In order to protect the privacy and security of patients’ information, the Health Insurance Portability and Accountability Act (HIPAA) imposes substantial obligations on covered entities (certain providers, plans, and health care clearinghouses), as well as their business associates. These obligations can be intrusive and costly, and can require substantial investments in electronic systems and personnel. Thus, many covered entities ask – when do these obligations terminate? Specifically, are covered entities still required to safeguard the Protected Health Information (PHI) of deceased individuals?
Covered entities’ HIPAA obligations remain in full effect for a period of 50 years following the death of an individual. This requirement is relatively new; it was put into place by the Final HIPAA Omnibus Rule passed in 2013, before which HIPAA obligations survived indefinitely. In other words, for the 50 years after a patient dies, covered entities must continue to safeguard his or her PHI. Such PHI may not be used or disclosed in a way prohibited by HIPAA, and in the event that an authorization is needed, such authorization must be signed by the individual’s personal representative. If under applicable state law, an executor, administrator, or other individual has authority to act on behalf of a deceased individual or his or her estate, then that individual must be treated as a personal representative for purposes of information relevant to such personal representation. Once 50 years have passed following a person’s death, his or her information is no longer subject to HIPAA and may be used by a covered entity for any purpose or disposed of, as the covered entity sees fit.