Who Has Rights to a Deceased Patient’s Records?
[Editor's note, July 2010: The Office for Civil Rights has proposed modifications to HIPAA that would ease the release of deceased patient records.]
A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?
Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.
The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.
Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.
The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.
What Did HIPAA Change?
“The problem is a lot of people don’t really understand how HIPAA operates in collaboration with the existing state regulatory framework that they live in…” says Barry Herrin, JD, FACHE, a partner with the Atlanta-based law firm Smith Moore Leatherwood LLP. “HIPAA is not the bad guy here.”
HIPAA did not create a new rule, Herrin says, and in instances where it does prevent someone from accessing patient records, generally speaking, it is reinforcing existing state laws on how deceased patient matters are handled.
HIPAA leaves it up to states to determine who qualifies as a deceased patient’s personal representative-the person who has legal rights to access another’s medical record. This is clear cut when a patient has signed a HIPAA release or named an executor to his or her estate. But when a patient dies without doing either, HIPAA defaults to state law to determine the hierarchy of rights to that person’s estate and health records.
The privacy rule states that people have the same privacy rights in death as they do in life. But it also requires that healthcare facilities must release medical records to those people either appointed by the patient or who are deemed a personal representative by state law. Because of this, Herrin says that HIPAA law can actually help authorized individuals access deceased patient’s medical records.
HIPAA also requires a covered entity to verify the identity of a person requesting protected health information as well as their authority to such access. Just because someone is related to a deceased patient does not mean they have a right to their record. “There is a difference between identity and status,” Herrin says. “You have to verify both.”
Though HIPAA federalized this requirement, the act of authenticating requestors of protected health information was being done in many facilities long before HIPAA was passed. Aurora Healthcare, based in Milwaukee, WI, updated their information release policies to include specific language about verification following HIPAA implementation. But the rule did not change their practices significantly, says Peg Schmidt, RHIA, Aurora’s chief privacy officer.
Varying State Laws
State laws can get complicated regarding who has rights to access or authorize the release of a person’s record after death.
In Utah, pre-HIPAA policy was to follow a hierarchal next-of-kin list regarding who had authorization to a deceased patient’s record. But after HIPAA was implemented, some providers felt they needed clearer direction from the state on whether it was still legal to discuss a deceased patient’s medical care with his or her spouse, says Mary Thomason, MSA, RHIA, CHPS, CISSP, privacy compliance consultant with Intermountain Healthcare, based in Salt Lake City. Because of this, Utah legislators passed specific state laws to define exactly who qualifies as the personal representative of a deceased patient.
The executor has first rights to the patient’s records. But if no executor was named, the patient’s spouse or adult child can become the deceased’s personal representative. Proving status as a personal representative requires that a person must receive a letter of appointment from a probate court.
Even though the law is relatively clear, Thomason’s facility has had to deny records requests in the past and deal with disputes. A common dispute occurs when adult siblings want to deny record access to brothers and sisters. “In that case we basically say, ‘Hey, we are not the court. Go back to the probate court and find out who gets the letter of appointment to represent the estate, and that is the person we will deal with,’” Thomason says.
The situation in Wisconsin is more complicated. In Wisconsin, different laws govern the release of records for behavioral health records and general medical records.
With behavioral health records, access rights first go to the executor of the estate. If there is no executor, the patient’s spouse has sole rights of access. If there is no spouse or executor, a “responsible member of the patient’s family” comes next, Schmidt explains.
With the general record, the patient’s personal representative and spouse or domestic partner share access rights equally. “None is higher than the other, none can cancel out the other’s authority,” Schmidt says. If those individuals do not exist, then the personal representative is defined as any adult member of the deceased patient’s immediate family, such as children, parents, grandchildren, siblings, and even spouses of siblings.
All share equal rights to the record. Discretion is left up to the healthcare staff handling the request to decide if record requestors meet state law requirements as a personal representative. No one official document is required for access.
Common Disputes
With so many people authorized to access the record in Wisconsin, verification issues can arise. At Aurora Healthcare, the burden of proof lies with the requestor. Providing that proof is not always easy, and it can lead to people being denied access.
