[Editor’s note, July 2010: The Office for Civil Rights has proposed modifications to HIPAA that would ease the release of deceased patient records.]

A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?

Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.

The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.

Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.

The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.

What Did HIPAA Change?

“The problem is a lot of people don’t really understand how HIPAA operates in collaboration with the existing state regulatory framework that they live in…” says Barry Herrin, JD, FACHE, a partner with the Atlanta-based law firm Smith Moore Leatherwood LLP. “HIPAA is not the bad guy here.”

HIPAA did not create a new rule, Herrin says, and in instances where it does prevent someone from accessing patient records, generally speaking, it is reinforcing existing state laws on how deceased patient matters are handled.

HIPAA leaves it up to states to determine who qualifies as a deceased patient’s personal representative-the person who has legal rights to access another’s medical record. This is clear cut when a patient has signed a HIPAA release or named an executor to his or her estate. But when a patient dies without doing either, HIPAA defaults to state law to determine the hierarchy of rights to that person’s estate and health records.

The privacy rule states that people have the same privacy rights in death as they do in life. But it also requires that healthcare facilities must release medical records to those people either appointed by the patient or who are deemed a personal representative by state law. Because of this, Herrin says that HIPAA law can actually help authorized individuals access deceased patient’s medical records.

HIPAA also requires a covered entity to verify the identity of a person requesting protected health information as well as their authority to such access. Just because someone is related to a deceased patient does not mean they have a right to their record. “There is a difference between identity and status,” Herrin says. “You have to verify both.”

Though HIPAA federalized this requirement, the act of authenticating requestors of protected health information was being done in many facilities long before HIPAA was passed. Aurora Healthcare, based in Milwaukee, WI, updated their information release policies to include specific language about verification following HIPAA implementation. But the rule did not change their practices significantly, says Peg Schmidt, RHIA, Aurora’s chief privacy officer.

Varying State Laws

State laws can get complicated regarding who has rights to access or authorize the release of a person’s record after death.

In Utah, pre-HIPAA policy was to follow a hierarchal next-of-kin list regarding who had authorization to a deceased patient’s record. But after HIPAA was implemented, some providers felt they needed clearer direction from the state on whether it was still legal to discuss a deceased patient’s medical care with his or her spouse, says Mary Thomason, MSA, RHIA, CHPS, CISSP, privacy compliance consultant with Intermountain Healthcare, based in Salt Lake City. Because of this, Utah legislators passed specific state laws to define exactly who qualifies as the personal representative of a deceased patient.

The executor has first rights to the patient’s records. But if no executor was named, the patient’s spouse or adult child can become the deceased’s personal representative. Proving status as a personal representative requires that a person must receive a letter of appointment from a probate court.

Even though the law is relatively clear, Thomason’s facility has had to deny records requests in the past and deal with disputes. A common dispute occurs when adult siblings want to deny record access to brothers and sisters. “In that case we basically say, ‘Hey, we are not the court. Go back to the probate court and find out who gets the letter of appointment to represent the estate, and that is the person we will deal with,’” Thomason says.

The situation in Wisconsin is more complicated. In Wisconsin, different laws govern the release of records for behavioral health records and general medical records.

With behavioral health records, access rights first go to the executor of the estate. If there is no executor, the patient’s spouse has sole rights of access. If there is no spouse or executor, a “responsible member of the patient’s family” comes next, Schmidt explains.

With the general record, the patient’s personal representative and spouse or domestic partner share access rights equally. “None is higher than the other, none can cancel out the other’s authority,” Schmidt says. If those individuals do not exist, then the personal representative is defined as any adult member of the deceased patient’s immediate family, such as children, parents, grandchildren, siblings, and even spouses of siblings.

All share equal rights to the record. Discretion is left up to the healthcare staff handling the request to decide if record requestors meet state law requirements as a personal representative. No one official document is required for access.

Common Disputes

With so many people authorized to access the record in Wisconsin, verification issues can arise. At Aurora Healthcare, the burden of proof lies with the requestor. Providing that proof is not always easy, and it can lead to people being denied access.

“The verification of some of these situations becomes a little difficult,” Schmidt says. “They have to prove their relationship to the deceased, and that is not always easy for them to do.”

A spouse can present a marriage certificate, but brothers and sisters lack comparable documents that show their relationship to the deceased. “They have to be able to just prove their standing in the family and their relationship to that person any way that they feel they can,” she says. It is up to staff to decide whether someone has provided adequate proof that they are authorized to access a deceased patient’s record.

