Health Data, Privacy and Security

How to Avoid Inappropriate Disclosures of Deceased Patient Records

Consider these scenarios:  

A 22-year-old woman dies in a car accident, and her parents want to access her medical record to understand her injuries.  

A 35-year-old man dies after a medical error, and his brother wants access to his record so he can file a wrongful death lawsuit.  

A 40-year-old woman dies suddenly, and her long-time (but unmarried) partner wants access to her record for closure. 

While these may seem like cases where it is reasonable to fulfill requests, that’s not necessarily the case, say health information experts. As with any release of information (ROI) request, you still need to validate the requestor’s identity and authority — a multi-step process during which staff must consider the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, state laws, organization-specific policies, and more. 

Every scenario is different. In some cases, requestors may need to go to probate court and become executors of the decedent’s estate. In others, the request for access must originate from a different individual. And in some cases, the requestor may have no legal right to access the record at all. 

“The most common mistake ROI staff make with all records — not just those of deceased patients — is in over-releasing information. They give access when they shouldn’t, just to avoid a hassle,” says Barry Herrin, CHPS, FAHIMA, FACHE, founder of Herrin Health Law in Atlanta. 

Laurie A. Rinehart-Thompson, JD, RHIA, CHP, FAHIMA, program director and professor of the health information management systems program at the Ohio State University, agrees. “A significant compliance vulnerability is providing access to the record without any legal basis on which to do so,” she says. “However, blocking appropriate access has become a major legal concern as well.” 

Education, Planning Help Promote Compliance 

How can ROI staff avoid inappropriate disclosures of medical records for deceased patients? 

First, staff should differentiate between who should have access and who does have access under the HIPAA Privacy Rule, applicable laws, and any other relevant internal policies, says Herrin.

Per HIPAA, covered entities may release a decedent’s medical record to their “personal representative.” This is a legal designation for someone able to exercise the decedent’s right to access protected health information (PHI) in a covered entity’s designated record set. 

Ideally, the decedent would have created a will or trust before death in which they secured this designation by naming someone executor or administrator of their estate. These documents are not the same as a Living Will or Durable Power of Attorney (DPOA), which have legal force and effect only while the patient is alive.

However, in the absence of a will or trust naming an executor or administrator of the estate, ROI staff must review state law to determine who can access the medical record of a deceased patient, Herrin says. 

“There’s a whole hierarchy of succession under most state laws that usually begins with the surviving spouse, children, parents, and then siblings,” says Richelle Marting, JD, MHSA, RHIA, attorney at Marting Law, LLC in Olathe, KS. For mental health records, there may be other state- and federal-specific laws and regulations to consider as well, she says. 

“When you get into these nuances, it’s easy to see how it could take an hour or more to do this research and make the right decisions,” says Marting. 

For example, while a DPOA may be able to access the record while the patient is living, the executor of the estate (if identified) gains access once the patient dies, and the DPOA’s access becomes null and void. This is relevant when the two individuals are not the same person, says Herrin. 

Estranged relationships add a layer of complexity, says Marting. “For example, if you have evidence that the patient trusted the person they named DPOA more than they trusted their next of kin, it’s reasonable to make a professional judgment to provide the DPOA with access to the medical record should they request it.” 

How would ROI staff know this?  

They might not — and that’s okay because there’s no requirement to investigate relationships, says Marting. But it’s always a good idea to get providers in the habit of documenting whether there are family dynamics of which staff must be aware, she adds.  

“You need a process for this — where and how you document it — so physicians, nurses, billing, and ROI folks don’t need to dig through the narrative language of every note to figure it out,” says Marting. “There should be a designated spot in the record so that after the patient passes away, you can continue to use that information as a quick check and part of your due diligence to ensure you’re making a prudent professional decision in terms of sharing information about a deceased individual.”  

