Businesses Should Consider Privacy Law Following Employees' Death, Says Lawyer
Laws like the Health Insurance Portability and Accountability Act (HIPAA), state and federal privacy laws, and other laws and common law precedents in areas like copyright and survivor privacy apply to people after death, and businesses should take them into consideration when dealing with personal information of the deceased, said commercial attorney Alex Ferrate in an IAPP blog post Thursday.
“Because the EU General Data Protection Regulation's definition of personally identifiable information only applies to living people, technology and other professionals sometimes infer that privacy laws do not apply to the deceased,” said Ferrate. “However, this inference is misleading … [HIPAA], a federal law that mainly covers health care providers and insurers, expressly extends protections to the personal health information of dead people -- and for 50 years after their death.”
Given that consent often justifies the disclosure of personally identifiable information (PII) or personal health information (PHI), “consent is the starting point for the conversation about privacy considerations upon the death of an employee among privacy pros,” Ferrate said. “The question we need to address is: What is effective consent to disclosures of PII or PHI about a deceased employee that balances respect for deceased employees and their loved ones with the continuity needs of the business or other organization?”