Do you keep records from 1963?

PHI is now public record 50 years after death, according to the HIPAA Final Rule.

This is yet another area of the Final Rule (or Omnibus Rule) that has raised additional concerns among healthcare professionals. There seems to be a recurring trend with HHS regulations that are intended to be clear and helpful, but instead include language that is open to interpretation, leading to more confusion.

Decedent Health Information

One such area of additional concern is the Final Rule’s amendments on decedent information. There were two major changes to the way PHI is managed for deceased patients:

  • The Final Rule requires a Covered Entity to comply with the requirements of the HIPAA Privacy Rule with regard to PHI of a deceased individual for a period of 50 years following the date of death.
  • The Final Rule also permits Covered Entities to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior express preference of the individual that is known by the Covered Entity.

50 years after death, PHI becomes public record

Our initial response to this provision, as we're sure yours was too, is: who keeps records for 50 years?? We’re sure some facilities, such as historic or research-centered facilities, keep their records for many years as references or historic artifacts, but what about other facilities? Maintaining medical records can be burdensome and can exhaust an HIM department’s budget. Therefore, HIM is generally pretty eager to destroy records as soon as it is permitted to. Furthermore, state laws usually govern how long a facility is required to retain its medical records.

The strictest record retention law comes from Massachusetts:

  • Massachusetts law requires each hospital/clinic to maintain medical records for at least 20 years after the patient’s discharge or after the final treatment, while physicians are only required to maintain records for a minimum of 7 years.
  • Twenty years is definitely a significant amount of time, and much longer than any other state requires, but it is still a long way from 50.

The state with the least strict retention law is Wisconsin:

  • Wisconsin law requires all health care providers to maintain medical records for each patient and retain those records for at least 5 years.

HHS does give a few clarifications under this section of Omnibus. With respect to concerns about sensitive decedent PHI, HHS emphasizes that the 50-year period of protection under the Privacy Rule does not override or interfere with state or other laws that provide greater protection for such information. A Covered Entity may choose, or be required by such laws, to continue protecting sensitive decedent information past this 50-year period.

Lastly, HHS also clarifies that the 50-year period of protection is not a record retention requirement. The HIPAA Privacy Rule does not include medical record retention requirements and Covered Entities may destroy such records at the time permitted by state or other applicable law. However, if a Covered Entity does maintain decedent health information for longer than 50 years following the date of death, this information will no longer be subject to the Privacy Rule and is considered public record.

We'll touch on part 2 of the decedent rule next week, as I'm sure we've left you with quite a bit to mull over.