How can a covered entity determine whether a person is a family member, or person involved in an individual’s care prior to death, for purposes of sharing protected health information about the decedent after death?
In some cases, it will be readily apparent to the covered entity that a person is a family member, or was involved in the individual’s care prior to death, because the person would have made themselves known to the covered entity prior to the individual’s death by either visiting with or inquiring about the individual, or the individual would have identified such person as being a family member, or other person involved in his or her care or payment for care, to a member of the covered entity’s workforce. In other cases, the covered entity need just have reasonable assurance that the person is a family member of the decedent or other person who was involved in the individual’s care or payment for care prior to death. For example, the person may indicate to the covered entity how he or she is related to the decedent or offer sufficient details about the decedent’s circumstances prior to death to indicate involvement in the decedent’s care prior to death. The Privacy Rule does not require formal verification of the identity and authority of the person but rather permits the covered entity to rely on the exercise of professional judgment in making the disclosure.