The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects the identifiable health information of a deceased individual for 50 years following their death. This period of protection for decedent health information considers the privacy interests of surviving relatives and other individuals with a relationship to the decedent. During this time, the personal representative of the decedent can exercise rights under the Privacy Rule, such as authorizing certain uses and disclosures of, and gaining access to, the information. After the 50-year period, the information is no longer considered protected health information, and can be disclosed without regard to the Privacy Rule.
Characteristics | Values |
---|---|
How long do HIPAA Privacy Rule protections apply after death? | 50 years |
Who can enforce protection? | The personal representative of the deceased individual |
Who is a personal representative? | The executor, administrator, or other person who has authority under applicable State or other law to act on behalf of the decedent or the decedent’s estate |
What rights do personal representatives have? | The general right to authorize certain uses and disclosures of PHI, and the general right to access the PHI |
What rights do individuals who are not personal representatives have? | The HIPAA Privacy Rule permits a covered entity to disclose the relevant PHI of the deceased individual to those family members or other persons involved in the individual’s healthcare or payment for care prior to the individual’s death |
Are there exceptions to this? | Disclosure is not permitted if it is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity |
Are there special circumstances permitting disclosure during the 50-year period? | Yes, including disclosures to alert law enforcement to a death, to coroners, for research, and to organ procurement organizations |
When is a written authorization required? | For uses or disclosures of a decedent’s health information not otherwise permitted by the HIPAA Privacy Rule |
What You'll Learn
- The HIPAA Privacy Rule protects the identifiable health information of a deceased individual for 50 years after their death
- After 50 years, identifiable health information is no longer protected
- Family members can access a deceased individual's health information if it is relevant to their own healthcare
- A deceased individual's personal representative can exercise rights under the Privacy Rule
- Special circumstances permit disclosure of a decedent's health information during the 50-year protection period
The HIPAA Privacy Rule protects the identifiable health information of a deceased individual for 50 years after their death
The HIPAA Privacy Rule offers protections for the identifiable health information of a deceased individual for 50 years after their death. This means that for 50 years, a decedent's health information is protected to the same extent as the health information of a living individual.
During this 50-year period, the personal representative of the deceased individual (i.e., the person with legal authority to act on behalf of the decedent or their estate) can exercise rights under the Privacy Rule, such as authorizing certain uses and disclosures of the decedent's identifiable health information, and accessing it.
The Privacy Rule also permits a covered entity to disclose the relevant protected health information of the decedent to family members or other persons involved in the individual's healthcare or payment for care prior to death, unless doing so contradicts a known prior expressed preference of the deceased individual.
After the 50-year period has passed, the identifiable health information of the deceased is no longer considered protected health information, and it can be used or disclosed without regard to the Privacy Rule.
This extended period of protection for a decedent's health information balances the privacy interests of surviving relatives and others connected to the deceased with the need for historians, biographers, and others to access old records for historical purposes.
After 50 years, identifiable health information is no longer protected
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects identifiable health information of a deceased individual for 50 years following their death. This period of protection is in place to balance the privacy interests of surviving relatives and other individuals who had a relationship with the deceased, with the need for archivists, biographers, historians, and others to access old or ancient records for historical purposes.
During these 50 years, the Privacy Rule protects the health information of the deceased to the same extent that it would if they were alive. However, there are some special disclosure provisions that apply to the deceased. For example, covered entities are permitted to disclose a decedent's health information to alert law enforcement if the death is suspected to have resulted from criminal conduct. Another example is that disclosures can be made to coroners, medical examiners, and funeral directors.
After the 50-year period has passed, identifiable health information is no longer considered protected health information under the HIPAA Privacy Rule. This means that covered entities, such as health care providers, that maintain medical records, correspondence files, physician diaries, or photograph collections containing identifiable health information on individuals who have been deceased for more than 50 years may use or disclose this information without regard to the Privacy Rule.
It is important to note that the HIPAA Privacy Rule provides ways for surviving family members to obtain the protected health information of a deceased relative. Firstly, disclosures of protected health information for treatment purposes do not require authorization, so a covered entity may disclose a decedent's protected health information to a health care provider treating a surviving relative without authorization. Secondly, a covered entity must treat a deceased individual's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on behalf of the deceased or their estate, as a personal representative with respect to protected health information. This allows the personal representative to obtain the information or authorize its disclosure if it is within their scope of authority under the law.
