Are Medical Records Protected After Death? HIPAA Rules, Time Limits, and Who Can Access Them


Kevin Henry

HIPAA

March 15, 2024

8 minutes read

HIPAA Protection Period

What the Privacy Rule protects

Under the HIPAA Privacy Rule, a deceased person's Protected Health Information (PHI), often called decedent health information, remains PHI for 50 years after the date of death. During that period a covered entity (a health care provider, health plan, or health care clearinghouse) and its business associates must safeguard the information and may use or disclose it only as the Privacy Rule permits or requires, exactly as they would for a living patient.

Scope and limits

The 50-year protection follows the information, not the record system: decedent PHI held by a covered entity or business associate is covered whether it is kept on paper or electronically and regardless of which workforce member or system created it. Standard HIPAA principles still apply, including verification of the identity and authority of anyone requesting the information and the "minimum necessary" standard for most disclosures. Certain disclosures remain expressly permitted, such as to coroners and medical examiners, to funeral directors as needed to carry out their duties, and to Organ Procurement Organizations to facilitate donation and transplantation.

After the 50-year mark

Once 50 years have passed, the information is no longer PHI under HIPAA. However, other laws—such as state confidentiality statutes, medical record laws, or professional ethics rules—may continue to restrict access or impose conditions on use and disclosure.

Personal Representative Access

Who qualifies as a personal representative

A "Personal Representative" of a decedent is the person who, under applicable state or other law, has authority to act on behalf of the deceased individual or the estate (for example, an executor, administrator, or court-appointed representative). HIPAA requires covered entities to treat this person as the individual for privacy purposes, which gives the representative the same right to access the medical record that the patient would have had while living.

What documentation you’ll need

Expect to provide proof of identity and authority, such as letters testamentary, letters of administration, or a court order. Covered entities may use their standard request forms and verification procedures before releasing records to a Personal Representative.

Timing and scope of access

Once properly verified, a Personal Representative has the right to inspect or obtain a copy of the record within HIPAA's standard time frame: the covered entity must act on the request within 30 days of receipt, with one extension of up to 30 more days if it notifies the requestor in writing of the reason for the delay. The right of access does not extend to psychotherapy notes or to information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding, and other federal or state laws may impose additional restrictions on sensitive categories of information.

If there are multiple representatives or disputes

When more than one person claims authority, the covered entity will follow applicable state law and may require resolution of the dispute before disclosing PHI. If a Personal Representative is in place, their direction typically controls over other requestors.

Family Member Access

Permissive disclosures based on involvement in care

HIPAA permits—but does not require—covered entities to share relevant decedent health information with a family member, relative, close friend, or other person who was involved in the individual’s care or payment for care prior to death. The disclosure must be limited to information directly related to that person’s involvement and must not conflict with any known preferences expressed by the decedent.

How much information can be shared

Only the minimum necessary information may be shared to meet the purpose. For instance, a provider may confirm details about treatment or billing that the family member helped manage, but this does not grant a blanket right to the entire medical record.

When a Personal Representative exists

If a verified Personal Representative requests confidentiality or objects to disclosure to others, the covered entity will generally defer to the Personal Representative’s authority, consistent with HIPAA and applicable state law.

Record Retention Requirements

HIPAA vs. medical record retention

HIPAA sets privacy and security standards but does not dictate how long medical records themselves must be kept. It does require retention of HIPAA-related documentation (such as privacy policies and procedures, notices of privacy practices, authorizations, and accountings of disclosures) for six years from the date it was created or the date it was last in effect, whichever is later. The retention period for the medical record itself is established by state law and, in some cases, by program or accreditation requirements.

Typical state requirements

States commonly require providers to retain adult patient records for a defined period—often 5 to 10 years—and longer for minors (for example, a set number of years after the patient reaches the age of majority). These rules apply regardless of whether the patient is living or deceased. Providers may maintain records longer than the minimum where risk, business, or clinical needs warrant.

Secure storage and disposal

Records that are retained remain PHI, and remain fully subject to the Privacy and Security Rules, until 50 years after the patient's death. When records are destroyed, covered entities and their business associates must use methods that leave the PHI unreadable, indecipherable, and unable to be reconstructed (for example, shredding or pulping paper records and clearing, purging, or physically destroying electronic media), and any outside vendor that performs the destruction is a business associate that must be bound by a business associate agreement.


