In the first half of 2026, large healthcare breaches had already affected more than 19 million people, and Paubox reported that 173 of 189 large breaches were tied to hacking or IT incidents. Paubox’s 2025 Healthcare Email Security Report also found 180 email-related healthcare breaches in 2024, while only 1.1% of analyzed organizations had a low-risk email security posture. It is why niche decedent workflows deserve more attention than they usually get. When a hospital is coordinating with a funeral home, a coroner, a medical examiner, or an organ procurement organization, the information being exchanged may be postmortem, but the privacy and security risk is still very current.

Confusion may be a team assuming that HIPAA ends at death, a lawyer assuming that HIPAA blocks any postmortem disclosure, or an IT team assuming that an ordinary email path is sufficient because the disclosure itself is lawful. All three can be wrong at once. As the Academic Forensic Pathology article on medical examiner and coroner access points out, hospitals continue to regularly misinterpret HIPAA in this regard, even though the rule specifically addresses disclosures regarding decedents.

 

The HIPAA rule people still misread

HIPAA does not stop when a patient dies. Weedn notes in the study cited above that HIPAA now covers a decedent’s protected health information (PHI) for 50 years after death, and he stresses that the privacy rule applies to PHI in “any form or medium,” including paper records, email, faxes, phone calls, and face-to-face conversations. Legacy workflows remain heavily reliant on handoffs, scanned forms, calls from the nursing station, and outbound email from health information management.

The best way to think about this topic is not as a list of entities that are outside HIPAA but as a set of narrow disclosure permissions inside an ongoing privacy regime. So HIPAA protects decedent PHI and then creates specific lanes for disclosure to certain recipients and purposes. The compliance question is usually whether the disclosure is in the right lane, for the right purpose, and through an actually secure channel.

There is also a matter of dignity here. In a review of privacy and confidentiality, Moskop writes that we should handle disclosures after death in a way that preserves the decedent’s reputation and dignity. It explains why postmortem information shouldn’t be considered operationally disposable, even if it is permissible to disclose.

 

What HIPAA permits for coroners and medical examiners

As Weedn writes, “Medical examiner and coroner government offices are not covered entities.” At the same time, HIPAA expressly allows a covered entity to disclose PHI to a coroner or medical examiner to identify a deceased person, determine cause of death, or carry out other duties authorized by law. In other words, covered entities do not need to guess whether HIPAA blocks a valid coroner or medical examiner request. The rule anticipates that request and permits it.

What HIPAA does not do is relieve the hospital, physician group or vendor acting on behalf of a covered entity of its own obligations. Weedn’s article makes that distinction clear, too. The coroner or medical examiner may not be a covered entity, but the sender still has to disclose PHI for a legitimate work purpose, appropriately limit the disclosure and exercise reasonable caution in handling the information. Weedn summarizes those workforce obligations as PHI should be used only for legitimate purposes; PHI should be limited to the minimum necessary for the work purpose; and PHI should be protected with reasonable care.

 

Where funeral directors and organ procurement organizations fit

Funeral directors are often talked about as if they exist in a vague grey zone. HIPAA is more specific than that. Under the rule, a covered entity can disclose PHI to funeral directors where the disclosures are consistent with applicable law and the information is needed by the funeral directors to carry out functions related to the deceased. The niche point that many teams miss is that the rule also provides for that disclosure prior to death when it is necessary and made in reasonable anticipation of death.

Organ procurement organizations differ, but it is the same story. HIPAA permits a covered entity to use or disclose PHI to organ procurement organizations and other entities involved in the donation of organs, eyes, or tissue from a cadaveric donor to facilitate donation and transplantation. It is not a blanket authorization to broadly disseminate decedent information across transplant-related workflows. It is a purpose-based permission to facilitate cadaveric donation and transplantation.

A volume on deceased donor transplantation from the National Academies states that “public trust is utterly indispensable” and that trustworthiness is a foundation of the legitimacy of the organ system. There is another reason this area is operationally sensitive. A 2023 Patterns article on transplant information governance warned that, in the current U.S. transplant system, “there are no regulations defining how organ procurement organizations must manage personal data and protect the privacy of donors and recipients.” It does not change HIPAA’s disclosure permission for covered entities, but it should change how seriously healthcare organizations treat their own role in the handoff. When governance is uneven across institutions, the sending side needs to be even more deliberate about scope, recipient identity, logging, and transport security.

 

What covered entities, vendors, and developers should do

Covered entities should develop a decedent-specific disclosure matrix and not rely on staff memory. The matrix should identify at least four lanes for disclosures by the coroner or medical examiner for purposes of identification, cause of death, or other duties authorized by law; disclosures by the funeral director that are necessary for duties related to the decedent, including the pre-death planning scenario HIPAA contemplates disclosures for organ procurement that facilitate cadaveric donation and transplantation and everything else, which should be considered separately. The goal is to make a legally gray area into a repeatable operational decision.

Compliance and privacy teams also should not treat any request related to death as inherently broad. Weedn’s summary of HIPAA workforce obligations takes a more narrow view, where legitimate purpose, minimum-necessary discipline, and reasonable caution. It means noting why the recipient has a right to the information, what purpose the disclosure is intended to serve, which fields or documents are needed for that purpose, and what overlays of state law may impact release.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

Who can access a deceased patient’s PHI?

A deceased patient’s personal representative can usually access the decedent’s PHI.

 

Can family members receive a deceased person’s medical information?

HIPAA permits disclosure to a family member or another person who was involved in the patient’s care or payment for care before death, unless the disclosure would conflict with a known prior preference expressed by the patient.

 

Can a hospital disclose PHI to a funeral director?

Yes, when the disclosure is necessary for the funeral director to carry out duties related to the deceased person and is consistent with applicable law.