AHLA’s Health Law Weekly, “How Does HIPAA Apply to Deceased Patients?,” by Abbye Alexander, Esq., Christopher Tellner, Esq., and Henry Norwood, Esq., 6-27-2025
Kaufman Dolowich’s Abbye Alexander, Christopher Tellner and Henry Norwood discuss the HIPAA rules surrounding who may access the health information of a deceased patient, how a qualified party may request access and how providers must address requests for information.
The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ health information and provides patients with specific rights of access, but to what extent do HIPAA’s protections apply to deceased patients? A deceased patient’s health information in the possession of their providers may contain necessary information for submitting health insurance claims, investigating causes of death, or understanding the patient’s treatment and health history, among other reasons. Parties interested in this information may include the patient’s loved ones, beneficiaries, or estate administrators. These parties may have competing interests, complicating matters from the standpoint of the providers in possession of the information.
To resolve these issues, HIPAA provides a series of rules surrounding who may access the health information of a deceased patient, how a qualified party may request access, and how providers must address requests for this information. Understanding these rules is critical to providers and patients in addressing this sensitive issue, which most providers will face at some point.
HIPAA Protection of a Deceased Patient
When a patient passes away, the protections afforded by HIPAA do not dissolve. Rather, a deceased patient’s records are given the same protections as the records of a living patient. Providers are required to comply with the requirements of HIPAA’s Privacy Rule and Security Rule even after a patient has passed away. This protection does not last forever, as HIPAA only requires that providers protect a deceased patient’s records for 50 years after the patient has died. After this 50-year period has expired, providers may disclose the deceased patient’s health information freely because the information loses its HIPAA-protected status as protected health information.
There are certain exceptions to providers’ obligation to safeguard health information that apply to deceased patients, but not to living patients. These exceptions allow providers to disclose a deceased patient’s health information under the following circumstances: (1) to aid coroners, medical examiners, and directors of funeral services; (2) to aid law enforcement when the patient’s death may have been caused by a criminal act; (3) to aid organ bank and transplant organizations; and (4) to aid in research specifically dedicated to the health information of deceased patients. Disclosures of the decedent’s health information must be documented to the same extent as the health information of a living patient.
Who Can Access the Health Information of a Deceased Patient?
HIPAA establishes two categories of individuals who may step into the shoes of a deceased patient and assume the patient’s HIPAA rights. These individuals take on the patient’s rights of access to their health information and to demand an accounting of all prior disclosures made by the provider. The duties owed by providers under the Privacy and Security Rules are owed to the persons assuming the deceased patient’s HIPAA rights.
First, a deceased patient’s family members or close friends may access the patient’s HIPAA-protected information under certain circumstances. Specifically, when a family member or close friend was involved in the patient’s health care or payment for health care prior to their death, they may access the patient’s health information after death. The extent to which a family member or friend may access the decedent’s information is limited to the extent they were involved in the patient’s care prior to death. For example, a family member who was involved in a patient’s payment for health services would be entitled to access the patient’s health information related to payment, but not other purposes. A close friend who was involved in the patient’s receipt of care prior to death would be entitled to access health information related to their care, but not for other purposes. The focus of the rule is on the individual’s prior involvement in the patient’s health care, rather than the closeness of the relationship.
Second, a deceased patient’s personal representative or other person with legal authority to act for the decedent after death assumes the patient’s HIPAA rights. This rule is not limited to a representative with specific, enumerated rights regarding the patient’s health care (for example, a designation of health care surrogate or health proxy); rather, any individual with the legal right to manage the decedent’s affairs may assume the patient’s rights under HIPAA. This rule extends to a representative appointed to manage the decedent’s affairs by a legal instrument executed by the decedent (most often a will) or a representative by operation of law or otherwise (such as the decedent’s next of kin).
Responding to Requests for a Deceased Patient’s Health Information
Whenever a provider or other covered entity receives a request for access to a deceased patient’s health information, the provider should first inquire as to the person requesting access. Does the person requesting access fall within one of the four exceptions to the rules? Is the person a family member or close friend who was involved in the patient’s health care? Is the person an authorized representative of the patient? If any of these questions are answered in the affirmative, the next inquiry is as to the scope of the person’s request. The information requested must be related to the purpose of the request (e.g. a request from law enforcement must be tied to a suspicion of criminal conduct and in furtherance of such an investigation, a request from a family member or close friend must be related to their prior involvement in the patient’s health care). If the answer to this question is also affirmative, the information may be disclosed, subject to an important exception.
A caveat to the disclosure requirements applicable to deceased patients pertains to the patient’s instructions or wishes in the event of their death. If a patient conveys that they do not desire their health information to be shared with certain individuals in the event of their death and this information is known by the provider or covered entity, the patient’s instructions must be honored. This caveat only applies to disclosures to family members or close friends.
Providers should request a copy of any legal instrument that may operate to grant another person the decedent’s HIPAA rights. Doing so helps providers verify the requestor’s identity and entitlement to access, while decreasing the likelihood that providers will commit unauthorized disclosures under HIPAA. Further, most states in the country have passed some form of health information privacy law that may afford greater or additional rights applicable to the privacy rights of deceased patients. Understanding any additional rights under state law is important to ensure providers are in compliance.
Conclusion
The legal requirements imposed by HIPAA on providers can be daunting when faced with an active request from a personal representative, loved one, or other individual regarding a deceased patient’s health information. Understanding these rules ahead of time can help providers create protocols to ensure any future access approvals and denials are HIPAA-compliant.
About the Authors
Chris Tellner and Abbye Alexander are Co-Chairs of the Health Care/Managed Care practice group of Kaufman Dolowich LLP and Henry Norwood is Of Counsel within the group. They represent health care professionals, organizations, including health plans and administrators, patients, and facilities, including long-term care facilities, assisted living facilities, rehabilitation centers and doctors in professional liability defense matters.
Copyright 2025, American Health Law Association, Washington, DC. Reprint permission granted.