PHI Protection for 50 Years After Death

Protected health information (PHI) is any individually identifying health information classified by the Department of Health and Human Services (HHS) into 18 identifiers, such as name, date of birth, address, payment information, treatment information, etc. The Health Insurance Portability and Accountability Act (HIPAA) mandates that organizations that work with PHI have safeguards in place in the form of administrative, technical, and physical, to protect PHI. Safeguarding PHI is extremely important to keeping patient’s sensitive information private, however, did you know that PHI protection extends beyond death? In fact, HIPAA requires PHI protection for 50 years after a patient’s death. 

HIPAA Privacy Rule and PHI Protection

The HIPAA Privacy Rule applies to deceased patients in mostly the same way as it would to living patients, with a few exceptions. The HHS states, “During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals.”

According to the HHS the following are permitted disclosures of PHI for deceased patients:

(1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct

(2) to coroners or medical examiners and funeral directors

(3) for research that is solely on the protected health information of decedents

(4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation

(5) to a family member or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity

For disclosure of PHI that is not covered under the exceptions, there needs to be written consent from an authorized representative for disclosure to be permitted. 

PHI Disclosure and Family Members

There may be cases in which a patient requests that their PHI is not disclosed to family members upon their death. An exception to that however, is if the surviving relative is an executor of the deceased patient’s estate. The HHS maintains, “In these cases, a covered health care provider may disclose relevant protected health information about the decedent to the family member, and the family member retains the right to receive a copy of the relevant information in the decedent’s medical record, without regard to the decedent’s prior objection.”

In addition, when a surviving family member would like access to the deceased’s PHI for their own healthcare, it is permitted for the following:

  • A covered entity (CE) can disclose the PHI of the deceased relative to a surviving relative’s treating physician without authorization;
  • if the information is relevant to the surviving relative’s care;
  • or a representative, such as the executor, may receive PHI if it is permitted under the law.

PHI protection is essential to maintaining a patient’s privacy. Although it may be difficult to obtain the proper authorization before a patient’s death, covered entities must ensure that they are following HIPAA law when it comes to PHI protection.