Does HIPAA Apply After Death?

Does HIPAA apply after death? The HIPAA Privacy Rule requires that covered entities and business associates develop safeguards to protect the privacy of protected health information (PHI). The Privacy Rule also sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. When a patient dies, covered entities and business associates are not free to use the patient’s PHI. The HIPAA Privacy Rule requires that a deceased individual’s PHI remain protected for 50 years following the date of the person’s death. 

Does HIPAA Apply After Death

Who Can Enforce Protection of Deceased Individuals’ PHI?

During the 50-year period of protection, the personal representative of the deceased individual (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the following rights under the Privacy Rule with regard to the deceased individual’s (decedent’s) PHI. These rights include:

  • The general right to authorize certain uses and disclosures of PHI
  • The general right to access the PHI

What Rights Do Individuals Who Are Not Personal Representatives Have?

With respect to family members or other persons involved in the individual’s healthcare or payment for care prior to the individual’s death, but who are not personal representatives, the HIPAA Privacy Rule permits a covered entity to disclose the relevant PHI of the deceased individual to those family members or other persons. “Relevant PHI” means PHI that was or is relevant to the person’s involvement in the decedent’s care or payment for care. There is an exception to this general rule. Disclosure is not permitted if disclosure is:

  • Inconsistent with any prior expressed preference of the deceased individual,
  • That the covered entity already knows about.

Therefore, if a patient informed a covered entity, before the patient’s death, that the patient did not want his or her PHI disclosed to:

  • A family member or other person
  • Involved in the deceased person’s healthcare or payment prior to death,

The covered entity may not disclose the PHI.

Make Sure You’re HIPAA Compliant

The HIPAA Privacy Rule imposes several requirements for healthcare organizations. Let us help make sure you meet them all!

Learn More

Are There Special Circumstances Permitting Disclosure During the 50-Year Period?

During the 50-year period of protection, the HIPAA Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals. 

However, the HIPAA Privacy Rule does include a number of special disclosure provisions relevant to deceased individuals. These include provisions that permit a covered entity to disclose a decedent’s health information: 

  • To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct;
  • To coroners or medical examiners and funeral directors;
  • For research that is solely on the protected health information of decedents; and
  • To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.

When is a Written Authorization Required?

For uses or disclosures of a decedent’s health information not otherwise permitted by the HIPAA Privacy Rule, a covered entity must obtain a written HIPAA authorization from a personal representative of the decedent who can authorize the disclosure.  A decedent’s personal representative is an executor, administrator, or other person who has authority under applicable State or other law to act on behalf of the decedent or the decedent’s estate.  

Does HIPAA Apply After Death: What Happens Once the 50-Year Period Has Passed?

Once the 50-year period has passed, the PHI is no longer considered to be protected health information under the HIPAA Privacy Rule. As such, covered entities that maintain, health or medical records, correspondence files, physician diaries and casebooks, or photograph collections that contain identifiable health information on individuals who have been deceased for more than 50 years may use or disclose the information without regard to the HIPAA Privacy Rule.

HIPAA Compliance Software

Learn How Simple Compliance Can Be

Get Compliant Today!