RIP Your HIPAA Rights Aren’t Buried With You

Mike Semel

By Mike Semel
Twitter: @SemelConsulting

Just because you die your medical information isn’t free for the taking. The HITECH Act of 2009 says that your HIPAA privacy rights continue for 50 years past your death, providing safeguards but also questions, confusion, and frustration.

Patients can designate who is authorized to get access to their medical records. Signing release forms is a common practice and often lists spouses, children, caregivers, and friends.

So who can get your medical records after you die? The HITECH Act authorizes your personal representative, the person authorized by you or the state to settle your estate. Why 50 years? According to the government, “this period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent, with the need for archivists, biographers, historians, and others to access old or ancient records on deceased individuals for historical purposes.”


There are a few situations where your records can be released without the permission of your personal representative, who may not be known for a time after your death.

  1. To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct;
  2. To coroners or medical examiners and funeral directors;
  3. For research that is solely on the protected health information of decedents;
  4. To organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation;
  5. To a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. This may include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care.

Be Careful

Recently HHS issued guidance that legally-married same sex couples are entitled to the same rights as heterosexual married couples, even if the state they are in does not recognize same-sex marriage.

State laws may add further protections to the information if it relates to HIV/AIDS, substance abuse, or mental health care.

In our era of divorces, re-marriages, cohabitation, step-parents/step-children, and lawsuits, issues sometimes arise when there is conflict with a family member’s spouse or partner. Several of these situations have grabbed headlines when families were fighting over their loved one’s remains, and when allegations were made about whether ‘Mom’ or ‘Dad’ received proper health care prior to death. Your role in your organization may put you in the middle of an ugly family dispute when someone demands medical records.

When to Get Leagal Advice

Reading the general guidance may not answer questions specific to your situation.

Also, don’t assume you have to immediately comply with a subpoena from an attorney, which does not carry the legal weight of a court order signed by a judge. Don’t be intimidated by a subpoena; make sure providing the requested information doesn’t violate your patient’s rights under HIPAA, even if they have passed on.

If you aren’t absolutely sure what to do, consult an attorney familiar with HIPAA and any applicable state laws. Always consult a qualified HIPAA attorney when you receive a subpoena for medical records.

For more information go to OCR privacy pages.

AHIMA (the American Health Information Management Association) provides good guidance on deceased patient medical records:

This article was originally published on Semel Consulting and is republished here with permission.