HIPAA Privacy for Deceased Patients: Who Can Access Medical Records and When
HIPAA Privacy Rule Duration
The HIPAA Privacy Rule continues to protect a decedent’s Protected Health Information for 50 years after the date of death. This fixed period applies regardless of when the records were created or whether an estate is still open. During these 50 years, covered entities and their business associates must maintain HIPAA Privacy Rule compliance when using or disclosing the information.
After the 50-year period ends, the information is no longer PHI under HIPAA, though professional ethics and other federal or state laws may still govern access and use. References in a decedent’s file to living relatives remain protected as those relatives’ PHI.
Authorized Recipients of Decedent PHI
HIPAA permits disclosures of decedent medical records to specific recipients for defined purposes. Identity and authority must be verified before any release.
Who may receive decedent PHI
- Personal representative of the decedent (for example, an Executor of Estate or court‑appointed administrator) who can exercise the individual’s rights and authorize disclosures.
- Family members and others involved in the decedent’s care or payment for care before death, to the extent the information is relevant to their involvement and not contrary to a known prior preference of the decedent.
- Health care providers treating another person (such as a surviving relative) when the decedent’s information is necessary for that person’s treatment.
- Coroners, medical examiners, and funeral directors as needed to carry out their duties.
- Organ procurement organizations and tissue/eye banks for cadaveric donation activities.
- Researchers conducting research solely on decedents’ information with required representations and safeguards.
- Public health, health oversight, law enforcement, and courts when disclosure is expressly permitted or required by law.
When none of these pathways applies, a valid Personal Representative Authorization (or other HIPAA‑compliant written authorization from the personal representative) is required before disclosing decedent PHI.
Disclosures for Treatment Purposes
Covered entities may use or disclose a decedent’s PHI for the treatment of another individual. Common examples include sharing relevant genetic test results or family history details with a clinician treating a surviving child or sibling.
While the minimum necessary standard does not apply to treatment, you should still disclose only information reasonably related to the receiving provider’s treatment need. Document what was shared, who requested it, and the treatment purpose.
Role of Personal Representatives
A personal representative stands in the decedent’s shoes for HIPAA purposes. Once verified, they can request access to the designated record set, obtain copies, authorize third‑party disclosures, and request amendments where appropriate.
Establishing personal representative status
- Executor named in a will with letters testamentary.
- Court‑appointed administrator or estate representative.
- Other persons recognized under applicable state law when no formal probate occurs.
Verification is essential. Acceptable proof typically includes court documents or similar instruments showing authority. If multiple personal representatives exist, follow applicable documents and state law to resolve conflicts before releasing decedent medical records.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Medical Record Retention Policies
HIPAA requires covered entities to keep their privacy policies and other required compliance documentation (authorizations, disclosure logs, training records, and the like) for six years, but it does not dictate how long providers must keep medical records themselves. Retention periods for clinical files are primarily governed by state law, accreditation standards, and payer rules, which often differ by record type and patient age.
Providers commonly retain adult records for a period defined by state law and keep minors’ records until the age of majority plus additional years. For as long as a record exists, HIPAA’s disclosure limitations apply to it regardless of the retention schedule, and after the patient’s death they continue to apply for 50 years.
When disposal is permitted, use secure destruction methods that prevent reconstruction of PHI, and maintain documentation of destruction consistent with HIPAA Privacy Rule compliance.
Rights of Surviving Family
Surviving family members do not automatically receive full access to a decedent’s PHI. Unless they are the personal representative, their access is limited to information relevant to their prior involvement in care or payment and only if not contrary to a known preference expressed by the decedent.
Family members may also obtain information needed for their own treatment, typically by having their treating provider request the specific details from the holder of the decedent’s records. Broad, non‑treatment disclosures still require authorization from the personal representative.
Limitations on PHI Disclosure
Apply the minimum necessary standard to most non‑treatment disclosures, disclose only what is appropriately relevant, and always verify the requester’s identity and authority. Maintain logs of disclosures when required and keep copies of any Personal Representative Authorizations.
Some categories carry heightened protections under federal or state law, including psychotherapy notes, substance use disorder records, certain mental health records, HIV/STD information, and genetic data. These may require specific authorizations even when the requester is a personal representative.
Marketing, sale of PHI, and most discretionary non‑treatment uses require explicit authorization from the personal representative. If a known preference of the decedent to limit disclosures exists, honor it unless another law requires release.
In summary, HIPAA privacy for deceased patients lasts 50 years, prioritizes the authority of a verified personal representative, permits narrowly tailored disclosures for involvement in care and treatment of others, and enforces strict PHI disclosure limitations with attention to applicable state and federal overlay laws.
FAQs
Who is authorized to access a deceased patient's medical records under HIPAA?
The decedent’s personal representative—such as an Executor of Estate or court‑appointed administrator—has the broadest access and may authorize disclosures. Others may receive limited information if they were involved in care or payment before death, if needed for the treatment of another person, or when disclosure is permitted or required by law.
How long does HIPAA protect a decedent's health information?
HIPAA protects a decedent’s PHI for 50 years after the date of death. During that period, the Privacy Rule governs uses and disclosures; after it ends, HIPAA no longer applies to the information, though other laws or ethical duties may still restrict access.
Can a family member obtain a deceased relative's medical information for treatment?
Yes. A provider may disclose relevant decedent PHI for the treatment of a surviving family member or another individual. Only information reasonably necessary for that treatment should be shared, and the disclosure should be documented.
What are the limitations on disclosing PHI of deceased individuals?
Disclosures must follow HIPAA’s permitted pathways, use the minimum necessary standard for non‑treatment purposes, verify identity and authority, and respect any known preferences of the decedent. Certain sensitive categories—like psychotherapy notes and substance use disorder records—often require special authorization even when a personal representative is requesting access.