Getting hip on HIPAA

HIPAA doesn’t lock the door on genealogical archives.

Reader Tanya asks:

I visited a county historical society museum in my parents’ hometown … and they had binders of documents that came from a funeral home that had gone out of business. These documents included death certificates and all the info that goes with it (i.e., SSN, cause of death). It’s a great genealogical find but I’m concerned that the museum might be violating HIPAA laws by having it available to the public. I don’t want them to get in trouble and just wanted to get someone’s opinion. What do you think?

Great question, Tanya, and thanks for the opportunity to set the record straight on this, since this isn’t the first time this issue has come up. I’ve seen it repeatedly on mail lists for genealogists who’ve been told (a) they can’t see coroner’s inquest files or (b) they can’t publish an index of burials or (c) they can’t see cemetery records or (d) they can’t see records of a funeral home or (e) — and this one’s my favorite — the funeral home can’t even say if it handled a burial.

The short answer to Tanya’s question is NO. The museum — along with the vast majority of archives and repositories that genealogists might use — aren’t affected by the federal statute known as HIPAA or the federal regulations under the statute at all. Here’s why.


Does HIPAA lock up genealogical archives?

First a bit of background. HIPAA is an acronym — pronounced HIP-puh, often misspelled as HIPPA — for a federal statute, the Health Insurance Portability and Accountability Act of 1996.1

What Congress was out to do was make the health care system more efficient by getting electronic information exchanges working.2 To get people to go along, the law strongly protects the confidentiality of that information. It’s now a federal crime to disclose it without authorization.3 And Congress told the US Department of Health and Human Services (“HHS”) to set up privacy rules (called regulations in “fed-speak”4) as well.5

The statute did a lot of different things, but the aspect we’re all concerned with is its effect on what the law called “individually identifiable health information.”6

The definition of that sort of information in the statute and in the regulations is pretty broad. It includes anything that identifies the person by name (or can be used to do that) and shows:

    • the individual’s past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual.

Individually identifiable health information includes things like a person’s name, address, birth date, Social Security Number.7

And even with that very broad definition, absolutely not one bit of the law or the regulations affects genealogical archives at all.

The reason is simple: HIPAA only affects “covered entities” — health plans, health care clearinghouses, and health care providers, and only if they transmit information in electronic form about certain “covered transactions.”8 That means, just as an example, that a K-12 public school that has doctors and nurses and psychologists and counselors working with students is NOT a covered entity (in this case, because it doesn’t bill for its health-related services).9

And it means, as well, that a genealogical archive like your local historical society museum is NOT a covered entity. A library is NOT a covered entity. A cemetery is NOT a covered entity. They’re not in the health care business, and the fact that a piece of health-related information shows up in a document they possess doesn’t magically morph them into covered entities.

It’s true that sometimes the line between health information and other information can get a little fuzzy, and every time it does, the place with the records gets scared and clams up out of fear of violating HIPAA. That happened in Nebraska in 2008 when a county historical society wanted access to cemetery records for a former state psychiatric hospital. The state agency refused to let the historical society have access, arguing that knowing that “because all of those patients buried in the … cemetery had been patients … when they died, releasing their names is equivalent to releasing medical records.” The trial court sided with the state because of HIPAA. Fortunately, the Nebraska Supreme Court rejected the state’s argument and ordered the records disclosed.10

Where HIPAA really does have a big effect for genealogists is when we’re looking for what really are medical records held by “covered entities,” because right now it provides that we can’t ever get those records no matter how long the person has been dead. The law is seriously goofy there, though there is a move afoot to reduce the time frame to 50 years after death.11 And when I say “seriously goofy,” I’m not kidding — the official HHS answer to “How can family members of a deceased individual obtain the deceased individual’s protected health information that is relevant to their own health care?” basically says unless your doctor needs it to treat you right now, you need a court order.12

So if records are being held by a medical archive, where the records really are health records, created and kept as health records, and not records of a totally different type that might happen to include some small piece of health-related data, we’re all pretty much out of luck.13

