By T. Scott Gilligan, NFDA General Counsel
I. Overview of HIPAA Privacy Rule. In 1996, Congress passed the Health Insurance Portability and Accountability Act ("HIPAA"). The Act required the U.S. Department of Health & Human Services ("HHS") to issue a regulation protecting the privacy of health information if Congress failed to meet its self-imposed deadline of August 1999 to enact comprehensive privacy legislation. When Congress did not meet that August 1999 deadline, HHS was compelled to develop Standards for Privacy of Individually Identifiable Health Information, which are now commonly referred to as the HIPAA Privacy Rule.
After nearly three years of development, HHS published final modifications to the HIPAA Privacy Rule on August 14, 2002. Compliance with the Rule for most "covered entities" is required by April 14, 2003. Covered entities include health care plans, health care clearinghouses, and health care providers, such as hospitals, doctor offices, and nursing care facilities.
Overall, the HIPAA Privacy Rule creates for the first time national standards to protect an individual's medical records and other personal health information. It gives patients more control over their health information by setting boundaries on the use and release of health records.
II. Obligations of Covered Entities. The businesses covered by the HIPAA Privacy Rule (the “Covered Entities”) generally include health care providers, health care clearinghouses and health plans. The HIPAA Privacy Rule will require Covered Entities to undertake the following activities:
- Notify patients about their privacy rights and how their health information will be used.
- Adopt and implement privacy procedures for the Covered Entity.
- Train employees so they understand the privacy procedures.
- Designate an individual to be responsible for seeing that privacy procedures are adopted and followed.
- Secure patient records containing individually identifiable health information so that they are not readily available to unauthorized parties.
As noted above, most Covered Entities will have to undertake these compliance steps by April 14, 2003.
III. Funeral Homes are not Covered Entities. Covered Entities, the businesses that are subject to the HIPAA Privacy Rule requirements, consist of health plans, health care clearinghouses, and health care providers. Although funeral homes may receive or have access to health information of the decedents they care for, they are not considered to be Covered Entities. Therefore, funeral homes are not subject to the HIPAA Privacy Rule and do not have to comply with the obligations imposed upon Covered Entities regarding the development of privacy practices and the protection of private health care information.
Although funeral homes are not subject to the privacy practices imposed by HIPAA, it is important to note that state law and funeral board regulations generally require funeral directors to protect confidential information regarding decedents and families they serve.
IV. Funeral Homes are not Business Associates. When a Covered Entity has another business perform functions or activities on behalf of the Covered Entity, and that business is provided patient health information, the business is regarded as a “Business Associate” of the Covered Entity. While the HIPAA Privacy Rule does not directly regulate Business Associates, it does require Covered Entities to regulate the activities of their Business Associates. The Covered Entity must enter into a contract with the Business Associate that mandates that the Business Associate's use of protected health information will be consistent with the privacy policies of the Covered Entity.
While Covered Entities, such as hospitals and nursing homes, may from time to time provide confidential patient health information to funeral homes, funeral homes will not be regarded as Business Associates of those Covered Entities. Business Associates are contractors or other businesses hired to do the work of a Covered Entity that involves the use or disclosure of protected health information. Although funeral homes may receive protected health information from Covered Entities, they are not being hired by the Covered Entity to perform a function or activity on behalf of the Covered Entity.
If a funeral home were approached by a health care provider and asked to enter into a Business Associate contract, in nearly all cases the funeral home should refuse the request because it would not meet the definition of a Business Associate under the HIPAA Privacy Rule. Unless the funeral home were actually performing services for the health care provider, such as running a morgue for a hospital, it would be outside the definition of a Business Associate since it is not performing a function or activity on behalf of the health care provider. Therefore, although funeral homes may receive protected health information from health care providers, they should not be misled into believing that they are a Business Associate of the health care provider.
V. Circumstances when Disclosures are Required. The HIPAA Privacy Rule recognizes that there are legitimate needs to disclose an individual's health information to public health and safety authorities and others that are charged with the protection of public health. Therefore, the Rule does permit health providers to disclose confidential health information without authorization from an individual in specific circumstances.
One of the circumstances recognized by the HIPAA Privacy Rule is disclosure to persons at risk of contracting or spreading disease. The Rule recognizes that a Covered Entity may disclose confidential health information to a person who is at risk of contracting or spreading the disease or condition whenever federal or state law authorizes the Covered Entity to make that disclosure. For example, a health care provider may disclose confidential health information to notify a person that he has been exposed to a communicable disease if the health care provider is legally authorized to do so by federal or state law in order to prevent or control the spread of the disease.
It is important to note that the HIPAA Privacy Rule does not require Covered Entities to make disclosures to public health authorities. Rather, the provision is intended to allow Covered Entities to continue current voluntary reporting practices or reporting practices that are compelled by federal or state law.
The HIPAA Privacy Rule recognizes that funeral directors may also be included in the class of businesses and individuals receiving the information. Section 164.512(g) of the Rule allows Covered Entities to disclose confidential health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to a decedent. For example, the Rule allows hospitals to disclose to funeral directors the fact that an individual has donated an organ or tissue because this information has implications for the funeral home staff when embalming the decedent. The Rule also states that when necessary for funeral directors to carry out their duties, Covered Entities may disclose protected health information prior to and in reasonable anticipation of an individual's death.
VI. Consultation with Health Care Providers. Some states require disclosure of patient health information, such as the results of a positive HIV test or the presence of a communicable disease, to funeral home personnel. Other states do not require those disclosures. To determine what disclosures a particular state may or may not require, consult your state funeral association or visit www.healthprivacy.org and click on the state law section. That website has a survey of each state's laws regarding disclosure of patient health information. However, this website is only an overview and should not be relied upon when deciding what state law requires. Check with an attorney who has knowledge in the area of medical information privacy.
If state law does not mandate the disclosure of the presence of communicable diseases to funeral home personnel, funeral homes may want to contact hospitals and nursing homes from which they remove bodies to determine the scope of their internal HIPAA Privacy Rule disclosure policies. Unless prohibited by state law, hospitals and nursing homes may authorize disclosure of patient health information to funeral home personnel when necessary for funeral directors to carry out their duties. This being the case, funeral homes may wish to alert hospitals and nursing homes of their need to be advised of the presence of communicable diseases in order to protect funeral home personnel.
If members have any questions regarding the HIPAA Privacy Rule, please contact NFDA.