

A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?

Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely the cause of a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals. The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights. Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor. The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.

“The problem is a lot of people don’t really understand how HIPAA operates in collaboration with the existing state regulatory framework that they live in…” says Barry Herrin, JD, FACHE, a partner with the Atlanta-based law firm Smith Moore Leatherwood LLP. HIPAA did not create a new rule, Herrin says, and in instances where it does prevent someone from accessing patient records, generally speaking, it is reinforcing existing state laws on how deceased patient matters are handled.

HIPAA leaves it up to states to determine who qualifies as a deceased patient’s personal representative, the person who has legal rights to access another’s medical record. This is clear cut when a patient has signed a HIPAA release or named an executor to his or her estate. But when a patient dies without doing either, HIPAA defaults to state law to determine the hierarchy of rights to that person’s estate and health records. The privacy rule states that people have the same privacy rights in death as they do in life. But it also requires healthcare facilities to release medical records to those people either appointed by the patient or who are deemed a personal representative by state law. Because of this, Herrin says that HIPAA law can actually help authorized individuals access deceased patients’ medical records.

HIPAA also requires a covered entity to verify the identity of a person requesting protected health information as well as their authority for such access. Just because someone is related to a deceased patient does not mean they have a right to their record. “There is a difference between identity and status,” Herrin says. Though HIPAA federalized this requirement, the act of authenticating requestors of protected health information was being done in many facilities long before HIPAA was passed. Aurora Healthcare, based in Milwaukee, WI, updated their information release policies to include specific language about verification following HIPAA implementation.
