HIPAA doesn’t lock the door on genealogical archives.
Reader Tanya asks:
I visited a county historical society museum in my parents’ hometown … and they had binders of documents that came from a funeral home that had gone out of business. These documents included death certificates and all the info that goes with it (i.e., SSN, cause of death). It’s a great genealogical find but I’m concerned that the museum might be violating HIPAA laws by having it available to the public. I don’t want them to get in trouble and just wanted to get someone’s opinion. What do you think?
Great question, Tanya, and thanks for the opportunity to set the record straight on this, since this isn’t the first time this issue has come up. I’ve seen it repeatedly on mail lists for genealogists who’ve been told (a) they can’t see coroner’s inquest files or (b) they can’t publish an index of burials or (c) they can’t see cemetery records or (d) they can’t see records of a funeral home or (e) — and this one’s my favorite — the funeral home can’t even say if it handled a burial.
The short answer to Tanya’s question is NO. The museum — along with the vast majority of archives and repositories that genealogists might use — aren’t affected by the federal statute known as HIPAA or the federal regulations under the statute at all. Here’s why.First a bit of background. HIPAA is an acronym — pronounced HIP-puh, often misspelled as HIPPA — for a federal statute, the Health Insurance Portability and Accountability Act of 1996.1
What Congress was out to do was make the health care system more efficient by getting electronic information exchanges working.2 To get people to go along, the law strongly protects the confidentiality of that information. It’s now a federal crime to disclose it without authorization.3 And Congress told the US Department of Health and Human Services (“HHS”) to set up privacy rules (called regulations in “fed-speak”4) as well.5
The statute did a lot of different things, but the aspect we’re all concerned with is its effect on what the law called “individually identifiable health information.”6
The definition of that sort of information in the statute and in the regulations is pretty broad. It includes anything that identifies the person by name (or can be used to do that) and shows:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual.
Individually identifiable health information includes things like a person’s name, address, birth date, Social Security Number.7
And even with that very broad definition, absolutely not one bit of the law or the regulations affects genealogical archives at all.
The reason is simple: HIPAA only affects “covered entities” — health plans, health care clearinghouses, and health care providers, and only if they transmit information in electronic form about certain “covered transactions.”8 That means, just as an example, that a K-12 public school that has doctors and nurses and psychologists and counselors working with students is NOT a covered entity (in this case, because it doesn’t bill for its health-related services).9
And it means, as well, that a genealogical archive like your local historical society museum is NOT a covered entity. A library is NOT a covered entity. A cemetery is NOT a covered entity. They’re not in the health care business, and the fact that a piece of health-related information shows up in a document they possess doesn’t magically morph them into covered entities.
It’s true that sometimes the line between health information and other information can get a little fuzzy, and every time it does, the place with the records gets scared and clams up out of fear of violating HIPAA. That happened in Nebraska in 2008 when a county historical society wanted access to cemetery records for a former state psychiatric hospital. The state agency refused to let the historical society have access, arguing that knowing that “because all of those patients buried in the … cemetery had been patients … when they died, releasing their names is equivalent to releasing medical records.” The trial court sided with the state because of HIPAA. Fortunately, the Nebraska Supreme Court rejected the state’s argument and ordered the records disclosed.10
Where HIPAA really does have a big effect for genealogists is when we’re looking for what really are medical records held by “covered entities,” because right now it provides that we can’t ever get those records no matter how long the person has been dead. The law is seriously goofy there, though there is a move afoot to reduce the time frame to 50 years after death.11 And when I say “seriously goofy,” I’m not kidding — the official HHS answer to “How can family members of a deceased individual obtain the deceased individual’s protected health information that is relevant to their own health care?” basically says unless your doctor needs it to treat you right now, you need a court order.12
So if records are being held by a medical archive, where the records really are health records, created and kept as health records, and not records of a totally different type that might happen to include some small piece of health-related data, we’re all pretty much out of luck.13
And, of course, there still may be state statutes that come into play here. In my state of New Jersey, for example, death certificates aren’t public records for 40 years after the death, and the cause of death usually can’t be disclosed except to certain family members or legal representatives.14 (I say usually because the New Jersey Supreme Court has held that the public’s right to know trumps the non-disclosure regulation in certain cases.15) As another example, death certificates in Florida aren’t public records until 50 years after the death.16 By contrast, in Massachusetts, death records are public, period.17
But any access issue would be purely a matter of state law — and would boil down to a question of whether access to a privately-held copy of a death certificate could be restricted. HIPAA wouldn’t come into play at all.
So no. There’s no HIPAA padlock on those records at all.
Image courtesy vectorfresh, Creative Commons
- 42 U.S.C. § 1320d et seq. ↩
- 67 Fed. Reg. 14776, 14776 (27 March 2002). ↩
- 42 U.S.C. §§ 1320d-1(d), 1320d-2. ↩
- The federal rulemaking process results in the adoption of regulations that are gathered together and published as the Code of Federal Regulations, abbreviated “C.F.R.” Wikipedia (http://www.wikipedia.com), “Code of Federal Regulations,” rev. 26 Jan 2012. ↩
- 67 Fed. Reg. 14776, 14776 (27 March 2002). See also 42 U.S.C. §§ 1320d-1(d), 1320d-2. ↩
- 42 U.S.C. § 1320d(6). ↩
- See generally 45 C.F.R. § 164.514(b). ↩
- 42 U.S.C. § 1320d-1(a). See also 45 CFR § 160.102. ↩
- USHHS, Office for Civil Rights, “Does the HIPAA Privacy Rule apply to an elementary or secondary school?” (http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/513.html : accessed 8 Feb 2012). ↩
- State ex rel. Adams County Historical Society v. Kinyoun, 277 Neb. 749, 755 (2009). ↩
- Notice of proposed rulemaking, 75 Fed. Reg. 40868, 40874 (14 Jul 2010). ↩
- “HIPAA Frequent Questions,” HHS.gov (http://www.hhs.gov/hipaafaq/notice/222.html : accessed 8 Feb 2012). ↩
- See generally “The Implications of HIPAA for Archives,” Alan Mason Chesney Medical Archives for Johns Hopkins Medical Institutions (http://www.medicalarchives.jhmi.edu/hipaaimplications.html : accessed 8 Feb 2012). ↩
- N.J.S. 26:8-59.1; N.J.A.C. 8:2A-2.1. ↩
- Home News v. State Dep’t. of Health, 144 N.J. 446 (1996). ↩
- Fla. Stat. § 382.025. ↩
- See generally “Obtaining Certified Copies of Vital Records,” Massachusetts Office of Health and Human Services, Mass.gov (http://www.mass.gov/eohhs/consumer/basic-needs/vitals/obtaining-certified-copies-of-vital-records.html : accessed 8 Feb 2012). ↩