Family members can access a deceased individual's health information if it is relevant to their own healthcare
The HIPAA Privacy Rule recognises that a deceased individual's health information may be relevant to a family member's healthcare. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.
Firstly, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorisation. This means that a covered entity may disclose a decedent's protected health information, without authorisation, to the healthcare provider treating the surviving relative.
Secondly, a covered entity must treat a deceased individual's legally authorised executor or administrator, or a person who is otherwise legally authorised to act on behalf of the deceased individual or their estate, as a personal representative with respect to protected health information relevant to such representation. Therefore, if it is within the scope of such personal representation, the Rule permits the personal representative to obtain the information or provide the appropriate authorisation for its disclosure.
The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death. This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.
During the 50-year period of protection, the personal representative of the decedent has the ability to exercise the rights under the Privacy Rule with regard to the decedent's health information, such as authorising certain uses and disclosures of, and gaining access to, the information.
In addition, the Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member or other person who was involved in the individual's healthcare or payment for care prior to their death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is relevant to the person's involvement in the decedent's care or payment for care.
A deceased individual's personal representative can exercise rights under the Privacy Rule
The HIPAA Privacy Rule protects the identifiable health information of a deceased individual for 50 years following their death. During this time, a deceased individual's personal representative—that is, a person with the authority under applicable law to act on behalf of the individual or their estate—can exercise rights under the Privacy Rule. This includes the ability to authorise certain uses and disclosures of the decedent's health information, and to gain access to it.
The personal representative can be an executor, administrator, or other person who has authority under state or other law to act on behalf of the decedent or their estate. This may include a person with a power of attorney or court-appointed legal guardian.
The Privacy Rule requires covered entities to treat the personal representative as the individual with respect to uses and disclosures of the individual's protected health information, as well as the individual's rights under the Rule. This means that covered entities must provide the personal representative with an accounting of disclosures and provide access to the decedent's protected health information.
It is important to note that the personal representative's authority to act on behalf of the deceased individual is derived from their authority under applicable law to make healthcare decisions for the individual. If the personal representative's authority is limited to specific healthcare decisions, then their access to protected health information is also limited to information relevant to those specific decisions.
Additionally, in cases of suspected abuse, neglect, or endangerment, a covered entity may choose not to treat the personal representative as such if it is determined that doing so would not be in the best interests of the individual.
After the 50-year period of protection, the Privacy Rule no longer applies to the health information of the deceased individual, and the personal representative no longer has the same rights to authorise disclosures or access the information.
Special circumstances permit disclosure of a decedent's health information during the 50-year protection period
The HIPAA Privacy Rule protects the identifiable health information of a decedent for 50 years following their death. During this time, the Privacy Rule generally protects a decedent's health information to the same extent as that of a living individual. However, there are special circumstances that permit the disclosure of a decedent's health information during this 50-year protection period.
One such circumstance is when a covered entity, such as a healthcare provider, discloses a decedent's health information to alert law enforcement to the death of the individual when there is a suspicion that death resulted from criminal conduct. Another circumstance is when a covered entity discloses information to coroners, medical examiners, or funeral directors. Additionally, disclosures are permitted for research that is solely focused on the protected health information of decedents.
Furthermore, covered entities are allowed to disclose a decedent's health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue. This is to facilitate organ, eye, or tissue donation and transplantation. During the 50-year protection period, covered entities may also disclose a decedent's protected health information to family members or other persons involved in the individual's healthcare or payment for care prior to their death, unless doing so contradicts any prior expressed preference of the deceased.
Frequently asked questions
Yes, the HIPAA Privacy Rule protects the identifiable health information of a deceased individual for 50 years following their death.
The personal representative of the deceased individual can enforce protection of their PHI. This person has the authority to act on behalf of the deceased or their estate. They can authorize certain uses and disclosures of PHI and access the PHI.
The HIPAA Privacy Rule permits covered entities to disclose relevant PHI to family members or other persons involved in the individual's healthcare or payment for care prior to their death, unless it goes against the deceased individual's prior expressed preference.
Yes, there are a number of special disclosure provisions relevant to deceased individuals, including:
- Alerting law enforcement to the death if there is a suspicion of criminal conduct.
- Disclosing information to coroners, medical examiners, and funeral directors.
- Researching protected health information of decedents.
- Facilitating organ, eye, or tissue donation and transplantation.