Many organizations also have designated team members with advanced HIPAA or ROI training who can help answer non-routine questions, says Marting. “The organization’s privacy officer is also a great point of contact when handling deceased patient records. Legal counsel can also be helpful when reviewing information to provide a recommendation on how to proceed,” she adds. “If an organization doesn’t have legal counsel, it may be able to leverage professional associations like medical societies or specialty organizations for resources to help answer questions.” 

An ROI Policy Is Paramount 

The decision of where and how to document information about estranged relationships should be part of a larger ROI policy that includes specific workflows for deceased patient records, says Marting.  

For example, one organization might rely on an affidavit that the requestor has the authority to access the record, while another might take a more conservative approach, requiring copies of advance care planning documents or the requestor’s birth certificate, she adds.

“We have to take reasonable steps to verify the requestor’s identity and authority, but at the same time, we can’t take so many steps that we are blocking an authorized person from exercising their right to view or inspect the record,” says Marting. “There needs to be a balance.” 

With that said, if the patient didn’t pass away in the facility, it may also be reasonable to require the death certificate to establish the patient is deceased, she says. “The death certificate also often identifies the next of kin, so this can be another source of information on which you can reasonably rely when releasing records.” 

In addition, the policy should address how organizations will handle the patient portal after a patient dies — namely whether they will close it upon notification of a patient’s death. “Closing the portal is a really wise step because it would be very easy for someone without the right identity or authority to access this information,” says Marting. 

Herrin agrees. “If a patient dies in your facility, you can immediately shut down the portal. It’s easy to do this if you build it into your workflow,” he says. 

An ROI policy should also address the release of a decedent’s PHI when that information is relevant to a surviving family member’s healthcare, says Rinehart-Thompson. For example, the medical record of a 50-year-old woman who died of colon cancer may provide valuable information for the well-being and longevity of her children and siblings. One exception to the HIPAA authorization requirement is disclosures made for treatment, payment, and healthcare operations. This includes disclosures of information that pertains to the treatment of someone else when that disclosure is made directly to the treating provider for the benefit of others who may share genetic or environmental risk factors.  

Know How to Handle PHI 50 Years after a Patient’s Death 

One major change with the Health Information Technology for Economic and Clinical Health Act (HITECH) is that PHI is no longer considered PHI 50 years after an individual dies. Although there’s no legal obligation under HIPAA to protect that information as though it were still PHI, this doesn’t mean that state laws applying to medical records or to the records of a deceased person do not apply, says Herrin. The only exception is when the state law definition of PHI is linked to a determination that the information is considered PHI under federal law, he adds. 

But do organizations keep records that long anyway? In other words, is this even an issue? 

“It is more likely that organizations will retain electronic records longer than they retain paper records because electronic records don’t consume the same amount of space. In addition, think of the longitudinal possibilities of the data,” says Rinehart-Thompson. “However, organizations also need to consider this: With retention comes liability if records are breached. Records should not be retained if there isn’t a reason to retain them other than technological capability. A question is whether hospitals and other covered entities will protect patient information as though it’s PHI once it exceeds the 50-year point.” 

Marting says they might want to consider it — regardless of whether state or federal law requires it. “If there are any issues about the use or disclosure of it, following your ROI policy for PHI is a defense you can raise,” she adds. “Also, to protect health information regardless of its age may make protection of all health information easier because staff only have one set of rules to follow and remember.”

If an organization plans to retain records past the 50-year mark after a patient’s death, it should address this proactively in its contracts with vendors that access, create, receive, maintain, or transmit any patient information, says Marting. Specifically, the contract should specify what will happen to the data if that vendor goes out of business, meaning whether the vendor will return the data to the organization or destroy it.

Legal requirements aside, there’s a customer service component to these requests that ROI staff must keep in mind, says Rinehart-Thompson.

“For example, rather than simply saying your request can’t be completed because it didn’t meet legal requirements, you could instruct people to contact an attorney or the probate court for more information or refer the request to the next of kin,” she adds. “We need to help people understand how to navigate this.” 

Lisa A. Eramo, MA, is a freelance healthcare writer based in Cranston, RI.