Under the new HIPAA Final Rule, CE's may now disclose PHI to persons involved in the decedent's care or payment.
This new regulation has brought about a lot of concern from Covered Entities in regards to the protection of their PHI. How will a Covered Entity be able to prove that an individual was involved in the care or payment of the deceased patient, and is that burden of proof left up to the Covered Entity or to the inquiring individual/family member? Either way, this creates another layer of management and oversight for the CE.
In response to some of the opposition to this regulation, HHS stated that they believe the provision strikes the appropriate balance in allowing communications with family members and other persons who were involved in the individual’s care or payment for care prior to death, unless doing so is inconsistent with the prior expressed wishes of the individual.
It is important that HHS included the patient’s prior expressed wishes, but what if the individual died unexpectedly and was not able to notify the Covered Entity to whom they did or did not want their records to be released to? This new provision under the Final Rule seems to make it easier for a family member to have access to records when the deceased patient may not have had the chance to express their wishes. This can be positive if the individual should in fact receive the records, but it may also be negative if the individual should not have access to the records.
One positive clarification that HHS makes is that the Privacy Rule limits such disclosures to the protected health information relevant to the family member or other person’s involvement in the individual’s health care or payment for health care. A family member may be able to receive information surrounding the death of the decedent. Similarly, the individual assisting to wrap up the decedent’s estate may receive billing information for the decedent. However, in these cases the provider generally should not share information about any past or unrelated medical problems.
Finally, HHS states that these disclosures are permitted and not required, and thus, a Covered Entity that questions the relationship of the person to the decedent or otherwise believes, based on circumstances, that disclosure of the decedent's PHI would not be appropriate, is not require to make the disclosure.
It is clear that HHS was trying to improve the release of information process for decedent records by allowing family members that require certain PHI of the decedent to receive it. However, this “improvement” seems to have come with quite a bit of disapproval from HIM professionals. Protecting patient privacy is most important to Covered Entities, but they are afraid that this new regulation may now jeopardize the privacy of their decedent PHI.
So, is it better to be overcautious and refuse to release records until hard evidence proves the involvement or care of the family member? Or will this refusal lead to even more headaches for Covered Entities? In both scenarios, it's likely a legal representative will have to become involved.