Is discussing a person’s passing a HIPAA violation?
Tshedimoso Makhene
Feb 25, 2025 12:53:23 PM

Saying someone passed away can be a HIPAA violation, but it depends on who is making the statement, who the statement is made to, and what other information is disclosed. The HIPAA privacy rule protects individually identifiable health information, including details about a person’s past, present, or future health condition. This protection remains in place for 50 years following the individual’s death. However, in most cases, simply stating that someone has died does not constitute a HIPAA violation.
How HIPAA protects patient information after death
According to the U.S. Department of Health and Human Services (HHS), “The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual.” This regulation ensures that protected health information (PHI) remains confidential both during a patient’s lifetime and for 50 years after their passing.
During this period, healthcare providers must uphold the same level of privacy and security for the deceased’s PHI as they would for a living patient. Access is generally restricted to specific individuals, such as the personal representative of the deceased’s estate, typically designated through a will or estate plan.
In some cases, family members involved in the deceased’s care or payment for care may be granted limited access to PHI. However, this depends on whether the deceased had set specific privacy preferences before their death.
Read more: Does HIPAA require the decedent's information be kept for 50 years?
Who is subject to HIPAA rules?
Not all organizations are subject to the HIPAA privacy rule. HIPAA applies only to covered entities and their business associates. A covered entity includes healthcare providers, health plans, and healthcare clearinghouses that handle protected health information (PHI).
For example, suppose an employee of a private nursing home that is not a covered entity reveals that a resident has died. In that case, it is not a HIPAA violation because the facility is not required to protect individually identifiable health information under HIPAA. However, such a disclosure could violate state privacy laws.
Read also: What is a covered entity under HIPAA?
Who can be told someone has died under HIPAA?
The HIPAA privacy rule allows covered entities to disclose information about deceased individuals to specific people, but only in certain circumstances. These permitted disclosures are outlined in §164.510(b) and §164.512(g) of the HIPAA regulations:
Family, close friends, and others involved in care
Covered entities may disclose information about a deceased person to:
- Family members, relatives, and close personal friends of the deceased.
- Individuals identified by the deceased while they were alive as persons who could receive such information.
- Persons involved in the deceased's healthcare or payment for healthcare before their death.
These disclosures must be limited to the minimum necessary information and must comply with any known wishes of the deceased.
Coroners, medical examiners, and funeral directors
Under §164.512(g), covered entities may disclose PHI to:
- Coroners and medical examiners to identify the deceased or determine the cause of death.
- Funeral directors as necessary to carry out their duties.
For example, a hospital may disclose a patient’s death to the funeral home handling the arrangements, but should not share additional medical details unless required for official purposes.
When is saying someone died a HIPAA violation?
A HIPAA violation occurs when a covered entity or its workforce improperly discloses protected health information about a deceased individual. Some common violations include:
- Disclosing information to someone not permitted under HIPAA.
- Revealing more than the minimum necessary information.
- Disclosing information the deceased explicitly did not want to be shared.
For example, if a nurse in a hospital tells a reporter that a celebrity patient has died and also provides details about their illness, this would be a HIPAA violation. However, simply confirming the death without additional medical details may not violate HIPAA.
The role of personal representatives
A deceased individual's personal representative, usually their next of kin, has the same authority as the individual would have had in life regarding the disclosure of PHI. If a personal representative authorizes a disclosure that would otherwise violate HIPAA, the disclosure is no longer a violation.
For instance, if a patient’s next of kin allows a doctor to release medical details about their death, the disclosure is permitted under HIPAA. However, if the next of kin is unaware of the disclosure or objects to it, it may be considered a violation.
Related: Do personal representatives need to be HIPAA compliant?
In the news
A 34-year-old man was convicted of unlawfully accessing the private medical information of the late U.S. Supreme Court Justice Ruth Bader Ginsburg. Trent J. Russell was found guilty of wrongfully obtaining Ginsburg's private health data and destroying records related to the federal investigation that ensued. The incident occurred in 2019, when Ginsburg's hospital chart surfaced on the online message board 4chan, sparking a flurry of conspiracy theories about the justice's health and even false claims of her death.
The case underscores the importance of protecting patient privacy, even after death, and the consequences that can follow a breach of that trust. The unauthorized access and online dissemination of Ginsburg's information illustrate the harm that can result from weak data security practices. Healthcare organizations must enforce stringent policies to ensure sensitive patient information is protected at all times.
FAQs
Are there any exceptions to HIPAA's privacy protections for deceased individuals?
HIPAA's privacy protections for deceased individuals are subject to certain exceptions, particularly in cases where the disclosure of the deceased's medical records is necessary to prevent harm or protect public health and safety.
What are the consequences of violating HIPAA regulations regarding the privacy of deceased individuals' medical records?
Violating HIPAA regulations regarding the privacy of deceased individuals' medical records can result in civil monetary penalties, corrective action plans, and reputational damage for healthcare providers and covered entities.
What happens to a deceased individual's medical records if the healthcare provider ceases operations or is acquired by another entity?
If a healthcare provider ceases operations or is acquired by another entity, the responsibility for maintaining and safeguarding the deceased individual's medical records typically transfers to the successor entity or custodian designated by law.
Can individuals specify their preferences regarding the disclosure of their medical records after death under HIPAA?
HIPAA allows individuals to specify their preferences regarding the disclosure of their medical records after death through advance directives, such as healthcare proxies, living wills, or durable powers of attorney for healthcare.