And, of course, there still may be state statutes that come into play here. In my state of New Jersey, for example, death certificates aren’t public records for 40 years after the death, and the cause of death usually can’t be disclosed except to certain family members or legal representatives.14 (I say usually because the New Jersey Supreme Court has held that the public’s right to know trumps the non-disclosure regulation in certain cases.15) As another example, death certificates in Florida aren’t public records until 50 years after the death.16 By contrast, in Massachusetts, death records are public, period.17

But any access issue would be purely a matter of state law — and would boil down to a question of whether access to a privately-held copy of a death certificate could be restricted. HIPAA wouldn’t come into play at all.

So no. There’s no HIPAA padlock on those records at all.

Image courtesy vectorfresh, Creative Commons

  1. 42 U.S.C. § 1320d et seq.
  2. 67 Fed. Reg. 14776, 14776 (27 March 2002).
  3. 42 U.S.C. §§ 1320d-1(d), 1320d-2.
  4. The federal rulemaking process results in the adoption of regulations that are gathered together and published as the Code of Federal Regulations, abbreviated “C.F.R.” Wikipedia (, “Code of Federal Regulations,” rev. 26 Jan 2012.
  5. 67 Fed. Reg. 14776, 14776 (27 March 2002). See also 42 U.S.C. §§ 1320d-1(d), 1320d-2.
  6. 42 U.S.C. § 1320d(6).
  7. See generally 45 C.F.R. § 164.514(b).
  8. 42 U.S.C. § 1320d-1(a). See also 45 CFR § 160.102.
  9. USHHS, Office for Civil Rights, “Does the HIPAA Privacy Rule apply to an elementary or secondary school?” ( : accessed 8 Feb 2012).
  10. State ex rel. Adams County Historical Society v. Kinyoun, 277 Neb. 749, 755 (2009).
  11. Notice of proposed rulemaking, 75 Fed. Reg. 40868, 40874 (14 Jul 2010).
  12. “HIPAA Frequent Questions,” ( : accessed 8 Feb 2012).
  13. See generally “The Implications of HIPAA for Archives,” Alan Mason Chesney Medical Archives for Johns Hopkins Medical Institutions ( : accessed 8 Feb 2012).
  14. N.J.S. 26:8-59.1; N.J.A.C. 8:2A-2.1.
  15. Home News v. State Dep’t. of Health, 144 N.J. 446 (1996).
  16. Fla. Stat. § 382.025.
  17. See generally “Obtaining Certified Copies of Vital Records,” Massachusetts Office of Health and Human Services, ( : accessed 8 Feb 2012).
Print Friendly
This entry was posted in General. Bookmark the permalink.

16 Responses to Getting hip on HIPAA

  1. Thanks for clarifying this issue, Judy. Unfortunately the records I hope to some day access really are covered by HIPAA. There is a gold mine of information in the records of our state mental hospital–they go back almost as long as there have been settlers in the area. Here’s hoping the revision you mentioned gets passed!

    • Judy G. Russell says:

      I can understand the sensitivity of those records, Christy… but time heals all wounds, and I too would like to see old records. My grandmother’s uncle John died at the Texas State Hospital in Austin nearly 90 years ago. He’d been committed there at the request of his father and brother. I have the court records, but with persistent issues in the extended family (an apparently inherited predisposition towards depression for example), we’d all like to know more about John. If that rule change would be adopted, those doors could be opened.

    • Gus Marsh says:

      I want to find out more about my aunt who was in a mental hospital from the 1950′s until she died. The only way I could get the records, was by opening probate on my mother, which open probate on her sister. This ended up costing me $150.00 in Arkansas, but it was worth every penny.

      • Judy G. Russell says:

        Getting yourself into the legal position to be able to access the records was absolutely the right way to go, Gus. Glad the information proved so valuable.

  2. I have a NY funeral home who uses HIPAA as a reason not to share information, any suggestions as to how I can use the info to try and get more information from them. Thanks!

