Privacy & Information Security Law Blog

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

The Florida law was challenged by several nursing homes that had been penalized for refusing to disclose such records due to restrictions imposed by the HIPAA Privacy Rule. The HIPAA Privacy Rule permits a covered entity, such as a nursing home, to disclose a deceased individual’s protected health information (“PHI”) to the individual’s “personal representative,” which could include the executor, administrator or other person acting on behalf of an individual or his or her estate. The Final Omnibus Rule added that a covered entity may disclose the PHI about a deceased individual to a family member or other person “involved in the individual’s care or payment for health care prior to the individual’s death” if the PHI is relevant to the person’s involvement and not inconsistent with an expressed preference of the deceased individual.

The Court of Appeals held that the Florida law “impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule in keeping an individual’s protected health information confidential.” Specifically, the Court maintained that the Florida statute was too broad and made a deceased individual’s PHI “available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.” The Court left open the possibility that the Florida law could be revised to comply with HIPAA, but noted that “[a]mending the statute, however, is a task for the state legislature, not a panel of federal judges.”