HIPAA and Medical Records After Death: Who Can Access Them and How to Request Copies


Kevin Henry

HIPAA

March 30, 2024


Navigating medical records after a loss can be confusing. This guide explains how HIPAA handles health information privacy after death, who may access a deceased person’s records, and the steps you can take to obtain copies while maintaining privacy rule compliance.

HIPAA Protections for Deceased Individuals

HIPAA’s Privacy Rule protects a deceased person’s protected health information (PHI) much like it does for a living patient. Covered entities—healthcare providers, health plans, and their business associates—must limit disclosures to what is permitted or authorized and apply the “minimum necessary” standard for most uses.

What counts as PHI

PHI includes any individually identifiable health information in any format—paper, electronic, or verbal—such as diagnoses, test results, treatment notes, billing details, and identifiers like name or date of birth.

Permitted disclosures without authorization

Even after death, HIPAA allows certain disclosures, including to coroners or medical examiners, funeral directors, organ procurement organizations, public health authorities, and when required by law or court order. Providers may also share limited information with people involved in the decedent’s care or payment using professional judgment, as described below.

Restrictions that still apply

Some records remain especially sensitive. Psychotherapy notes, substance use disorder treatment records governed by separate federal rules, and information compiled for legal proceedings have additional protections. Providers must maintain privacy rule compliance while evaluating any request.

Authorized Access by Personal Representatives

Under HIPAA, a decedent’s personal representative stands in the patient’s shoes and generally has the same access rights the patient would have had. State law determines who qualifies, most commonly the court-appointed executor or administrator of the estate.

Estate administration access rights

If you are the executor, administrator, or other court-recognized fiduciary, you may request, inspect, and receive copies of the designated record set. You may also direct records to a third party (for example, an attorney or insurer) or sign an authorization to release medical information naming that recipient.

Personal representative documentation

Be prepared to provide documentation proving your authority. Typical items include Letters Testamentary or Letters of Administration, a certified death certificate, and government-issued ID. Note that a durable power of attorney for healthcare usually ends at death, so it does not by itself establish post-death access.

Scope and limits

Personal representatives can request the full record, subject to standard HIPAA exclusions (such as psychotherapy notes). Providers may deny or limit access when another law restricts certain categories (for example, specific genetic or HIV-related data under state rules).

Access Rights of Family Members Involved in Care

Family members, close friends, or others who were involved in the decedent’s care or payment may receive information relevant to their involvement, unless doing so conflicts with the decedent’s known preference. This is a narrow, situational disclosure—not a blanket right to the complete chart.

What “relevant” means in practice

A provider might confirm the final diagnosis, medications, or circumstances surrounding death to someone who helped manage care. However, broad historical records or unrelated sensitive entries are not typically shared without personal representative authorization.

If broader access is needed

When a full copy of records is required, the family member should either become the personal representative under state law or obtain a signed authorization to release medical information from the personal representative.

Required Documentation for Medical Records Requests

Gathering complete paperwork upfront speeds processing and reduces back-and-forth with Release of Information (ROI) staff.

  • Government-issued photo ID for the requester.
  • Certified death certificate (commonly required).
  • Personal representative documentation (e.g., Letters Testamentary/Administration, court order, or small-estate affidavit where allowed).
  • Written request specifying patient name, date of birth, date of death, provider(s), date ranges, and the type of records needed.
  • Authorization to release medical information if records are to be sent to a third party and you are not directing the disclosure as personal representative.
  • Proof of relationship if relying on involvement-in-care disclosures rather than full estate administration access rights.

Format, timing, and fees

You can usually request electronic or paper copies. HIPAA requires covered entities to act on access requests within 30 days (with one 30-day extension and written explanation). Reasonable, cost-based fees may apply, and state medical record access laws may cap or further limit charges.

State-Specific Regulations on Medical Records Access

HIPAA sets a federal floor, but state medical record access laws can be stricter. States may define who qualifies as a personal representative, establish next-of-kin hierarchies, require specific forms, or impose additional protections for categories such as mental health, HIV, genetic testing, or reproductive health information.

States also regulate record retention periods and copy fees. Hospitals and clinics must follow both HIPAA and applicable state rules; when laws conflict, the more protective standard generally controls. Always verify any specialized state requirements before submitting your request.

Procedures for Requesting Copies of Deceased's Records

Step-by-step process

  • Identify all providers and facilities involved in the decedent’s care and the specific date ranges you need.
  • Assemble required documents: ID, death certificate, and personal representative documentation or proof of involvement in care.
  • Contact the provider’s Health Information Management/ROI department to confirm submission methods (portal, mail, fax, or in person) and any provider-specific forms.
  • Complete the request specifying records sought (e.g., discharge summaries, labs, imaging, billing), preferred format, and delivery method.
  • If you are not the personal representative but need broader disclosure, include a signed authorization to release medical information from the personal representative.
  • Track the request. Expect action within 30 days; if more time is needed, the provider should send a written extension notice explaining the delay.
  • Review the records upon receipt. If something is missing, request the remainder or an accounting of disclosures. If you believe information is incorrect, you may request an amendment.
  • If access is denied, ask for the denial in writing with the reason and instructions for appeal. You can also escalate through the provider’s privacy office.

Sample request language

“I am the court-appointed personal representative of the Estate of [Full Name], DOB [MM/DD/YYYY], DOD [MM/DD/YYYY]. Enclosed are my Letters [Testamentary/Administration], a certified death certificate, and ID. I request copies of the designated record set for care received from [Provider/Facility] between [dates], delivered [electronically/paper] to [address/email/fax]. Please advise of any reasonable, cost-based fees in advance.”

Duration of HIPAA Protections After Death

HIPAA protects a decedent’s PHI for 50 years from the date of death. After that period, the information is no longer PHI under HIPAA, though ethical duties and certain state laws may still influence disclosure. During the 50-year window, the rules described above govern access and permissible disclosures.

Key takeaways

  • Personal representatives, proven by proper documentation, have the strongest access rights.
  • Family members involved in care may receive information limited to their involvement unless the decedent objected.
  • Expect a death certificate requirement, clear identity verification, and adherence to state-specific rules.
  • Providers must act within HIPAA timelines and follow privacy rule compliance standards for every request.

FAQs

Who is considered a personal representative under HIPAA?

A personal representative is the person authorized under state law to act for the decedent—typically the court-appointed executor or administrator of the estate. Parents of a deceased minor or a court-appointed guardian may also qualify, depending on state rules and any limits imposed by other laws.

What documentation is needed to request a deceased person's medical records?

Most providers require government-issued ID, a certified death certificate, and personal representative documentation such as Letters Testamentary or Letters of Administration. If you want records sent to someone else, include an authorization to release medical information or direct the provider to send records to that person as permitted.

Can family members access medical records without being a personal representative?

They may receive information relevant to their involvement in the decedent’s care or payment, unless it conflicts with the decedent’s expressed wishes. This is not a right to the full record. Full access generally requires becoming the personal representative or obtaining authorization from the personal representative.

How long does HIPAA protect the health information of deceased individuals?

HIPAA protects a decedent’s PHI for 50 years from the date of death. After that period, the information is no longer protected under HIPAA, though other laws or ethical considerations may still apply.
