HIPAA Compliance Checklist: Sharing Obituaries, Patient Deaths, and Public Notices

Kevin Henry

September 18, 2024

When an individual dies, HIPAA still governs how you handle and share their Individually Identifiable Health Information. This HIPAA Compliance Checklist focuses on obituaries, confirmation of patient deaths, and public notices so you can communicate compassionately while honoring the Privacy Rule.

Your goal is to disclose only what is permitted, to the right people, for the right reasons, and with the minimum necessary detail. The sections below translate core requirements into clear, actionable steps for clinical, communications, and health information teams.

Overview of HIPAA Privacy Rule

The Privacy Rule protects a decedent’s Individually Identifiable Health Information, referred to below as protected health information (PHI), for 50 years after the person’s death. Unless an express permission or Privacy Rule exception applies, you may not disclose a decedent’s diagnosis, treatment details, time or cause of death, or even the fact that the person was your patient.

Permitted uses and disclosures fall into defined buckets: treatment, payment, and health care operations; disclosures with a valid authorization; and specific Privacy Rule Exceptions (for example, Vital Statistics Reporting, law enforcement, Disclosure to Coroners, and Disclosure to Funeral Directors). For any permitted disclosure, apply the minimum necessary standard and verify the recipient’s identity and authority.

Quick compliance checklist

  • Confirm the purpose: treatment/operations, Personal Representative Authorization, or a defined Privacy Rule exception.
  • Verify who is asking and their role (media, family, personal representative, public official) before sharing any PHI.
  • Limit to minimum necessary details; avoid cause/time of death unless explicitly authorized or required.
  • Document the decision and disclosure pathway; escalate edge cases to your privacy officer.
  • Coordinate public notices through approved channels; use Mass Casualty Disclosure Protocols when activated.
  • Remember the 50-year protection window after death.

Permitted Disclosures to Family and Friends

You may share limited PHI with a decedent’s family, friends, or others involved in the person’s care or payment, when relevant to their involvement and not contrary to any known preference of the individual. Use professional judgment to decide what is appropriate, and disclose only what the person needs to know (for example, that the individual has died and basic information needed to arrange services).

This pathway does not authorize broad public statements or detailed medical history. If a requester seeks comprehensive records or wishes to release information publicly, direct them to obtain Personal Representative Authorization from the decedent’s legally recognized representative.

Practical steps

  • Authenticate the requester and relationship (photo ID, documentation, or in-person recognition by staff).
  • Share only information pertinent to their involvement (e.g., logistics, where to retrieve belongings, general circumstances without diagnosis).
  • Decline requests for clinical detail or public release; route those to the personal representative process.

Guidelines for Media Disclosures

Media inquiries require heightened caution. Without authorization, you generally may not confirm that a named individual was your patient, disclose their death, or discuss medical details. Limited “facility directory” disclosures allow you to share a current patient’s location and general condition with someone who asks for the patient by name—provided the patient has not objected—but this pathway is narrow and typically does not cover confirming deaths or sharing cause of death.

For public statements, work through your privacy officer and communications lead. Provide de-identified summaries where possible (for example, “We treated multiple individuals” without names or unique details). If officials activate Mass Casualty Disclosure Protocols, you may share limited PHI with emergency management or disaster relief organizations to help notify family and reunify patients; this does not authorize releasing identifiable PHI to the press.

Do’s and don’ts with the press

  • Do provide de-identified, aggregate updates where appropriate.
  • Do coordinate with law enforcement or public health when they are the lead agency.
  • Don’t confirm a person’s death, cause of death, or treatment status without Personal Representative Authorization or a specific legal requirement.
  • Don’t rely on an obituary or social media post as your permission to confirm a care relationship.

Role of Personal Representatives

A personal representative is the person legally authorized to act for the decedent (for example, executor or administrator of the estate under state law). With Personal Representative Authorization, you may disclose PHI consistent with the scope of that authority, including confirmation of death or details needed for an obituary.

