QUESTION: Does the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule protect individually identifiable health information of deceased individuals?
ANSWER: Yes, for a certain period of time. The Privacy Rule protects a deceased individual’s individually identifiable health information for 50 years following the date of death. It does this by specifically excluding from the definition of “protected health information” the individually identifiable health information of an individual who has been deceased for over 50 years (45 C.F.R. §160.103).
As the U.S. Department of Health & Human Services (“HHS”) explains on its website, “This period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.”