Note to Mr. Donald Trump: According to HHS' New Omnibus Rule, You Can Have A Copy of That Birth Certificate in About 100 or so Years Because HIPAA Doesn't Apply
One change under the Omnibus Rule that is somewhat flying under the radar is that HIPAA will no longer apply to a patient’s medical information 50 years after the patient’s death. One of the main reasons HHS cites as the impetus for this change is that researchers, historians, biographers and archivists have had difficulty gaining access to such information since HIPAA was enacted. While I find this to be an issue that may have justified a small tweak to the Privacy Rule to allow proper access to such information by authorized individuals, I find it curious that HHS chose to simply remove all protections 50 years after death.
The Omnibus Rule has revised the “deceased individuals” standard at Section 164.502(f), together with the definition of “protected health information” at Section 160.103, so that a covered entity is no longer required to abide by HIPAA’s restrictions on using and disclosing a patient’s PHI once more than 50 years have passed since the patient’s date of death.
More curious rationale abounds in the Preamble to the Omnibus Rule. At one point, decedents’ information is referred to as “ancient or old records of historical value held by covered entities” with “likely few surviving individuals concerned with the privacy of such information”. HHS also believes that 50 years is an appropriate period of protection for decedents’ information, taking into account the remaining privacy interests of living individuals “after the span of approximately two generations have passed”. Finally, HHS dismisses the concern that the 50-year limitation will incentivize changes to record retention policies in order to profit from decedents’ data after 50 years have elapsed. In my opinion, these don’t really hold up as great reasons for entirely removing HIPAA’s protection of decedents’ health information.
First, not all records are “ancient”, and there certainly can be surviving individuals concerned with keeping such information private. Obviously, not everyone lives to the average life expectancy, and some decedents will have died at birth. Such “young” decedents in particular can have many surviving family members, including siblings (maybe even a twin), parents or their own offspring. These family members absolutely have a continuing interest in not having their deceased family member’s health information become “public” during their own lifetimes.
Thus, this Omnibus Rule change to the Privacy Rule appears to have essentially shifted the burden to the surviving family member to take affirmative action, and potentially expend resources, to ensure such information is not made public.
I am also not convinced that this change does not create an incentive to monetize access to decedents’ data. Although HHS emphasized that the change is NOT a record retention requirement (i.e., it is not saying that hospitals or health care providers have to keep records for 50 years), the change certainly could cause covered entities and business associates to hang on to such records longer, especially in cases where the data originates from decedents who died between birth and 20 years of age and is still relatively “current”.
When the original HIPAA Privacy Rule was enacted, HHS considered many comments that pointed out the negative consequences of not extending HIPAA’s protections to decedents’ data. Commenters specifically argued that surviving family members would be negatively affected, and a number of medical associations even asserted that individuals may avoid genetic testing, diagnoses and treatment, and suppress information important to their health care, if they fear family members will suffer discrimination from the release of their medical information after their death. Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information. HHS’ original response to such comments was:
Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.
In the end, while HHS may give “researchers” the big “GO AHEAD” to access information like birth certificates of past presidents and other health information 50 years after the person’s date of death, there are state laws, like Hawaii’s health care information privacy law (Haw. Rev. Stat. section 323C-43) (*), that will continue to apply to the protected health information of a deceased individual following the death of that individual. Therefore, covered entities and business associates should remember that, before amending their policies to reflect that HIPAA will no longer protect the privacy of medical records and health information 50 years after a decedent’s death, state laws must still be followed – and should be reflected in such policies as well.
(*) Note that while this statute is mentioned by HHS in its original Preamble, Hawaii appears to have repealed this law on June 30, 2001.