HIPAA and Obituaries: What Covered Entities Can Share, and When


Kevin Henry

HIPAA

September 17, 2024


HIPAA Privacy Rule and Deceased Individuals

HIPAA protects a deceased person’s Protected Health Information for 50 years after the date of death. During that period, covered entities must apply the same Privacy Rule Compliance principles that govern living patients, including verifying requestors and limiting what is disclosed.

Protected Health Information includes any data that identifies the individual and relates to past, present, or future health care or payment. In an obituary context, that can include diagnoses, treatment dates, locations of care, and even photographs if they link the person to medical details.

Use the minimum necessary standard. If a disclosure is permitted—such as to a coroner or a Personal Representative—share only what is reasonably needed to fulfill the request, not the entire chart.

Key implications for obituary scenarios

  • Obituaries are typically written by families or funeral homes, which are not HIPAA covered entities. The HIPAA risk arises when a covered entity supplies PHI for an obituary without proper authority.
  • After 50 years, the information is no longer PHI under HIPAA, but other laws or ethical duties may still apply.

Disclosure to Family Members

Covered entities may disclose PHI relevant to a deceased patient’s care or payment to family members and others who were involved in the individual’s care prior to death. This permissive disclosure is limited to information directly related to their involvement.

Honor any known preferences the patient expressed while alive. If the individual objected to sharing with a particular person, do not disclose to that person. When in doubt, make a focused disclosure (for example, a medication list needed for managing the estate’s bills) rather than broad records.

Practical steps

  • Confirm the caller’s relationship and role in care or payment before death.
  • Disclose only what is necessary for the stated purpose; avoid causes of death or sensitive notes unless required.
  • Document your rationale and the scope of the disclosure.

Personal Representatives' Rights

A Personal Representative—such as an executor, administrator, or other person authorized under state law to act for the estate—steps into the shoes of the deceased for HIPAA purposes. With proper proof, they may access the decedent’s PHI and authorize further disclosures, including Disclosure Authorization for obituary details.

Validate authority before releasing records. Acceptable proof often includes letters testamentary, letters of administration, or a court order. If multiple people claim authority, pause and seek clarification rather than disclosing prematurely.

Covered entities may decline to treat someone as a Personal Representative if doing so could endanger another person, consistent with HIPAA’s protective provisions and applicable state law.

Facility Directory Information Disclosure

Facility Directory rules allow limited disclosures—name, location in the facility, general condition, and religious affiliation (to clergy)—when someone asks for the patient by name. Patients can agree or object, and entities use professional judgment when the patient cannot agree.

Directory permissions generally apply during an admission. After death, promptly remove the individual from the Facility Directory and avoid new directory-based disclosures. Do not share cause of death or other medical details via directory practices.


Media and public inquiries

  • Route requests to your privacy or communications office.
  • If any disclosure is made, confine it to what HIPAA permits and your policy requires; never disclose diagnosis or cause of death without proper authorization or a legal mandate.

HIPAA permits certain disclosures of PHI about decedents without authorization under the Public Health Exception and other legal pathways. Always apply the minimum necessary principle and confirm the requestor’s legal authority.

Common permitted disclosures

  • Coroner Disclosure and medical examiner requests to identify a deceased person, determine cause of death, or perform other official duties.
  • Disclosures to funeral directors as needed to carry out their responsibilities, including prior to and in reasonable anticipation of death.
  • Disclosures required by law, such as reporting deaths to vital records offices or responding to a court order or subpoena that meets HIPAA requirements.
  • Disclosures to organ procurement organizations or for tissue donation, when applicable.
  • Law enforcement disclosures in specified circumstances, such as to alert authorities to a death that may have resulted from criminal conduct.

Limitations on Sharing Obituary Information

Covered entities should not draft, edit, or supply obituary content that reveals PHI unless they have a valid Disclosure Authorization from the Personal Representative or a clear legal basis. Sharing a diagnosis, treatment history, or cause of death for publication typically requires authorization.

Family members and funeral homes may publish obituaries without HIPAA constraints, but the covered entity must not be the source of PHI unless permitted. If asked for “just a few details,” provide only what HIPAA allows—often nothing beyond what a lawful request specifically requires.

De-identification as an option

If information is truly de-identified (no reasonable basis to identify the individual), it is not PHI. However, obituaries inherently identify the person, so de-identification rarely applies to obituary content sourced from medical records.

Compliance Best Practices for Covered Entities

  • Adopt a clear policy for obituary-related requests that centers on Privacy Rule Compliance, role verification, and minimum necessary disclosures.
  • Verify identity and authority every time: determine if the requestor is a Personal Representative, a family member involved in care, or an official with legal authority.
  • Use decision trees or checklists to channel requests: family-involved care questions, Personal Representative requests, Facility Directory inquiries, and Public Health Exception/legal requests.
  • Require written Disclosure Authorization from the Personal Representative before supplying PHI for publication, especially for diagnosis or cause of death.
  • Train staff and route media calls to designated leads; maintain logs of requests and responses.
  • Coordinate with counsel when requests are complex, contested, or cross state lines.
  • Reassess disclosures against the 50-year rule and state law nuances before releasing legacy records.

In short, HIPAA and obituaries intersect when covered entities are asked to confirm or supply medical details. Anchor every response in role verification, minimum necessary, and a valid legal pathway or authorization.

FAQs

Is sharing an obituary considered a HIPAA violation?

Publication of an obituary by a family or funeral home is not a HIPAA issue because they are not covered entities. A HIPAA violation can occur if a covered entity provides Protected Health Information for an obituary without a permissible basis or a valid Disclosure Authorization from the Personal Representative.

Who can legally access a deceased person’s health information?

The Personal Representative of the estate has primary access rights. Covered entities may also disclose limited, relevant PHI to family or others involved in care or payment before death, and to coroners, medical examiners, funeral directors, public health authorities, organ procurement organizations, and law enforcement when the law permits.

What information about a deceased individual can covered entities disclose publicly?

Generally, none beyond what HIPAA expressly permits. Do not publicly disclose diagnosis, treatment details, or cause of death without authorization or a legal mandate. Facility Directory disclosures are limited and should cease after death; avoid using directory practices to release obituary information.

Can family members request health information after death?

Yes. If they were involved in care or payment, they may receive PHI relevant to that involvement. For broader access—such as full records or confirmation of cause of death—the Personal Representative should submit documentation of authority, and the covered entity should disclose only the minimum necessary information.
