Are There Special Circumstances Permitting Disclosure During the 50-Year Period?
During the 50-year period of protection, the HIPAA Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals.
However, the HIPAA Privacy Rule does include a number of special disclosure provisions relevant to deceased individuals. These include provisions that permit a covered entity to disclose a decedent’s health information:
- To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct;
- To coroners or medical examiners and funeral directors;
- For research that is solely on the protected health information of decedents; and
- To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.
When is a Written Authorization Required?
For uses or disclosures of a decedent’s health information not otherwise permitted by the HIPAA Privacy Rule, a covered entity must obtain a written HIPAA authorization from a personal representative of the decedent who can authorize the disclosure. A decedent’s personal representative is an executor, administrator, or other person who has authority under applicable State or other law to act on behalf of the decedent or the decedent’s estate.
Does HIPAA Apply After Death: What Happens Once the 50-Year Period Has Passed?
Once the 50-year period has passed, the PHI is no longer considered to be protected health information under the HIPAA Privacy Rule. As such, covered entities that maintain, health or medical records, correspondence files, physician diaries and casebooks, or photograph collections that contain identifiable health information on individuals who have been deceased for more than 50 years may use or disclose the information without regard to the HIPAA Privacy Rule.