The Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) contains the HIPAA Privacy and Security rules. On January 25, 2013, the U.S. Department of Health and Human Services modified the HIPAA Privacy, Security, Enforcement and Breach Notification Rules to add additional protections and to improve workability, effectiveness and flexibility and to reduce the burden for regulated entities. It also implemented section 105 of Title I of the Genetic Information Nondiscrimination Act (GINA) to strengthen protections for genetic information. Those amended rules became effective on March 26, 2013.
HIPAA has long addressed disclosure restrictions for HIPAA-protected health information (PHI). On April 9, 2013, the U.S. Court of Appeals for the 11th Circuit affirmed the Northern District of Florida holding that a Florida statute was preempted by HIPAA and its implementing regulations. The Florida statute permitted licensed nursing homes to release a former deceased resident's medical records to the spouse, guardian, surrogate or attorney in fact without need for a HIPAA authorization and without regard to the authority of the individual making the request to act in the deceased resident's stead. The Court interpreted the law to authorize sweeping disclosures "for any conceivable reason" or no reason at all.
The original action, seeking a declaratory judgment that the Florida statute was preempted by HIPAA, was brought by various nursing home facilities which had refused to release the residents' medical records to the requesting parties because they were not "personal representatives" under HIPAA. The District Court ruled in favor of the nursing homes and the state appealed. The U.S. Court of Appeals, in its ruling affirming the District Court's decision, noted that amendments to HIPAA, referenced above, had been enacted pending the appeal. However, it found the amendments were largely immaterial to the issue before the Court.
The state contended on appeal that the provisions of the Florida law did not impede the goals of HIPAA and should not be preempted. It argued that the Florida statute empowers an individual to act on the deceased resident's behalf and meets the definition of "personal representative" under HIPAA. The nursing homes argued otherwise.
The District Court agreed with the nursing homes and the U.S. Court of Appeals affirmed. The HIPAA rule regarding disclosure of a deceased individual's PHI limits disclosure to narrowly delineated circumstances. The time limitation stating that a deceased person's record was protected for a period of 50 years following the death of the individual was not contained in the HIPAA rule until the January 25, 2013 amendments, which became effective March 26, 2013. However, the protection against disclosure as permitted under the broad Florida law did apply under the HIPAA rules in effect when the action was brought. HIPAA treats a personal representative as the protected deceased individual for purposes of the disclosure requirements under HIPAA. See, 45 CFR 164,502 (f) and (g). 45 CFR 164.502(g)(4) provides that "[i]f under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a 'personal representative'…" under the HIPAA rules with respect to PHI. 45 CFR 164.510 already delineated a covered entity's permitted use and disclosure of PHI subject to an individual's advance notice and right to agree or object. 45 CFR 164.510(b) delineated the circumstances under which a covered entity could disclose PHI directly relevant to family members, other relatives, close personal friends or others identified by the individual, or involved in the care or payment for the health care of the individual. The recent HIPAA amendment adds a provision that a covered entity may disclose to a family member, or other relatives, close personal friends of the individual or any other persons identified by the individual who were involved in the individual's care or payment for health care prior to the individual's death, PHI of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. See, 45 CFR 164.510(b)(5).
Therefore, the Court concluded the regulation permits disclosure to personal representatives as defined under the Rule and to two other groups of people: (1) those involved in the deceased individual's health care, and (2) those who paid for the deceased individual's health care.
As it relates to the other two groups of people, covered entities may disclose only PHI that is relevant to such person's involvement; i.e., information that is relevant to the care of the deceased individual or to the payment of the deceased individual's health care costs. The Court also recognized that the HIPAA rule, 45 CFR 164.512(a)(1), permits a covered entity to use and disclose PHI as "required by law." While the State argued that the Florida law permitted such a disclosure required by Florida law, it only raised this argument on appeal. The Court declined to consider the argument for the first time on appeal.
Nursing homes and other providers and suppliers are cautioned when receiving requests for deceased resident or patient medical records or other PHI to carefully determine whether disclosure is authorized under the HIPAA rule and applicable state law. They should also remember that the HIPAA disclosure protection now applies for a period of 50 years.