Question: According to HIPAA, should we maintain a patient’s private health information after he dies? And, is there a time limit?

Washington Subscriber

Answer: If a patient passes away, that doesn’t make his Health Insurance Portability and Accountability Act (HIPAA) agreement null and void. In fact, the HIPAA Privacy Rule protects a patient’s individually identifiable health information for 50 years after the date of death, according to the HHS Office for Civil Rights (OCR).

“During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information,” notes the OCR in 45 CFR 160.103 of the HIPAA Privacy Rule.

Keep in mind that if a family member needs information about the decedent’s healthcare specifically for the family member’s own healthcare treatment, the practice “may disclose a decedent’s protected health information, without authorization, to the healthcare provider who is treating the surviving relative,” the OCR says on its website in a separate question and answer.