Does HIPAA Apply After Death?

Does HIPAA apply after death? The HIPAA Privacy Rule requires that covered entities and business associates develop safeguards to protect the privacy of protected health information (PHI). The Privacy Rule also sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

When a patient dies, covered entities and business associates are not free to use the patient’s PHI. The HIPAA Privacy Rule requires that a deceased individual’s PHI remain protected for 50 years following the date of the person’s death.

Who Can Enforce Protection of Deceased Individuals’ PHI?

During the 50-year period of protection, the personal representative of the deceased individual (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the following rights under the Privacy Rule with regard to the deceased individual’s (decedent’s) PHI. These rights include:

The general right to authorize certain uses and disclosures of PHI
The general right to access the PHI

What Rights Do Individuals Who Are Not Personal Representatives Have?

With respect to family members or other persons involved in the individual’s healthcare or payment for care prior to the individual’s death, but who are not personal representatives, the HIPAA Privacy Rule permits a covered entity to disclose the relevant PHI of the deceased individual to those family members or other persons. “Relevant PHI” means PHI that was or is relevant to the person’s involvement in the decedent’s care or payment for care. There is an exception to this general rule. Disclosure is not permitted if disclosure is:

Inconsistent with any prior expressed preference of the deceased individual,
That the covered entity already knows about.

Therefore, if a patient informed a covered entity, before the patient’s death, that the patient did not want his or her PHI disclosed to:

A family member or other person
Involved in the deceased person’s healthcare or payment prior to death,

The covered entity may not disclose the PHI.

Schedule a Demo

See the software that makes tracking compliance a breeze!

Schedule Now

Are There Special Circumstances Permitting Disclosure During the 50-Year Period?

During the 50-year period of protection, the HIPAA Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals.

However, the HIPAA Privacy Rule does include a number of special disclosure provisions relevant to deceased individuals. These include provisions that permit a covered entity to disclose a decedent’s health information:

To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct;
To coroners or medical examiners and funeral directors;
For research that is solely on the protected health information of decedents; and
To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.

When is a Written Authorization Required?

For uses or disclosures of a decedent’s health information not otherwise permitted by the HIPAA Privacy Rule, a covered entity must obtain a written HIPAA authorization from a personal representative of the decedent who can authorize the disclosure. A decedent’s personal representative is an executor, administrator, or other person who has authority under applicable State or other law to act on behalf of the decedent or the decedent’s estate.