Does HIPAA Apply to All Medical Records After Death? The 50-Year Rule, Exceptions, and Who Can Access Them

HIPAA Protection Period for Deceased Individuals

Under HIPAA, a deceased person’s Protected Health Information remains protected for 50 years from the date of death. During this period, covered entities—such as health care providers, health plans, and clearinghouses—and their business associates must handle decedent health information just as carefully as they do for living patients.

This protection applies to most clinical content, including diagnoses, labs, imaging, and mental health records, though special categories (like psychotherapy notes) have additional restrictions. The 50-year clock starts on the date of death, not the date the record was created.

Disclosure Exceptions during the 50-year period

• Coroners, medical examiners, and funeral directors may receive information needed to perform their duties.
• Organ, eye, and tissue procurement organizations may receive information to facilitate donation.
• Public health authorities and health oversight agencies may receive information for authorized purposes.
• Law enforcement and courts may receive information under specific legal processes.
• Researchers may use decedent health information when requirements for decedent-only research are met.

Access Rights of Personal Representatives

HIPAA treats a decedent’s Personal Representative as if they were the individual. If you are legally authorized under state law to act for the estate, you can exercise the HIPAA right of access to the designated record set, including asking for copies in your chosen format and directing records to a third party.

Covered entities must verify your identity and authority before releasing records. Certain limited exclusions and denial bases still apply—for example, psychotherapy notes and information compiled for litigation are not subject to the standard access right, and narrowly tailored denials may apply to protect safety or privacy interests.

Proving personal representative status

• Provide a certified death certificate and evidence of authority (for example, letters testamentary or letters of administration).
• If state law recognizes another authorized person, supply the documentation that confers that authority.
• Request only what you need; while the “minimum necessary” standard does not limit disclosures to a personal representative, targeted requests speed fulfillment.

Disclosure to Family Members

Without being a Personal Representative, a family member or someone involved in care or payment may receive information relevant to their involvement. The disclosure must not conflict with any known preference of the decedent and should be limited to what is pertinent to that person’s role.

These are permissive disclosures, not entitlements to the entire chart. Covered entities rely on professional judgment, may ask for reasonable verification of the relationship, and should limit disclosures to the minimum necessary for the purpose.

What “relevant information” typically includes

• Updates about the circumstances of death or recent treatment.
• Details needed to help settle final bills the family member helped pay.
• Information necessary to support caregiving roles the person performed before death.

Post-50-Year Status of Medical Records

After 50 years, a decedent’s medical records are no longer PHI under HIPAA, so HIPAA’s privacy restrictions cease to apply. However, access is not automatically unrestricted: other federal rules, state confidentiality statutes, professional ethics, and facility policies may still govern whether and how records are shared.

Organizations often continue to evaluate requests carefully, balancing historical, research, or educational value with residual privacy concerns and any applicable legal requirements outside HIPAA.

Record Retention and State Law Requirements

HIPAA sets no general medical record retention period for patient charts. It does require covered entities to retain HIPAA-related policies and documentation for at least six years, but medical record retention is primarily a matter of state law and other regulations.

Many states require retention of adult records for a set number of years (often 7–10) and longer for minors. Providers may keep records longer than state minimums, and when records are destroyed, they must use secure methods that protect confidentiality.

Key points for record retention

• State law controls how long records must be kept and how they may be destroyed.
• Retention periods are independent of HIPAA’s 50-year privacy rule; a record can be destroyed before or after the 50-year mark if state law allows.
• Secure destruction safeguards apply while information remains PHI and are a best practice even thereafter.

Access by Executors and Administrators

Executors and administrators are common types of Personal Representatives in estate administration. If you serve in one of these roles, you can request copies of decedent health information to handle tasks such as insurance claims, benefits appeals, or litigation.

How to request records

• Submit a written HIPAA access request to the covered entity, attaching a certified death certificate and your letters testamentary or administration.
• Specify the date range, types of records, and preferred format (paper or electronic). You may direct records to your attorney or another third party.
• Expect fulfillment within HIPAA timelines for access; reasonable, cost-based fees for copies may apply.

Special situations

• Small-estate procedures: If your state permits, alternate documentation may suffice when no formal probate occurs.
• Multiple representatives: Any co-representative generally may act, unless a court order or state law requires joint action.
• Scope limits: Your authority extends to the decedent’s records; it does not grant access to the PHI of living relatives contained in the file, which may be redacted.

Protection of Family Health History

A decedent’s chart often contains family health history and genetic information. Because those details can reveal the PHI of living relatives, covered entities typically limit or redact third-party identifiers when responding to requests that do not require the entire record.

When disclosing to family members involved in care, the minimum necessary standard applies. When disclosing to a Personal Representative, the minimum necessary standard does not apply, but providers still strive to protect the privacy of living individuals by removing unrelated third-party data when feasible and consistent with governing rules.

Practical tips

• Ask for targeted sections (for example, terminal hospitalization, medications, or billing) to reduce the chance of exposing unrelated family information.
• If you need family history for clinical reasons, request a summary rather than the full chart when appropriate.
• If you see living relatives’ sensitive details in released records, ask the provider whether a redacted version is available for broader distribution.

Conclusion

HIPAA protects decedent health information for 50 years, granting full access rights to a Personal Representative and permitting limited, relevant disclosures to family involved in care. After 50 years, HIPAA no longer applies, but state record retention rules, other privacy laws, and ethical duties may still shape access. Knowing your role, the applicable documentation, and the disclosure exceptions helps you obtain what you need while safeguarding everyone’s privacy.

FAQs.

How long does HIPAA protect medical records after death?

For 50 years from the date of death. During that time, the information remains Protected Health Information and is governed by HIPAA’s privacy rules and disclosure exceptions.

Who can access a deceased person's medical records under HIPAA?

A Personal Representative with legal authority under state law (such as an executor or administrator) has the same access rights as the individual. Others may receive limited, relevant information if they were involved in care or payment, and certain entities (like coroners or organ procurement organizations) may receive information under specific exceptions.

What happens to medical records after the 50-year HIPAA protection period?

They are no longer PHI under HIPAA, so HIPAA no longer restricts disclosure. However, state confidentiality laws, institutional policies, and other rules may still govern access and release practices.

Can family members obtain medical records after a patient's death?

Yes, but the process depends on their role. Family members who are Personal Representatives can request the full designated record set. Family members involved in care may receive information relevant to their involvement, but not the entire chart, unless authorized or recognized as the Personal Representative under state law.