Keep Personal Health Information (PHI) Safe After Death: A Complete Guide

Have you ever wondered what happens to your sensitive health information after you pass away? Losing a loved one is difficult, and protecting sensitive health information is essential, even after death.

In this comprehensive guide, we'll cover everything you need to know about PHI protection after death. We'll discuss what PHI is, the HIPAA Privacy Rule that applies after death, and ways to protect PHI. We'll also cover who has access to PHI after death, how to avoid breaches, and the consequences of a breach. Following the best practices outlined in this article ensures that your privacy and your loved one's privacy and dignity are maintained.

What is PHI?

PHI, short for Personal Health Information, includes any medical data or records that can uniquely identify an individual. It encompasses your medical history, diagnoses, medication information, and contact details. Simply put, PHI is any information that can reveal your health status or past medical treatments.

Let's look at a few examples of PHI:

  • Medical history of the patient
  • Demographic information, such as name, address, driver’s license, and social security number
  • Test and laboratory results
  • Diagnosis and treatment information
  • Prescription information
  • Medical imaging and photographs
  • Health insurance information
  • Payment details and billing records
  • Any health information that can be used to identify an individual

Any information that identifies an individual related to their physical or mental health falls within the definition of PHI.

HIPAA Privacy Rule

Now that we know what PHI is, we need to understand the rules that govern its protection. Enter the HIPAA Privacy Rule! The Health Insurance Portability and Accountability Act (HIPAA) includes guidelines that ensure patient healthcare information privacy and security.

So how does the HIPAA Privacy Rule apply after a person's death? According to HIPAA regulations, PHI protection continues after a person's death. In other words, the same privacy and security measures that apply while a person is alive also apply after they pass away. Covered entities must continue safeguarding the deceased person's health information and ensure it's not disclosed or misused.

When someone passes away, healthcare providers must inform family members, legal representatives, and other authorized parties who have a legitimate reason to access the PHI.

How Long is PHI Protected?

But how long is PHI protected, you may ask? Well, it depends on the state in which the person lived.

In most states, the PHI of a deceased individual is protected for at least 50 years after their death. Some states, such as California and Minnesota, have laws that extend the protection indefinitely, for as long as the records exist. That can be quite a long time!

These laws apply to covered entities such as healthcare providers, insurance companies, and other organizations that handle patients' PHI. After a person's death, their PHI remains confidential, and their privacy must be maintained. Healthcare providers must take necessary precautions to safeguard their PHI and ensure it's not disclosed or misused.

That being said, the Privacy Rule does not require covered entities to keep records forever. They can destroy records as needed, as permitted by the state or other applicable laws. Most states require that records be kept for a minimum of 10 years. So, if a covered entity destroys all records after ten years, they are technically only protecting information for ten years.

If someone's record contains a detailed family history, this can get tricky: in that case, a record could effectively be protected for hundreds of years. For more detailed information, take a look through the HHS.gov website under the decedents FAQ.

So why do these laws exist? Well, they're in place to prevent unauthorized access to PHI, which could lead to identity theft, financial loss, and harm to the individual to whom the information belongs. Extending the protection of PHI for a set number of years after a person's death ensures that their privacy and dignity are respected.

PHI Protection Measures

Proper measures should be taken to protect a deceased person's PHI, including:

  1. Limited Access: The PHI of a deceased individual should be limited to those individuals who have a legitimate reason for access, such as legal representatives, family members, and healthcare providers.
  2. Deactivation of Online Accounts: Online accounts with healthcare providers, insurance companies, or any other platform that stores PHI should be deactivated or closed to prevent any future unauthorized access.
  3. Password Protection: Password protection should be employed for digital files and accounts storing PHI. Ensure that unique and strong passwords are used while employing additional security measures like two-factor authentication. It doesn’t hurt to change them every few months.
  4. Secure Storage: Physical copies of medical records or any other records must be securely stored in a fireproof safe to prevent unauthorized access.
  5. Legal Guidance: Seeking professional legal advice from experts can help ensure that all necessary precautions have been taken concerning PHI protection.

Each PHI security measure is crucial in maintaining the privacy and dignity of the deceased individual.

Who Can Access PHI After Death?

Access to a deceased person's PHI depends on factors like the person's relationship to the deceased individual, legal documentation provided to the covered entity, and state laws.

Under HIPAA regulations, legal representatives of the deceased person are allowed access to PHI strictly for administration purposes. Family members, relatives, and friends of the deceased person might not have automatic access to the individual's PHI unless they can provide legal documentation. Healthcare providers may also allow access to PHI for research and other purposes.

PHI Breaches

A PHI breach refers to the unauthorized access or release of personal health information. This breach could occur because of a malicious cyber-attack, negligence, or a disregard for HIPAA regulations.

When the PHI of a deceased person is breached, it can result in a wide range of consequences, including legal action, hefty fines, and reputational damage. Even though the law restricts the use of PHI after a person's death, any unauthorized disclosure of this information could lead to identity theft, financial loss, or harm to the deceased person's reputation and dignity.

For example, healthcare providers or insurance companies could face legal action and hefty fines for breaching confidentiality laws and failing to safeguard the PHI of a deceased person. In 2013, the University of Mississippi Medical Center had to pay $2.75 million in penalties for failing to secure the PHI of deceased individuals. A visitor stole a laptop from the Medical Intensive Care Unit (MICU), putting 10,000 patients at risk of identity theft.

Moreover, a PHI breach could potentially cause emotional distress and harm to the deceased person's family and loved ones. It could also impact their estate planning and inheritance matters. In some cases, the affected family members can take legal action against the responsible parties for the breach of their deceased loved one's PHI.

Consequences of a Breach

The consequences of a PHI breach can be severe, ranging from legal penalties to damage to an individual's health and financial situation. HIPAA regulations provide significant penalties for covered entities that breach PHI, and lawsuits are possible if the breach causes harm.

To avoid breaches, all covered entities must follow all HIPAA regulations and employ robust security measures to protect PHI.

In conclusion, protecting PHI after the passing of a loved one is essential in maintaining their privacy and dignity. By understanding what constitutes PHI, the HIPAA Privacy Rule, who can access PHI after death, and the measures for protecting PHI, we can honor our loved one's memory. Always consult legal professionals and experts for advice and stay informed about relevant regulations and laws. Through education, preparation, and awareness, we can safeguard PHI and respect our loved one's privacy.

Ensure your medical office is HIPAA compliant and protect patient confidentiality. Invest in the professional development of your staff with our HIPAA for Medical Office Staff training. Equip your team with the knowledge and tools they need. Get started today!