HIPAA and Records of Deceased Persons

The HIPAA privacy and security rules generally apply to protected health information of deceased persons as well as the living. Providers may generally use or disclose such information as follows:

1. Treatment, Payment, or Operations. As with living persons, HIPAA allows providers to use or disclose protected health information of deceased persons for purposes of treatment, payment, or the provider's healthcare operations, unless the provider has agreed otherwise. (See 45 CFR 164.506 and 164.522(a)). This may include treatment of other living relatives. As the Office for Civil Rights (OCR) explained, “disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.” (OCR FAQ, available here).

2. To Family and Other Involved Persons. In the wake of the HIPAA Omnibus Rule, providers may now disclose protected health information about a decedent to a family member, relative, close friend, or other person identified by the decedent if: (1) the person was involved in the decedent’s care or payment for their healthcare prior to the decedent’s death; (2) such disclosure is not inconsistent with the decedent’s prior expressed preferences; and (3) the provider limits the disclosure to information relevant to the person’s involvement in the decedent’s care or payment. (45 CFR 164.510(b)(5)). “For example, a covered health care provider could describe the circumstances that led to an individual’s death to the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.” (OCR FAQ, available here).

3. As Authorized by the Personal Representative. Providers may disclose protected health information to or as authorized by the decedent’s personal representative. (45 CFR 164.502(g)(4)). The “personal representative” is the executor, administrator, or other person with authority under applicable law to act on behalf of the decedent or the decedent’s estate. (Id.). The legally authorized representative is entitled to information regardless of their prior involvement in the decedent’s care or the decedent’s wishes as to such disclosure. (OCR FAQ, available here). When in doubt as to whether a person is the legally authorized “personal representative,” the provider may, but is not necessarily required to, request that the person provide proof of their authority or sign an affidavit attesting to their authority.

4. Other Exceptions. As with living persons, providers may disclose protected health information about decedents as required by other laws or for certain public safety functions, e.g. to report abuse or communicable diseases; for certain law enforcement purposes, or; to prevent or lessen a serious and imminent threat of harm. (45 CFR 164.512). Providers should review the regulatory requirements before relying on one of these exceptions.

5. After 50 Years. HIPAA no longer applies to information of persons who have been deceased for more than 50 years. (45 CFR 160.103, definition of “protected health information”).

For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: (208) 383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


Unless you are a current client of Holland & Hart LLP, please do not send any confidential information by email. If you are not a current client and send an email to an individual at Holland & Hart LLP, you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us, unless we have already agreed to represent you or we later agree to do so. Thus, we may represent a party adverse to you, even if the information you submit to us could be used against you in a matter, and even if you submitted it in a good faith effort to retain us.