Pathology/Lab Coding Alert

Reader Question:

Follow HIPAA Beyond the Grave

Question: Is our lab required to maintain a patient’s private health information after the patient’s death? If so, is there a time limit with the requirement?

Codify Subscriber

Answer: The HIPAA agreement does not become null and void following a patient’s death. In fact, the HIPAA Privacy Rule protects a patient’s individually identifiable health information for 50 years after the date of death, according to the HHS Office for Civil Rights (OCR).

“During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information,” notes the OCR in 45 CFR 160.103 of the HIPAA Privacy Rule.

Keep in mind that if a family member needs information about the decedent’s healthcare specifically for the family member’s own healthcare treatment, the practice “may disclose a decedent’s protected health information, without authorization, to the healthcare provider who is treating the surviving relative,” the OCR says on its website in a separate question and answer.

Resource: For a closer look at the HIPAA Privacy Rule, visit www.hhs.gov/hipaa/for-professionals/privacy/guidance/health-information-of-deceased-individuals/index.html.