Illinois Healthcare Providers See Conflict Between New State Law and HIPAA Privacy Rule
Health Law Alert
In November 2011, the Illinois General Assembly passed Public Act 097-0623 (the Act). The Act amended the Code of Civil Procedure to mandate the release by health care providers of a deceased person’s medical records upon the written request of his or her surviving spouse, adult children, parents, or siblings, in descending order of priority, if the decedent did not appoint an agent under a power of attorney for health care or the decedent’s estate is not represented by an executor or administrator, and the decedent did not specifically object to such disclosure. The Act has led to conflict between relatives of decedents and health care providers, because the Healthcare Insurance Portability & Accountability Act (HIPAA), a federal law, permits only executors, administrators, and others who have the legal authority to act on behalf of the deceased individual or his or her estate, to gain access to the medical records. The Act does not give to the relatives listed in the law the authority to act “on behalf of” the decedent.
The public policy underlying HIPAA is that a person’s medical records must be kept confidential unless another person or entity has a legitimate need for them. Specifically, HIPAA prohibits any use or disclosure of medical records unless the use or disclosure is permitted by HIPAA or its regulations. With respect to deceased individuals, HIPAA requires health care providers to treat as “personal representatives” of the decedent the executor or administrator of his or her estate, or any other person who under state law has the legal authority to act “on behalf of” the person. In other words, health care providers must treat these people as they would the patient him or herself, and give to such people all the rights that the patient would have with regard to the medical records. Some health care providers have concluded that HIPAA does not contemplate the disclosure of a deceased patient’s medical records to multiple relatives for any reason or no reason at all.
The Act does not make the relatives of the deceased patient “personal representatives” for purposes of HIPAA. In Illinois, the Probate Act sets out who qualifies as a “representative” of a deceased person’s estate: an executor, an administrator or a guardian. The hallmarks of these offices are that the person is appointed by a court, is granted authority to cause others to take steps with regard to the decedent’s estate or his or her property, and is held responsible by the court for his or her actions. In other words, a person must be legally recognized as a fiduciary of the deceased individual or his or her estate to qualify as a “representative” under Illinois law. The relatives named in the Act bear no fiduciary duties to the decedent. Rather, they could use the requested medical records for their own purposes, for no purpose, or for purposes that would have been objectionable to the deceased person. Therefore, some health care providers have concluded that the relatives listed in the Act do not qualify as “personal representatives” and cannot be given access to the deceased patient’s medical records.
HIPAA allows states to enact laws that are more protective of an individual’s health information than those set forth in the HIPAA regulations, but does not permit state law to diminish the privacy protections afforded to patients under HIPAA. Therefore, to the extent a law diminishes the degree to which a decedent’s health information is protected, it is preempted by the more restrictive HIPAA rules. Because the Act purports to expand access to decedents’ medical records to individuals beyond those who stand as fiduciary “representatives” of a deceased person, it may be preempted, requiring health care providers to abide by the HIPAA privacy regulations rather than the Act.
The U.S. District Court for the Northern District of Florida recently found that HIPAA preempted a Florida law similar to the Act because a relative not appointed by a court does not have a fiduciary relationship to the decedent and therefore cannot qualify as a personal representative for HIPAA purposes. Opis Management Resources, LLC v. Dudek (Dec. 3, 2011). Until a federal court analyzes the interplay between HIPAA and the Act, there is no binding authority on this issue and health care providers must decide whether to comply with the more restrictive HIPAA rules or the more permissive disclosures contemplated by the Act.
Health care providers are advised to consider the relative severity of penalties arising out of violations of these two laws. Under the Act, a health care provider that denies a relative’s request for records is required to pay expenses and reasonable attorneys’ fees incurred by a relative if a court finds that the Act is not preempted and orders enforcement of the relative’s request. Under HIPAA, a health care provider that unlawfully discloses medical records can be assessed civil monetary penalties of between $100 and $50,000 for each violation, depending on the level of culpability, up to a maximum of $1.5 million for all violations of an identical provision in a calendar year, and can also be subject to criminal fines of up to $250,000 and up to 10 years’ imprisonment.
Download to read: Public Act 097-0623
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.