Unless involved in performing autopsies, most physicians generally do not consider the liability that exists from the way patients are treated after they die. However, at a time when many different areas of law can apply to the same issue, it is important to understand how to deal with a patient’s medical records, once he passes away.
The main body of law that governs patient records is the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule, which requires a covered entity (which includes a physician and/or medical practice) to protect the medical records, or “Protected Health Information” (“PHI”), of a patient. This obligation continues even post-mortem, and is quite similar to the obligation that exists when a patient is still alive. The primary, and obvious, distinction is that authority over records can no longer belong to a deceased patient. Upon death, this authority gets transferred to the patient’s “personal representative.” Under 45 CFR § 164.502(g)(4), a covered entity must treat a person as a personal representative, “If under applicable law an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual’s estate.”
A personal representative is generally appointed in a will, where an individual selects the person to carry out her wishes at death. This person is then granted either a letter testamentary or a letter of administration. If a personal representative has been appointed, it is important to note that authorization to release records then lies only with that person, who may be someone other than a former spouse or another family member. In fact, even if a decedent had provided a surviving party with a separate form granting authorization to obtain or grant disclosure of medical records, there is risk in relying on that as continuing authority. Even though the actual person whose records are at issue granted authority to another person to obtain or release the deceased’s records, technically that person loses authority to the appointed representative immediately upon death. To avoid this conflict, a separate authorization should be included from the deceased’s representative for any further disclosure of the patient’s PHI. Any use or disclosure that has already been made in reliance on the now deceased patient’s authorization is valid, however.
If an individual dies without appointing a personal representative in a will, then state intestacy laws govern. In New Jersey, this authority would automatically first pass either to a surviving spouse or a surviving domestic partner, who receives the same treatment for these purposes under New Jersey law. To officially become appointed through intestate law, a party must first consent to the responsibility (See N.J.S.A. 10:3B-2.)
Since privacy laws were created to protect patients from having their personal histories made public in ways against their wills, exceptions were created to avoid preventing professionals from carrying out their jobs in good faith. For example, health care providers can exchange the PHI of a deceased patient among one another if the purpose is to treat another patient, mainly in the case of a relative with a potentially similar genetic makeup. Also, in the event that covered entities want to notify family members or representatives of a death, or need to identify deceased persons to establish the cause of death, authorization is likewise not required. Some additional exceptions for professionals permit funeral directors, organ procurement organizations, and law enforcement personnel to obtain information consistent with carrying out their jobs.
Beyond these carefully carved out exceptions, PHI can also be transferred under the umbrella of research, but only if the researcher provides a covered entity with assurance that the information will strictly be used for