
Understanding posthumous data protections


The United States operates on a fragmented mix of federal regulations, state laws, and ethical guidelines. At the federal level, HIPAA sets specific protections for the protected health information (PHI) of deceased individuals for 50 years after their death. The Mayo Clinic study titled Medical Privacy After Death states, “the 50-year window of protection spanning roughly 2 generations is intended to strike an effective balance between the competing interests of family privacy and public access.” During this period, PHI is treated with the same confidentiality as that of living individuals, and disclosures typically require authorization from a personal representative such as the executor or administrator of the estate.

Common law generally does not extend privacy rights to the deceased, since these rights are considered personal and terminate upon death. In practice, this means that claims such as defamation or invasion of privacy cannot be pursued posthumously by family members. Some states have enacted statutes that provide limited protections for digital assets or personal information through wills or estate planning.


The ethical dilemmas in posthumous healthcare data privacy

There is often tension between preserving individual privacy rights and enabling scientific advancement through access to health data. While HIPAA requires 50-year protection of deceased individuals' PHI, researchers often circumvent consent requirements by de-identifying data or waiting until protections expire. This raises the question of whether posthumous data use respects the privacy preferences the individual expressed during life. Surviving family members may also face conflicts between honoring a deceased relative’s privacy and pursuing personal or legal interests in accessing sensitive health records.

The principles guiding posthumous data protection emphasize human dignity, transparency, and continuity of privacy preferences. The Oxford Internet Institute’s ethical framework prioritizes human dignity through five pillars: respect for persons, promotion of the common good, citizen science rights, data governance quality, and accountability. These align with the “continuity principle” identified in digital privacy studies, which argues that antemortem privacy settings (e.g., social media visibility or EHR access permissions) should persist after death unless explicitly overridden by legal directives. 

Implementation gaps remain: 47% of surveyed Americans express willingness to donate health data posthumously for research, yet existing laws like HIPAA and the Common Rule create ambiguity by exempting decedent data from standard human-subject research protections.


HIPAA and its limitations on deceased individuals' data 

According to a journal article by Kate C. Ashley on the data of deceased individuals, “In 2018, the Connecticut Supreme Court interpreted HIPAA as creating a private right of action when an individual sued a clinic for violating her HIPAA rights by disclosing her medical information to a third party without her knowledge or consent. However, the consensus among the federal courts of appeal remains that HIPAA neither creates nor implies a private right of action. The remaining remedies in HIPAA are fines against the violating entity, which still vindicate a patient’s right to privacy. It remains clear that Congress intended to protect posthumous privacy to personal health information and incorporated that intention in HIPAA’s statutory framework.”

§164.510(b) permits disclosures to family members or others involved in the deceased’s care or payment, provided the disclosure aligns with the individual’s known preferences, while §164.512(g) allows PHI sharing with coroners, medical examiners, and funeral directors to fulfill legal duties. 

HIPAA also authorizes disclosures to law enforcement if death results from suspected criminal conduct and facilitates organ donation efforts by allowing PHI access for procurement organizations. §164.512(i)(1)(iii) enables researchers to use decedents’ PHI without authorization if studies focus solely on deceased subjects, creating ethical tensions between privacy and scientific advancement.

Despite these protections, HIPAA’s limitations reveal systemic gaps. The 50-year protection period, while theoretically preserving dignity, risks obsolescence in an era of digitized, perpetual data storage, as PHI becomes unprotected after this timeframe. 

Personal representatives (e.g., estate executors) gain full access to PHI under §164.502(f), even if the deceased previously objected, undermining posthumous autonomy. The law also defers to stricter state privacy statutes, leading to jurisdictional inconsistencies: California’s Confidentiality of Medical Information Act, for example, imposes indefinite protections for mental health records, conflicting with HIPAA’s expiration rule.


The timelines associated with deceased patient data 

  1. 50-year PHI protection: HIPAA mandates that covered entities protect a deceased individual’s PHI for 50 years post-mortem under 45 CFR §164.502(f) unless state laws preempt with stricter requirements.
  2. Minimum retention period: HIPAA requires healthcare providers to retain medical records for at least six years from the date of death, but state laws may extend this timeframe.
  3. State law variations:
    • California requires indefinite protection of PHI under its Confidentiality of Medical Information Act.
    • Massachusetts mandates the retention of some records for 20 years post-death.
    • Minnesota imposes indefinite protections for “individual permanent medical records.”
  4. Record destruction: Covered entities may destroy PHI after meeting state retention requirements (e.g., 7–10 years in most states), ending HIPAA protections for that data.
  5. Family health history: PHI containing information about deceased relatives (e.g., family medical history) remains protected under HIPAA for 50 years from the living patient’s death, even if the relatives died earlier.
  6. Access requests: Personal representatives must receive a response within 30 days (extendable by 30 days) regarding access to deceased PHI.


How do advancements in genetic data impact deceased patients?

Studies reveal that stakeholders, including researchers, family members, and Institutional Review Boards, often disagree on whether actionable genetic findings should be disclosed to relatives, especially when the deceased’s preferences are unknown or contradictory. For example, relatives may benefit from learning about pathogenic mutations like BRCA2, but concerns arise over whether such disclosures respect the autonomy of the deceased.

The Human Tissue Act (HTA) provides a framework for accessing stored biological samples but differentiates between tissue and DNA samples, complicating consent requirements. Biobank policies also frequently omit provisions for the post-mortem use of genetic data, creating uncertainty for researchers and families seeking access.


The risk of identity theft from deceased patients’ records

A 2024 investigation by Cynerio uncovered dark web vendors selling 60,000 medical records of deceased individuals, including death dates. Fraudsters exploit these records to commit identity theft, open fraudulent credit accounts, or obtain medical supplies. For example, stolen data might be used to impersonate the deceased to secure loans or prescription drugs, leveraging the lack of oversight post-mortem. 

Thieves often target deceased patients’ data from hospitals, nursing homes, or funeral homes. For instance, fraudsters may skim obituaries for personal details or illegally purchase Social Security numbers (SSNs) linked to the deceased. Survivors such as Krista Nugent-Thomas (from a separate Newfoundland cyberattack case), who struggled to verify whether her late husband’s SSN had been compromised, illustrate the risk of fraud against estates. In the U.S., families are advised to “mask” SSNs in patient records and cancel driver’s licenses post-mortem to mitigate risks.


When can the health data of deceased individuals be accessed?

  1. Personal representatives (e.g., executors and administrators) may access records with legal documentation under HIPAA and state laws.
  2. Surviving spouses or next of kin (e.g., adult children, parents) can request records if involved in the deceased’s care or payment, provided no prior objections exist.
  3. Individuals with claims arising from the deceased’s death (e.g., clinical negligence, insurance disputes) may access relevant records.
  4. Coroners, medical examiners, or funeral directors can access PHI to fulfill legal duties (e.g., determining cause of death).
  5. Law enforcement may obtain PHI if death is suspected to result from criminal conduct.
  6. Researchers may use de-identified or anonymized data without consent if studies focus solely on deceased subjects.
  7. Organ procurement organizations can access PHI to facilitate donations.
  8. Public health authorities may disclose PHI to prevent harm to others (e.g., infectious disease outbreaks).
  9. Court orders can compel disclosure if familial disputes or legal claims require access.
  10. After 50 years post-mortem, PHI loses HIPAA protections and may be accessed for genealogy, research, or historical studies.
  11. Ethical exceptions permit disclosure if withholding information would cause serious harm to others or if the deceased explicitly consented to posthumous sharing.


How to securely share the PHI of deceased individuals 

  1. Obtain written consent from the deceased’s representative (e.g., executor, administrator) before disclosing PHI, unless an exception applies under HIPAA. For example, a covered entity must confirm the representative’s legal authority via probate documents or state-specific authorization forms.
  2. Transmit PHI using HIPAA-compliant email platforms such as Paubox that encrypt data in transit and at rest.
  3. Disclose PHI only under HIPAA-recognized exceptions:
    • Law enforcement: If death is suspected to result from criminal conduct.
    • Coroners/medical examiners: To determine the cause of death.
    • Organ procurement organizations: To facilitate donations.
    • Family members: If involved in the deceased’s care/payment and no prior objections exist.
  4. Share only the minimum PHI required for the purpose (e.g., disclose a death certificate to a funeral director but omit full medical history).
  5. Comply with state and federal laws:
    • HIPAA: Protects PHI for 50 years post-mortem.
    • 42 CFR Part 2: Imposes indefinite protections for substance use disorder treatment records.
    • State laws: Some extend protections (e.g., California’s indefinite mental health safeguards).
  6. Maintain records of PHI disclosures, including the recipient, purpose, and date, to ensure accountability.
  7. Retire or securely destroy PHI after the applicable protection period ends, adhering to federal and state retention laws.
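As an added example (not Paubox’s code or anything from the sources cited above), the timelines listed earlier and this sharing checklist can be expressed as a small rule table plus a gating function that refuses a release unless a recognized basis applies and writes the accountability record in the same step. The state abbreviations, the basis strings, and the assumption that unlisted states follow the federal baseline are mine.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative rule table built from the article's figures, not a legal reference.
HIPAA_PROTECTION_YEARS = 50    # 45 CFR §164.502(f): PHI protected 50 years post-mortem
HIPAA_MIN_RETENTION_YEARS = 6  # records kept at least six years from the date of death
INDEFINITE_PROTECTION_STATES = {"CA", "MN"}   # stricter state rules named in the article
STATE_RETENTION_YEARS = {"MA": 20}            # other states fall back to the federal minimum
EXCEPTION_BASES = {"law_enforcement", "coroner_medical_examiner",   # HIPAA-recognized
                   "organ_procurement", "family_involved_in_care"}  # disclosure exceptions

def add_years(d: date, years: int) -> date:
    try:                               # clamp 29 Feb to 28 Feb in a non-leap target year
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def protection_end(death: date, state: str, part2_record: bool = False) -> Optional[date]:
    # None means indefinite: 42 CFR Part 2 substance-use records or an indefinite-protection state.
    if part2_record or state in INDEFINITE_PROTECTION_STATES:
        return None
    return add_years(death, HIPAA_PROTECTION_YEARS)

def retention_end(death: date, state: str) -> date:
    # Earliest destruction date: the longer of the federal minimum and the state period.
    return add_years(death, max(HIPAA_MIN_RETENTION_YEARS, STATE_RETENTION_YEARS.get(state, 0)))

@dataclass
class DisclosureRequest:
    recipient: str
    purpose: str
    basis: str                        # "representative_authorization" or an EXCEPTION_BASES entry
    authority_verified: bool = False  # probate documents or state authorization form checked
    prior_objection: bool = False     # decedent objected to sharing with this family member

def may_disclose(req: DisclosureRequest) -> bool:
    if req.basis == "representative_authorization":
        return req.authority_verified
    if req.basis == "family_involved_in_care":
        return not req.prior_objection
    return req.basis in EXCEPTION_BASES

def release(log: list, req: DisclosureRequest, on: date) -> Optional[dict]:
    # Gate the release, then record recipient, purpose, basis and date for accountability.
    if not may_disclose(req):
        return None
    log.append({"recipient": req.recipient, "purpose": req.purpose,
                "basis": req.basis, "date": on.isoformat()})
    return log[-1]
```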


FAQs

Does HIPAA apply to coroners and law enforcement? 

Coroners and law enforcement agencies are generally not considered covered entities under HIPAA; therefore, they are not required to comply with HIPAA. However, healthcare providers may disclose PHI to these officials under specific circumstances.


Do hospitals and healthcare providers have a duty to secure deceased individuals' PHI, even beyond HIPAA’s scope?

Yes, hospitals and healthcare providers are obligated to protect the PHI of deceased individuals for 50 years following the date of death, as stipulated by the HIPAA Privacy Rule.


Are there state-level laws that offer stronger privacy protections beyond HIPAA?

Yes, certain state laws provide more stringent privacy protections than HIPAA. For example, New York's Public Health Law Section 18 offers greater patient privacy protections, and California's Confidentiality of Medical Information Act (CMIA) imposes stricter requirements on the disclosure of medical information.


Who qualifies as a “personal representative” under HIPAA for a deceased individual?

A personal representative is typically an individual with legal authority to act on behalf of the deceased, such as:

  • An executor or administrator of the estate
  • A court-appointed guardian
  • A legally authorized family member, depending on state laws