The HIPAA privacy and security rules generally apply to protected health information of deceased persons as well as the living. Providers may generally use or disclose such information as follows:

  1. Treatment, Payment, or Operations. As with living persons, HIPAA allows providers to use or disclose protected health information of deceased persons for purposes of treatment, payment, or the provider's healthcare operations, unless the provider has agreed otherwise. (See 45 CFR 164.506 and 164.522(a)). This may include treatment of other living relatives. As the Office for Civil Rights (OCR) explained, “disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.” (OCR FAQ, available here).
  2. To Family and Other Involved Persons. In the wake of the HIPAA Omnibus Rule, providers may now disclose protected health information about a decedent to a family member, relative, close friend, or other person identified by the decedent if: (1) the person was involved in the decedent’s care or payment for their healthcare prior to the decedent’s death; (2) such disclosure is not inconsistent with the decedent’s prior expressed preferences; and (3) the provider limits the disclosure to information relevant to the person’s involvement in the decedent’s care or payment. (45 CFR 164.510(b)(5)). “For example, a covered health care provider could describe the circumstances that led to an individual’s death to the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate. However, in both cases, a provider generally should not share information about past, unrelated medical problems.” (OCR FAQ, available here).
  3. As Authorized by the Personal Representative. Providers may disclose protected health information to or as authorized by the decedent’s personal representative. (45 CFR 164.502(g)(4)). The “personal representative” is the executor, administrator, or other person with authority under applicable law to act on behalf of the decedent or the decedent’s estate. (Id.). The legally authorized representative is entitled to information regardless of their prior involvement in the decedent’s care or the decedent’s wishes as to such disclosure. (OCR FAQ, available here). When in doubt as to whether a person is the legally authorized “personal representative,” the provider may, but is not necessarily required to, request that the person provide proof of their authority or sign an affidavit attesting to their authority.
  4. Other Exceptions. As with living persons, providers may disclose protected health information about decedents as required by other laws or for certain public safety functions, e.g., to report abuse or communicable diseases; for certain law enforcement purposes; or to prevent or lessen a serious and imminent threat of harm. (45 CFR 164.512). Providers should review the regulatory requirements before relying on one of these exceptions.
  5. After 50 Years. HIPAA no longer applies to information of persons who have been deceased for more than 50 years. (45 CFR 160.103, definition of “protected health information”).