Are Medical Records Protected Under HIPAA After 50 Years? The 50‑Year Rule Explained


Kevin Henry

HIPAA

March 07, 2024


Are medical records protected under HIPAA after 50 years? In short: HIPAA protects a decedent’s information as Protected Health Information for 50 years from the date of death. During that period, covered entities must apply the Privacy Rule. After 50 years, HIPAA no longer applies to the decedent’s information, though other laws and policies may still limit access.

HIPAA Medical Record Retention Guidelines

What HIPAA does—and doesn’t—require

HIPAA governs privacy, security, and permissible Health Information Disclosure, but it does not set universal Medical Record Retention Periods for patient charts. That means HIPAA does not tell providers how long to keep medical records; those timelines come from state law, payer rules, accreditation standards, and business needs.

PHI protections vs. record retention

It helps to separate two ideas: (1) the privacy protections that apply to Protected Health Information, and (2) how long a record must be kept. An organization may be required by state law to retain a record for a specific time, even if HIPAA protections for a decedent eventually expire after 50 years. Your Documentation Retention Policy should clearly distinguish these obligations for Covered Entities Compliance.

Protections for Deceased Individuals Under HIPAA

The 50‑year protection window

For 50 years following an individual’s death, the person’s identifiable health information remains Protected Health Information under HIPAA. During this period, covered entities and business associates must apply safeguards, follow the minimum necessary standard, and verify the identity and authority of requestors. These rules exist to promote Deceased Individual Privacy and responsible Postmortem Data Protection.

Permitted uses and disclosures

  • Personal representatives: Disclosures to the decedent’s legally authorized representative are generally permitted.
  • Family and others involved in care: Limited sharing is allowed if consistent with the decedent’s known preferences.
  • Public duties: Disclosures to coroners, medical examiners, funeral directors, organ and tissue procurement organizations, and for public health or required-by-law purposes.
  • Research on decedents: Certain research uses are permitted with required representations or approvals.

State Laws on Medical Record Retention

Why state rules matter

States set most Medical Record Retention Periods. Requirements vary by provider type (hospital, clinic, physician practice), record type (e.g., imaging), and patient age. Many states require adult records to be kept for a defined number of years, while records for minors often must be retained until the age of majority plus additional years.

Interaction with HIPAA

HIPAA serves as a federal floor for privacy protections. If a state law is more protective of privacy or imposes longer retention, you must follow the stricter state standard. In other words, HIPAA does not “override” state retention rules; it largely defers to them while maintaining federal privacy baselines.


Implications of the 50-Year Rule

Years 0–50 after death

Within the first 50 years after death, treat the decedent’s information as PHI: apply safeguards, verify authority, and disclose only as permitted. Build workflows for personal representative requests and for lawful public duties, and document decisions to support Covered Entities Compliance.

After the 50‑year mark

Once 50 years have passed, the decedent’s information is no longer PHI under HIPAA and may be used or disclosed without HIPAA authorization. However, other laws, donor restrictions, archival policies, intellectual property concerns, and ethical considerations may still restrict access. When in doubt, evaluate requests through your organizational Postmortem Data Protection lens and minimize unnecessary disclosure.

  • Update policies to recognize the 50‑year transition point.
  • Configure EHR flags to track date of death and calculate the 50‑year window.
  • Redact references to living individuals whose PHI remains protected.
  • Train staff on handling genealogical, historical, and research inquiries.

Documentation Retention Requirements

The HIPAA six‑year rule

HIPAA requires covered entities and business associates to retain required documentation for at least six years from the date of creation or the date last in effect, whichever is later. This is separate from keeping medical records themselves and should be spelled out in your Documentation Retention Policy.

What to keep for six years (minimum)

  • Privacy and security policies and procedures, including versions and effective dates.
  • Notices of Privacy Practices and all prior versions.
  • Authorizations, restrictions, and denials related to Health Information Disclosure.
  • Business associate agreements and related amendments.
  • Training materials, attendance records, sanctions, and complaint logs.
  • Risk analyses, risk management plans, audit logs, and breach documentation.

Post-50-Year Health Information Status

Not PHI under HIPAA—but not always “open”

After 50 years, the decedent’s information is no longer Protected Health Information under HIPAA. That does not automatically make the records public. State archive rules, records‑owner policies, contractual restrictions, and professional ethics can still limit access or require redaction. References to living relatives, donors, or third parties remain those individuals’ PHI and must be protected.

Practical compliance steps

  • Maintain a ledger of death dates to determine the 50‑year threshold.
  • Screen requests for other applicable federal or state laws before disclosing.
  • Apply minimum necessary and de‑identification where feasible.
  • Document decisions to support accountability and audit readiness.
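The death-date ledger and EHR date calculations described above (the 50-year decedent window) and the six-year documentation rule from the previous section can be implemented in one small screening routine. The following is an added example, not code from the article or from Accountable; the record fields, the fail-closed handling of a missing or future date of death, and the choice that PHI status ends on the 50th anniversary itself are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DECEDENT_PHI_YEARS = 50   # Privacy Rule: decedent's information stays PHI for 50 years
DOCUMENTATION_YEARS = 6   # HIPAA documentation retention minimum

def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; a Feb 29 anchor rolls to Mar 1 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def decedent_phi_expiry(date_of_death: date) -> date:
    """First day on which the decedent's information is no longer PHI (assumption:
    the window closes on the 50th anniversary of death)."""
    return add_years(date_of_death, DECEDENT_PHI_YEARS)

def is_decedent_phi(date_of_death: Optional[date], as_of: date) -> bool:
    """True while HIPAA still treats the decedent's information as PHI.
    A missing or future date of death is treated as still-PHI (fail closed)."""
    if date_of_death is None or date_of_death > as_of:
        return True
    return as_of < decedent_phi_expiry(date_of_death)

def documentation_retain_until(created: date, last_in_effect: Optional[date] = None) -> date:
    """Six years from creation or from the date last in effect, whichever is later."""
    anchor = max(created, last_in_effect) if last_in_effect else created
    return add_years(anchor, DOCUMENTATION_YEARS)

@dataclass
class DecedentRecord:          # constructed ledger entry, not an EHR schema
    record_id: str
    date_of_death: Optional[date]
    mentions_living_individuals: bool = False

def screen_record(rec: DecedentRecord, as_of: date) -> str:
    """Classify a decedent record for a disclosure request made on as_of."""
    if is_decedent_phi(rec.date_of_death, as_of):
        return "PHI: apply Privacy Rule, verify requester authority, minimum necessary"
    if rec.mentions_living_individuals:
        return "Not the decedent's PHI; redact living individuals before release"
    return "Not PHI under HIPAA; check state law, archival and contractual limits"

if __name__ == "__main__":
    ledger = [DecedentRecord("r1", date(1974, 3, 7)), DecedentRecord("r2", None),
              DecedentRecord("r3", date(1960, 1, 1), mentions_living_individuals=True)]
    for rec in ledger:   # constructed sample ledger
        print(rec.record_id, screen_record(rec, date(2024, 3, 7)))
```

Genealogical and historical requests hit the third branch, which is where the state-law and archival screening from the list above belongs.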

Conclusion

The 50‑year rule applies to a decedent’s PHI, not to how long records must be kept. Within 50 years of death, HIPAA privacy protections govern. After 50 years, HIPAA no longer applies to that decedent’s data, but other laws and policies may. Align your retention schedules with state law, keep HIPAA documentation for at least six years, and implement clear workflows to handle requests ethically and compliantly.

FAQs

How long does HIPAA protect medical records after death?

HIPAA protects a decedent’s identifiable health information for 50 years from the date of death. During that window, the information remains PHI and is subject to the Privacy Rule’s safeguards and permitted use/disclosure provisions.

What happens to medical records after 50 years under HIPAA?

After 50 years, the decedent’s information is no longer PHI under HIPAA, so HIPAA no longer restricts its use or disclosure. Access may still be limited by state law, archival policies, contracts, or ethical considerations, and information about living individuals in the file remains protected.

Do state laws override HIPAA retention requirements?

HIPAA does not set general medical record retention periods; state laws do. You must follow state retention rules and any more protective state privacy provisions. HIPAA serves as a federal privacy floor and coexists with state retention mandates.

Are covered entities required to retain documentation for six years?

Yes. Covered entities and business associates must retain required HIPAA documentation—such as policies, Notices of Privacy Practices, authorizations, training records, and risk analyses—for at least six years from creation or last effective date, independent of how long medical records are kept under state rules.
