How Long Do HIPAA Rules Apply After Patient Death?

Does HIPAA protect patient information forever? What happens to those privacy safeguards once a patient passes away? These are common questions in healthcare, and the answers are more complicated than you might think.
In this blog post, we assess the duration for which HIPAA applies after death, shedding light on the implications for families as well as providers.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. Originally approved in 1996, this federal law protects the privacy and security of people's health information in the United States.
HIPAA sets rules for the use and sharing of Protected Health Information (PHI) to safeguard patient security, privacy, and confidentiality. These rules apply to both covered entities and their business associates.
Who Enforces HIPAA?
With something as vital as healthcare information, you may be curious about who enforces HIPAA regulations. This responsibility actually goes to the Office for Civil Rights (OCR). They ensure your healthcare information stays private by investigating complaints, conducting compliance reviews, educating health and social service workers, and taking corrective actions when necessary.
How Many Years After a Person’s Death Is PHI Protected?
It’s a good question. Unfortunately, death happens to everyone. So, does HIPAA apply even after death? The answer, in short, is that the HIPAA Privacy Rule continues to protect a deceased person's privacy for 50 years following their death.
This fifty-year period is specifically designed to protect the deceased's interests and maintain the living relatives' privacy expectations. This regulation protects a decedent's health information from illegal access, use, or disclosure.
After this period, the deceased individual's PHI is no longer protected under HIPAA rules. As a result, it can be used and released without the individual's permission, without violating privacy rules, and without risking legal consequences.
However, this doesn't mean health records are up for grabs immediately after someone dies. Only specific individuals or entities are allowed to have access to such information.
What Are Estate Planning Exceptions?
The health information of the deceased can be accessed by their personal representatives, including executors, administrators, or others with the power to act on the deceased's behalf or on behalf of the individual's estate. However, their access rights are akin to the deceased's rights while alive and extend only as far as necessary to represent the estate.
Covered entities, such as healthcare providers, have some leeway to disclose a decedent's PHI to family members or others who were involved in the deceased's care, or in handling the payment for that care, before the death. Such disclosure is permissible as long as the PHI shared is relevant to the person's involvement. The only exception is when disclosure would contradict the deceased's previously expressed wishes, as known to the covered entity.
HIPAA also permits uses and disclosures of a decedent's PHI for research. Before PHI is released for research after a patient's death, covered entities must obtain representations from the researcher that the PHI is necessary and meet additional procedural requirements.
Is It a HIPAA Violation To Say Someone Died?
Generally, saying someone died is not considered a HIPAA violation.
However, the HIPAA Privacy Rule outlines who can be informed of a person's death. It allows covered entities to communicate details about the deceased to friends, family, and other people the deceased person designated. Disclosures to these people must still comply with HIPAA's verification criteria.
The covered entity should only disclose necessary information and respect any pre-existing wishes that were known prior to the patient's death. It's important to avoid disclosing information not relevant to the purpose.
HIPAA violations when confirming death generally arise when a member of the workforce:
- Shares information with unauthorized individuals
- Discloses excessive information about the deceased
- Reveals information the deceased did not want disclosed
Are There HIPAA Accessibility Restrictions After Someone’s Death?
When trying to access their medical information, patients and their primary care partners may encounter a variety of obstacles. When loved ones want access to the deceased's records, they often run into even more difficult obstacles. These access-related obstacles are notably underreported.
To access the deceased person's medical records, you must be a legally recognized "personal representative" of the deceased, such as an executor or administrator of their estate, and present the healthcare provider with the required paperwork, such as a death certificate. This enables you to request the deceased person's PHI on their behalf in accordance with HIPAA regulations. Proof of your legal authority, in the form of a signed authorization form and a death certificate, will be required.
How Can You Ensure HIPAA Compliance?
To summarize, HIPAA's privacy protections for medical information remain in effect for 50 years after a person's death. The regulations control access to a decedent's PHI, ensuring confidentiality and dignity during a vulnerable time for the departed and their loved ones.
Disclaimer: This article is provided for general informational purposes and does not constitute legal advice. Always consult with a qualified legal professional regarding HIPAA requirements and compliance issues.