“The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the decedent’s health care or payment for care prior to the decedent’s death, only if doing so is not inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity,” says the HHS.
General rule: Limited sharing
The short answer is no. Covered entities are not permitted to share a deceased individual’s PHI with family members or others, except under specific conditions. These include:
Involvement in healthcare or payment before death
A covered entity may disclose PHI to family members or other individuals directly involved in the deceased’s healthcare or payment for that care before the individual passed away. However, this is only allowed if such disclosure aligns with the deceased’s known preferences.
Respect for expressed preferences
If the deceased had previously expressed a preference not to share their information with specific individuals, the covered entity must honor that wish. This restriction ensures that the individual’s privacy is maintained even after death.
Related: HIPAA and accessing a deceased relative's PHI
Role of personal representatives
An exception to the general rule involves the deceased’s personal representative. This individual, such as an executor or administrator of the decedent’s estate, is treated as the individual under the HIPAA Privacy Rule. This distinction grants the personal representative significant rights, including:
- Access to PHI that is relevant to their legal responsibilities.
- The ability to receive a copy of the decedent’s medical records.
Importantly, the decedent’s prior objections to disclosing PHI do not apply when the request comes from the personal representative. This ensures the personal representative can fulfill their duties, such as managing the estate or addressing legal matters.
Additional considerations
- State laws: Some states impose stricter rules on the disclosure of PHI, even after death. Covered entities must comply with both HIPAA and applicable state regulations.
- Sensitive records: Certain types of records, such as psychotherapy notes or substance use treatment information, may have additional protections under federal or state law.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
How long is a deceased individual’s PHI protected under HIPAA?
The PHI of a deceased individual is protected for 50 years after their death under the HIPAA Privacy Rule. After this period, the information is no longer considered PHI and is not subject to HIPAA protections.
What if state laws are stricter than HIPAA?
HIPAA does not override state laws. If state laws impose stricter regulations on the disclosure of a decedent’s PHI, those laws must be followed.
Can a surviving spouse access the decedent’s medical records?
Only if the surviving spouse is a personal representative of the decedent or if the disclosure is consistent with the decedent’s prior expressed preferences and relevant to their involvement in the decedent’s care or payment for care.
Tshedimoso Makhene
