A deceased person's protected health information (PHI) retains a certain level of confidentiality and privacy protection, even after their death.
Does HIPAA still apply to PHI after a person dies?
HIPAA continues to apply to PHI even after a person dies. The HIPAA Privacy Rule safeguards the confidentiality and security of individuals' health information, ensuring their privacy rights are protected. This rule extends its provisions to the identifiable health information of deceased individuals.
Covered entities, including healthcare providers and health insurers, are obligated to adhere to the Privacy Rule's requirements when handling and disclosing the PHI of deceased individuals, ensuring that it is kept confidential and secure. While the Privacy Rule acknowledges the significance of privacy protection for deceased individuals, it also recognizes that certain exceptions may apply to the use and disclosure of health information for public health purposes or other specific circumstances.
What disclosures of PHI occur after a person dies?
- Notification of family or personal representatives: Covered entities may disclose PHI to inform the deceased's family members or personal representatives about their death and related matters.
- Medical examiner or coroner: PHI may be disclosed to a medical examiner or coroner to determine the cause of death or for other death investigation purposes.
- Public health reporting: If required by law, PHI may be disclosed to public health authorities for reporting vital statistics or other public health activities.
- Research purposes: In certain cases, PHI of deceased individuals may be used for research purposes, provided that appropriate privacy safeguards are in place and approval from an Institutional Review Board (IRB) is obtained.
- Organ donation: PHI may be disclosed to facilitate organ or tissue donation, if applicable, and with proper authorization.
- Law enforcement: PHI may be disclosed to law enforcement in specific situations, such as identifying or locating a suspect, witness, or missing person.
- Health oversight activities: PHI may be disclosed to government agencies responsible for monitoring and ensuring compliance with healthcare laws and regulations.
- Litigation and legal proceedings: PHI may be disclosed in response to a court order or subpoena or in other circumstances where required by law.
For how long is PHI protected?
When it comes to deceased individuals, the Privacy Rule extends its protection for a specific duration, typically 50 years after the person's death. During this 50-year period, the PHI of deceased individuals is treated with the same level of confidentiality and security as that of living individuals.