Does HIPAA require the decedent's information be kept for 50 years?

No, medical record retention obligations are not included in the Privacy Rule, and covered entities are free to destroy such records whenever state or other applicable legislation permits.

The HHS states that the Privacy Rule does not include a decedent's medical record retention requirements and "covered entities may destroy such records at the time permitted by State or other applicable law."

Does HIPAA still apply to the PHI of a deceased individual?

HIPAA's Privacy Rule protects the health information of the deceased for 50 years after their death, just as it does for living individuals. However, that does not mean records must be kept for 50 years. 

Protected health information (PHI) is still subject to HIPAA even after a person dies. The HIPAA Privacy Rule ensures that people's rights to privacy are respected by protecting the security and confidentiality of their health information. When sharing decedents' PHI, it must still be transmitted securely, with HIPAA compliant email being the easiest method.

When handling and releasing PHI of deceased individuals, covered entities must comply with the standards of the Privacy Rule, guaranteeing its confidentiality and security. The privacy rule notes some exceptions when using and sharing health information for purposes related to public health or other particular situations.

Personal representatives and PHI

Recent changes to the privacy rule expand the circumstances under which someone who was involved in a person's care or payment for care (but who is not the personal representative) can access the person's medical information after the person's death. These amendments also limit the time that covered entities must preserve health information to 50 years after the person's death.

The decedent's personal representative is the executor, administrator, or other person with authority under applicable law to act on behalf of the decedent or the decedent's estate.

Retention period of PHI

The retention period for PHI of a deceased person can vary depending on a combination of factors:

• State laws: State laws play a role in determining how long healthcare providers and facilities are required to retain medical records, including those of deceased individuals. These laws can vary widely from one state to another. Some states may specify a minimum retention period, while others leave it to the discretion of healthcare organizations.
• Type of record: Medical records may include various types of information, like clinical notes, diagnostic images, billing records, and administrative documents. Different types of records may have different retention requirements.
• Age of the deceased person: Some state laws or organizational policies may differentiate between the retention periods for adults and minors. Records of deceased adults might be kept for longer than records of deceased children.
• Legal considerations: If there are ongoing legal proceedings, claims, or investigations related to the decedent's medical history, healthcare providers may be obligated to retain the records until the legal matters are resolved.
• Organizational policies: Individual healthcare providers, hospitals, and medical facilities often establish their policies for the retention of medical records. 
• Ethics and best practices: In some cases, healthcare providers may choose to retain medical records for ethical or best practice reasons. For example, maintaining records for an extended period can assist with research, continuity of care for surviving family members, or quality improvement initiatives.
• Archival considerations: Some healthcare organizations may choose to archive medical records that are past their retention period. 
• Patient requests: In some cases, healthcare providers may be required to retain records longer than the standard retention period if requested by the patient or their personal representative.

Related: HIPAA and accessing a deceased relatives PHI

Discarding of PHI

Once the retention period expires, it is crucial to dispose of medical records securely. This includes shredding paper records and securely erasing electronic records to protect the privacy and confidentiality of the information.

Go deeper: How to properly dispose of electronic PHI under HIPAA