HIPAA and Deceased Patients: How the Privacy Rule Applies for 50 Years After Death (45 CFR 164.502(f))
Executive Summary
Many small healthcare practices mistakenly assume that a patient’s death ends their responsibility to protect that individual’s medical records. In reality, HIPAA’s Privacy Rule continues to apply to a patient’s protected health information (PHI) for 50 years after their death, as mandated by 45 CFR § 164.502(f). This article outlines what small clinics must do to remain compliant, when disclosures are permitted, who qualifies as a personal representative, and how to handle requests from family, attorneys, and third parties. With clear procedures and documentation, small practices can protect patient privacy and avoid penalties even after life ends.
Introduction
When a patient passes away, the practice's privacy obligations don't end with them. Under HIPAA, PHI remains protected for decades following a person's death. This often surprises small practices, especially those dealing with estates, family disputes, or medical examiners.
Failure to follow proper procedures when releasing or withholding deceased patient information can result in privacy breaches, OCR audits, or even lawsuits from family members.
This guide explains how to properly navigate the post-mortem privacy provisions under HIPAA, focusing on practical steps for small offices and sole practitioners who may not have in-house compliance teams.
Understanding the 50-Year Rule Under HIPAA
The provision in question, § 164.502(f), states:
“A covered entity must comply with the requirements of this subpart with respect to protected health information of a deceased individual for a period of 50 years following the death of the individual.”
This means that PHI must be safeguarded in the same way as if the patient were alive, including applying the minimum necessary standard, verifying requestors’ identities, and limiting disclosures to allowable purposes.
Even though the patient is deceased, their privacy lives on.
Who Can Access PHI After Death?
1. Personal Representatives
HIPAA permits access to PHI by a personal representative of the deceased, typically:
- An executor of the estate
- An administrator appointed by probate court
- An individual with lawful authority to act on behalf of the deceased or the estate
Documentation must be collected to verify legal authority. Acceptable forms include:
- Letters testamentary
- Letters of administration
- Court orders
- Durable powers of attorney that survive death (depending on state law)
Once verified, the personal representative is treated as the patient under HIPAA, meaning they have the right to request, receive, or direct the disclosure of PHI.
2. Family Members and Others Involved in Care
HIPAA allows disclosures of PHI to family members or individuals involved in the decedent’s care or payment prior to death, provided:
- The PHI is relevant to that involvement
- The disclosure is not inconsistent with prior patient preferences
- No objections exist from a known personal representative
For example, a sibling who helped coordinate hospice care may be provided the decedent’s medical summary upon request unless the patient objected during life or a legal representative directs otherwise.
3. Legal and Government Entities
HIPAA allows disclosures without authorization in the following post-mortem situations:
- Medical examiners or coroners (for identifying cause of death)
- Funeral directors (to carry out services)
- Law enforcement (when required by law)
- Organ procurement organizations (for donation purposes)
- Public health officials (tracking certain diseases or conditions)
These are considered permitted disclosures under HIPAA, but documentation or identification should still be verified and logged.
Case Study: Unauthorized Disclosure After a Patient’s Death
In 2021, a behavioral health clinic committed a serious HIPAA violation involving the disclosure of a deceased patient's protected health information (PHI). The incident began when a man called the clinic claiming to be the brother of a recently deceased patient. He explained that he had helped care for his sister in her final months and requested a copy of her therapy notes "for closure." Without asking for legal documentation or verifying his relationship or authority, a staff member faxed the full therapy notes to the caller's office.
Several weeks later, the patient's adult daughter, who had been officially appointed as executor of the estate, filed a complaint with the Office for Civil Rights (OCR). She informed OCR that the brother was estranged from the family and had not been involved in the patient's care. More importantly, he had no legal authority to access her records.
OCR launched an investigation and found that the clinic had violated the HIPAA Privacy Rule under 45 CFR 164.502(f), which governs access to PHI after a patient's death. Specifically, the clinic failed to confirm the legal authority of the requester, did not apply the minimum necessary standard, and lacked a formal policy for handling PHI after death.
To resolve the issue, the clinic entered a resolution agreement requiring revised post-mortem disclosure procedures, full staff retraining, and six months of compliance monitoring. This case highlights the critical importance of verifying legal authority before releasing any records, even after a patient has passed away.
Lesson: Treat disclosures after death with the same level of scrutiny as any other PHI request. When in doubt, verify and document.
Best Practices for Small Practices Handling Deceased Patient Records
1. Verify Identity and Authority
Always request documentation to confirm the requestor’s role. This may include:
- Government-issued ID
- Court documents
- A copy of the death certificate (when needed)
- Signed authorization from the estate’s legal representative
Create a form or checklist to standardize the process across your staff.
2. Apply the Minimum Necessary Standard
Only disclose the minimum amount of PHI necessary for the requested purpose. For example:
- A billing agent needs access to financial records, not mental health notes
- A family member involved in care may receive a general treatment summary, not full visit notes or psychotherapy content
3. Retain Documentation of Disclosures
Keep records of:
- Who made the request
- Their relationship to the deceased
- What documentation they provided
- What information was released and when
Store this in the patient's file and retain it for a minimum of six years, per HIPAA's record-keeping rules.
4. Train Staff on Post-mortem Disclosures
HIPAA training for new and existing staff should include a section on how to handle deceased patient records, including:
- Who qualifies as a personal representative
- What disclosures require authorization
- When it’s okay to share with funeral directors or public health entities
5. Update Your Policies and Notice of Privacy Practices
Ensure your written HIPAA policies address the handling of PHI after a patient’s death. Your Notice of Privacy Practices (NPP) should also mention:
- Patient rights and protections post-death
- Who may request records
- When the practice may decline disclosure
Quick Reference Chart: PHI Disclosures After Death
| Requestor | PHI Disclosure Permitted? | Documentation Required | HIPAA Basis |
|---|---|---|---|
| Court-appointed Executor | Yes | Letters testamentary or court documents | § 164.502(f) |
| Family member involved in care | Sometimes | Statement of involvement; verify identity | § 164.510(b)(5) |
| Medical examiner or coroner | Yes | Request on letterhead or ID | § 164.512(g)(1) |
| Funeral director | Yes | Reasonable verification | § 164.512(g)(2) |
| Media or general public | No | Not permitted without valid authorization | § 164.508 |
| Former spouse | No | Unless named in legal documents | Not authorized automatically |
Regulatory References and Guidance
Final Takeaways and Recommendations
HIPAA compliance doesn’t end at death. For small practices, the post-mortem handling of PHI requires careful verification, documentation, and training. Your responsibility includes ensuring that:
- Only legally authorized individuals access deceased patient data
- PHI is not disclosed beyond what is necessary or permitted
- Disclosures are tracked and aligned with federal rules
Take the time now to build a procedure for handling these requests. A simple checklist and a trained front office can prevent costly compliance errors and honor your obligation to protect patient privacy both in life and beyond.