HHS Data Breach Notice Rule Applies to Deceased Persons' Data, Too

Lora Bentley

I've written about the HITECH Act and the data breach notification rule it adds to the Health Insurance Portability and Accountability Act a few times now. But something came across my desk this morning worth mentioning again.


Rebecca Hall at Realtime Community points out that the data breach notification rule promulgated by the U.S. Department of Health and Human Services pursuant to the HITECH Act even applies to individuals the covered entity (hospital, clinic, pharmacy, etc.) knows to be deceased.


In other words, if a breach occurs and the protected health information of a deceased person is put at risk thereby, the covered entity is required to notify the deceased person's "next of kin or personal representative." Hall says, "Many organizations will not think of this, because this is not a stipulation within many/most of the other 48 state and territory laws."


The HHS rule has been published in the Federal Register for public comment and is available online in a PDF version.