“The verification of some of these situations becomes a little difficult,” Schmidt says. “They have to prove their relationship to the deceased, and that is not always easy for them to do.”
A spouse can present a marriage certificate, but brothers and sisters lack comparable documents that show their relationship to the deceased. “They have to be able to just prove their standing in the family and their relationship to that person any way that they feel they can,” she says. It is up to staff to decide whether someone has provided adequate proof that they are authorized to access a deceased patient’s record.
“These are just things that you do to the best of your ability,” Schmidt says. “You are always looking for that comfort feeling of ‘this feels right’ or ‘this doesn’t.’ And sometimes that is all you are left with.”
Wisconsin state law leaves the potential that legally authorized individuals could be denied deceased patients health records due to their inability to prove their authorization. However, Schmidt says the law has worked well at her facility, and she hasn’t encountered many problems with verification.
People become upset when they feel entitled to the patient’s medical record even though state law blocks their access, Thomason says. In most state law, a healthcare agent for a patient loses authority after the patient dies. If that agent was not named as an executor to the deceased patient’s estate, and is not related to the deceased, then that person is denied access, even though they most likely would feel entitled to the records.
Another common situation occurs when a patient dies and the spouse breaks all contact with the deceased’s immediate family, Schmidt says. The deceased’s siblings would not have authorization to access the records because the spouse holds all rights of access. “If the spouse really has moved on, the immediate family probably feels they have a right to that patient’s record, and technically they do not,” Schmidt says. “Those situations get hard.”
In July Wisconsin legislators amended state confidentially laws to allow domestic partners the same authority over a patient’s records as a spouse. However, the change was only for general records, and it did not affect laws governing behavioral health medical records-an oversight Schmidt says could lead to some problems.
But the change will still help with a number of situations. “Somebody who took care of someone for 20 years and suddenly loses all authority, and the family steps in and kicks them out,” she says, “we have seen that. So I think it will help some people.”
Preventing Ambiguity
The most direct way for facilities to prevent record access disputes is to require patients to sign release of information authorizations or name their personal representative upon their admittance, Herrin says. Many healthcare facilities only ask patients for the name of someone they can contact in an emergency or the person who is the responsible party on their account. These questions do not identify who may legally access their medical records.
If a patient has not declared an executor or personal representative, Herrin recommends that a patient advocate or other staff member assist in filling out the proper paper work. A HIPAA authorization form specifically identifies who can access their medical records before and after their death. This form should be filled out during or just after patient registration.
Federal law requires hospitals to ask admitted patients if they have an advance directive. Many facilities merely ask patients if they have an executor of their estate or have assigned a durable power of attorney, but they do not collect the actual advance directive documents, Herrin says. Requiring that these documents be included in the medical record on the front end can save hours of arguing if disputes arise later.
“It is that kind of preparation that HIPAA specifically allowed that people are not taking advantage of,” Herrin says. “They are treating HIPAA as a shield, instead of a sword.”
Best Practices
Unless state law dictates otherwise, healthcare facilities should require that requesters present a court-authorized document showing they have authority to see the record. A hospital is not a court, and staff should not have the responsibly of determining who has first authorization rights.
“Why should the hospital spend all its time and resources hiring a lawyer to fight this fight [between people over records],” Herrin says. “Just tell them, ‘Look, whatever court of whatever county handles disputes about who is in charge. You all go fight about it there and tell me who won.’”
HIM professionals in general err on the conservative side when releasing medical information, Schmidt says. “We are trying to err on protecting that person’s privacy, and [we] just try to make that judgment call thinking in terms of the best interest of the patient as a human being,” she says.
There are varying reasons why patients may not want family members to access their records after death. A common reason for privacy, Herrin says, is when a person is dying from a “catastrophic disease” such as HIV and does not want family members or others to know. The patient deliberately shielded his or her health information from them while alive, and that decision must be protected after death. Release of information staff should not be tempted to simply release a record rather than deal with irate requestors, Herrin says.
