Does HIPAA Apply after Death?


HIPAA applies after the death of an individual for a period of fifty years, during which time the same limits apply to permissible uses and disclosures of PHI as if the individual was still alive. In addition, if a covered entity wishes to use any of the deceased’s PHI for a purpose not permitted by the Privacy Rule, it is necessary to obtain an authorization from the deceased individual’s personal representative.

HIPAA has not always applied for fifty years after death. When the Privacy Rule was first proposed in 1999, the intention was to extend the privacy protections for a deceased individual’s PHI for only two years after their death. This meant that, after two years, a covered entity would be able to use the deceased individual’s PHI for any purpose (e.g., research or marketing) without authorization.

Because of concerns that PHI would be misused, the length of time HIPAA applies after the death of an individual was amended in the first Final Privacy Rule (§164.502(f)) to “as long as the covered entity maintains the information”. This was also a contentious clause because deceased individuals’ descendants would have no way of knowing whether PHI still existed after a state-mandated retention period for medical records had expired.

This issue was resolved in the HIPAA Omnibus Final Rule 2013, which amended the standard to read:

 (f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart [the Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.

What this Means for Uses and Disclosures of PHI

On the question of whether HIPAA applies after death, all personally identifiable health information relating to the deceased individual – and any other information maintained in the same designated record set as the health information – has the same Privacy, Security, and Breach Notification Rule protections for fifty years as if the individual was still alive.



This means that PHI can only be used or disclosed for a purpose permitted by the Privacy Rule. All other uses and disclosures of the deceased individual’s PHI must be authorized by a personal representative – usually the next of kin. In addition, all breach notifications must be sent to the next of kin unless an alternative personal representative was assigned prior to the individual’s death.

What the fifty-year application of HIPAA protections following an individual’s death does not mean is that covered entities must retain the deceased individual’s PHI for fifty years. If, for example, state law mandates a minimum retention period of ten years, the covered entity can securely dispose of the PHI at any time after the state minimum retention period for medical records has expired.

Does HIPAA Apply After Death? Conclusion

HIPAA does apply after death for a period of fifty years. However, covered entities do not have to maintain a deceased individual’s PHI for any longer than state-mandated retention periods for medical records, notwithstanding that any HIPAA-related documentation maintained in a designated record set (i.e., a patient authorization) has to be retained for a minimum of six years in order to comply with the HIPAA record retention requirements.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.