Do you need to retain a decedent’s health records for 50 years?
Liyanda Tembani Dec 10, 2024 1:51:47 PM
No, you are not required to retain a decedent’s health records for 50 years under HIPAA. The HIPAA Privacy Rule protects a decedent’s protected health information (PHI) for 50 years after death but does not impose record retention requirements.
What the HIPAA Privacy Rule requires
The HIPAA Privacy Rule requires covered entities to protect the confidentiality of a decedent’s PHI for 50 years after their death. However, HHS clarifies, "The Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law." Once your legal obligations under other applicable laws are met, you may securely destroy those records, even if the 50-year protection period is still in effect.
Retention requirements come from other sources
While HIPAA doesn’t dictate how long you must keep a decedent’s health records, other laws and standards do:
- State laws: Most states have specific regulations for how long medical records must be retained. For example, some states require retention for at least 5–10 years after a patient’s death.
- Professional standards: Medical boards or accreditation organizations often recommend minimum retention periods to align with best practices.
- Organizational policies: Your practice or healthcare system may have its own policies, which must comply with legal and professional guidelines.
Why retention policies matter
- Compliance: Adhering to state laws and professional standards protects your practice from legal risks.
- Continuity of care: Retained records may be valuable for ongoing family or research inquiries.
- Audits and investigations: Records may need to be available for regulatory audits or malpractice defense.
How to manage decedent records
Develop a clear, written policy outlining your procedures for retaining and securely destroying records, ensuring compliance with both state and federal regulations. When the retention period ends, securely dispose of records using methods like shredding for paper files or secure digital deletion for electronic records to safeguard patient confidentiality. Regularly review and update your retention policies to reflect changes in laws or regulations, maintaining compliance and operational efficiency.
FAQs
Does HIPAA require notifying family members before destroying a decedent’s medical records?
HIPAA does not require notification of family members before destroying a decedent’s records. However, state laws or organizational policies may include specific notification procedures.
Can a decedent’s health records be used for research during the 50-year protection period?
Yes, but researchers must meet HIPAA’s requirements for accessing PHI, such as obtaining Institutional Review Board (IRB) approval or a waiver of authorization.
Are decedent records treated differently under HIPAA compared to living patients’ records?
Under HIPAA, decedent records are treated similarly to those of living patients, except for the limitation that privacy protections end 50 years after the individual’s death.