Question: As a skilled nursing facility, what are our responsibilities for protecting or distributing private health information, in regard to HIPAA, to a resident’s family when a resident dies? What if family members that our facility doesn’t know request a resident’s information, especially if they claim it’s for their own personal healthcare knowledge? Ohio Subscriber Answer: The HHS Office for Civil Rights (OCR) addresses these questions on its website. As a covered entity (CE), a nursing facility has responsibilities to ensure that a resident’s privacy is protected, even after death. “In some cases, it will be readily apparent to the covered entity that a person is a family member, or was involved in the individual’s care prior to death, because the person would have made themselves known to the covered entity prior to the individual’s death by either visiting with or inquiring about the individual, or the individual would have identified such person as being a family member, or other person involved in his or her care or payment for care, to a member of the covered entity’s workforce,” the OCR says. “In other cases, the covered entity just needs to have reasonable assurance that the person is a family member of the decedent or other person who was involved in the individual’s care or payment for care prior to death. For example, the person may indicate to the covered entity how he or she is related to the decedent or offer sufficient details about the decedent’s circumstances prior to death to indicate involvement in the decedent’s care prior to death. The Privacy Rule does not require formal verification of the identity and authority of the person but rather permits the covered entity to rely on the exercise of professional judgment in making the disclosure,” the OCR says. However, the HIPAA Privacy Rule takes decedents’ rights into account as well. “The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative,” the OCR says. Your facility can recommend that the family member’s physician reach out to your facility directly. “Disclosures of protected health information for treatment purposes — even the treatment of another individual — do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative,” the OCR says.