We are proposing that information otherwise protected by these regulations retain that protection for two years after the death of the subject of the information. The only exception that we are proposing is for uses and disclosures for research purposes.
HIPAA includes no temporal limitations on the application of the privacy protections. Although we have the authority to protect individually identifiable health information maintained by a covered entity indefinitely, we are proposing that the requirements of this rule generally apply for only a limited period, as discussed below. In traditional privacy law, privacy interests, in the sense of the right to control use or disclosure of information about oneself, cease at death. However, good arguments exist in favor both of protecting and not protecting information about the deceased. Considering that one of the underlying purposes of health information confidentiality is to encourage a person seeking treatment to be frank in the interest of obtaining care, there is good reason for protecting information even after death. Federal agencies and others sometimes withhold sensitive information, such as health information, to protect the privacy of surviving family members. At the same time, perpetual confidentiality has serious drawbacks. If information is needed for legitimate purposes, the consent of a living person legally authorized to grant such consent must be obtained, and the further from the date of death, the more difficult it may be to identify the person. The administrative burden of perpetual protection may eventually outweigh the privacy interests served.
The proposed two-year period of confidentiality, with an exception for uses and disclosures for research purposes, would preserve dignity and respect by preventing uncontrolled disclosure of information immediately after death while allowing access to the information for proper purposes during this period and for any purpose thereafter. We would not subject the use or disclosure of protected health information of deceased individuals to the requirements in proposed § 164.510(j) governing most uses and disclosures for research because we believe that it is important to remain as consistent as possible with the Common Rule. The Common Rule does not consider deceased persons to be “human subjects” and therefore they have never been covered in the standard research protocol assessments conducted under the Common Rule. The Department of Health and Human Services will examine this issue in the context of an overall assessment of the Common Rule. Pending the outcome of this examination, we concluded that this exception was warranted so as not to interfere with standard research practice. We invite comments on whether the exception that we are proposing is necessary, or whether existing research using the protected health information of deceased individuals could proceed under the requirements of proposed § 164.510(j).
Under our proposal, and subject to the exceptions discussed above, the right to control the individual’s health information within that two-year time period would be held by an executor or administrator, or in the absence of such an officer, by next-of-kin, as determined under applicable law, or in the absence of both, by the holder of the health information. This is reflected in the proposed definition of “individual” discussed above. The legally authorized representative would make decisions for the individual with regard to uses or disclosures of the information for purposes not related to treatment, payment or health care operations. Likewise, an authorized representative could exercise the individual rights of inspection, copying, amendment or correction under proposed §§ 164.514 and 164.516.
Under our proposal, information holders could choose to keep information confidential for a longer period. These proposed rules also would not override any legally required prohibitions on disclosure for longer periods.
One area of concern regarding the proposed two-year period of protection relates to information on individual genetic make-up or individual diseases and conditions that may be hereditary. Under the proposed rules, covered entities would be legally allowed to use such information or to disclose records to others, such as commercial collectors of information, two years after the death of the individual. Since genetic information about one family member may reveal health information about other members of that family, the health data confidentiality of living relatives could be compromised by such uses or disclosures. Likewise, information regarding the hereditary diseases or conditions of the deceased person may reveal health information about living relatives. In the past, information that may not have been legally protected was de facto protected for most people because of the difficulty of its collection and aggregation. With the dramatic proliferation of large electronic databases of information about individuals, growing software-based intelligence, and the declining cost of linking information from disparate sources, such information could now be more readily and cost-effectively accessed.
While various State laws have been passed specifically addressing privacy of genetic information, there is currently no federal legislation that deals with these issues. We considered extending the two-year period for genetic and hereditary information, but were unable to construct criteria for protecting the possible privacy interests of living children without creating extensive burden for information holders and hampering health research. We invite comments on whether further action is needed in this area and what types of practical provisions may be appropriate to protect genetic and hereditary health information.