§164.502(f) Standard: Deceased individuals: A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.

From § 160.103 Definitions.
Protected health information means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition,[….]
(2) Protected health information excludes individually identifiable health information: [….] (iv) Regarding a person who has been deceased for more than 50 years.

Audit Inquiry

Do the covered entity’s policies and procedures protect the deceased individual’s PHI consistent with the established performance criterion? Inquire of management.
Obtain and review policies and procedures regarding use and disclosure of deceased individuals’ PHIs. Evaluate whether the policies and procedures are consistent with the established performance criterion.