HIPAA FAQ – Decedents
No. The Privacy Rule does not require that a health care provider document a patient’s expressed preference not to have the provider discuss the details of the patient’s medical conditions or health care with family members of the patient. However, while not required, we expect many providers do so (e.g., by making a note in the patient’s medical file) as a means of ensuring the provider does not later violate the Rule by making such a disclosure. Such notes also would ensure that all current and future members of the workforce who are in a position to make such disclosures are aware of the individual’s objection.
In some cases, it will be readily apparent to the covered entity that a person is a family member, or was involved in the individual’s care prior to death, because the person would have made themselves known to the covered entity prior to the individual’s death by either visiting with or inquiring about the individual, or the individual would have identified such person as being a family member, or other person involved in his or her care or payment for care, to a member of the covered entity’s workforce. In other cases, the covered entity need just have reasonable assurance that the person is a family member of the decedent or other person who was involved in the individual’s care or payment for care prior to death. For example, the person may indicate to the covered entity how he or she is related to the decedent or offer sufficient details about the decedent’s circumstances prior to death to indicate involvement in the decedent’s care prior to death. The Privacy Rule does not require formal verification of the identity and authority of the person but rather permits the covered entity to rely on the exercise of professional judgment in making the disclosure.
Generally, no. The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the decedent’s health care or payment for care prior to the decedent’s death, only if doing so is not inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. However, a family member that is a personal representative of the decedent (e.g., an executor or administrator of the decedent’s estate) is to be treated as the individual for purposes of the Privacy Rule with respect to protected health information relevant to the representation. In these cases, a covered health care provider may disclose relevant protected health information about the decedent to the family member, and the family member retains the right to receive a copy of the relevant information in the decedent’s medical record, without regard to the decedent’s prior objection.
Yes. The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include, depending on the circumstances, disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care. See 45 CFR 164.510(b)(5). For example, a covered health care provider could describe the circumstances that led to an individual’s death with the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.
No. When a covered health care provider, in the course of treating an individual or otherwise, collects an individual’s family health history, this information becomes part of the individual’s medical or other record and is treated as protected health information about the individual and not about the family member(s). Thus, even where an individual’s family health history includes information about family members who have been deceased for more than 50 years, the information is protected under the Privacy Rule as the health information of the individual.
No. The Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law.
Yes, for a period of 50 years following the date of death of the individual. During this period, the Privacy Rule protects the identifiable health information of the deceased individual to the same extent the Rule protects the health information of a living individual. However, in cases where a covered entity maintains a medical records archive or otherwise maintains health or medical records that contain identifiable health information on individuals who have been deceased for more than 50 years, such information is not considered protected health information and may be used or disclosed without regard to the Privacy Rule.
The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.
First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.
Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation.
Therefore, if it is within the scope of such personal representative’s authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.