Cardiology Coding Alert

Reader Questions:

Learn How HIPAA Relates to Patient’s Death

Question: If a patient passes away, how long does my practice need to maintain their private health information (PHI), according to the Health Insurance Portability and Accountability Act (HIPAA) regulations?

Maine Subscriber

Answer: When a patient passes away, their HIPAA agreement is not suddenly terminated. According to the HHS Office for Civil Rights (OCR), the HIPAA Privacy Rule protects a patient’s individually identifiable health information for 50 years following the date of death.

“A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual,” HHS-OCR says in 45 CFR 164.502 of the Privacy Rule. The Privacy Rule also states, “If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.”

Additionally, if a family member requests the PHI of the deceased individual as it could pertain to their own health care, the “covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative,” the HHS-OCR states in a separate FAQ on its website.