The United States Department of Health and Human Services (HHS) provides a helpful set of questions and answers on its website regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Professionals should note that this guidance is informal, may be updated or withdrawn, and may differ from state laws. Below, we highlight three questions and answers from the HHS website.
Do the HIPAA Privacy Rule protections apply to the health information of deceased individuals?
Yes, for a period of 50 years following the date of death of the individual. During this period, the Privacy Rule protects the identifiable health information of the deceased individual to the same extent the Rule protects the health information of a living individual. However, in cases where a covered entity maintains a medical records archive or otherwise maintains health or medical records that contain identifiable health information on individuals who have been deceased for more than 50 years, such information is not considered protected health information (PHI) and may be used or disclosed without regard to the Privacy Rule.
Content reviewed last December 28, 2022
Does the HIPAA Privacy Rule permit a covered entity to disclose PHI about a decedent to family members or other persons involved in the care of the decedent?
Yes. The Privacy Rule permits a covered entity to disclose PHI about a decedent to a family member, or other person who was involved in the individual's health care or payment for care prior to the individual's death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include, depending on the circumstances, disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person's involvement in the decedent's care or payment for care. See 45 CFR 164.510(b)(5). For example, a covered health care provider could describe the circumstances that led to an individual's death with the decedent's sister who is asking about her sibling's death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent's estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.
Content reviewed last January 9, 2023
Does the HIPAA Privacy Rule require that a health care provider document a patient's expressed preference not to have the provider discuss the details of her health care with her family?
No. The Privacy Rule does not require that a health care provider document a patient's expressed preference not to have the provider discuss the details of the patient's medical conditions or health care with family members of the patient. However, while not required, we expect many providers do so (e.g., by making a note in the patient's medical file) as a means of ensuring the provider does not later violate the Rule by making such a disclosure. Such notes also would ensure that all current and future members of the workforce who are in a position to make such disclosures are aware of the individual's objection.
Content reviewed last September 18, 2013
A personal representative may stand in the shoes of a patient and exercise the patient's HIPAA rights on their behalf, including their right to request access to their medical records. A covered entity must treat an executor, administrator, or other person who has authority to act on behalf of a deceased individual, or of the individual's estate, as a personal representative with respect to PHI relevant to such representation. See 45 CFR § 164.502(g)(4). However, HIPAA permits a covered entity to disclose PHI about a deceased patient to family members or other persons who were involved in the patient's health care or payment for care prior to their death but who are not personal representatives, unless disclosing the PHI would be inconsistent with the patient's known preferences while they were alive. For example, this may include disclosures to the patient's adult children, provided the information disclosed to the children is limited to that which is relevant to their involvement in the patient's care or payment for care.
For more information, please contact Grant Dearborn, Kate Crawford, or another member of Shumaker's Health Law Service Line.