DEALING WITH DECEASED PATIENTS' MEDICAL RECORDS
By: Denise L. Sanders, Esq.
Unless involved in performing autopsies, most physicians generally do not consider the liability that exists from the way patients are treated after they die. However, at a time when many different areas of law can apply to the same issue, it is important to understand how to deal with a patient’s medical records once he passes away.
The main body of law that governs patient records is the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule, which requires a covered entity (which includes a physician and/or medical practice) to protect the medical records, or “Protected Health Information” (“PHI”), of a patient. This obligation continues even post-mortem, and is quite similar to the obligation that exists when a patient is still alive. The primary, and obvious, distinction is that authority over records can no longer belong to a deceased patient. Upon death, this authority gets transferred to the patient’s “personal representative.” Under 45 CFR § 164.502(g)(4), a covered entity must treat a person as a personal representative, “If under applicable law an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual’s estate.”
A personal representative is generally appointed in a will, where an individual selects the person to carry out her wishes at death. This person is then granted either a letter testamentary or a letter of administration. If a personal representative has been appointed, it is important to note that authorization to release records then lies only with that person, who may be someone other than a former spouse or another family member. In fact, even if a decedent had provided a surviving party with a separate form granting authorization to obtain or grant disclosure of medical records, there is risk in relying on that as continuing authority. Even though the actual person whose records are at issue granted authority to another person to obtain or release the deceased’s records, technically that person loses authority to the appointed representative immediately upon death. To avoid this conflict, a separate authorization should be included from the deceased’s representative for any further disclosure of the patient’s PHI. Any use or disclosure that has already been made in reliance on the now deceased patient’s authorization is valid, however.
If an individual dies without appointing a personal representative in a will, then state intestacy laws govern. In New Jersey, this authority would automatically first pass either to a surviving spouse or a surviving domestic partner, who receives the same treatment for these purposes under New Jersey law. To officially become appointed through intestate law, a party must first consent to the responsibility. (See N.J.S.A. 10:3B-2.)
Since privacy laws were created to protect patients from having their personal histories made public in ways against their wills, exceptions were created to avoid preventing professionals from carrying out their jobs in good faith. For example, health care providers can exchange the PHI of a deceased patient among one another if the purpose is to treat another patient, mainly in the case of a relative with a potentially similar genetic makeup. Also, in the event that covered entities want to notify family members or representatives of a death, or need to identify deceased persons to establish the cause of death, authorization is likewise not required. Some additional exceptions for professionals permit funeral directors, organ procurement organizations, and law enforcement personnel to obtain information consistent with carrying out their jobs.
Beyond these carefully carved out exceptions, PHI can also be transferred under the umbrella of research, but only if the researcher provides a covered entity with assurance that the information will strictly be used for, and is necessary for, research on the PHI of decedents, and provides supporting documentation to confirm the death of the individual.
Perhaps the most unnerving requests for medical records are those associated with any pending or future litigation. PHI requested for purposes of litigation is subject to an entirely different set of very specific rules, the precise details of which are beyond the scope of this article, but physicians should always first ensure that the PHI requested for legal proceedings can legally be disclosed. If a physician is a party to the litigation (e.g., a defendant in a medical malpractice suit or plaintiff in a suit for reimbursement), PHI can be used or disclosed as part of the physician’s “health care operations” (See 45 CFR 164.501), including for the purpose of justifying a particular course of treatment. However, physicians can only offer this information for that narrowly defined purpose.
When a physician is not a party to the litigation, and consent cannot be obtained to release PHI, physicians are again charged with the burden of making reasonable efforts to ensure that the PHI is being used only for the narrow purpose that it was intended for. The specific intentions can be found by reading the original requesting document, which may appear in various forms including a subpoena or court order. Moreover, when responding to a subpoena, covered entities must confirm that efforts have been made to inform the patient that a request has been made for disclosure of her medical records and that the patient has been given sufficient time to respond or object. In the event that the party to whom the records apply is deceased, efforts to locate and notify the representative should then be undertaken instead.
Even after patients die, physicians and covered entities can still face liability for them. This article is intended to make healthcare professionals aware of these risks and to serve as a general guideline for dealing with requests for the PHI of a deceased patient. This article does not offer any legal advice and should not be relied on for such. Prior to sending any records or taking any action that could be governed under HIPAA, it is suggested that physicians consult their personal attorney.
Kern Augustine Conroy & Schoppmann, P.C., Attorneys to Health Professionals, www.DrLaw.com. The firm’s practice is solely devoted to the representation of health care professionals. The author of this article may be contacted at 1-800-445-0954 or via email at email@example.com.