Paubox blog: HIPAA compliant email made easy

HIPAA rules for deceased patients

Written by Tshedimoso Makhene | March 06, 2024

HIPAA regulations provide confidentiality protection for sensitive medical information of both living and deceased patients. Healthcare providers must follow these regulations to ensure that they honor the privacy of deceased patients while maintaining the trust and integrity of the healthcare system.

 

Ongoing protection

Despite common misconceptions, HIPAA's patient privacy regulations do not end when a patient dies. Rather, these rules continue to protect deceased individuals' protected health information (PHI) for a specified duration, often 50 years beyond their death. This prolonged safeguarding honors the dignity and confidentiality of the deceased and those who survive them by keeping sensitive medical records confidential.


Application of the HIPAA Privacy Rule to deceased patients

The HIPAA Privacy Rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual. During the 50-year period, the Privacy Rule generally protects a decedent’s health information to the same extent as the Rule protects the health information of living individuals, but it does include a number of special disclosure provisions relevant to deceased individuals. 

These include provisions that permit a covered entity to disclose a decedent’s health information: 

  • To alert law enforcement to the death of the individual when there is a suspicion that death resulted from criminal conduct 
  • To coroners, medical examiners and funeral directors  
  • For research that is solely on the protected health information of decedents
  • To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs 

Furthermore, the Privacy Rule allows a covered entity to disclose PHI about an individual who has passed away to a family member or other person who was involved in the individual’s health care or payment for care prior to the individual’s death. However, this is permissible only if it does not contradict any prior explicit wishes of the deceased person that are known to the covered entity.

Go deeper: Health Information of Deceased Individuals

 

Considerations and exceptions regarding the disclosure of PHI for deceased patients

  • Limited PHI release: Healthcare providers may disclose PHI of deceased individuals to family members, relatives, or other individuals involved in the deceased's care or payment for care, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
  • Personal representatives: HIPAA defines a personal representative for a deceased individual as either an executor or administrator of the deceased's estate or an individual who has authority under applicable law to act on behalf of the deceased or the deceased's estate. Personal representatives have the same rights to access the deceased individual's PHI as the individual would have had.
  • Protection of PHI: Covered entities must still safeguard the confidentiality of deceased individuals' PHI and take reasonable steps to protect it from unauthorized access or disclosure.
  • Duration of protection: HIPAA protections typically apply to PHI for 50 years following an individual's death.
  • Research purposes: PHI of deceased individuals may be used or disclosed for research purposes under certain conditions, such as when the research has been approved by an institutional review board (IRB) or privacy board and the PHI is necessary for the research.
  • State laws: Some states may have additional or different requirements regarding the protection and disclosure of PHI for deceased individuals. Covered entities must comply with both HIPAA and any applicable state laws.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What steps should healthcare providers take to safeguard the confidentiality of deceased patients' PHI?

Healthcare providers have a responsibility to safeguard the confidentiality of deceased patients' PHI just as they do for living patients. Safety measures such as encryption, access controls, audits and secure disposal still apply to this category of PHI.

 

Can healthcare providers release deceased patients' PHI to the media or the public?

Healthcare providers should not release deceased patients' PHI to the media or the public without authorization. PHI should only be disclosed for purposes permitted under HIPAA regulations.

See also: HIPAA and accessing a deceased relative's PHI

 

Are there any restrictions on disclosing deceased patients' PHI for organ donation or transplantation purposes?

HIPAA permits healthcare providers to disclose deceased patients' PHI for organ donation or transplantation purposes without authorization. However, such disclosures must comply with applicable state laws and regulations governing organ donation and transplantation.

Related: Safeguarding PHI in organ donation