Your chance to weigh in on proposed U.S. HIPAA rule changes

A few weeks ago, the U.S. Department of Health and Human Services published a series of proposed changes to the Privacy, Security, and Enforcement Rules of the Health Insurance Portability and Accountability Act (HIPAA), which governs access to medical records and personal health information.

One of these regulatory changes centers upon access to data concerning deceased persons and ought to be of great interest to archivists, historians of medicine and social welfare policy, and genealogists. As archivists Stephen Novak and Nancy McCall testified at a 2005 hearing held by the Department of Health and Human Services, National Committee on Vital and Health Statistics, Sub-Committee on Privacy and Confidentiality, HIPAA's imposition of perpetual access restrictions upon "personal health information" poses myriad challenges for archivists and researchers alike.

The following proposed change is intended to address these concerns:

1. Section 164.502(f)--Period of Protection for Decedent Information

Section 164.502(f) requires covered entities to protect the privacy of a decedent's protected health information generally in the same manner and to the same extent that is required for the protected health information of living individuals. Thus, if an authorization is required for the use or disclosure of protected health information, a covered entity may use or disclose a decedent's protected health information in that situation only if the covered entity obtains an authorization from the decedent's personal representative. The personal representative for a decedent is the executor, administrator, or other person who has authority under applicable law to act on behalf of the decedent or the decedent's estate. The Department has heard a number of concerns since the publication of the Privacy Rule that it can be difficult to locate a personal representative to authorize the use or disclosure of the decedent's protected health information, particularly after an estate is closed. Furthermore, archivists, biographers and historians have expressed frustration regarding the lack of access to ancient or old records of historical value held by covered entities, even when there are likely few remaining individuals concerned with the privacy of such information. Archives and libraries may hold medical records that are centuries old. Furthermore, fragments of health information may be found throughout all types of archival holdings, such as correspondence files, diaries, and photograph collections, that are also in some cases centuries old. Currently, to the extent such information is maintained by a covered entity, it is subject to the Privacy Rule. For example, currently the Privacy Rule would apply in the same manner to the casebook of a 19th century physician as it would to the medical records of current patients of a physician.

Accordingly, we propose to amend Sec. 164.502(f) to require a covered entity to comply with the requirements of the Privacy Rule with regard to the protected health information of a deceased individual for a period of 50 years following the date of death. We also propose to modify the definition of ``protected health information'' at Sec. 160.103 to make clear that the individually identifiable health information of a person who has been deceased for more than 50 years is not protected health information under the Privacy Rule. We believe that fifty years is an appropriate time span, because by approximately covering the span of two generations we believe it will both protect the privacy interests of most, if not all, living relatives, or other affected individuals, and it reflects the difficulty of obtaining authorizations from personal representatives as time passes. A fifty- year period of protection also was suggested at a prior National Committee for Vital and Health Statistics (NCVHS) (the public advisory committee which advises the Secretary on the implementation of the Administrative Simplification provisions of HIPAA, among other issues) meeting, at which committee members heard testimony from archivists regarding the problems associated with applying the Privacy Rule to very old records. See http://ncvhs.hhs.gov/050111mn.htm. We request public comment on the appropriateness of this time period.

My employer holds medical records and will, in all likelihood, take an official position on these proposed changes. My views will be reflected in my employer's comment (I'm not being facetious -- I'm involved in the discussion), but I think it's really important for individuals to speak out as well. If you are an archivist or records manager, a scholar or genealogist seeking access to older medical records, or simply have an interest in striking a balance between personal privacy and access to records, please take the time to look over the proposed changes in their entirety (go to http://www.regulations.gov/search/Regs/home.html#home, check "Open for Comment/Submission," and search for "HIPAA"), think through their implications, and submit a comment outlining your position. Comments will be accepted until 13 September 2010.