Since the HIPAA Privacy Rule protects a decedent’s health information for 50 years following the individual’s death, am I required to keep the decedent’s information for that period of time?

Answer:

No.  The Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law.


Content created by Office for Civil Rights (OCR)
Content last reviewed on September 18, 2013