Best Practices for Sharing Death Notices Without Violating HIPAA
HIPAA Privacy Rule and Deceased Individuals
The HIPAA Privacy Rule continues to protect a decedent’s Protected Health Information for 50 years after the date of death. This posthumous data protection covers health status, clinical details, and even the fact that someone received care from a specific facility. After 50 years, these records are no longer PHI under HIPAA, though other laws or policies may still apply.
HIPAA applies to covered entities and their business associates, not to private individuals acting in a personal capacity. When you work for or on behalf of a healthcare provider, health plan, or clearinghouse, you must handle any death-related communications with the same care you apply to living patients.
Remember that vital records (such as official death certificates) are handled through required public health processes. Your ability to disclose PHI outside those processes remains limited unless a specific permission or exception applies.
Permitted Disclosures of Protected Health Information
You may disclose PHI about a deceased individual without written authorization only when a HIPAA permission applies, and only for the purpose allowed. Common permissions include:
- To a personal representative, for access consistent with their legal authority.
- To family members or others involved in the individual’s care or payment before death, when relevant to their involvement and not contrary to the decedent’s known preferences.
- To coroners and medical examiners to identify the decedent, determine cause of death, or perform other official duties.
- To funeral directors as needed to carry out their responsibilities; disclosures may occur before and after death.
- To organ procurement organizations, to facilitate donation and transplantation.
- To public health or vital statistics authorities as required by law.
- For research with an institutional review or privacy board waiver and appropriate safeguards.
- When required by law, court order, or other legal process.
If a requested disclosure falls outside these permissions, obtain valid written authorization from the personal representative before sharing any PHI.
Minimum Necessary Standard for PHI Sharing
When a HIPAA permission allows you to share PHI, you must still apply the minimum necessary standard. Share only the information reasonably necessary for the specific purpose, not the entire record by default.
How to apply “minimum necessary” in practice
- Define the purpose first (for example, confirming date of death to a funeral director).
- Limit the data elements to those necessary (such as name and date of death; exclude diagnoses unless specifically needed).
- Use role-based access and standardized checklists to prevent over-disclosure.
- Document what was disclosed, to whom, why, and under which HIPAA permission.
The minimum necessary standard does not apply to disclosures for treatment, to the individual or personal representative exercising access rights, or to disclosures required by law; otherwise, use it consistently.
Role of Personal Representatives and Family Members
The personal representative is the executor, administrator, or other person legally authorized to act on behalf of the decedent or estate. Once you verify this status, the personal representative generally has the same access rights the individual would have had, within the 50-year protection period.
Family members are not automatically personal representatives. You may share limited PHI with a spouse, relative, or friend who was involved in care or payment before death, but only information relevant to their involvement and only if the disclosure is not inconsistent with the decedent’s known preferences.
Verification and conflict handling
- Verify authority with letters testamentary, court appointment, or comparable documentation before granting access as a personal representative.
- If multiple parties request PHI, prioritize the documented personal representative. If disputes arise, pause disclosures until authority is resolved.
- Record the decision path and the minimum necessary rationale for any family disclosures.
Disclosure to Law Enforcement and Medical Examiners
Certain law enforcement exceptions allow disclosures without authorization, but only within defined boundaries and usually subject to minimum necessary. Examples include:
- Alerting law enforcement about a death that may have resulted from criminal conduct.
- Responding to requests to identify or locate a decedent or to provide limited information in emergencies.
- Complying with warrants, subpoenas, or orders that meet HIPAA’s conditions.
You may disclose PHI to medical examiners and coroners for identification, cause-of-death determinations, and other official duties. You may also disclose relevant information to funeral directors to facilitate their work, including before the time of death when necessary for arrangements.
Written Authorization Requirements
When no HIPAA permission applies, you must obtain a valid written authorization from the personal representative before disclosing PHI. This includes public announcements that reveal diagnoses, treatment details, provider names, or other clinical facts.
Elements of a valid authorization
- Description of the specific information to be disclosed.
- Recipient(s) and purpose of the disclosure.
- Expiration date or event.
- Signature of the personal representative and a statement of their authority.
- Notice of the right to revoke and any conditions or limitations.
Separate, more stringent permissions are required for certain sensitive records, such as psychotherapy notes or substance use disorder information. Maintain copies of all authorizations and revocations for your retention period.
Public Sharing of Death Information
Before posting death notices or condolences, determine whether you are acting as a covered entity or on its behalf. If so, avoid revealing PHI unless a HIPAA permission applies or you have written authorization from the personal representative.
Do’s for compliant notices
- Center the message on condolences rather than care details.
- If disclosure is permitted, share only what is necessary (for example, name and date of death) and nothing more.
- Confirm and document the applicable HIPAA permission or obtain authorization in advance.
- Coordinate with privacy, legal, and communications teams; keep an audit trail.
Don’ts that risk violations
- Do not state or imply the person was your patient unless a permission applies or you have authorization.
- Do not include diagnoses, treatment dates, provider names, room numbers, or facility locations without a clear legal basis.
- Do not rely on “public knowledge” or a news story as permission to disclose PHI.
Conclusion
HIPAA’s posthumous data protection is real and enforceable. By confirming your role, using only permitted pathways, and applying the minimum necessary standard, you can share respectful death notices without exposing Protected Health Information or creating avoidable risk.
FAQs
Is sharing an obituary considered a HIPAA violation?
Usually no. Obituaries shared by family, friends, or media are not HIPAA-regulated. However, covered entities may not contribute PHI to an obituary or confirm clinical details unless a HIPAA permission applies or they have written authorization from the personal representative.
Who can legally access a deceased individual’s health information?
The legally recognized personal representative (such as an executor or court-appointed administrator) generally has access rights for 50 years after the date of death. Others may receive limited PHI only under specific permissions and only the minimum necessary for the purpose.
What information can be disclosed without authorization after death?
Disclosures are permitted for defined purposes: to medical examiners and coroners, funeral directors, organ procurement organizations, public health or vital records authorities, certain research uses with approvals, family or others involved in care when relevant, law enforcement under narrow exceptions, and disclosures required by law. Anything outside these categories requires authorization.
Can family members share PHI of the deceased publicly?
Family members acting in a personal capacity are not bound by HIPAA, though they should respect privacy wishes. Covered entities, however, remain bound and cannot confirm or supplement what family members have shared unless a permission applies or a valid authorization is on file.