Are Death Records Protected by HIPAA? Privacy Rules and Access After Death


Kevin Henry

HIPAA

January 17, 2026


HIPAA Protection Duration for Deceased Individuals

Yes. A decedent’s protected health information (PHI) remains protected by HIPAA for 50 years after the date of death. During this period, covered entities must apply the same core safeguards they use for living patients, with limited, rule-based exceptions.

“Death records” can mean different things. Medical charts, billing files, and other PHI created by a healthcare provider are covered by HIPAA. Vital records like death certificates are issued by government registrars and follow separate state rules, not the HIPAA Privacy Rule.

After the 50-year window ends, the information is no longer PHI under HIPAA. That does not automatically make it public; access may still be limited by state laws, archival policies, or ethical considerations.

Access Rights of Personal Representatives

Under the Privacy Rule, a deceased individual’s personal representative is treated like the individual for access purposes. Typically, this is the court‑appointed executor or administrator of the estate, or another person with legal authorization under state law to act for the decedent or the estate.

To exercise this right, you generally must provide proof of identity plus legal authority (for example, letters testamentary or letters of administration). A health care power of attorney usually ends at death, so it does not by itself confer post‑death access.

A personal representative may request copies of the designated record set, subject to permissible exclusions (such as psychotherapy notes) and reasonable, cost‑based copy fees. Covered entities must respond within standard HIPAA timelines, even when the request concerns decedent PHI.

Permitted Disclosures Without Authorization

HIPAA allows certain decedent PHI disclosures without a written authorization, provided the minimum necessary standard is applied and no known prior objection from the individual is violated. Common examples include:

  • To family members or others involved in the person’s care or payment before death, limited to information relevant to their involvement and absent any known contrary preference.
  • To coroners, medical examiners, and funeral directors as needed to identify a decedent, determine cause of death, or carry out their duties.
  • To organ or tissue procurement organizations to facilitate donation and transplantation.
  • For research that is solely about decedents, when required representations are obtained from the researcher.
  • For law enforcement purposes, such as identifying or locating a decedent, when the rule’s conditions are met.
  • As required by other laws, or to prevent or lessen a serious and imminent threat to health or safety.

These pathways permit, but do not compel, disclosure. A covered entity may still limit or deny a request when another law restricts release or when privacy risks outweigh the purpose.

Handling of Protected Health Information After 50 Years

Once 50 years have elapsed after death, the individual’s information is no longer PHI under HIPAA. At that point, a covered entity may disclose records at its discretion, consistent with institutional policy and any applicable state or federal laws that still apply.

HIPAA does not set a retention period for medical records. It requires certain compliance documents to be retained for six years, but actual medical record retention is driven by state statutes and professional standards. Providers may therefore keep records well beyond 50 years even though HIPAA protections have ended.

If you seek very old records for genealogy or historical research, expect archival procedures, identity checks, and possible redactions—even when HIPAA no longer applies.

Privacy Rule compliance hinges on verifying who you are and what authority you have. Covered entities must reasonably verify identity and legal authorization, apply the minimum necessary standard to each disclosure, and document their decisions to meet their Privacy Rule obligations.

Some categories of information remain especially sensitive. Psychotherapy notes are excluded from the standard right of access. Substance use disorder records and certain genetic information can be subject to additional federal or state restrictions. When rules conflict, the stricter law typically governs.

For the smoothest process, submit a clear, written request that identifies your role (for example, personal representative), specifies the records and dates you need, and acknowledges that reasonable, cost‑based fees may apply.

Role of Covered Entities in Disclosure

Hospitals, clinics, and health plans manage decedent PHI through structured release‑of‑information workflows. Staff first confirm the requestor’s identity and legal authority, then evaluate whether the request fits a permitted pathway or requires an authorization.

They limit disclosures to the minimum necessary, exclude records that are not subject to access, and respond within HIPAA’s standard timeframe. When denying in whole or in part, they explain the basis and, when applicable, outline review options. They may charge reasonable, cost‑based fees for copies and transmission.

In summary, HIPAA shields a decedent’s protected health information for 50 years, recognizes a legally authorized personal representative as the stand‑in for the individual, and allows targeted, minimum‑necessary disclosures without authorization in specific circumstances. After 50 years, HIPAA no longer applies, but other laws and policies can still shape access.

FAQs

Who Can Access a Deceased Person’s Health Records Under HIPAA?

The decedent’s personal representative—such as a court‑appointed executor or administrator with legal authorization—has the same access rights the individual would have had, subject to limited exclusions and reasonable, cost‑based fees.

How Long Does HIPAA Protect Death Records?

HIPAA protects a decedent’s PHI for 50 years from the date of death. During that period, covered entities must follow the Privacy Rule when handling requests and disclosures.

Can Family Members Access a Deceased Relative’s PHI Without Authorization?

Possibly. A covered entity may share relevant information with family or others involved in the person’s care or payment before death, unless doing so conflicts with a known preference. The information shared must be limited to what is relevant to their involvement.

What Happens to Health Information After the HIPAA Protection Period Ends?

After 50 years, the information is no longer PHI under HIPAA. Access then depends on the covered entity’s policies and any other applicable laws; records may still be retained and released at the entity’s discretion.
