Dead or alive, patients have the same privacy protections under federal healthcare privacy rules, legal experts warn.
So while there's a growing public interest in data that providers are amassing on COVID-19 deaths, HIPAA tightly regulates how that information can—or more importantly, can't—be shared.
"The (HIPAA) Privacy Rule treats the health information of those who have passed away the same as if they were living," said David Holtzman, an executive adviser for cybersecurity consulting firm CynergisTek and a former senior adviser at HHS' Office for Civil Rights, the agency that enforces HIPAA.
Under HIPAA, hospitals are required to limit the use and disclosure of data for 50 years after a patient's death. While hospitals are allowed to share that data with public health authorities, a patchwork of state laws limits how that data will be collected and used. And that could impede broader efforts to understand the full impact of COVID-19.
There are a few special disclosure provisions for the deceased—for sharing medical data with law enforcement, coroners, medical examiners, funeral directors and organ procurement organizations—but HIPAA otherwise requires hospitals to protect medical data to the same extent as they would for a living patient.
That means a hospital can share the number of COVID-19 deaths they've had, but largely can't share details about a specific patient death with the public or news media, beyond general information about their condition.
So long as patients haven't asked to restrict access, HIPAA allows hospitals to share limited patient information with members of the public who ask for the patient by name, including sharing that the patient has died or general information about their health condition. Hospitals can't, however, offer up specific medical details like diagnoses.
"If someone asks about a particular patient by name, they're allowed to confirm that patient's status, but they don't have to," said Valerie Montague, a partner at law firm Nixon Peabody who focuses on health information privacy and security issues, "which is why I think you're seeing some healthcare facilities that are not providing that information."
Hospitals are allowed to disclose additional medical details to some family members, coroners, medical examiners and public health authorities.
But how some of those disclosures work—and what happens with the information from that point—varies by state law.
"It will become a state-by-state analysis with some of these issues," said Meghan O'Connor, an attorney who chairs law firm Quarles & Brady's health IT, privacy and security team. "State public health laws have various requirements and options for reporting. Some states have permissive public health reporting, and some states have mandatory reporting obligations."
That means that although most states are publicly releasing some information about COVID-19 cases, not all are, and the data being collected isn't consistent.
The Trump administration has emphasized the need for hospitals to share patient data related to the novel coronavirus with state health departments and the federal government to help better understand the disease and track its spread. To date, at least 14,600 have died from the disease in the U.S., according to the Centers for Disease Control and Prevention.
HHS has been relaxing some portions of HIPAA to make it easier to report COVID-19 information to public health authorities. Last week, the department's Office for Civil Rights said it won't impose penalties on business associates that offer "good-faith" disclosures of protected health information for public health purposes during the COVID-19 emergency, even if the company isn't expressly permitted to do so by the HIPAA covered entity it works with.
After someone dies, there's also the question of sharing medical data with coroners and medical examiners, if the cause of death is unclear.
That can require some medical data from hospitals, but legal experts warn that the information won't be covered by HIPAA once it's transmitted, unless the coroner or medical examiner is part of a covered entity.
HHS under HIPAA doesn't have statutory authority to regulate whether most coroners or medical examiners re-disclose protected health information. In fact, if a healthcare provider shares patient data with a coroner or medical examiner, how that data is subsequently regulated varies by both state law and what type of organization they're employed by.
There's no uniform system for investigating deaths in the U.S., according to the National Association of Medical Examiners.
"The laws in each state govern what information is releasable from a medical examiner or coroner," said Dr. Sally Aiken, NAME's president, in an email.
"In my own state, Washington, our records are confidential, and can be released to a select few: prosecutors, immediate family members, etc.," she shared as an example. "Florida and other states consider medical examiner records as nearly 'open,' and subject to public records requests."
Lack of standard guidance for COVID-19 has provided some challenges on the local level. In South Carolina, coroners are asking the state attorney general whether they're allowed to release the names and ages of people who have died of COVID-19 to the public, as they might for other unusual deaths. Natural deaths from disease typically aren't considered unusual deaths.
Hospitals, regardless of what state they're based in, should only share the minimum necessary information with coroners and medical examiners to ensure compliance with HIPAA, said Lani Dornfeld, a healthcare attorney at law firm Brach Eichler. Under HIPAA, covered entities are required to include only the "minimum necessary" amount of medical data when sharing information.
"HIPAA's minimum necessary standard would not be met if the entirety of that record was sent over to the coroner," Dornfeld said. "Hospitals do have to show some caution in how much they release."