Abstract
Often, medical staff and sometimes their attorneys mistakenly believe that HIPAA prevents disclosure of medical records to medical examiner and coroner offices. Medical examiner and coroner government offices are not covered entities. Moreover, HIPAA specifically allows disclosure to law enforcement, public health, and medical examiners and coroners. However, state and Joint Commission requirements may further impact disclosures.
It is critical for medical examiner and coroner (ME/C) offices to obtain the medical history as part of the investigation of their cases; medical examiners and coroners have broad statutory authority to investigate deaths falling within their jurisdiction. Most hospitals and clinics will comply with requests from ME/C offices for the electronic health records. However, lawyers in some medical systems automatically refuse such disclosures on the basis of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) (1)—they are naive. Somewhat analogously, some have mistakenly claimed during the COVID-19 pandemic that HIPAA prevents disclosure of vaccination status (2).
HIPAA consists of five Titles that encompass insurance, medical spending account, and group health plan regulations among other things (3). HIPAA includes the
Protected Health Information is individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual, that is linked to the specific person, and is transmitted or maintained in electronic media or any other form, with certain specific exceptions, such as in education and employment records (10). There are 18 identifiers that must be removed for deidentification (11). Originally HIPAA did not apply to deceased patients, but this was specifically changed and now it applies for 50 years following the death of a patient (12).
HIPAA confers a certain set of national “health information rights,” as well as a requirement for notice of these rights, to all patients. Specifically, these rights include: 1) a right of access to records, 2) a right to amend the records to correct errors or to enter statements of disagreement, 3) a right to receive an accounting of uses and disclosures of records, 4) a right to request restrictions on access to or additional protections of particularly sensitive data, and 5) a right to prevent certain reasonable “additional” types of use and disclosure. The HITECH Act gives patients a right to request electronic copies of their record; entities generally have 30 days to respond. Patients may complain of violations of their HIPAA rights to an entity’s Privacy Officer and, if not satisfied, to the HHS Office of Civil Rights or to state-level agencies.
There are three major categories of health information uses and disclosures: 1) no permission required, 2) oral permission required, and 3) written permission required. The no permission required category is the largest and pertains to treatment, payment, and other core health care operations (TPO). Beyond TPO, there are other broad categories of data that do not require specific disclosure, such as information related to public health and health system oversight activities, reporting about victims of abuse, neglect, or domestic violence, content for judicial and administrative proceedings, and activities related to “specialized governmental functions.” Oral permission is allowed for disclosures such as inclusion or exclusion from facility directories, as well as uses and disclosures to friends and family involved in the person’s care. Specific written authorization is needed for research, marketing, and fundraising. As a general rule, if a person has a right to make a health care decision, then that person has a right to control information associated with that decision.
Health care workers have three personal legal obligations: 1) to use or disclose PHI only for legitimate, work-related purposes, 2) to limit use or disclosure to only the minimum necessary information to achieve the work-related purposes, and 3) to exercise reasonable and appropriate caution to protect the PHI.
HIPAA applies to “covered entities” as defined by the HHS. Covered entities include: 1) health plans, 2) health care clearinghouses (such as billing services), and 3) health care providers that electronically transmit PHI (13,14). Medical examiner and coroner offices are not covered entities. Covered entities must maintain compliance with HIPAA guidelines. HIPAA permits covered entities to disclose PHI to business associates that may not be covered entities through business associate agreements that require no further disclosure from the business associate (15). Business associates are generally defined as a person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity (5,16).
HIPAA specifically defines exemptions, where the consent of the patient is not required. These specifically exempt coroners and medical examiners (45 CFR § 164.512(g)(1)) (17); other relevant exemptions include disclosures where required by law and for public health purposes (18), law enforcement purposes (19), funeral home directors, organ and tissue donations, and some types of research:
45 CFR § 164.512—Uses and disclosures for which an authorization or opportunity to agree or object is not required. A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given orally.
(a) Standard: A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.
(b) Standard: (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to: (i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; (ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect; … (iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or …
(f) Standard: (1) Permitted disclosures: (i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or (ii) In compliance with and as limited by the relevant requirements of: (A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer; (B) A grand jury subpoena; or (C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: (1) The information sought is relevant and material to a legitimate law enforcement inquiry; (2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and (3) De-identified information could not reasonably be used.
(2) Permitted disclosures: (i) The covered entity may disclose only the following information: (A) Name and address; (B) Date and place of birth; (C) Social security number; (D) ABO blood type and rh factor; (E) Type of injury; (F) Date and time of treatment; (G) Date and time of death, if applicable; and (H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos. (ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual’s DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.
(3) Permitted disclosure: (i) The individual agrees to the disclosure; or (ii) The covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that: (A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim; (B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.
(4) Permitted disclosure:
(5) Permitted disclosure:
(6) Permitted disclosure: (i) A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to: (A) The commission and nature of a crime; (B) The location of such crime or of the victim(s) of such crime; and (C) The identity, description, and location of the perpetrator of such crime. (ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section.
(g) Standard: (1) (2)
(h) Standard:
(i) Standard: (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that: (i) Board approval of a (A) An Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or (B) A privacy board that:
…
[bold highlights added]
Independent forensic pathologists and organizations contracted to perform medicolegal death investigations for jurisdictions operate under color of law and would probably fall under the “Coroner and Medical Examiner” exemption. Private forensic pathology consultants and consultation services performing private consultations would probably not be exempt, although they may gain access by consent or legal process; but they would not be “covered entities.”
Coroner offices and a few medical examiner offices have subpoena power, which helps in situations where a medical system refuses to release the records.
It is important to recognize that many states may have their own privacy laws, often covering specific types of data (such as data on mental health treatment, HIV, sexually transmitted infections, genetic tests, and substance abuse), that supplement the federal HIPAA laws and could also potentially impact disclosure (20,21). Furthermore, constraints also flow from nongovernment sources on medical institutions, such as through certification by The Joint Commission (formerly known as JCAHO), and on providers through their professional codes of ethics.
Footnotes
Ethical Approval
N/A.
Statement of Human and Animal Rights
N/A.
Statement of Informed Consent
N/A.
Disclosures & Declaration of Conflicts of Interest
The author, reviewers, editors, and publication staff do not report any relevant conflicts of interest.
Financial Disclosure
The author has indicated that he does not have financial relationships to disclose that are relevant to this manuscript.
