Who Can Access or Receive the PHI of Deceased Individuals?

Modified on Thu, 11 Jul at 5:43 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Under the HIPAA Privacy Rule, the PHI of a deceased person must be treated the same way that PHI would have been treated during the deceased person’s lifetime, for a period of 50 years following the death of the individual. In other words, the PHI of a deceased individual is protected for 50 years following that person’s death. Once the patient has been deceased for over fifty years, the PHI loses its status as PHI, and therefore falls out of HIPAA's regulatory scope. 

If, under state law, an executor, administrator, or other person has the authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat that person as a personal representative with respect to the deceased person’s PHI. For purposes of the law, the personal representative has the same rights with respect to the PHI as the deceased patient would have had if the patient were still alive.

Can Family Members, Relatives, or Close Personal Friends Access the PHI of Deceased Individuals?
Under the HIPAA Privacy Rule, a covered entity may disclose PHI to a family member, other relative, or a close personal friend of the deceased patient, or any other person identified by the individual during their lifetime, IF the protected health information is directly relevant to the family member’s (or other relative’s, or close personal friend’s) involvement with the individual’s health care or payment related to the individual’s health care.  The covered entity may also disclose, to the same class of persons (family members, other relatives, or close personal friends who were involved in the deceased's healthcare or payment related to that healthcare) PHI to the class

This disclosure to the family member, other relative, or close personal friend may not be made if the disclosure is inconsistent with any prior expressed preference of the individual that is known to the covered entity. (If, for example, the deceased patient had told a practice, “I do not want you discussing my health information with my father,” the practice would have to honor that request if the father asked for PHI to be disclosed to him after the patient’s death.)

In addition, if the family member, other relative, or close personal friend had no involvement with the person’s healthcare or payment related to their healthcare, a covered entity cannot disclose PHI to the family member, other relative, or close personal friend. In other words, the mere fact of a relationship or close friendship is an insufficient basis for disclosure.


Can the PHI of Deceased Individuals be Used for Other Purposes Not Listed Above?
A covered entity may, without having to obtain written authorization and without having to afford the opportunity to agree or object to the disclosure, disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for these same purposes.

A covered entity may, without having to obtain written authorization and without having to afford the opportunity to agree or object to the disclosure, also disclose the deceased individual's PHI: (1) to alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (§ 164.512(f)(4)); (2) for research that is solely on the protected health information of decedents (§ 164.512(i)(1)(iii)); and (3) to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation (§ 164.512(h)).

Does HIPAA Contain Other Rules About Deceased Patients?
Under the HIPAA Breach Notification Rule, affected individuals, the Department of Health and Human Services (HHS), and in some instances, prominent media outlets, must be notified of a breach of unsecured PHI. 

The Breach Notification Rule requires that covered entities notify affected individuals of breaches of unsecured PHI by written notification by first-class mail. The written notification must be sent to the last known address of the individual. If the individual agrees to electronic notice and such agreement has not been withdrawn, the notification may, in the alternative, be delivered by electronic mail.

If the covered entity knows that the individual is deceased and has the address of the next of kin or personal representative of the individual, the covered entity must provide written notification by first-class mail either to the next of kin or personal representative of the individual.








