After Death: Navigating Compliance When Legal Authority Is Unclear
- Jessica Zeff

- Feb 13

Requests for access to a deceased patient’s medical records can present significant legal and operational challenges for healthcare organizations. While such requests are common, especially from grieving family members, they must be evaluated in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and relevant state laws.
The question often arises:
Can we release a deceased patient’s records to a family member if there is no legal documentation, such as an executor appointment or probate proceeding?
The answer is more complex than it may initially appear.
HIPAA Requirements for Disclosures of Deceased Individuals’ PHI
Pursuant to 45 CFR § 164.502(f), HIPAA protections extend to a decedent’s protected health information (PHI) for 50 years following the date of death. During that period, disclosures of PHI are permitted only under specific conditions.
The two primary pathways for disclosure are:
Personal Representative of the Estate
HIPAA permits disclosure of PHI to an individual who, under applicable state law, is authorized to act on behalf of the decedent or the decedent’s estate. This typically includes individuals with legal authority such as executors, administrators, or court-appointed personal representatives. Documentation such as Letters Testamentary or Letters of Administration is generally required to confirm this status.
Persons Involved in Care or Payment Prior to Death
Under 45 CFR § 164.510(b)(5), covered entities may disclose limited PHI to family members or others involved in the decedent’s care or payment for care prior to death, but only if:
- The information is relevant to their prior involvement, and
- The disclosure is not inconsistent with any known prior expressed preferences of the decedent
This provision does not authorize full access to the entire medical record and should be applied conservatively.
Practical Application: A Common Scenario
A frequently encountered situation is when an adult child requests a copy of their deceased parent’s complete medical records, yet no estate has been opened, and no one holds legal authority to act on the patient’s behalf.
This request, while understandable, does not automatically entitle the individual to access the record. Without formal authorization under state law, the requestor is not considered a personal representative for HIPAA purposes.
In evaluating such requests, a helpful decision-making lens is:
“If the patient were alive, would we provide this information to the requestor without their written authorization?”
If the answer is no, then absent a HIPAA-permitted exception or valid legal authority, the organization may not want to release the requested records.
The Role of State Law
While HIPAA provides the federal framework, state law may define who qualifies as a personal representative and whether certain relatives—such as adult children or surviving spouses—have rights to access records. Some state laws broaden access, while others impose strict limitations.
Importantly, the applicable state law is often the law of the jurisdiction where the decedent resided or where the estate is being administered, not necessarily where the healthcare provider is located.
Due diligence requires a case-by-case analysis that includes:
- Identifying the relevant jurisdiction
- Reviewing statutory definitions of personal representative
- Understanding any state-specific access rights for relatives
- Consulting legal counsel as necessary
Policy Recommendations
Given the complexity and variability involved, healthcare organizations should consider the following practices:
- Develop a formal policy for handling requests for deceased patients’ records, aligned with HIPAA and applicable state law
- Define documentation requirements for verifying personal representative status
- Establish internal review procedures for exceptions or limited disclosures
- Train staff on distinguishing between full record requests and disclosures permitted under HIPAA's care/payment provision
- Document all decisions and disclosures thoroughly, including legal basis and scope of information released
Conclusion
Requests for access to a deceased individual’s medical records must be approached with a strong understanding of HIPAA, careful review of applicable state laws, and clear organizational policies. While empathy for grieving family members is critical, so too is ensuring that disclosures are legally authorized and appropriately limited.
Do you have questions about this blog? Please contact jessicazeff@simplycomplianceconsulting.com.



