Pulmonology Coding Alert

Reader Question:

Privacy Rules Don't Lapse When Patients Pass

Question: How long do I need to maintain a patient's private health information after that patient dies, per Health Insurance Portability and Accountability Act (HIPAA) regulations?

Codify Subscriber

Answer: If a patient passes away, that doesn't make his or her HIPAA agreement null and void. In fact, the HIPAA Privacy Rule protects a patient's individually identifiable health information for 50 years after the date of death, according to the HHS Office for Civil Rights (OCR).

"During the 50-year period of protection, the personal representative of the decedent (i.e., the person under applicable law with authority to act on behalf of the decedent or the decedent's estate) has the ability to exercise the rights under the Privacy Rule with regard to the decedent's health information, such as authorizing certain uses and disclosures of, and gaining access to, the information," HHS-OCR says in 45 CFR 160.103 of the Privacy Rule.

Keep in mind that if a family member needs information about the decedent's healthcare specifically for the family member's own healthcare treatment, the practice "may disclose a decedent's protected health information, without authorization, to the healthcare provider who is treating the surviving relative," HHS-OCR says on its website in a separate question and answer.