it would be prudent to make sure that all records that are in a physician’s custody be destroyed upon their death. It would seem unenforceable to have spouses or heirs be required to maintain access to records. If the goal is to maintain access, a reasonable time is required. But if the physician dies (even if he was seeing patients up until his death), it would seem to be a gray area about who retains records custody after that.
I am aware of a situation, where a physician died, and the storage unit where his patient’s medical records, was emptied by the owner, for non payment. The owner dumped file boxes of medical records on the driveway of the home that the physician previously lived in with his spouse.
But his spouse did not live there any more. Fortunately one of the physician’s kids lived in the area, was made aware of the file boxes on the driveway of his childhood home, and picked them up and destroyed them. The reals world is far messier than regulations allow for.