Obituary Sharing Under HIPAA: Requirements, Risks, and Practical Examples
HIPAA Privacy Rule and Decedent Information
Under HIPAA, Protected Health Information (PHI) for a deceased individual remains protected for 50 years after death. You must treat decedent PHI disclosure with the same care you apply to living patients, unless a specific HIPAA permission applies.
Permissible disclosures include sharing with the personal representative (e.g., executor), funeral directors as needed for their duties, and family or others involved in the person’s care—so long as it isn’t contrary to known preferences. Always follow the minimum necessary standard and your HIPAA compliance policies, and remember state laws or ethical rules may be stricter.
Practical examples
- OK: Providing cause-of-death details to a funeral director when necessary to complete required documents.
- OK: Discussing relevant information with a spouse who was involved in care, if not inconsistent with the decedent’s wishes.
- Not OK: Publicly confirming that the deceased was your patient without authorization or another HIPAA permission.
Sharing Obituaries on Social Media
Even if an obituary is public, posting, sharing, or commenting from an official account can reveal a patient relationship and constitute a disclosure. Without authorization or a specific HIPAA permission, this may be an unauthorized PHI disclosure.
Use patient privacy safeguards: avoid naming patients, diagnoses, dates, photos, or locations tied to your services. If your organization wishes to express condolences, keep the message generic and institution-focused, and never confirm treatment or residency.
Practical examples
- OK: “Our thoughts are with all families in our community who are grieving.”
- Not OK: “We will miss caring for [Name], who bravely battled [Condition] at our clinic.”
- Borderline: Sharing a news obituary link from the organization’s account can still signal a treatment relationship—avoid it unless an authorization explicitly permits public acknowledgment.
Risks of Unauthorized PHI Sharing
Unauthorized PHI disclosure on social platforms, websites, email, or texts can trigger reportable breaches. Consequences include federal and state investigations, PHI breach penalties, corrective action plans, and reputational harm that erodes community trust.
Common pitfalls include posting tributes with identifiable details, replying to public comments that confirm a patient relationship, or re-sharing media stories in ways that tie the individual to your services. Train staff to pause, escalate, and use approved messaging.
Risk scenarios and impact
- Staff comment “We’ll miss our patient” on a public post → unauthorized disclosure and potential breach notification.
- Misdirected condolence email containing PHI → reportable incident with forensics and remediation costs.
- Front-desk verbal confirmation of the decedent’s last visit → improper disclosure and complaint to regulators.
Verifying Identity Before Sharing PHI
Before sharing any decedent information, verify both identity and authority. Ask for government ID and documentation naming the personal representative, or use call-back procedures to numbers on file. For phone requests, use predefined security questions or a patient-created passcode.
Confirm need-to-know and apply minimum necessary. Funeral directors may receive what is needed to carry out their duties; the press and general public may not. Never rely solely on a public obituary to justify disclosure.
Practical examples
- Executor requests records: obtain letters of appointment, verify ID, release only requested portions.
- Sibling asks for cause of death: confirm involvement in care and absence of contrary preferences before sharing limited details.
- Media inquiry: decline and refer to approved public statements that contain no PHI.
Avoiding PHI in Email Subject Lines
Email subject lines and headers may be viewable to unintended parties and stored in logs. When transmitting electronic PHI, keep names, diagnoses, medical record numbers, dates of birth, and any other unique identifiers out of the subject line.
Use secure messaging portals or encrypted email for the body, and keep subjects generic (e.g., “Confidential message from your care team”). If a subject must aid sorting, use internal ticket numbers or non-identifying references.
Examples: better vs. risky subjects
- Better: “Confidential message regarding your recent visit.”
- Better: “Secure portal notification – action requested.”
- Risky: “[Patient Name] – Hospice Plan & Morphine Dosing.”
- Risky: “Autopsy for [Name], DOB 01/02/1970.”
Acceptable Content in Sympathy Cards
Keep sympathy cards warm yet non-identifying. Avoid confirming the person was a patient, referencing conditions, care locations, or dates. Express condolences from the organization or care team without including PHI.
If a family has publicly shared details, you still should not repeat them in communication that originates from your role as a provider unless you have clear authorization. When unsure, route messages through your privacy team.
Practical examples
- OK: “We are saddened by your loss and are keeping your family in our thoughts.”
- OK: “Wishing you comfort and peace during this difficult time.”
- Not OK: “Caring for [Name] during their final week in our unit was an honor.”
Proper Disposal of PHI
Paper PHI must be rendered unreadable and indecipherable—shred, pulverize, or pulp. Never discard intact files in regular trash or unlocked bins. Maintain chain-of-custody with vetted vendors and document destruction.
For electronic media, follow NIST-aligned sanitization (the clear, purge, or destroy methods of NIST SP 800-88) for drives, phones, copiers, and backups. Disable and wipe devices before reassignment, and include media in your asset inventory and disposal logs.
Practical examples
- Locked consoles with scheduled on-site shredding and certificates of destruction.
- Decommissioned laptops sanitized and verified before recycling; failed drives physically destroyed.
- End-of-life EHR backups encrypted and disposed per retention schedules and policy.
Conclusion
Obituary sharing under HIPAA requires strict attention to HIPAA compliance, avoiding unauthorized PHI disclosure, and applying patient privacy safeguards. Verify authority before any decedent PHI disclosure, keep electronic PHI transmission secure, and dispose of PHI properly. When in doubt, choose non-identifying communication and escalate to privacy leaders.
FAQs
Is sharing a public obituary a HIPAA violation?
It can be if your sharing confirms or implies a treatment relationship or includes PHI within 50 years of death. Public availability does not waive HIPAA; you still need authorization or a specific permission to disclose.
Can healthcare providers share decedent information under HIPAA?
Yes, in limited situations: with the personal representative, with family or others involved in care (if not contrary to known preferences), for funeral directors’ duties, and as otherwise permitted by HIPAA. Apply minimum necessary and any stricter state requirements.
What are the risks of sharing PHI on social media?
Risks include reportable breaches, PHI breach penalties, corrective action plans, and reputational harm. Even brief acknowledgments or comments can reveal PHI; train staff and use pre-approved non-identifying messaging.
How should PHI be disposed of to comply with HIPAA?
Render paper PHI unreadable (shred, pulverize, or pulp) and sanitize or destroy electronic media per recognized standards before reuse or disposal. Maintain chain-of-custody, vendor agreements, and documented destruction logs.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.