The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, acts in part to provide federal protection for identifiable health information retained by covered entities, which include most businesses that offer company health plans. While many employers have policies and procedures in place to ensure HIPAA compliance in routine, everyday matters relating to the management of employee health data, few employers have developed policies or even considered how to manage protected health information in the unfortunate event of employee death or incapacitation.
Importantly, HIPAA’s protection of identifiable health information does not expire in the event of incapacitation or even the death of an employee. In fact, HIPAA continues to protect identifiable health information for 50 years after death. Consequently, it is important for employers to know to whom protected health information may be disseminated during this time period in order to continue to ensure compliance and avoid the assessment of steep penalties and fines.
Covered health information for the deceased or incapacitated employee during this time may be released to their legal representative under state law. In most instances involving a deceased employee, this would be the appointed administrator of the deceased’s estate. It is permissible to release protected health information to non-representative family members, including but not limited to spouses, domestic partners, parents, children, or siblings, unless doing so is inconsistent with any prior expressed preference that is known to the covered entity. However, the information released to a non-representative family member must be limited to that information which is relevant to that person’s involvement in the decedent’s or incapacitated employee’s care or payment for care. The regulations leave the determination of this relevancy up to the entity’s “professional judgment.” 45 CFR 164.510(b)(5).
The Department of Health and Human Services gives the following example of what could be released: “For example, a covered health care provider could describe the circumstances that led to an individual’s death with the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.”
Consequently, unless protected information is requested by the legal representative of the deceased’s estate, or the information requested is directly related to the requestor’s involvement in the deceased’s care prior to death or payment for the deceased’s care prior to death, a signed HIPAA release by the legal representative is required prior to release of the protected information. Other exceptions allowing the release of protected health information covering special situations are also available, including the allowance of release to law enforcement to assist in a criminal investigation.
It is important that employers understand their responsibilities to protect identifiable health information covered by HIPAA and develop policies to ensure compliance.