With the death of Prince, I’m confused about HIPAA regulations for dead people. I originally thought HIPAA only applied to living people, so that there isn’t problem with the leaks from the hospital that he was treated for drug overdose on his plane trip to Minnesota a couple weeks ago.
THan I read that HIPAA applies up to 50 years after your death.
But then I always see officials coming out with medical reports about famous dead people just days or weeks after their death…which would seem like a violation.
So I’m confused. Does HIPAA apply to dead people and if so, how come we are always hearing about the medical condition of famous dead people which seems like a violation?
HIPAA doesn’t prevent all release of personally identifiable medical information, what it does is forbid release without the consent of the person who’s information it is. When someone dies, whoever takes over their estate* also takes over ownership of their medical information. So it’s fine for medical personnel to release information of the person agreed to release it before they died, made provision for release in their will, or if the person running their affairs allows it. Also investigations by the police or coroner into the circumstances of someone’s death may not be covered by HIPAA, so sometimes the ‘officials’ are fine without any approval.
This is a simplification, there are tons of special cases with a contested estate, and I’m not sure if ‘takes over the estate’ is the correct legal terminology.
It’s been a while since my HIPAA training, but my recollection (in addition to what Pantastic said) is that HIPAA only applies to “covered entities.” So while it would be illegal for your doctor or insurance company to release personal health information, I’m not sure the law applies to law enforcement agencies, etc. Someone will surely correct me if I’m wrong.
or it comes under " Serious Threat to Health or Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public"
HIPAA broadly applies to people who provide medical services to a patient. The public officials didn’t provide medical care to the person – Prince was already dead when they got involved. HIPAA does not apply to the disclosures they would make.
The HIPAA privacy rule also does not apply when the law compels the health care provider to provide the information to public health authorities authorized by law to collect or receive such information for public health purposes. So the public health authorities, like a coroner, can get access to the relevant medical records. State laws would govern when the coroner may or must disclose the records but the general rule with public records is that they must be made public under open records laws. If you want your health information to remain private, try not to die in an interesting way that draws the attention of the public health authorities.
If I have a (full, legal) name, a date and place (city/state USA) of death, can I find the record before the 50th anniversary of the death?
This is assuming there is no person capable of giving consent (no survivors, Estate closed, Executor dead).
I’m reasonably certain that the medical professionals who treated her can’t discuss the case.
I suspect that those who have access to health databases because of their work cannot legally disclose such data.
What information, specifically, are you looking for, who has it, and why do you need/want it? (that is, would your reason fall into the various exceptions in HIPAA or under other legislation?)
Information in the hands of governmental entities, including the police and health department, usually falls under different rules than information in the hands of a treating physician. Information included on a death certificate is governed by the state’s laws on death certificates, which range from fairly open to don’t even bother asking.
Assume I am NOT in a class entitled by HIPAA to the data.
The info would include dates of tests/diagnosis and prognosis.
How did the disease(s) present, when, what were the diagnoses? What treatments (“Antibiotic Drugs” would be adequate; specific drug names not required.
Would not want names of individuals, but the locations might be of interest.
I’m guessing “Cause of Death” is (almost) always public domain. How about “Suicide”? In small, conservative, devoutly “Christian” towns in deep backwaters?
Would that even be recorded? Would there be two causes? One for public consumption and one known only to a few?
Are "Accident"s involving single-occupant cars striking solid objects with no brake marks are going to be listed as “Accident” even when “Suicide” is known/strongly suspected?
I work for a health insurance company and our HIPAA training states that the decedent’s privacy rights devolve to the estate, and can only be waived by the executor of the estate. Also any writing authorizations or POAs the mbr send us expire with their death so even if a relative who had durable POA calls in after the mbr’s death (say about a bill from a healthcare provider) who can’t tell them anything until they send in a copy of the estate paperwork (assuming it exists). That can least to some highly unpleasant conversations.
Death Certificates issued by the County Coroner ARE public information. And basic info like “Cause of Death” will be listed there for anyone to see. Those are public records. The records covered by HIPPA are the private medical records kept by doctors, etc. about the patient.
Death records are not public records so far as anyone can see them if they want to. They are available to verifiable family members and those who can demonstrate a legitimate need to the state for them.
That said, death records are not even terribly accurate. I know of a doctor in the state of Vermont and he teaches a course on how to properly fill out a death certificate. And even in Vermont the things he teaches are not requirements but suggestions.
For instance, a death certificate for renal failure SHOULD list any disease that the person had that contributed to, or were affected by such failure. But it’s SHOULD not must.
Basically as long as their is no foul play or suicide, state government don’t care all that much if someone died from a heart attack or a stroke, so long as it wasn’t criminal.
HIPAA isn’t limited to ‘covered entities’, though they are the most affected.
Businesses or persons who work WITH ‘covered entities’ are also covered. The rules are slightly different.
Reason I know this: I do not work for a ‘covered entity’, but I work for a company which develops, installs, and supports hospital software. In the course of my work (debugging a reported problem with software at a hospital site, for example), I will probably see HIPAA covered information.
There are a LOT of rules as to what I can’t do with that information. Like an employee of a ‘covered entity’ I must pass HIPAA training & tests every year or so.