How Long is PHI Protected after Death?
The question of how long PHI is protected after death is often answered with “fifty years”, but that answer only describes how long PHI is protected after death by HIPAA, and even in that context “fifty years” is not necessarily correct.
The HIPAA Privacy Rule limits to fifty years the period for which covered entities must protect the privacy of individually identifiable health information after an individual’s death: the definition of protected health information in 45 CFR §160.103 excludes health information about a person who has been deceased for more than fifty years. The time period was chosen to balance the privacy interests of surviving relatives against the demands of archivists, biographers, and other interested parties who wish to access records of deceased individuals for historical purposes.
During the fifty years following an individual’s death, the same protections must be applied to the deceased individual’s Protected Health Information (PHI) as if the individual were still alive. Additionally, during this period, the decedent’s personal representatives have the right to request copies of the decedent’s PHI and to authorize uses and disclosures of the decedent’s PHI that are not otherwise required or permitted by the HIPAA Privacy Rule.
Medical Records Do Not Have To Be Retained for Fifty Years
However, the protections of the HIPAA Privacy Rule and the rights of the decedent’s personal representatives only apply for as long as the PHI remains in a covered entity’s possession, and HIPAA itself sets no minimum retention period for medical records (the six-year retention requirement in the Privacy and Security Rules applies to compliance documentation such as policies and procedures, not to patient records). Record retention periods come from state law, and in most states the required retention period for medical records is around ten years or less after an individual’s death. There are exceptions, for example Massachusetts requires hospitals to retain patient records for twenty years, but state retention periods are minimums rather than maximums, and in practice most medical records are destroyed well within fifty years.
For most covered entities, destroying records at the earliest allowable opportunity is a sound business decision. Storing fifty years of digital PHI can consume petabytes of space, and even the cheapest archive cloud storage can cost thousands of dollars per year for an average sized medical center. Furthermore, once medical records past their required retention periods have been destroyed, it is no longer necessary to safeguard their confidentiality, integrity, or availability, provided the destruction renders the PHI unreadable, indecipherable, and unrecoverable (for example by shredding paper records and securely wiping or physically destroying electronic media) rather than simply deleting it from an active system, where it may remain recoverable from backups or unallocated storage.
Therefore, a more accurate answer to the question of how long PHI is protected after death could be “up to fifty years”. However, even this answer is not entirely accurate, because there are circumstances in which PHI can be protected by HIPAA for more than fifty years after an individual’s death, and circumstances in which medical records can be protected for more than fifty years by more stringent state privacy laws that are not preempted by HIPAA.
How PHI can be Protected by HIPAA for More than Fifty Years
The HHS.gov website contains a lot of information relating to how long PHI is protected after death, including a “decedents FAQ”. One of the questions in the FAQ asks whether an individual’s family health history maintained in their medical record loses its protection when it involves family members who have been deceased for more than fifty years. The answer implies that PHI can be protected by HIPAA for hundreds of years after the death of the person the information is about.
“When a covered health care provider, in the course of treating an individual or otherwise, collects an individual’s family health history, this information becomes part of the individual’s medical or other record and is treated as protected health information about the individual and not about the family member(s). Thus, even where an individual’s family health history includes information about family members who have been deceased for more than 50 years, the information is protected under the Privacy Rule as the health information of the individual.”
How Long is PHI Protected after Death According to State Laws?
Under 45 CFR §160.203, HIPAA does not preempt a contrary state law that relates to the privacy of individually identifiable health information and is “more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 (the Privacy Rule)”; in that case the more stringent state law controls. There are two examples of when state privacy laws may require the protection of PHI for more than fifty years after the death of an individual.
The first is when a covered entity does not destroy medical records at the end of their required retention period and instead stores them indefinitely. A number of states have passed legislation with more stringent protections than the HIPAA Privacy Rule that does not stipulate when those protections expire (for example, California’s Confidentiality of Medical Information Act). In these states, it would be a violation of state law to remove the protection from PHI fifty years after an individual has died simply because HIPAA no longer requires it.
The second example is when states mandate that covered entities maintain an “individual permanent medical record”, effectively a summary of each patient’s medical history. In some states, the protection of these summaries is governed only by HIPAA; but in states such as Minnesota, which has enacted legislation similar to California’s, the more stringent state law controls and any PHI in the individual permanent medical record will have to be protected indefinitely.
How Long is PHI Protected? = How Long is a Piece of String?
In conclusion, although the HIPAA Privacy Rule requires covered entities to protect individually identifiable health information for fifty years after an individual’s death, a covered entity that lawfully destroys an individual’s PHI after seven years only has to protect that PHI for seven years. Conversely, if a more stringent state law requires an individual permanent medical record to be protected indefinitely, a covered entity might have to protect the PHI forever.
Therefore, there is no single correct answer to the question of how long PHI is protected after death, as the period of protection can depend on a covered entity’s retention policies, on whether an individual’s medical record includes distant family health history, on more stringent state laws, or on HIPAA itself. If your organization is unsure about its compliance requirements in relation to how long PHI is protected after death, you should seek advice from a compliance expert.