Since the HIPAA Privacy Rule protects a decedent’s health information for 50 years following the individual’s death, am I required to keep the decedent’s information for that period of time?

Answer:

No.  The Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law. 

Still need help? Contact Us Contact Us