Neurology & Pain Management Coding Alert

Reader Question:

Observe This Privacy Rule for Deceased Patients

Question: Per the Health Insurance Portability and Accountability Act (HIPAA), should we maintain a patient’s private health information after he dies? And if so, is there a time limit?

Montana Subscriber

Answer: If a patient passes away, that doesn’t make his HIPAA agreement null and void. In fact, the HIPAA Privacy Rule protects a patient’s individually identifiable health information for 50 years after the date of death, according to the HHS Office for Civil Rights (OCR).

“During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information,” notes the OCR in 45 CFR 160.103 of the HIPAA Privacy Rule.

Keep in mind that if a family member needs information about the decedent’s healthcare specifically for the family member’s own healthcare treatment, the practice “may disclose a decedent’s protected health information, without authorization, to the healthcare provider who is treating the surviving relative,” the OCR says on its website in a separate question and answer.