Does HIPAA Apply after Death?
HIPAA applies after the death of an individual for a period of fifty years, during which time the same limits apply to permissible uses and disclosures of PHI as if the individual were still alive. In addition, if a covered entity wishes to use or disclose any of the deceased's PHI for a purpose not permitted or required by the Privacy Rule, it must obtain an authorization from the deceased individual's personal representative.
It was not always the case that HIPAA applies after death for a period of fifty years. When the Privacy Rule was first proposed in 1999, the intention was to extend the privacy protections for a deceased individual's PHI for only two years after death. This meant that, after two years, a covered entity would have been able to use the deceased individual's PHI for any purpose (e.g., research, marketing, etc.) without authorization.
Because of concerns that PHI would be misused, the length of time HIPAA applies after the death of an individual was amended in the first Final Privacy Rule (§164.502(f)) to "as long as the covered entity maintains the information". This was also a contentious clause because a deceased individual's survivors and personal representatives would have no way of knowing whether PHI still existed once a state-mandated retention period for medical records had expired.
This issue was resolved in the 2013 HIPAA Omnibus Final Rule, which amended the standard to read:
(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart [the Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.
What this Means for Uses and Disclosures of PHI
In the context of answering the question "does HIPAA apply after death", all individually identifiable health information relating to the deceased individual, and any other information maintained in the same designated record set as that health information, has the same Privacy, Security, and Breach Notification Rule protections for fifty years as if the individual were still alive. (After fifty years, the information no longer meets the definition of PHI, which is why the Security and Breach Notification Rules also cease to apply.)
This means that PHI can only be used or disclosed for a purpose permitted or required by the Privacy Rule. All other uses and disclosures of the deceased individual's PHI must be authorized by a personal representative, which under the Privacy Rule is a person with authority under applicable law to act on behalf of the deceased individual or of the individual's estate (for example, an executor or administrator), not simply whichever relative is closest. In addition, where a breach involves a deceased individual's PHI, the breach notification must be sent to the next of kin or personal representative if the covered entity has their address.
What the fifty-year application of HIPAA protections following an individual's death does not mean is that covered entities must retain the deceased individual's PHI for fifty years. If, for example, state law mandates a minimum retention period of ten years, the covered entity can securely dispose of the PHI at any time after the state minimum retention period for medical records has expired, provided no other legal obligation (such as a litigation hold or another applicable retention law) requires it to be kept. While the PHI is retained, however, the full HIPAA protections continue to apply to it.
Does HIPAA Apply After Death? Conclusion
HIPAA does apply after death for a period of fifty years. However, covered entities do not have to maintain a deceased individual's PHI for any longer than state-mandated retention periods for medical records, except that any HIPAA-related documentation maintained in a designated record set (e.g., a patient authorization) has to be retained for a minimum of six years from the date of its creation or the date when it was last in effect, whichever is later, in order to comply with the HIPAA record retention requirements.