  3. Tanya says:

    Judy, thank you again for answering my question so quickly and for publishing a post about it. It’s a confusing Act and you explained it so well!

  4. Another winner, Judy! Congrats!

  5. Barbara Schenck says:

    Thank you, Judy. I was fortunate, some years ago, to be able to get the medical records for a cousin who had died in a Montana tuberculosis sanatorium over 50 years ago. They were minimally about his health, but had a great deal of information about where he had been living prior to his admittance, and they gave a name and address of next of kin when he died. Those were very helpful in both looking for other records in his previous residence, and in contact descendants of his next of kin for further family history.

    As far as New Jersey goes, a sibling of my husband’s grandfather was at Greystone, the state hospital at Morristown, NJ, and died in April 1918. We wonder if his death was the result of the flu epidemic or was related to his medical condition which seems to have been some form of mental illness. Is there any way of discovering anything in NJ records or are they always and forever sealed? They are not even remotely in my area of expertise.

    • Judy G. Russell says:

      Barbara, New Jersey death certificates are public records 40 years after the death. Generally speaking, when a government record becomes a public record, the public right to access will weigh heavier than any HIPAA or related restriction (such as the state regulation). Right now, death records are available on microfilm at the New Jersey State Archives for the period 1878-1955. The only hitch is that you have to use the microfilm in person. So the short answer is you SHOULD be able to get that info, but you’d need somebody who has time to spend at the archives in Trenton.

  6. Joseph Reinckens says:

    As I mentioned in another post, I’m an attorney representing hospitals and we routinely deal with HIPAA. I strongly disagree with your claim that HIPAA only applies to information transmitted electronically. We routinely receive physical medical records and there is no doubt among anyone who deals with HIPAA routinely that we would be a covered entity.

    All this emphasis on “electronic records” is b.s. HIPAA was enacted because of privacy concerns. Electronic Medical Records (EMR) have been a pipe-dream for decades. The fantasy is the “everyone” is going to agree on a “standard” format. But hospitals have BILLIONS of dollars invested in the systems of various vendors, and no vendor is willing to scrap the hundreds of millions of dollars it invested in developing its software, forms, and hardware to switch to ANYONE else’s standard.

    Reasons HIPAA was enacted included public concern about identity theft, privacy, Big Brother, and similar issues. A large part of the public thinks there is a central location “somewhere” where all police agencies and insurance companies can find all available information on any auto accident. Many people think there is some central location where every insurance company can get full access to anyone’s healthcare history.

    People were worried (reasonably) that even if that didn’t exist yet, if it wasn’t prohibited eventually health insurers would create something like it and use it to refuse coverage or jack up premiums based on personal or family history. Even though antitrust laws might prevent that, it could take years before an individual company would get in trouble–and then it would just pay a fine and claim to mend its ways, nothing would happen for those affected.

    There’s another aspect of HIPAA, which is the threat of criminal penalties. Health care providers are routinely taught at seminars, “The HIPAA statute includes criminal penalties for giving out information when you’re not supposed to. So just to be cautious, unless you’re sure you can, don’t.”

    For instance, information necessary to obtain payment for services is not covered by HIPAA. Often an insurer asks a hospital, “We need proof that this treatment is related to this accident and not that the patient also had.” Often the only person with that information is the treating physician (who is in private practice). When we contact the physician’s office, we’re told, “I’m sorry, but that information is covered by HIPAA. We can’t give it to you.” Even when I write a letter quoting the statute, there response is, “We were told at a seminar that we can’t do it, so that’s our policy.” End of story. We don’t get the information.

    • Judy G. Russell says:

      You’re misreading the post. It doesn’t say it applies only to electronic information. It says that was the original reason why HIPAA was enacted: because of the impact of easy electronic exchange of information on privacy rights. Of course it applies — as the post makes abundantly clear — to all individually identifiable information. And it still does NOT apply to genealogical repositories.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>