Do the HIPAA Privacy Rule protections apply to deceased individuals?

Yes, the HIPAA Privacy Rule protects the health information of deceased individuals for 50 years following their death. During this time, their identifiable health information is treated the same as that of living individuals, meaning it cannot be used or disclosed without proper authorization or as allowed by HIPAA’s regulations. 

What does the 50-year protection cover?

For 50 years after death, protected health information (PHI) includes any data that can identify the individual, such as medical records, treatment history, or billing information. The HHS states, "During this period, the Privacy Rule protects the identifiable health information of the deceased individual to the same extent the Rule protects the health information of a living individual."

When is disclosure of a deceased individual’s PHI allowed?

While HIPAA safeguards PHI, certain disclosures are permitted during the 50-year period to balance privacy with practical needs:

• For treatment or payment: PHI can be shared with providers involved in the deceased’s care or to process outstanding payments.
• To family members or caregivers: PHI may be disclosed to individuals involved in the deceased’s care or payment responsibilities unless the deceased expressed otherwise.
• For public health or legal purposes: Disclosures may occur for public health reporting, death investigations, or as required by law.
• To coroners, medical examiners, and funeral directors: PHI can help identify the deceased, determine the cause of death, or support funeral arrangements.

What happens after the 50-year period?

According to the HHS, "However, in cases where a covered entity maintains a medical records archive or otherwise maintains health or medical records that contain identifiable health information on individuals who have been deceased for more than 50 years, such information is not considered protected health information and may be used or disclosed without regard to the Privacy Rule." State laws, institutional policies, or ethical considerations may still restrict how this information is used or disclosed.

How to ensure deceased individuals’ records are protected during the required period

• Secure storage: Ensure medical records are stored in HIPAA compliant systems with robust encryption and access controls. Limit physical access to archived paper records by securing them in locked, monitored areas.
• Access control: Grant access to PHI only to authorized personnel, such as staff involved in treatment, payment, or other permitted purposes. Regularly review and update access permissions to prevent unauthorized use.
• Employee training: Train staff to recognize the importance of protecting PHI for deceased individuals, stressing the HIPAA requirements and common scenarios involving disclosure.
• Audits and monitoring: Regularly audit medical records systems to detect unauthorized access or potential breaches. Maintain an activity log for all electronic access to deceased individuals’ records.
• Business associate agreements (BAAs): Ensure that any third-party vendors (e.g., storage providers, IT services) handling records sign BAAs to guarantee HIPAA compliance.

Related: HIPAA guide for email and file protection

FAQs

What happens if a deceased individual’s PHI is accidentally disclosed during the 50-year protection period?

If a breach occurs, it must be handled like any other HIPAA breach, including notifying affected parties and reporting to the HHS Office for Civil Rights (OCR) if the breach meets reporting thresholds.

Can family members request access to a deceased individual’s complete medical record?

Family members can only access PHI relevant to their involvement in the individual’s care or payment unless they have legal authorization, such as being an executor or having power of attorney.

Are psychotherapy notes for deceased individuals treated differently under HIPAA?

Yes, psychotherapy notes receive heightened protection and are generally not disclosed even after death, except in very limited circumstances, such as with proper authorization or a legal requirement.