
Does HIPAA end when life does?

Many assume privacy obligations end with death, but HIPAA's protections do not. A patient's medical records remain confidential for decades after death, which matters both to the healthcare providers who hold them and to families who may need access to a loved one's health information.

How HIPAA protects patient information after death

According to the U.S. Department of Health and Human Services (HHS), "The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual." Throughout that period, covered entities must treat the decedent's protected health information (PHI) with the same care as a living patient's. The right to access the records passes to the decedent's personal representative: the executor or administrator of the estate, or another person with authority under applicable law to act on behalf of the decedent or the estate.

Family members, relatives or close friends who were involved in the deceased's care, or in paying for it, may also be given the PHI relevant to that involvement, unless doing so would be inconsistent with a preference the deceased expressed earlier and the provider knows about.

Read more: Does HIPAA require the decedent's information be kept for 50 years? 

Special circumstances permitting disclosure

During the 50-year protection period, the HIPAA Privacy Rule contains several provisions under which a covered entity may disclose a decedent's health information without authorization, including the following:

  • Alerting law enforcement: a covered entity may notify law enforcement of the death when it suspects the death may have resulted from criminal conduct.
  • Coroners, medical examiners and funeral directors: PHI may be disclosed to coroners and medical examiners to identify the deceased, determine the cause of death or carry out other duties authorized by law, and to funeral directors as needed to carry out their duties.
  • Research: PHI may be disclosed for research on decedents' information, provided the researcher represents that the use is solely for that research and that the PHI is necessary for it, and documents the death on request.
  • Organ procurement organizations and transplantation entities: PHI may be disclosed to facilitate organ, eye or tissue donation and transplantation.

The role of state laws

While HIPAA sets the federal floor, state laws often add another layer. Some states protect medical records for longer than 50 years or impose stricter rules on who may obtain them, and HIPAA does not preempt a state law that is more protective of the individual. Healthcare providers must satisfy both sets of requirements to stay compliant, and families seeking a loved one's records should be aware that state law may affect what they can obtain.

Legal advisors can help providers understand how HIPAA and state laws intersect. Advisors can help draft policies that protect confidentiality while allowing lawful access. Families can also benefit from legal guidance, particularly in cases where estate plans are unclear or disputes arise.

Accessing a deceased loved one’s medical records

Family members often wonder what rights they have to a deceased person's medical records. Under HIPAA, the decedent's personal representative has the primary right of access to PHI. This person is typically named in a will or estate plan, or appointed by a court, and is legally authorized to handle the deceased's affairs, including their medical records.

Other family members may also request access, particularly if they were involved in the deceased's care, and they usually need to document that involvement. The process typically involves submitting a formal request to the healthcare provider together with the required paperwork.

Read also: Do personal representatives need to be HIPAA compliant? 

Maintaining confidentiality after death

Healthcare organizations must keep the same safeguards in place after a patient dies: secure storage, administrative controls, and technical safeguards for both electronic and paper records. Regular audit-log review and risk analysis are fundamental to identifying vulnerabilities and improving data protection.

Training staff on confidentiality ensures everyone understands their role in protecting PHI, even for deceased patients. These efforts meet legal requirements and reflect the trust families place in healthcare providers during difficult times.
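
One concrete form the audit-log review can take is a script that walks the EHR access log and flags every read of a deceased patient's record that carries no recorded permitted purpose and did not come from the care team. The block below is an added example, not code from the original article or from any vendor; the log format, field names, purpose codes and all sample records are constructed assumptions to be mapped onto your own audit schema.

```python
"""Audit-log review for access to deceased patients' records.

Added illustration, not code from the original article. The log format,
field names, purpose codes and every sample record below are constructed
assumptions; map them onto your own EHR's audit schema before use.
"""
from datetime import date, datetime

# Constructed patient registry: medical record number -> date of death
# (None for a living patient).
DATE_OF_DEATH = {
    "MRN-1001": date(2019, 3, 4),
    "MRN-1002": None,
}

# Constructed care-team roster; treatment/payment/operations access by these
# users is expected to continue for a while after death (final billing, etc.).
CARE_TEAM = {
    "MRN-1001": {"dr.patel", "rn.lee"},
    "MRN-1002": {"dr.patel"},
}

# Purpose codes this check treats as permitted post-mortem disclosures.
# The code names are assumptions; the categories follow the Privacy Rule
# provisions discussed above.
PERMITTED_PURPOSES = {
    "PERSONAL_REPRESENTATIVE",
    "LAW_ENFORCEMENT_DEATH_INQUIRY",
    "CORONER_MEDICAL_EXAMINER",
    "FUNERAL_DIRECTOR",
    "DECEDENT_RESEARCH",
    "ORGAN_PROCUREMENT",
}


def protection_end(dod: date) -> date:
    """Last day of the Privacy Rule's 50-year post-mortem protection period."""
    try:
        return dod.replace(year=dod.year + 50)
    except ValueError:  # 29 February with no matching day 50 years later
        return dod.replace(year=dod.year + 50, day=28)


def is_hipaa_protected(mrn: str, on_iso: str) -> bool:
    """True while the record is PHI under HIPAA on the given ISO date.

    Living patients are always protected; decedents for 50 years after death.
    State law may protect the record for longer; that is not modelled here.
    """
    dod = DATE_OF_DEATH.get(mrn)
    if dod is None:
        return True
    return date.fromisoformat(on_iso) <= protection_end(dod)


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited audit line (constructed format):
    timestamp|user|role|mrn|action|purpose   (purpose may be empty)."""
    ts, user, role, mrn, action, purpose = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "mrn": mrn, "action": action, "purpose": purpose}


def review_decedent_access(lines) -> list:
    """Flag accesses to a decedent's protected record that carry no recorded
    permitted purpose and did not come from the patient's care team."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        dod = DATE_OF_DEATH.get(ev["mrn"])
        when = ev["ts"].date()
        if dod is None or when < dod:
            continue  # living patient, or access before death: out of scope
        if not is_hipaa_protected(ev["mrn"], when.isoformat()):
            continue  # past the 50-year period (check state law separately)
        if ev["purpose"] in PERMITTED_PURPOSES:
            continue
        if ev["user"] in CARE_TEAM.get(ev["mrn"], set()):
            continue
        findings.append({
            "ts": ev["ts"].isoformat(), "user": ev["user"], "role": ev["role"],
            "mrn": ev["mrn"], "action": ev["action"],
            "reason": "access to decedent record without a recorded permitted purpose",
        })
    return findings


# Constructed sample audit lines.
SAMPLE_LOG = [
    "2019-02-20T10:00:00|dr.patel|physician|MRN-1001|VIEW|TREATMENT",  # before death
    "2019-03-05T14:00:00|me.office|medical_examiner|MRN-1001|EXPORT|CORONER_MEDICAL_EXAMINER",
    "2019-03-06T08:15:00|rn.lee|nurse|MRN-1001|VIEW|TREATMENT",  # care team
    "2019-07-12T09:31:00|jsmith|lab_tech|MRN-1001|VIEW|",  # flagged
    "2019-07-12T09:40:00|jsmith|lab_tech|MRN-1002|VIEW|",  # living patient
    "2070-01-01T00:00:00|archivist|records|MRN-1001|VIEW|",  # past 50 years
]

if __name__ == "__main__":
    for finding in review_decedent_access(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, only the lab technician's read of MRN-1001 four months after death is flagged; the medical examiner's export carries a permitted purpose, the nurse is on the care team, and the 2070 access falls outside the 50-year window (though state law may still cover it). In practice the registry and roster would come from the EHR, and a finding would open a ticket for the privacy officer rather than just print.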

In the news

A 34-year-old man was convicted of unlawfully accessing the private medical information of the late U.S. Supreme Court Justice Ruth Bader Ginsburg

Trent J. Russell was found guilty of wrongfully obtaining Ginsburg's private health data and of destroying records related to the federal investigation that followed. The incident occurred in 2019, when Ginsburg's hospital chart surfaced on the online message board 4chan, fuelling conspiracy theories about the justice's health and even false claims that she had died.

The case underscores the value of protecting patient privacy even after death, and the consequences of breaching that trust. The unauthorized access to, and online dissemination of, Ginsburg's information illustrate the harm that weak data security practices can cause. Healthcare organizations must enforce stringent policies so that sensitive patient information is protected at all times.

FAQs

What steps should healthcare providers take to safeguard the confidentiality of deceased patients' PHI?

Healthcare providers must safeguard the confidentiality of deceased patients' PHI just as they do for living patients. Safeguards such as encryption, access controls, audit logging and secure disposal apply to this category of PHI in the same way.

Can healthcare providers release deceased patients' PHI to the media or the public?

Healthcare providers should not release deceased patients' PHI to the media or the public without authorization. PHI should only be disclosed for purposes permitted under HIPAA regulations.

See also: HIPAA and accessing a deceased relative's PHI

Are there any restrictions on disclosing deceased patients' PHI for organ donation or transplantation purposes?

HIPAA permits healthcare providers to disclose deceased patients' PHI for organ donation or transplantation purposes without authorization. However, such disclosures must comply with applicable state laws and regulations governing organ donation and transplantation.

Related: Safeguarding PHI in organ donation