“These are just things that you do to the best of your ability,” Schmidt says. “You are always looking for that comfort feeling of ‘this feels right’ or ‘this doesn’t.’ And sometimes that is all you are left with.”

Wisconsin state law leaves the potential that legally authorized individuals could be denied deceased patients health records due to their inability to prove their authorization. However, Schmidt says the law has worked well at her facility, and she hasn’t encountered many problems with verification.

People become upset when they feel entitled to the patient’s medical record even though state law blocks their access, Thomason says. In most state law, a healthcare agent for a patient loses authority after the patient dies. If that agent was not named as an executor to the deceased patient’s estate, and is not related to the deceased, then that person is denied access, even though they most likely would feel entitled to the records.

Another common situation occurs when a patient dies and the spouse breaks all contact with the deceased’s immediate family, Schmidt says. The deceased’s siblings would not have authorization to access the records because the spouse holds all rights of access. “If the spouse really has moved on, the immediate family probably feels they have a right to that patient’s record, and technically they do not,” Schmidt says. “Those situations get hard.”

In July Wisconsin legislators amended state confidentially laws to allow domestic partners the same authority over a patient’s records as a spouse. However, the change was only for general records, and it did not affect laws governing behavioral health medical records-an oversight Schmidt says could lead to some problems.

But the change will still help with a number of situations. “Somebody who took care of someone for 20 years and suddenly loses all authority, and the family steps in and kicks them out,” she says, “we have seen that. So I think it will help some people.”

Preventing Ambiguity

The most direct way for facilities to prevent record access disputes is to require patients to sign release of information authorizations or name their personal representative upon their admittance, Herrin says. Many healthcare facilities only ask patients for the name of someone they can contact in an emergency or the person who is the responsible party on their account. These questions do not identify who may legally access their medical records.

If a patient has not declared an executor or personal representative, Herrin recommends that a patient advocate or other staff member assist in filling out the proper paper work. A HIPAA authorization form specifically identifies who can access their medical records before and after their death. This form should be filled out during or just after patient registration.

Federal law requires hospitals to ask admitted patients if they have an advance directive. Many facilities merely ask patients if they have an executor of their estate or have assigned a durable power of attorney, but they do not collect the actual advance directive documents, Herrin says. Requiring that these documents be included in the medical record on the front end can save hours of arguing if disputes arise later.

“It is that kind of preparation that HIPAA specifically allowed that people are not taking advantage of,” Herrin says. “They are treating HIPAA as a shield, instead of a sword.”

Best Practices

Unless state law dictates otherwise, healthcare facilities should require that requesters present a court-authorized document showing they have authority to see the record. A hospital is not a court, and staff should not have the responsibly of determining who has first authorization rights.

“Why should the hospital spend all its time and resources hiring a lawyer to fight this fight [between people over records],” Herrin says. “Just tell them, ‘Look, whatever court of whatever county handles disputes about who is in charge. You all go fight about it there and tell me who won.’”

HIM professionals in general err on the conservative side when releasing medical information, Schmidt says. “We are trying to err on protecting that person’s privacy, and [we] just try to make that judgment call thinking in terms of the best interest of the patient as a human being,” she says.

There are varying reasons why patients may not want family members to access their records after death. A common reason for privacy, Herrin says, is when a person is dying from a “catastrophic disease” such as HIV and does not want family members or others to know. The patient deliberately shielded his or her health information from them while alive, and that decision must be protected after death. Release of information staff should not be tempted to simply release a record rather than deal with irate requestors, Herrin says.

“If it is your medical information or your mother’s, and something happens to you or her, do you want everybody in your family poking around in that stuff?” Herrin says. “If the answer to that question is no, then you can’t be mad at HIPAA for making a person go and become the personal representative of a deceased patient’s estate. Because that is precisely what it is intended to do-to stop people from poking around in your stuff.”

Thomason can see how facilities that do not have ample access to legal council could restrict their policies rather than break the law by issuing records to an unauthorized person. But ignorance of the law is not an excuse, she says.

HIM professionals responding to a release of information request have a duty to explain why a record request is denied, Schmidt says. Aurora Healthcare keeps the state’s hierarchical chart of authority on hand for staff to reference. Facilities can also keep a sample copy of a valid court document to show requestors how to become a personal representative or executor, Thomason says.

“Part of our role is to educate the requestor on the true facts of why they can or can’t [access the record] or what the rules are,” Schmidt says. “I would sure hope we never see someone just give an outright ‘Well, it is HIPAA.’ Because that is never really the answer, directly.”

For answers to frequently asked questions on this topic, see “Accessing Deceased Patient Records—FAQ.”