QUESTION: One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient. The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?
ANSWER: The HIPAA Privacy Rule protects “individually identifiable health information,” which is defined to include a patient’s past physical health condition. Thus, the deceased patient’s cancer history meets this definition. However, since the patient is deceased, is the information still protected under the HIPAA Privacy Rule? The answer to this question is “yes.” The HIPAA Privacy Rule protects individually identifiable health information of deceased patients for 50 years following the date of the death of the individual. Assuming the patient hasn’t been dead for 50 years, the patient’s individually identifiable health information is subject to the protections of the HIPAA Privacy Rule.
That being said, it is certainly important that a patient understand his/her family history, including risks for certain diseases and disorders so that he/she can proactively address those risks. Here, the treating physician’s hands aren’t completely tied when it comes to counseling the patient on such matters. He has a few options. The physician can rely on an exception to the HIPAA Privacy Rule, which permits the disclosure of protected health information for treatment activities. According to guidance issued by the United States Department of Health and Human Services, the “treatment” exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.” If the physician is concerned that counseling on a family member’s cancer history does not definitively meet the definition of “treatment” under HIPAA, he has other options. First, and most obviously, the physician can ask the patient if she is aware of any family history of cancer. If not, the physician can obtain a written HIPAA authorization from a personal representative (e.g., the deceased patient’s executor or administrator) to disclose the information. If the physician is unable to obtain a written authorization for whatever reason (such as an inability to locate the personal representative) or believes this is too burdensome, the physician can still make treatment recommendations without disclosing health information protected under HIPAA. For example, the physician may recommend more frequent cancer screenings based on the family history to which he is privy.