Nursing Homes Must Abide by HIPAA Rules When Disclosing Deceased Resident PHI

by Baker Donelson

The Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) contains the HIPAA Privacy and Security rules. On January 25, 2013, the U.S. Department of Health and Human Services modified the HIPAA Privacy, Security, Enforcement and Breach Notification Rules to add additional protections and to improve workability, effectiveness and flexibility and to reduce the burden for regulated entities. It also implemented section 105 of Title I of the Genetic Information Nondiscrimination Act (GINA) to strengthen protections for genetic information. Those amended rules became effective on March 26, 2013.

HIPAA has long addressed disclosure restrictions for HIPAA-protected health information (PHI). On April 9, 2013, the U.S. Court of Appeals for the 11th Circuit affirmed the Northern District of Florida holding that a Florida statute was preempted by HIPAA and its implementing regulations. The Florida statute permitted licensed nursing homes to release a former deceased resident's medical records to the spouse, guardian, surrogate or attorney in fact without need for a HIPAA authorization and without regard to the authority of the individual making the request to act in the deceased resident's stead. The Court interpreted the law to authorize sweeping disclosures "for any conceivable reason" or no reason at all.

The original action, seeking a declaratory judgment that the Florida statute was preempted by HIPAA, was brought by various nursing home facilities who had refused to release the residents' medical records to the requesting parties because they were not "personal representatives" under HIPAA. The District Court ruled in favor of the nursing homes and the State appealed. The U.S. Court of Appeals, in its ruling affirming the District Court's decision, noted that amendments to HIPAA, referenced above, had been enacted pending the appeal. However, it found the amendments were largely immaterial to the issue before the Court.

The State contended on appeal that the provisions of the Florida law did not impede the goals of HIPAA and should not be preempted. It argued that the Florida statute empowers an individual to act on the deceased resident's behalf and meets the definition of "personal representative" under HIPAA. The nursing homes argued otherwise.

The District Court agreed with the nursing homes and the U.S. Court of Appeals affirmed. The HIPAA rule regarding disclosure of a deceased individual's PHI limits disclosure to narrowly delineated circumstances. The time limitation stating that a deceased person's record was protected for a period of 50 years following the death of the individual was not contained in the HIPAA rule until the January 25, 2013 amendments, which became effective March 26, 2013. However, the protection against disclosure as permitted under the broad Florida law did apply under the HIPAA rules in effect when the action was brought. HIPAA treats a personal representative as the protected deceased individual for purposes of the disclosure requirements under HIPAA. See 45 CFR 164.502(f) and (g). 45 CFR 164.502(g)(4) provides that "[i]f under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a 'personal representative'…" under the HIPAA rules with respect to PHI. 45 CFR 164.510 already delineated a covered entity's permitted use and disclosure of PHI subject to an individual's advance notice and right to agree or object. 45 CFR 164.510(b) delineated the circumstances under which a covered entity could disclose PHI directly relevant to family members, other relatives, close personal friends or others identified by the individual, or involved in the care or payment for the health care of the individual.

The recent HIPAA amendment adds a provision that a covered entity may disclose to a family member, other relatives, close personal friends of the individual or any other persons identified by the individual who were involved in the individual's care or payment for health care prior to the individual's death, PHI of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. See 45 CFR 164.510(b)(5).

Therefore, the Court concluded the regulation permits disclosure to personal representatives as defined under the Rule and to two other groups of people: (1) those involved in the deceased individual's health care, and (2) those who paid for the deceased individual's health care.

As it relates to the other two groups of people, covered entities may disclose only PHI that is relevant to such person's involvement; i.e., information that is relevant to the care of the deceased individual or to the payment of the deceased individual's health care costs. The Court also recognized that the HIPAA rule, 45 CFR 164.512(a)(1), permits a covered entity to use and disclose PHI as "required by law." While the State argued that the Florida law permitted such a disclosure required by Florida law, it only raised this argument on appeal. The Court declined to consider the argument for the first time on appeal.

Nursing homes and other providers and suppliers are cautioned when receiving requests for deceased resident or patient medical records or other PHI to carefully determine whether disclosure is authorized under the HIPAA rule and applicable state law. They should also remember that the HIPAA disclosure protection now applies for a period of 50 years.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
