Abstract
Often, medical staff and sometimes their attorneys mistakenly believe that HIPAA prevents disclosure of medical records to medical examiner and coroner offices. Medical examiner and coroner government offices are not covered entities. Moreover, HIPAA specifically allows disclosure to law enforcement, public health, and medical examiners and coroners. However, state and Joint Commission requirements may further impact disclosures.
Keywords: Forensic pathology, HIPAA, Privacy, Medical Records, Access, Medical Examiner Offices
It is critical for medical examiner and coroner (ME/C) offices to obtain the medical history as part of the investigation of their cases; medical examiners and coroners have broad statutory authority to investigate deaths falling within their jurisdiction. Most hospitals and clinics will comply with requests from ME/C offices for electronic health records. However, lawyers in some medical systems automatically refuse such disclosures based upon Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) (1)—they are naive. Somewhat analogously, some have mistakenly claimed during the COVID-19 pandemic that HIPAA prevents disclosure of vaccination status (2).
HIPAA consists of five Titles that encompass insurance, medical spending account, and group health plan regulations among other things (3). HIPAA includes the Privacy Rule (45 CFR 160 and 164) and the Security Rule (45 CFR 160, 162, and 164) that protect the confidentiality (nondisclosure) and security of Protected Health Information (PHI) (4-6). Electronic communications are of particular concern and HIPAA’s security rules apply specifically to electronic transactions (7), but the privacy rules apply to PHI in “any form or medium”—including paper records, as well as electronic records, faxes, emails, exchanges in phone conversations, and face-to-face talk. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights enforces the Privacy Rule (8); penalties were strengthened in 2009 in Subtitle D of the HITECH Act (9).
Protected Health Information is individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual, that is linked to the specific person, and is transmitted or maintained in electronic media or any other form, with certain specific exceptions, such as in education and employment records (10). There are 18 identifiers that must be removed for deidentification (11). Originally HIPAA did not apply to deceased patients, but this was specifically changed and now it applies for 50 years following the death of a patient (12).
HIPAA confers a certain set of national “health information rights,” as well as a requirement for notice of these rights, to all patients. Specifically, these rights include: 1) a right of access to records, 2) a right to amend the records to correct errors or to enter statements of disagreement, 3) a right to receive an accounting of uses and disclosures of records, 4) a right to request restrictions on access to or additional protections of particularly sensitive data, and 5) a right to prevent certain reasonable “additional” types of use and disclosure. The HITECH Act gives patients a right to request electronic copies of their record; entities generally have 30 days to respond. Patients may complain of violations of their HIPAA rights to an entity’s Privacy Officer and, if not satisfied, to the HHS Office for Civil Rights or to state-level agencies.
There are three major categories of health information uses and disclosures: 1) no permission required, 2) oral permission required, and 3) written permission required. The no permission required category is the largest and pertains to treatment, payment, and other core health care operations (TPO). Beyond TPO, there are other broad categories of data that do not require specific disclosure, such as information related to public health and health system oversight activities, reporting about victims of abuse, neglect, or domestic violence, content for judicial and administrative proceedings, and activities related to “specialized governmental functions.” Oral permission is allowed for disclosures such as inclusion or exclusion from facility directories, as well as uses and disclosures to friends and family involved in the person’s care. Specific written authorization is needed for research, marketing, and fundraising. As a general rule, if a person has a right to make a health care decision, then that person has a right to control information associated with that decision.
Health care workers have three personal legal obligations: 1) to use or disclose PHI only for legitimate, work-related purposes, 2) to limit use or disclosure to only the minimum necessary information to achieve the work-related purposes, and 3) to exercise reasonable and appropriate caution to protect the PHI.
HIPAA applies to “covered entities” as defined by the HHS. Covered entities include: 1) health plans, 2) health care clearinghouses (such as billing services), and 3) health care providers that electronically transmit PHI (13,14). Medical examiner and coroner offices are not covered entities. Covered entities must maintain compliance with HIPAA guidelines. HIPAA permits covered entities to disclose PHI to business associates that may not be covered entities through business associate agreements that require no further disclosure from the business associate (15). Business associates are generally defined as a person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity (5,16).
HIPAA specifically defines exemptions, where the consent of the patient is not required. These specifically exempt coroners and medical examiners (45 CFR § 164.512(g)(1)) (17), and other relevant exemptions including disclosures where required by law and for public health purposes (18), law enforcement purposes (19), funeral home directors, organ and tissue donations, and some types of research:
45 CFR § 164.512—Uses and disclosures for which an authorization or opportunity to agree or object is not required.
A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given orally.
(a) Standard: Uses and disclosures required by law.
A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.
(b) Standard: Uses and disclosures for public health activities -
(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
…
(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
…
(f) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable.
(1) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:
(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements of:
(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
(1) The information sought is relevant and material to a legitimate law enforcement inquiry;
(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
(3) De-identified information could not reasonably be used.
(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
(3) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if:
(i) The individual agrees to the disclosure; or
(ii) The covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that:
(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and
(C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
(4) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.
(5) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.
(6) Permitted disclosure: Reporting crime in emergencies.
(i) A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:
(A) The commission and nature of a crime;
(B) The location of such crime or of the victim(s) of such crime; and
(C) The identity, description, and location of the perpetrator of such crime.
(ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section.
(g) Standard: Uses and disclosures about decedents –
(1) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph.
(2) Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual’s death.
(h) Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
(i) Standard: Uses and disclosures for research purposes –
(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:
(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by § 164.508 for use or disclosure of protected health information has been approved by either:
(A) An Institutional Review Board (IRB), established in accordance with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
…
[bold highlights added]
Independent forensic pathologists and organizations contracted to perform medicolegal death investigations for jurisdictions operate under color of law and would probably fall under the “Coroner and Medical Examiner” exemption. Private forensic pathology consultants and consultation services performing private consultations would probably not be exempt, although they may gain access by consent or legal process; but they would not be “covered entities.”
Coroner offices and a few medical examiner offices have subpoena power, which helps in situations where a medical system refuses to release the records.
It is important to recognize that many states may have their own privacy laws, often covering specific types of data (such as data on mental health treatment, HIV, sexually transmitted infections, genetic tests, and substance abuse), that supplement the federal HIPAA laws that could also potentially impact disclosure (20,21). Furthermore, constraints also flow from nongovernment sources on medical institutions, such as through certification by The Joint Commission (formerly known as JCAHO), and providers through their professional codes of ethics.
Author
Victor W. Weedn, MD, JD, Department of Forensic Sciences, George Washington University; Graduate School, University of Maryland, Baltimore
Roles: A, B, C, D, E, 1, 6
Footnotes
Ethical Approval: N/A.
Statement of Human and Animal Rights: N/A.
Statement of Informed Consent: N/A.
Disclosures & Declaration of Conflicts of Interest: The author, reviewers, editors, and publication staff do not report any relevant conflicts of interest.
Financial Disclosure: The author has indicated that he does not have financial relationships to disclose that are relevant to this manuscript.
References
- 1. Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act). Pub.L. 104–191, 110 Stat. 1936. https://www.govinfo.gov/app/details/PLAW-104publ191/summary [accessed 16 May 2022].
- 2. Chiu A. Explaining HIPAA: No, it doesn’t ban questions about your vaccination status. Washington Post, May 22, 2022. https://www.washingtonpost.com/lifestyle/wellness/hipaa-vaccine-covid-privacy-violation/2021/05/22/f5f145ec-b9ad-11eb-a6b1-81296da0339b_story.html [accessed 23 May 2022].
- 3. Edemekong PF, Annamaraju P, Haydel MJ. Health Insurance Portability and Accountability Act. StatPearls; 2022. https://pubmed.ncbi.nlm.nih.gov/29763195/
- 4. The HIPAA Privacy Rule. HHS webpage. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html [accessed 16 May 2022].
- 5. Health Insurance Portability and Accountability Act of 1996 (HIPAA). CDC Public Health Law webpage. https://www.cdc.gov/phlp/publications/topic/hipaa.html [accessed 16 May 2022].
- 6. Cohen G, Mello MM. HIPAA and Protecting Health Information in the 21st century. JAMA. 2018;320(3):231–232. doi:10.1001/jama.2018.5630
- 7. Drolet BC, Marwaha JS, Hyatt B, Blazar PE, Lifchez S. Electronic communication of protected health information: privacy, security, and HIPAA compliance. J Hand Surg Am. 2017;42(6):411–416. PMID:28578767. doi:10.1016/j.jhsa.2017.03.023
- 8. HIPAA Enforcement. HHS webpage. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html [accessed 23 May 2022].
- 9. Health Information Technology for Economic and Clinical Health Act (HITECH Act). Part of the Recovery Act of 2009, Pub.L. 111–5. https://www.hipaaguide.net/hipaa-and-the-hitech-act/ [accessed 16 May 2022].
- 10. 45 CFR § 160.103 Definitions. Protected Health Information.
- 11. What is Individually Identifiable Health Information? HIPAA Journal webpage; 2018. https://www.hipaajournal.com/individually-identifiable-health-information/ [accessed 23 May 2022].
- 12. 45 CFR § 160.103 Definitions. Protected Health Information (2)(iv).
- 13. 45 CFR § 160.102—Applicability.
- 14. 45 CFR § 160.103 Definitions. Covered Entity.
- 15. Business Associate Contracts. HHS webpage. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html [accessed 23 May 2022].
- 16. 45 CFR § 160.103 Definitions. Business Associate.
- 17. 45 CFR § 164.512—Uses and disclosures for which an authorization or opportunity to agree or object is not required. (g) Standard: Uses and disclosures about decedents—(1) Coroners and medical examiners.
- 18. HIPAA Privacy Rule and Public Health. Guidance from CDC and the U.S. Department of Health and Human Services. MMWR. 2003;52(Supp):1–17, 19-20.
- 19. Brous EA. HIPAA vs. law enforcement. A nurses’ guide to managing conflicting responsibilities. Am J Nurs. 2007;107(8):60–63. doi:10.1097/01.NAJ.0000282298.26312.3c
- 20. Smith RE. Compilation of State and Federal Privacy Laws. Privacy Journal; 2013: 234.
- 21. Rotenberg M. Privacy Law Sourcebook 2018. Electronic Privacy Information Center; 2018: 826.
