Late last month I posted, “HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element,” and since then around half a dozen folks have asked me to write about privacy for the deceased…
I promised them I’d write about it in September, and here we are on the last day of the month, so I’d better get it written!
I’ve started to write something several times, but always had to stop. Over the past year my father has been struggling with many health problems, and in the past month his skin cancer has spread to his bones and nerves, and so now I am trying to spend as much time with him as possible while I can. So, this is not a topic I find easy to write about at this current time. But, it is an issue of privacy and compliance concern to all organizations, and so I will put a few thoughts out there for you to consider.
I’ve written about this several times over the past few years. The information from “Is There Privacy Beyond Death?” is still largely applicable.
Add to this the HITECH requirements. The relevant passage addressing this topic follows:
SEC. 13402. NOTIFICATION IN THE CASE OF BREACH.
(e) METHODS OF NOTICE.–
(1) INDIVIDUAL NOTICE.–Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:
(A) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
Do you even know if any of your customers have passed away? If not, you will likely be sending the notices to the last known address anyway. But would you know the address of the next of kin?
If you are a medical care facility, you probably do know and track which of your patients are no longer on this earth. But, in the procedures you follow for doing so, have you also removed them from your notification process? If you have, you’d better go back and update your procedures and practices.
The use of, and access to, the PII of the deceased is gaining more attention and more concern.
For example:
* In a letter this (2009) summer to David Fewer, acting director of the Canadian Internet Policy and Public Interest Clinic, Assistant Privacy Commissioner Elizabeth Denham outlined the measures Facebook plans to take to address the key outstanding privacy issues identified in the agency’s report. One of the changes was to provide new privacy policy wording to clarify that families of deceased users can ask to have sites memorializing their deceased relatives deleted.
* The huge amount of digging into Michael Jackson’s death, health problems, and associated details of his private life shows how the press seems to feel it is given free rein to publish any type of information about someone following death. Of course they justify this by stating he was a public celebrity. But does this really justify such privacy ransacking? Especially when family members are still raw and hurting from their loss?
* Farrah Fawcett also had intimate details of her life and medical problems revealed almost immediately upon her death. Even her so-called good friends are profiting by publishing her private details. Is this okay just because she was a celebrity?
* It’s not just the famous whose privacy is invaded following death, as I pointed out in a January 2008 blog post, “Egregious Privacy Infringement: Fire Chief Emails Photo Of Topless Crash Victim”
Now, all this makes me wonder: what will happen to the PII of the deceased held by electronic health records (EHR) vendors, such as Microsoft’s HealthVault and Google Health? I could find nothing addressing it in the Microsoft HealthVault privacy policy, nor in the Google Health privacy policy.
In fact, the way the privacy policies are worded, it looks as though next of kin would not be able to ask to have their recently departed family members’ PII removed.
And there are growing numbers of other EHR vendors out there, many with security and privacy practices that I would consider suspect at best and horrible or completely lacking at worst, for the living, not to mention the dead.
It is also worth noting that identity theft using the PII of the deceased is increasing.
Indeed, there *SHOULD* be privacy protections for individuals no longer with us, and there are increasing legal requirements for them.
The recommendations in my “Is There Privacy Beyond Death?” article are still good, with a few additions. So, consider doing the following to address the issues of privacy for the deceased:
- Identify any laws and regulations that apply to your company concerning how to manage the personal information and service information, such as email and messages, in the event of death.
- Even if no laws currently exist that address how to handle the PII of those who have died, consider what your organization would do, and then create procedures that do the right, ethical thing.
- Consider all issues, make a decision and clearly document what you will do with the information of deceased customers and employees.
- Write supporting policies and procedures to reflect your decisions.
- Review your breach response plans and ensure they also include steps to notify the next of kin when the PII of a deceased individual has been breached.
- Periodically test to ensure the procedures are effective. You do not want to wait until a death occurs to discover your processes do not work as envisioned.