Disclosure for Research

Decedent-only research

HIPAA allows covered entities to use or disclose decedent health information for research when the researcher represents that the information is sought solely for research on decedents, the PHI is necessary for the research, and documentation of death will be provided upon request. An authorization or IRB/Privacy Board waiver is not required for decedent-only studies.

Studies that include living individuals

If a project involves both living individuals and decedents, HIPAA’s standard pathways apply for the living individuals’ PHI (for example, individual authorization, an IRB/Privacy Board waiver of authorization, or use of a limited data set with a data use agreement). Only the decedent portion of the data qualifies for the decedent-only pathway.

Minimum necessary and safeguards

Even when disclosure is permitted, covered entities should limit PHI to the minimum necessary for the study and may apply additional safeguards—such as data use agreements or secure research environments—to protect confidentiality.

Disclosure to Law Enforcement

When disclosure is allowed without authorization

HIPAA permits limited disclosures of PHI to law enforcement without authorization in specific situations, including to report a death that the covered entity suspects may have resulted from criminal conduct, to help identify or locate a suspect, fugitive, material witness, or missing person (limited to basic identifying information such as name, address, date of birth, and a description of distinguishing physical characteristics), to report a crime committed on the entity's premises, or when another law requires the disclosure. Only the information reasonably necessary for the stated purpose may be shared.

Covered entities may also disclose PHI in response to a court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer. A subpoena or administrative request that is not backed by a court order must first satisfy HIPAA's conditions: a law enforcement administrative request must be relevant and material, specific and limited in scope, and not reasonably satisfiable with de-identified data, and a subpoena in a judicial or administrative proceeding requires satisfactory assurances that the individual or estate was notified or that a qualified protective order was sought. Each such disclosure should be documented according to the entity's policies so it can be included in an accounting of disclosures.

Disclosures to medical examiners and coroners are permitted to identify a decedent, determine a cause of death, or perform other authorized duties. Providers may also disclose PHI to Organ Procurement Organizations to facilitate organ, eye, or tissue donation and transplantation activities.

State Law Variations

Who counts as a Personal Representative

HIPAA defers to “applicable law” to determine who has authority after death. State probate statutes and court orders define who serves as executor or administrator and what powers they hold. Some states also permit certain next of kin to act when no court appointment exists.

More-protective privacy rules

HIPAA is a federal floor. If a state law is more protective of privacy—for example, for mental health, substance use disorder, HIV, genetic information, or reproductive health—covered entities must follow the more stringent state rule when handling decedent health information.

Retention rules differ by state

Minimum record retention periods are set primarily by state law and may vary by provider type (hospital, clinic, physician practice). These state rules operate independently of HIPAA’s 50-year protection period.

Key takeaways

  • Medical records are protected under the HIPAA Privacy Rule for 50 years after death.
  • A verified Personal Representative has the strongest right to access; others may receive limited information based on involvement in care or payment.
  • HIPAA does not set medical record retention periods; state laws and program rules do.
  • Disclosures for research, law enforcement, examiners, and Organ Procurement Organizations are allowed in defined circumstances and should follow the minimum necessary standard.
  • State laws can be more protective and will control where they are stricter than HIPAA.

FAQs

How long are medical records protected after death?

Under the HIPAA Privacy Rule, a decedent’s PHI is protected for 50 years from the date of death. After 50 years, the information is no longer PHI under HIPAA, though other laws or ethical standards may still limit access or use.

Who can access a deceased individual's medical records?

The Personal Representative—such as an executor or court-appointed administrator—has the right to access the record, subject to standard HIPAA exclusions and any stricter laws. Absent that status, HIPAA permits covered entities to share limited, relevant information with family members or others involved in the person’s care or payment for care, provided the disclosure aligns with known preferences and the minimum necessary standard.

Does HIPAA allow disclosure of deceased individuals' health information for research?

Yes. For decedent-only research, HIPAA allows disclosure when the researcher represents that the PHI is solely for research on decedents, is necessary for the project, and proof of death will be provided upon request. If living individuals’ data are included, standard authorization or waiver pathways apply for those records.

Can law enforcement access medical records after death?

Law enforcement may receive PHI without authorization in defined situations, such as reporting a death potentially resulting from criminal conduct, complying with a court order or warrant, or other permitted law enforcement purposes. Disclosures must be limited to the information necessary for the purpose and documented according to policy.
