45 CFR 160.103, paragraph (2)(iv) of the definition of “protected health information”
The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual. This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes. During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information. With respect to family members or other persons involved in the individual’s health care or payment for care prior to the individual’s death, but who are not personal representatives, the Privacy Rule permits a covered entity to disclose the relevant protected health information of the decedent to such persons, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity.
How the Rule Works
The HIPAA Privacy Rule applies to the individually identifiable health information of a decedent for 50 years following the date of death of the individual. The Rule explicitly excludes from the definition of “protected health information” individually identifiable health information regarding a person who has been deceased for more than 50 years. See paragraph (2)(iv) of the definition of “protected health information” at § 160.103. Thus, for example, a HIPAA covered entity that maintains health or medical records, correspondence files, physician diaries and casebooks, or photograph collections that contain identifiable health information on individuals who have been deceased for more than 50 years may use or disclose the information without regard to the Privacy Rule because the information is not considered protected health information.
During the 50-year period of protection, the Privacy Rule generally protects a decedent’s health information to the same extent the Rule protects the health information of living individuals but does include a number of special disclosure provisions relevant to deceased individuals. These include provisions that permit a covered entity to disclose a decedent’s health information: (1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4)); (2) to coroners or medical examiners and funeral directors (§ 164.512(g)); (3) for research that is solely on the protected health information of decedents (§ 164.512(i)(1)(iii)); and (4) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h)). In addition, the Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care. See 45 CFR 164.510(b)(5). For uses or disclosures of a decedent’s health information not otherwise permitted by the Privacy Rule, a covered entity must obtain a written HIPAA authorization from a personal representative of the decedent who can authorize the disclosure. A decedent’s personal representative is an executor, administrator, or other person who has authority under applicable State or other law to act on behalf of the decedent or the decedent’s estate. See 45 CFR 164.502(g)(4), as well as guidance on personal representatives available at: https://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalreps.html, for more information.
Frequently Asked Questions on Decedents