There are many reasons that someone might request medical records for a deceased person, but these requests can be tricky. Learn what you need to know to stay compliant and handle the job right!
Even though the person with medical records is now deceased, their information privacy rights live on in the form of HIPAA (Healthcare Insurance Portability and Accountability Act). It is important for those who work with medical records to understand the law surrounding records of the deceased, as these situations can become confusing and frustrating to individuals.
The HIPAA privacy rule governs to whom and for what reason medical information can be disclosed to another individual, or another covered entity (a medical provider or organization covered under HIPAA), for fifty years following death. Within those fifty years, the personal representative of the deceased, such as a surviving spouse or the executor of an estate, may authorize certain uses and access to the information.
After fifty years has passed following death, any records, case files, or photographs with identifiable health information can be disclosed without regard to HIPAA. This happens in the case of historical study, genealogy, and research.
After death, a patient’s protected health information is generally treated the same as if they were living, except in the case of a number of special disclosures that are relevant to deceased individuals. These are:
Most of the time a covered entity can release records to a family member or other person who was involved in the decedent’s healthcare or payment for care prior to death. This may include spouses, relatives, domestic partners, parents, children, other relatives, or friends. The records that can be disclosed are those which are relevant to the person’s involvement in the decedent’s care or payment for care. In addition, the covered entity may disclose PHI to notify a family member or other named personal representative of the decedent of the patient’s location, condition, and death.
It is important for the covered entity (hospital or similar) to verify that there is no documentation in the record preventing such disclosure of information to this individual. For example, if a patient had expressly prevented disclosure of information to a certain relative, then the covered entity must continue to honor that request.
For record requests for health information that are not relevant to care or payment, a covered entity must obtain a signed, written HIPAA authorization from a personal representative who can legally authorize the disclosure of all of the protected health information.
According to the HIPAA Privacy Rule, a personal representative of a deceased individual is defined as:
Legally, the medical records department is required to verify the legal authority of a requestor – whether that is a person or another entity (such as a hospital or law office).
Although exact documentation can vary from state to state, the following items are almost always needed:
Some states use a hierarchy of persons based on their relationship with the decedent to establish legal next of kin. This typically begins with the current spouse, then moves to adult children, parents, and siblings. The medical records department of each covered entity should know the exact law for the state and follow that hierarchy.
RecordQuest is a release of information service (ROI) that partners with hospitals across the nation. We simplify the process with knowledgeable, expert staff, while ensuring that all legal requirements are met. Need help efficiently meeting requests for records? Contact us for more information about how we can help.