Accessing a deceased person's protected health information (PHI) could become necessary for various reasons related to healthcare and legal matters. HIPAA, therefore, allows such access under specific conditions.
Can a deceased person's information be shared?
Yes, under certain circumstances, HIPAA allows for the PHI of a deceased individual to be shared. One situation involves disclosing the information for treatment purposes, which allows relevant medical information to be shared with a healthcare provider treating a surviving family member. Additionally, if the deceased person had a legally authorized representative or executor, that individual is considered a personal representative and can access the deceased individual's relevant health information. In this case, the personal representative can obtain the information needed without requiring further authorization.
See also: Disclosures of PHI that occur during litigation
Conditions for PHI to be accessed
For deceased individuals, disclosures are generally allowed unless they conflict with the individual's prior expressed preferences.
Right of access
- Individuals have the right to access their health records under the HIPAA Privacy Rule. This right extends to personal representatives, including those authorized to make healthcare-related decisions on the individual's behalf.
HIPAA Right of Access
- In cases where a family member lacks requisite authority, the deceased individual can use their HIPAA right of access to direct a covered entity to share their PHI with the family member.
- The request must be written, signed by the individual, and specify the recipient and address for the PHI.
Other Privacy Rule provisions
- The Privacy Rule allows covered entities to share information with family members or individuals involved in an individual's care or payment, unless the individual objects.
- In cases of incapacity, disclosures are permissible if the covered entity deems it in the individual's best interest.
- For deceased individuals, disclosures are generally allowed unless they conflict with the individual's prior expressed preferences.
Written authorization
- Covered entities can disclose an individual's health information, including to family members, if the individual provides prior written authorization.
See also: How HIPAA balances privacy with patient safety in crisis situations
Who can access this information?
- Healthcare providers for treatment purposes: Healthcare providers directly involved in treating a surviving family member's medical needs can access relevant PHI to ensure appropriate medical care.
- Legally authorized personal representative: An individual who is legally authorized, either through State or other applicable law, to act on behalf of the deceased person or their estate can access the deceased person's PHI.
- Individuals themselves (HIPAA Right of Access): The deceased can use their HIPAA right of access to direct a covered entity to share their PHI with family members or others. This includes providing written authorization for sharing.
- Covered entities disclosing to family members and relevant parties: Covered entities are permitted to share information with family members or others involved in an individual's care or payment, as long as the individual does not object, and the information shared is relevant to the person's involvement in care or payment.
- Covered entities with prior written authorization: Covered entities can disclose an individual's health information, including to family members, if the individual provides prior written authorization for the disclosure.
See also: HIPAA Compliant Email: The Definitive Guide