Verify authority with appropriate documentation (letters testamentary, court appointment, or other state-recognized proof). If multiple individuals claim authority, pause disclosures until the conflict is resolved. You may limit or deny disclosures if doing so is necessary to prevent endangerment or when state law restricts a particular category of sensitive information.

Disclosures to Coroners and Funeral Directors

You may provide PHI to a coroner or medical examiner for identification, determining cause of death, or other duties—this is a permitted disclosure and does not require authorization. Disclosure to Coroners can include clinical information relevant to determining cause and manner of death.

You may also make Disclosure to Funeral Directors as needed to carry out their duties, and you may share information in reasonable anticipation of death to help them prepare. Coordinate promptly so arrangements proceed without unnecessary delay, and disclose only what is necessary for identification, transport, embalming, cremation, or memorial planning.

Separately, Vital Statistics Reporting to public health authorities (for example, completion of death certificates) is permitted or required by law; send only the information requested on official forms.

Protection Duration After Death

HIPAA protects a decedent’s PHI for 50 years after the date of death. During this period, the same rules and safeguards apply as for living patients, including verification, minimum necessary, and permitted-use pathways. After 50 years, the information is no longer PHI under HIPAA, but other laws, ethical duties, or institutional policies may still influence how you share historic records.

In practice, keep release decisions conservative during the 50-year window. Avoid public disclosure of cause of death or detailed history unless a lawful basis clearly applies.

Exceptions in Disclosure Restrictions

The Privacy Rule includes targeted Privacy Rule Exceptions that can apply when a patient has died. Use them precisely, document the rationale, and disclose only what is necessary.

Common exceptions relevant to deaths

  • Required by law: Vital Statistics Reporting, death certificates, and other mandated submissions.
  • Coroners, medical examiners, and funeral directors: As needed to perform their official duties, including prior to and in reasonable anticipation of death.
  • Organ and tissue donation: Coordination with procurement organizations to facilitate donation.
  • Law enforcement and public safety: Limited disclosures to locate a missing person, report a death that may have resulted from crime, or avert a serious and imminent threat.
  • Public health and disaster relief: Limited sharing with public health authorities or disaster relief organizations under Mass Casualty Disclosure Protocols to assist with family notification and reunification.
  • Research on decedents: PHI may be used/disclosed for research that solely involves decedents, with required representations and safeguards.

Operational guardrails

  • Minimum necessary: Tailor every disclosure to the smallest amount of information that achieves the purpose.
  • Verification: Confirm identity and authority of requesters before releasing information.
  • Documentation: Record what you disclosed, the legal basis, and to whom.
  • De-identification: When feasible, remove identifiers and share aggregate information instead of PHI.

Conclusion

Handled well, public communication after a death is compassionate, accurate, and compliant. Anchor every decision to a clear purpose, confirm the requester’s authority, apply minimum necessary, and rely on Personal Representative Authorization or precise exceptions such as Disclosure to Coroners, Disclosure to Funeral Directors, and Vital Statistics Reporting. When in doubt, pause and consult your privacy officer.

FAQs

Is sharing an obituary with health details a HIPAA violation?

It can be if you are a covered entity or business associate and your act of sharing confirms a care relationship or adds health details without authorization or a valid exception. Even if the family published the obituary, you should not amplify or confirm diagnosis, treatment, time, or cause of death. Obtain Personal Representative Authorization or share only de-identified, non-confirming information through approved channels.

Who can authorize disclosure of a deceased patient's health information?

The decedent’s personal representative under applicable state law (for example, an executor or court-appointed administrator) can authorize disclosures within the scope of their authority. Absent that, you may share limited information with family or others involved in the person’s care or payment when relevant to their involvement, but broad public disclosures require formal authorization or a specific Privacy Rule exception.

Can hospitals confirm a patient's death to the media without authorization?

Generally no. Confirming that a named individual was a patient or disclosing their death is a PHI disclosure that typically requires Personal Representative Authorization or a legal mandate. Provide only de-identified statements to the press, and coordinate with law enforcement or public health when they are the lead for public updates. Vital Statistics Reporting flows to government authorities—not to media outlets.
