General Surgery Coding Alert

Reader Question:

HIPAA Holds After Death

Question: Do HIPAA regulations require us to maintain a patient’s private health information after the patient dies, and if so, for how long?

Codify Subscriber

Answer: If a patient passes away, that doesn’t make his HIPAA agreement null and void. In fact, the HIPAA Privacy Rule protects a patient’s individually identifiable health information for 50 years after the date of death, according to the HHS Office for Civil Rights (OCR).

“During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information,” notes the OCR in 45 CFR 160.103 of the HIPAA Privacy Rule.

Keep in mind that if a family member needs information about the decedent’s healthcare specifically for the family member’s own healthcare treatment, the practice “may disclose a decedent’s protected health information, without authorization, to the healthcare provider who is treating the surviving relative,” the OCR says on its website in a separate question and answer.

Resource: For a closer look at the HIPAA Privacy Rule, visit www.hhs.gov/hipaa/for-professionals/privacy/guidance/health-information-of-deceased-individuals/index.html.