Where Does HIPAA Come into Play After a Death?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to address the use and disclosure of individuals’ health information by entities subject to the rule. HHS also issued the HIPAA Security Rule to protect all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form.

The goal of this law is to:

  • Provide portability
  • Combat fraud and abuse through Medicaid integrity
  • Simplify administrative aspects
  • Protect privacy and security of private health information

What Entities Are Covered Under HIPAA?

HIPAA covers all health care providers, health plans (health, dental, vision, and prescription drug plans), mental health care providers, Medicare, Medicaid, health care clearinghouses, and business associates that use or disclose individually identifiable health information to perform or provide functions, activities, or services for a covered entity.

What is Permitted Under HIPAA?

A covered entity can use and disclose protected health information without the individual’s authorization if:

  • The disclosure is made to the individual;
  • The information is used for treatment, payment, or health care operations;
  • The use or disclosure is incident to an otherwise permitted use or disclosure; or
  • The use or disclosure is in the best interest and benefit of the public (legal requirements, public health activities, health oversight, law enforcement, organ donation, etc.).

Does HIPAA Apply to Decedents?

In short, yes. After someone dies, some may argue that their personal information no longer matters and could therefore be disclosed, but their surviving family and friends might want to keep the decedent’s health information protected. For whatever reason – whether it is famous individuals keeping their diagnoses under wraps or people who had stigmatized diseases not wanting that sensitive information to become public – the descendants of the person who died can be justifiably protected.

Covered entities and business associates are mandated to uphold the confidentiality of health information pertaining to the individual and to make sure it is handled and transferred responsibly, as the law permits. According to the U.S. Department of Health and Human Services, the HIPAA Privacy Rule:

“…explicitly excludes from the definition of ‘protected health information’ individually identifiable health information regarding a person who has been deceased for more than 50 years… During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent’s estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent’s health information, such as authorizing certain uses and disclosures of, and gaining access to, the information.”

Are There Exceptions?

Every rule has its fair share of exceptions, and protecting health information under HIPAA after death is no different.

There are four major exceptions:

  1. To alert law enforcement to the decedent’s death when there is suspicion that their death resulted from criminal conduct;
  2. To coroners or other medical examiners or funeral directors;
  3. To conduct research solely on the decedent’s protected health information; or
  4. To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.

In addition to these four exceptions, there are more situational exceptions. For example, if someone was involved in the decedent’s health care or payment for that care before the death, the health care provider may release limited information about the decedent to that person.

Before someone dies, they can state that they want certain health information never to be released, and the covered entity must adhere to that instruction.

In other instances, HIPAA prohibits the release of protected health information without written authorization from the decedent’s personal representative. The representative must be authorized to act under the law of the state that granted them that power; executors of the decedent’s estate can serve in this role.

Despite these exceptions, HIPAA protects the vast majority of the decedent’s health information from the public for the period covered.

HIPAA protections are not discarded immediately upon death. The HIPAA Privacy Rule protects individually identifiable health information pertaining to a deceased individual for fifty years following their death; beyond those fifty years, the information is no longer protected and can therefore be disclosed or used freely.


Kubloss, Inc. (dba EstateGrid) has placed the information on this website as a service to the general public. It is not intended as legal, financial, or health advice or as a substitute for the particularized advice of a qualified professional. It is provided as is without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.