We proposed to extend privacy protections to the protected health information of a deceased individual for two years following the date of death. During the two-year time frame, we proposed in the definition of "individual" that the right to control the deceased individual's protected health information would be held by an executor or administrator, or other person (e.g., next of kin) authorized under applicable law to act on behalf of the decedent's estate. The only proposed exception to this standard allowed for uses and disclosures of a decedent's protected health information for research purposes without the authorization of a legal representative and without the Institutional Review Board (IRB) or privacy board approval required (in proposed § 164.510(j)) for most other uses and disclosures for research.
In the final rule (§ 164.502(f)), we modify the standard to extend protection of protected health information about deceased individuals for as long as the covered entity maintains the information. We retain the exception for uses and disclosures for research purposes, now part of § 164.512(i), but also require that the covered entity take certain verification measures prior to release of the decedent's protected health information for such purposes (see §§ 164.514(h) and 164.512(i)(1)(iii)).
We remove from the definition of "individual" the provision related to deceased persons. Instead, we create a standard for "personal representatives" (§ 164.502(g), see discussion below) that requires a covered entity to treat a personal representative of an individual as the individual in certain circumstances, i.e., allows the representative to exercise the rights of the individual. With respect to deceased individuals, the final rule describes when a covered entity must allow a person who otherwise is permitted under applicable law to act with respect to the interest of the decedent or on behalf of the decedent's estate, to make decisions regarding the decedent's protected health information.
The final rule also adds a provision to § 164.512(g) that permits covered entities to disclose protected health information to a funeral director, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are permitted both after death and in reasonable anticipation of death.