To effectively guard protected health information, your dental practice should have a records release policy. When forming or updating this policy you need to make sure it includes information on how to handle a deceased patient's records.

Posted in Insurance Services on Thursday, June 30, 2016

Does your dental practice have a records release policy? If so, does this policy include information on how to handle the records of a deceased patient? To effectively guard protected health information (PHI), your practice should have both in place.

While HIPAA sets the minimum requirement for privacy from the federal level, state regulations can be more stringent when it comes to releasing PHI. For this reason, when the issue arises as to whom, what and when records of deceased patients can be released, it is always wise to check with your attorney and/or state association.

To help you better understand patient privacy and how it relates to your office policies, here are a few highlights of the 2013 HIPAA OMNIBUS Final Rule:

What do dentists need to know about the Final Rule when designing a records release policy?

Under the Final Rule, privacy rights are suspended 50 years after a patient’s date of death – requiring no authorization for release. After 50 years, a covered entity (CE) may determine their own privacy protections, but they cannot justify them as a HIPAA requirement.

It is important to note that sensitive information and state laws could require greater privacy protection. Elements that could be classified as sensitive include: information on HIV/AIDS, substance abuse, mental health and/or psychotherapy notes.

Can patient records be accessed prior to 50 years?

A patient’s designated personal representative or legal executor has a right under law to access the records. Legal documents to establish the right to records include: a copy of the death certificate, a court document establishing executorship or a court order. If no designee is named by the decedent, state law will determine who possesses the right to access.

Individuals who had access to the records prior to death continue to have access, unless this is inconsistent with the expressed wishes of the decedent prior to death. This includes family members, relatives and others who were involved in the care or payment prior to death. This also includes surviving family members who need the decedent’s PHI for their own healthcare treatment.

However, reasonable assurance by the CE is necessary to ensure that the:

• Individual requesting records indicates a relationship to the decedent or offers sufficient details about the decedent’s circumstances prior to death to demonstrate involvement in their care and that the information is relevant to the person(s) requesting involvement with the decedent’s care or payment.

It is important to note that if a CE is uncomfortable with releasing PHI under the provision due to questions about an individual’s relationship to the decedent, the CE is not required to provide the PHI.

Is the 50 year rule a record retention requirement?

A CE may destroy medical records consistent with the time periods of their state regulations or other applicable law requirements.

Remember, being proactive with an established records release policy prior to a situation arising can improve the experience for all involved.

For more information on this topic, check out AHIMA’s document on Privacy After Death.