Great article by Judy G. Russell, re-posted with permission. I have contacted the New York State Office of Mental Health asking their position on this new ruling. Hopefully, they will respond soon.
There’s been a major breakthrough in records access for those of us with family medical issues that we research in part through our genealogy.
Quietly, without much fanfare, the federal Department of Health and Human Services (HHS) has finally come around to understanding that closing medical records forever, even after the death of the person treated, isn’t the way to go.
It adopted a new set of rules earlier this year, effective just two weeks ago, that opens medical records 50 years after the patient’s death.
The change — first proposed nearly three years ago1 — came in an omnibus Final Rule adoption governing a vast array of issues under the federal Health Insurance Portability and Accountability Act (HIPAA) designed primarily to update personal privacy rules in light of technological changes in medical recordkeeping.2 The rule was adopted in January and became effective on March 26th.
As far back as 2003, archivists had complained to HHS about the old rule, under which personal health information was to be protected forever and only disclosed even after the patient’s death only if the legal representative of the estate authorized it.
In 2005, Stephen E. Novak of Columbia University had quoted from those earlier complaints in an HHS conference, explaining that “certain historical, biographical and genealogical works where the identity of the individual is the whole point could not be written, such as the Pulitzer Prize-winning A Midwife’s Tale, based on the late 18th and early 19th century diary of Maine midwife Martha Ballard.”3
Nancy McCall of the Johns Hopkins Medical Institutions told that same conference that “a number of state archives have acquired the records of defunct hospitals in their states and do not know whether they are covered entities. This is especially important for mental hospitals and TB hospitals that have closed.”4
All of those participating pleaded for clarity — and for access.
The new rule is, finally, the HHS response.
In its rulemaking, HHS recognized the problems inherent in “the lack of access to ancient or old records of historical value held by covered entities, even when there are likely few surviving individuals concerned with the privacy of such information. Archives and libraries may hold medical records, as well as correspondence files, physician diaries and casebooks, and photograph collections containing fragments of identifiable health information, that are centuries old. Currently, to the extent such information is maintained by a covered entity, it is subject to the Privacy Rule.”5
It noted that the “majority of public comment on this proposal was in favor of limiting the period of protection for decedent health information to 50 years past the date of death. Some of these commenters specifically cited the potential benefits to research. A few commenters stated that the 50-year period was too long and should be shortened to, for example, 25 years.”6
Based on its review and the public comments, HHS concluded:
We believe 50 years is an appropriate period of protection for decedent health information, taking into account the remaining privacy interests of living individuals after the span of approximately two generations have passed, and the difficulty of obtaining authorizations from a personal representative of a decedent as the same amount of time passes. For the same reason, we decline to shorten the period of protection as suggested by some commenters or to adopt a 100-year period of protection for decedent information.7
So, as of the 26th of March, HIPAA’s definition of “protected health information” expressly excludes information regarding “a person who has been deceased for more than 50 years,”8 and covered entities need only comply with HIPAA “with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.”9
Now the fact that the federal government isn’t standing in the way doesn’t mean that all of us with family health issues can rush out and expect to be given immediate access to those old health records that may tell us so much about things we face today. The feds have never been the only player in the privacy game — state laws may also restrict access to health information.
But it’s a major breakthrough to have the federal government finally move out of the way of access to records of critical importance.
Tip of the hat to Ron Tschippert for alerting The Legal Genealogist to the rule adoption!
- Notice of proposed rulemaking, 75 Fed. Reg. 40868, 40874 (14 Jul 2010). ↩
- See “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” 78 Fed. Reg. 5565 (25 Jan 2013), PDF version, U.S. Government Printing Office (http://www.gpo.gov/fdsys/ : accessed 7 Apr 2013). ↩
- Minutes, 11-12 January 2005, Subcommittee on Privacy and Confidentiality, National Committee on Vital and Health Statistics, HHS.gov (http://ncvhs.hhs.gov/ : accessed 7 Apr 2013). ↩
- Ibid. ↩
- “Modifications to the HIPAA … Rules,” 78 Fed. Reg. 5613-5614. ↩
- Ibid., 78 Fed. Reg. 5614. ↩
- Ibid. ↩
- 45 CFR §160.103. ↩
- 45 CFR §164.502(f). ↩