[this is a cross post from HealthLawProf]
Warning: some of this post is HIPAA-wonky. But read on: the punch line is that HIPAA does not protect the living or the dead from blanket release of medical records to their personal representatives—unless state law provides otherwise or patients have thought to specify in advance that they do not want anyone to see the record or parts of it and state law gives them this opportunity. This means that the default position is that personal representatives may see highly sensitive health information, including mental health records or sexual or reproductive histories: veritable skeletons in family medical closets.
In an important recent decision, the 11th Circuit has held that the federal Health Insurance Portability and Accountability Act (HIPAA) preempts a Florida statute that gave spouses and other enumerated parties the right to request the medical records of deceased nursing home residents. Opis Management Resources v. Secretary, Florida Agency for Health Care Administration, 2013 U.S. App. LEXIS 7194 (April 9, 2013). The nursing homes had refused to respond to requests for records made by spouses and attorneys-in-fact, arguing that these requesters were not “personal representatives” under Florida law. The requesters filed complaints with HHS’s Office for Civil Rights, which determined that the refusals were consistent with HIPAA. The Florida Agency for Health Care Administration issued citations against the homes for violating Florida law, and the homes went to court seeking a declaratory judgment that the Florida statute was preempted by HIPAA.
The statute in question, Fla. Stat. § 400.145(1) (2013), requires nursing homes to release records to the spouse, guardian, surrogate, or attorney-in-fact of a resident or a deceased resident, unless the release has been expressly prohibited by the resident. Disclosures must include both medical and psychiatric records, with the exception of psychiatric progress notes and consultation reports. The Agency interpreted this statute to authorize release to personal representatives as permitted by the HIPAA Privacy Rule, 45 C.F.R. § 164.502(g)(4)(2013). This section of the Privacy Rule specifies that personal representatives have the same authority to access health information that individuals do, and that executors or others authorized to act on behalf of a decedent must be treated as personal representatives with respect to protected health information. The Privacy Rule also permits covered entities to disclose to persons involved in the deceased individual’s care or payment for care information relevant to that involvement, unless the disclosure is contrary to the known expressed preferences of the decedent, 45 C.F.R. § 164.510(b)(5)(2013).
HIPAA preempts contradictory state law and state law inconsistent with its purposes, 42 U.S.C. § 1320d-7 (2013). It does not preempt more stringent state privacy protections, 45 C.F.R. § 160.203(b)(2013). The 11th Circuit determined that the Florida statute provided less protection than HIPAA, because it allowed individuals to act as though they were personal representatives without a proper HIPAA authorization in seeking records. HIPAA only allows a personal representative under state law to request records pursuant to a proper HIPAA authorization. The exception for individuals involved in care, or in paying for care, is a very narrow one, again not permitting the broad grant of authority found in the Florida statute. The court refused to read the Florida statute as in effect amending Florida law with respect to identifying personal representatives, leaving that task to the legislature.
In general, HIPAA defers to state law concerning the legal power of individuals acting for the person to access medical records. In many states, statutes simply give designated surrogates or proxies the authority to seek whatever records patients themselves would be able to request in accord with HIPAA. For decedents, the HIPAA requirement is simply that requests for records must come from the state-designated personal representative via a HIPAA authorization. (Custodians of health care records may, to be sure, refuse to release records under special circumstances such as danger to the person or others.)
The decision in Opis Management does not change the scope of this HIPAA deference; it simply insists that Florida comply with HIPAA authorization requirements. But there is a genuine problem here for states to consider regarding access to medical records, for both the living and the dead. Currently, the default position is access to the entire medical record, with limited exceptions. This means that unless patients have thought to specify otherwise under state laws that give them this opportunity, personal representatives may have access to veritable skeletons in the family medical closet: mental health records, sexual histories, reproductive histories, determinations of parentage, and much more that patients might have believed would be kept confidential. In the days of silo-ed paper medical records, records would have been difficult to find or obtain. But in today’s emergent world of interoperable medical records, the results for confidentiality may be serious indeed.