The HIPAA privacy and security rules generally apply to protected health information of deceased persons as well as the living. Providers may generally use or disclose such information concerning deceased persons as follows:
1. Treatment, Payment, or Operations. As with living persons, HIPAA allows providers to use or disclose protected health information of deceased persons for purposes of treatment, payment, or the provider's healthcare operations, unless the provider has agreed otherwise. (See 45 CFR §§164.506 and 164.522(a)). This may include treatment of other living relatives. As the Office for Civil Rights (OCR) explained, “disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.” (OCR FAQ, available at https://www.hhs.gov/hipaa/for-professionals/faq/222/how-can-i-obtain-a-deceased-relative-medical-record/index.html).
2. To Family and Other Involved Persons. Providers may disclose protected health information about a deceased person to a family member, relative, close friend, or other person identified by the decedent if: (1) the person was involved in the decedent’s care or payment for their healthcare prior to the decedent’s death; (2) such disclosure is not inconsistent with the decedent’s prior expressed preferences; and (3) the provider limits the disclosure to information relevant to the person’s involvement in the decedent’s care or payment. (45 CFR § 164.510(b)(5)). “For example, a covered health care provider could describe the circumstances that led to an individual’s death to the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.” (OCR FAQ, available at https://www.hhs.gov/hipaa/for-professionals/faq/1503/does-hipaa-permit-a-covered-entity-to-disclose-information-about-a-decedent/index.html).
3. As Authorized by the Personal Representative. Providers may disclose protected health information to or as authorized by the personal representative of the deceased person. (45 CFR § 164.502(g)(4)). The “personal representative” is the executor, administrator, or other person with authority under applicable law to act on behalf of the decedent or the decedent’s estate. (Id.). The legally authorized representative is entitled to information regardless of their prior involvement in the decedent’s care or the decedent’s wishes as to such disclosure. (OCR FAQ, available at https://www.hhs.gov/hipaa/for-professionals/faq/1504/can-a-covered-entity-discuss-an-individuals-health-information-after-death/index.html). When in doubt as to whether a person is the legally authorized “personal representative,” the provider may, but is not necessarily required to, request that the person provide proof of their authority or sign an affidavit attesting to their authority. For more information about personal representatives, see the OCR guidance at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html.
4. Other Exceptions. As with living persons, providers may disclose protected health information about deceased persons if another HIPAA exception applies. For example, HIPAA allows disclosures:
(1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4)); (2) to coroners or medical examiners and funeral directors (§ 164.512(g)); (3) for research that is solely on the protected health information of decedents (§ 164.512(i)(1)(iii)); and (4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h)).
(OCR, Health Information of Deceased Individuals, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/health-information-of-deceased-individuals/index.html). Providers should review the regulatory requirements before relying on one of these exceptions.
5. After 50 Years. HIPAA no longer applies to information of persons who have been deceased for more than 50 years. (45 CFR 160.103, definition of “protected health information”).
For more information, see the OCR guidance published at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/health-information-of-deceased-individuals/index.html. Also, it is possible that other laws might apply, including 42 CFR part 2 (for substance use disorder records) or state laws; accordingly, providers should check their particular state laws to ensure compliance with any laws that provide more protection than that which is afforded by HIPAA.
Subscribe to get our Insights delivered to your inbox.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.