Will the new HITECH-HIPAA Privacy Rules really impact your release process for patients deceased 50 years or more?
Here are my thoughts…
For many covered entities the answer may be no.
The new HIPAA Privacy Rule effective March 2013 states any individually identifiable health information of a person deceased for more than 50 years is no longer considered PHI under the Privacy Rule.
One of the major intentions of this new Privacy Rule was to alleviate the difficulty that living relatives and other affected individuals faced while obtaining authorizations from personal representative of the decedent as time passed. According to the Department of Health and Human Services, the 50-year mark was enough time for the privacy rights to extend. The new rule releases access restrictions on PHI 50 years after the date of death.
Even though the new HIPAA Privacy Rule is in effect, it still does not supersede any state regulation that is more stringent than HIPAA regarding the release of deceased patient records, even after 50 years, the state laws will prevail.
In Massachusetts for example, the state law is stricter, requiring proof of executorship to release a deceased patient PHI.
In any state in which the laws are stricter than HIPAA prohibiting the release of deceased patients PHI, there will be little to no changes for HIM professionals determining whether to release or not.
What are your thoughts?