Skip Navigation

Do the HIPAA Privacy Rule protections apply to the health information of deceased individuals?

Answer:

Yes, for a period of 50 years following the date of death of the individual.  During this period, the Privacy Rule protects the identifiable health information of the deceased individual to the same extent the Rule protects the health information of a living individual.  However, in cases where a covered entity maintains a medical records archive or otherwise maintains health or medical records that contain identifiable health information on individuals who have been deceased for more than 50 years, such information is not considered protected health information and may be used or disclosed without regard to the Privacy Rule.