HIPAA Privacy for Dead Persons - Confidentiality Beyond the Grave and After the End of the Doctor-Patient Privilege

Description

Under the HIPAA Privacy Rule, the confidentiality and privacy protections afforded to individuals’ health information do not automatically end with death. Instead, they continue to apply to a decedent’s protected health information (PHI) for 50 years after the date of death. The Privacy Rule defines PHI as individually identifiable health information held by a covered entity or its business associates, and this definition explicitly includes data about deceased persons for a 50-year period following death.

During the 50-year protected period, a covered entity—such as a health care provider, health plan, or health care clearinghouse—is generally required to safeguard a deceased individual’s health information in the same manner as it would for a living person, restricting unauthorized uses and disclosures. This means that simply being deceased does not lift HIPAA’s protections and that PHI remains subject to the Privacy Rule’s limits.

However, the Privacy Rule also includes special provisions that speak directly to the context of decedents. For example, covered entities may disclose PHI of a deceased individual to family members or others involved in the individual’s care or payment for care prior to death, unless doing so is inconsistent with any known prior expressed preferences of the individual. The disclosures must be limited to information that is relevant to the person’s involvement in the decedent’s care or estate matters.

The rule further permits disclosures in specific situations without authorization. Covered entities may share PHI about a decedent with law enforcement to alert them of death under suspicious circumstances, with coroners, medical examiners, or funeral directors as needed for their official functions, and with research entities when the PHI is solely for research on deceased individuals. Covered entities may also use decedent PHI to facilitate organ donation.

When it comes to accessing a decedent’s medical records, HIPAA recognizes that protected health information may be relevant to the treatment of surviving family members. Under the Privacy Rule, disclosures for treatment purposes do not require authorization; thus, a provider may disclose a deceased relative’s PHI to another provider treating a family member if it’s relevant to that treatment.

Additionally, a personal representative, often the executor or administrator of the decedent’s estate under applicable law, is treated as the individual for purposes of accessing and authorizing disclosures of the decedent’s PHI, to the extent authorized by law.

Importantly, HIPAA does not mandate retention of medical records for 50 years—covered entities may dispose of records according to state law or organizational policy. The 50-year protection period reflects how long PHI remains subject to HIPAA if retained.

Overall, HIPAA’s approach balances privacy interests of decedents and their families with practical needs for estate administration, treatment of surviving relatives, public health, law enforcement, and research.

Finally, examine some state licensure laws that state confidentiality survives the death of the patient, and learn some examples of health care practitioners who violated that.

Areas Covered in the Session

• HIPAA Privacy Rules Regarding Decedents
• HIPAA Rights for PHI and Decedent’s Family
• When and Who PHI Can be Disclosed to
• Special Situations when PHI can be Disclosed
• Documentation Preferences and Record Retention
• State Licensure Laws on Post-Death Confidentiality
• Horror Stories of Confidentiality Violations for Breaches After Death – You Mean a Dead Patient Complained???

Why should you Attend?

You should attend this webinar so that you are prepared in the event that a patient dies.

Who will Benefit?

Healthcare practitioners who work with individuals.