How Does HIPAA Apply after Death?

We all know that HIPAA regulations are in place to protect sensitive health information, but what happens to that information after a person dies? Here is what you need to know about how HIPAA applies after death.

In short, the HIPAA Privacy Rule states that an individual’s personal health information is protected for 50 years following their death. More specifically, according to the Department of Health and Human Services (HHS), “During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals.” In other words, there are some items of protected health information (PHI) that may be disclosed under certain conditions. Here are the specific provisions surrounding when a covered entity can disclose the PHI of a deceased individual, as outlined on the U.S. Department of Health and Human Services website:

(1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4))

(2) to coroners or medical examiners and funeral directors (§ 164.512(g))

(3) for research that is solely on the protected health information of decedents (§ 164.512(i)(1)(iii))

(4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h))

In addition, a covered entity can disclose a deceased individual’s PHI “to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.” This family member might be a spouse, domestic partner, sibling, parent, child, other relative, or even a friend—as long as the disclosed information pertains to that person’s involvement in the individual’s care, or to paying for such care.

Finally, in circumstances that lie beyond the provisions outlined in the HIPAA Privacy Rule, a covered entity must obtain written authorization from a personal representative of the decedent who can authorize the disclosure. The personal representative could be an administrator, executor, or other individual who has authority under applicable State or other law.