When does old family medical history lose HIPAA protection?

According to the Department of Health and Human Services, “When a covered health care provider, in the course of treating an individual or otherwise, collects an individual’s family health history, this information becomes part of the individual’s medical or other record and is treated as protected health information about the individual and not about the family member(s). Thus, even where an individual’s family health history includes information about family members who have been deceased for more than 50 years, the information is protected under the Privacy Rule as the health information of the individual.”

 

Post-death protection period

The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual. 

 

Access to deceased individuals' records

According to the American Medical Association, a patient’s designated personal representative or legal executor of their estate has a right by law to access and copy the deceased’s medical records. To request access to the deceased’s medical records, the designated personal representative or executor of the estate will typically need to present the following to establish proof of authorization:

• documentation verifying personal representative status or estate executorship;

• the patient’s death certificate; and

• completed medical records request form.

 

Historical medical records and research

For medical records that are over 50 years old, researchers and historians may access them without authorization. This provision facilitates historical research while still maintaining privacy for more recent records.

However, before the end of the 50-year period, the University of Colorado’s Office of Regulatory Compliance states, “To use or disclose PHI of the deceased for research, covered entities are not required to obtain authorization from the personal representative or next of kin, a waiver or an alteration of the authorization, or a data use agreement. However, the covered entity must obtain from the researcher who is seeking access to the decedent’s PHI: 1) oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents, 2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and 3) documentation, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.”

 

Family medical history considerations

When it comes to family medical history:

  • Current medical records that contain family history information remain protected
  • Information shared verbally within families isn't covered by HIPAA
  • Genetic information about family members in medical records is protected
  • Personal notes and family records kept at home aren't subject to HIPAA

 

State laws matter

State laws may provide additional protection beyond HIPAA. Some states have stricter privacy laws that extend protection periods or provide additional safeguards for medical information, regardless of age.

For example, California's Confidentiality of Medical Information Act (CMIA) provides stronger privacy protections than HIPAA in several ways. The CMIA applies to a broader range of entities than just HIPAA-covered entities, including many businesses that maintain medical information. It also imposes stricter penalties for unauthorized disclosures and gives patients greater rights to sue for damages when their medical information is improperly disclosed. Unlike HIPAA, which focuses primarily on living individuals, the CMIA continues strong protections for deceased patients' medical information without a specific time limitation, effectively providing indefinite protection beyond HIPAA's 50-year post-death period.

 

Best practices for handling old medical records

Even when records are old enough to lose HIPAA protection, consider:

  • Treating all medical information with respect and discretion
  • Consulting with legal professionals before publishing or sharing old medical records
  • Being mindful of living relatives who might be affected by shared medical histories
  • Documenting the age and origin of medical records to determine applicable protections

 

FAQs

Can HIPAA protect family health history if it is not part of a medical record?

No, HIPAA protection only applies to family health history that is included as part of an individual's medical record.

 

What should be done if a personal representative cannot provide the necessary documentation to access a deceased individual's records?

The personal representative should seek legal advice and obtain the appropriate documentation, such as proof of executorship or a death certificate, to request access.

 

How can organizations ensure compliance with both HIPAA and state-specific privacy laws for family medical history?

Organizations should stay informed about both HIPAA and state laws, establish clear policies, and seek legal counsel to navigate complex privacy requirements.

 

What happens to medical records that fall under both HIPAA and state law protections after the 50-year period?

After the 50-year HIPAA protection period, state laws may still offer continued privacy protections, depending on the jurisdiction.