posted by Chris Dimick
Note: this article has been updated to reflect changes implemented through the HITECH Act.
Patients retain the right to keep their medical records private even after death. The laws surrounding just who has a legal right to view those records can lead to confusing and frustrating situations.
Below are frequently asked questions on accessing a deceased patient’s medical records. (For more information, read a full feature article here.) A special thank you to Mary Thomason, MSA, RHIA, CHPS, CISSP, senior compliance consultant at Intermountain Healthcare in Salt Lake City, for her contributions.
Note: Currently proposed federal legislation would make it easier for people to access a deceased patient’s records, allowing healthcare providers to disclose records to a wider range of people. This FAQ will be updated as needed when the final rules are published.
Q: Who may access a deceased person’s medical records?
A: The patient’s designated personal representative or the legal executor of his or her estate has a right under law to access the records. These are the only people who by law have a right to view or copy the records.
If the patient died without naming a personal representative or executor, state law determines who by default possesses the right. States often establish a hierarchy of persons based on their relationship to the deceased person. Typically this begins with an adult member of the immediate family, such as a spouse, child, or sibling.
Q: What legal documents ensure the right to access a deceased patient’s medical records?
A: A combination of the patient’s death certificate and a court document establishing estate executorship is sufficient to establish one’s right. In some states, alternative documentation can also be used.
Q: Do I have to go to probate court and become the executor of the deceased’s estate in order to access his medical records?
A: It depends on the state. Some state laws require people to submit legal proof of executorship to healthcare organizations in order to access records.
Other states follow a hierarchy of who becomes, by default, the personal representative of a deceased patient if the patient dies without naming an executor (as described above).
Q: How do I find my state’s requirements and restrictions for releasing a deceased patient’s medical record?
A: The HIM department supervisor or the privacy officer of a local hospital can provide details on your state’s release-of-information laws. A local legal assistance group, particularly one that assists seniors, is another good resource.
Q: Does HIPAA forbid me from seeing my deceased relative’s medical records?
A: The federal Health Insurance Portability and Accountability Act (HIPAA) grants privacy protections to a person’s medical information even after death. However, HIPAA also establishes that a patient’s designated personal representative has a legal right to access the patient’s records. A healthcare provider must provide the records to his or her designated personal representative if one exists.
However, HIPAA leaves the definition of a personal representative up to individual state law. In general, in order to be a personal representative of another adult, you must have legal authority to act for the adult in making decisions related to his or her healthcare. If the person is deceased, you must have received the legal authority over his or her estate, as defined by state law.
Q: I feel like I’m getting the run-around at my local hospital. Who can help me?
A: First talk to the hospital’s HIM department supervisor. Ask him or her to explain exactly what papers you would need to access the deceased patient’s record. The hospital’s privacy officer also can help determine if you have the right to access the record, and he or she can explain your specific state law.
If you are not allowed access to the records even if you have provided proper evidence of your right, file a written complaint with the Office for Civil Rights, which enforces the HIPAA privacy rule. Consulting an attorney who specializes in healthcare is another option.
Q: Is a signed HIPAA form authorizing release of medical records sufficient to view a patient’s records after his or her death?
A: No. HIPAA release forms and the powers they grant expire upon the patient’s death.
Q: Does a medical power of attorney grant access to a patient’s records after his or her death?
A: No. The rights conveyed by a medical power of attorney expire upon the patient’s death.
Q: Do special exemptions allow me to access the medical records of long-deceased patients for family genealogy projects or historical study?
A: No. Currently under HIPAA, a patient’s privacy rights never expire. The same federal and state laws apply no matter how long the patient has been deceased.
Because the patient’s legal executor is likely deceased as well, access will be determined according to a state law that appoints other individuals as legal representatives when an executor is not named or is no longer available. Ask the facility what state law dictates.
Note: Currently proposed federal legislation would remove a patient’s privacy rights 50 years after death. This FAQ will be updated once the final rule is published.
Q: Is access to a deceased person’s psychiatric or substance abuse records treated any differently than access to other medical records?
A: HIPAA governs most healthcare providers and the records they keep; however, a different federal law governs many substance abuse programs (42 CFR Part 2). A substance abuse program can be covered under one, both, or neither regulation, depending on how it is funded.
Regarding deceased patient records, 42 CFR §2.15(b)(2) is similar to HIPAA. It requires the facility to release records to a personal representative, such as an executor, administrator, or other person appointed under state law. However, the law is more liberal than HIPAA, stating that if there is no legally appointed personal representative, consent may be given by the patient’s spouse; if no spouse is present, consent may be given by any “responsible member” of the patient’s family.
Psychiatric record disclosures follow the same rules as HIPAA, unless they receive additional protection under individual state law.