Protecting Patient Privacy: Navigating HIPAA Rules for Deceased Patients

There is a common misconception that it is acceptable to disclose a deceased individual’s medical information to their family members without their consent. However, this is not the case. Protected health information (PHI), which includes medical records and other health information, is strictly regulated by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Under HIPAA, healthcare providers must maintain the confidentiality of a patient’s medical information for 50 years after death. This means that providers may not disclose a deceased patient’s medical information to family members without proper authorization unless certain conditions are met.

To disclose a deceased patient’s medical information to a family member, that individual must have been a “personal representative” of the deceased patient. A personal representative has the legal authority to make healthcare decisions on behalf of the patient. Examples include the parent of a minor child, an executor of the deceased patient’s estate, or an individual the patient named in a healthcare proxy.

When a family member claims to be a personal representative, it is essential for healthcare providers to verify this status before disclosing the deceased patient’s medical information. This verification process may involve requesting proof such as a copy of the deceased patient’s will or healthcare proxy, a court order establishing guardianship, or other legal documentation. This step is crucial in protecting patient privacy and preventing unauthorized disclosure.

It is important to note that disclosing a deceased patient’s medical information without HIPAA authorization or legal authority can result in serious consequences for healthcare providers, including civil money penalties for violating HIPAA. Therefore, healthcare providers must adhere to these rules and obtain proper authorization before disclosing a deceased patient’s medical information to family members.

Let's debunk a common myth: it is not acceptable to disclose medical information to family members after a patient dies. Healthcare providers must adhere to HIPAA regulations and obtain proper authorization or confirm the requester's status as a personal representative before disclosing a deceased patient’s medical information. Failure to do so can have serious legal and ethical implications.

For more “myth-busting,” follow me here on LinkedIn or DM me for more relevant content & information!