Understanding HIPAA Rules for Deceased Patients: Privacy After Death

When a patient dies, their medical records remain protected for at least 50 years following the death date as per the HIPAA Privacy Rule. When it comes to matters involving death and its legal implications, knowing HIPAA regulations is crucial to ensure that the patient’s privacy legacy lives on.

And in case you’re wondering whether there are also HIPAA rules for deceased patients, the short answer is yes. However, it is worth noting that only specific provisions apply. Read on to learn more about what HIPAA rules apply after death and why you should be aware of them to avoid violations and fines.

Who May Access a Deceased Patient’s Medical Records?

Under the HIPAA Privacy Rule, 45 CFR §164.502(g)(4), a deceased patient’s medical records immediately pass into the care of a personal representative or the next of kin. If the patient dies without leaving a will, the court will appoint an administrator or an authorized trustee to supervise the estate and act on behalf of the deceased.

However, HIPAA does not restrict a decedent’s health information to executors and administrators of estates. Organizations can also disclose a decedent’s protected health information (PHI) to a surviving relative for treatment purposes. Other family members involved in making healthcare decisions or payment of the deceased patient’s treatments before death are also allowed access.

HIPAA Rules for Deceased Patients

Regardless of a patient’s health condition, the HIPAA Privacy Rule generally protects PHI relating to the individual’s past, present, or future health status. Organizations and medical providers must also respect the individual’s wishes about how their records are disclosed for a period of 50 years after they pass on.

Common HIPAA Violations for Deceased Patients

Unlike the usual complaints, HIPAA violations involving deceased patients are infrequent. Most cases happen when a healthcare staff member accidentally or intentionally discloses the decedent’s information to unauthorized individuals. In addition, sharing more than what is relevant about the deceased, including anything the patient explicitly prohibited, is not permitted.

It is also worth noting that not all providers are subject to the HIPAA regulations for deceased patients. For instance, if staff at a private nursing home disclosed a deceased patient’s information, it is not considered a HIPAA violation, because that nursing home is not required to safeguard the individual’s PHI.

Nonetheless, it is crucial to remember that the HIPAA Privacy Rule generally applies in the same way as it does to a living individual’s PHI. Likewise, the personal representative of a living or deceased patient can authorize disclosures on the individual’s behalf.

Disclosing Protected Health Information (PHI) for Deceased Patients

Aside from the next of kin and the decedent’s estate, the deceased patient may also have expressed disclosure preferences to their medical provider. In that case, some information may be withheld from family members as the patient instructed, and the covered entity should respect the individual’s wishes. However, this exception does not apply to a relative who has been legally designated as a personal representative.

Under limited circumstances, the HIPAA Privacy Rule allows covered entities to release a deceased patient’s PHI even without authorization. This applies in particular to medical examiners or forensic pathologists who are authorized by law to determine the patient’s cause of death.

Exceptions to HIPAA’s Privacy Rule for Deceased Patients

For 50 years, the HIPAA Privacy Rule protects a deceased person’s medical records just as it did while they were alive. However, there are also a few special disclosure provisions.

Here are some of the exceptions for the disclosure of the deceased patient’s medical records:

  • If there was foul play associated with the patient’s death
  • If medical providers need the deceased patient’s PHI solely for research
  • If medical practitioners need to procure or transplant the deceased patient’s organs (i.e., organ donors)

Ensure Compliance While Safeguarding Your Patient’s Privacy Legacy

Your patient’s death does not signal the end of your duty to protect their confidential and sensitive medical information. Ensuring HIPAA compliance after death is the same as safeguarding a living person’s PHI. Now more than ever, it is essential to understand how you handle a deceased patient’s medical records, not only as your duty but also as a way of showing respect to the bereaved family.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