“If it is your medical information or your mother’s, and something happens to you or her, do you want everybody in your family poking around in that stuff?” Herrin says. “If the answer to that question is no, then you can’t be mad at HIPAA for making a person go and become the personal representative of a deceased patient’s estate. Because that is precisely what it is intended to do-to stop people from poking around in your stuff.”
Thomason can see how facilities that do not have ample access to legal council could restrict their policies rather than break the law by issuing records to an unauthorized person. But ignorance of the law is not an excuse, she says.
HIM professionals responding to a release of information request have a duty to explain why a record request is denied, Schmidt says. Aurora Healthcare keeps the state’s hierarchical chart of authority on hand for staff to reference. Facilities can also keep a sample copy of a valid court document to show requestors how to become a personal representative or executor, Thomason says.
“Part of our role is to educate the requestor on the true facts of why they can or can’t [access the record] or what the rules are,” Schmidt says. “I would sure hope we never see someone just give an outright ‘Well, it is HIPAA.’ Because that is never really the answer, directly.”
For answers to frequently asked questions on this topic, see “Accessing Deceased Patient Records—FAQ.”
Position in UK on releasing medical records. In the link below:
http://webarchive.nationalarchives.gov.uk/+/www.dh.gov.uk/en/Managingyourorganisation/Informationpolicy/Patientconfidentialityandcaldicottguardians/FAQ/DH_065886
my husband died nov 14 2012…tryiny to obtain medical records no luck…..it’s crazee seems like everyone else can get affavidaits and other info concerning my husband but me…i need to know what has been left in his life so creditors and anybody else trying to capitalize in life.
What rule does the State of Indiana follow for releasing records of a deceased patient? It is confusing for Medical Records Staff with so many variations.
Thank you
my 59 year old brother recently died of kidney failure, secondary to liver failure.He had been on several meds for the past 20 yrs for bi-polar disease. I do not believe his liver function labs were being drawn or I do not see how this could have happened so suddenly. When I used to ask him about the lab draws he would tell me “no, they weren’t drawn” What is the HIPPA law in IN. He was not married, and there is no executer, no estate, he was destitute living in a nursing home at the time of his death.
What about records that are over 100 years old and were the working notes of the doctor, such as a daily journal of visits and treatments? Do later generations of the family still have some right to keep those records confidential?
How can I get my deceased mothers Medical Record? I live in Ohio and my mother recently passed away in an assisted living facility in Ohio
The guy that talked about the Aggrieved Son was what is going on today. My daughter is dead at 27 because of what’s allowed to go on in these hopitals.
Common sense plus Constitution: A patient’s death in a hospital comes within the public domain and responsibility lies squarely on the hospital for such deaths. This rule was incorporated all over the world in view of large MEDICAL EXPERIMENTATION prohibited by national constitutions Apex Court judgments as well as by all International Covenants law. Doctors indulging in such practices to escape prosecution in criminal courts as well as consumer courts have created such horrid rules. Drugs do not affect property rights.Death Certificates decide probate court orders.Dead patient’s records when are accesible by all provided there are reasons to suspect that the patient died under mysterious circumstances and on account of medical experimentation.
ph: 911141630607 or 911141634913
Aggrieved son
— Anil
March 3rd, 2012 at 11:51 pm
My son Frank Jones Burgs Jr. died on August6,2012. He drowned in the Cumberland Rive in Nashville,Tn. he was reportedly bullied by the boys that were with him at the time of his death. His information was released before any of our family was told. Someone Posted it on Facebook. A Family member saw it on Facebook and called our family. We were notified of his death by the police and his school on Monday August8,2012. He could not swim. The Police went by what the boys told them happened as to how he ended up in the water.
My father died in 2010. My brother was my father’s personal representative and executor of his estate. Before her death, my mother acted as my father’s guardian and received his social security in her name for him. She told me it was because he was incompetent. According to Social Security, her appointment required a doctor’s certification. My father’s medical records will show he was incompetent to create the changes to his will that my brother and his friends benefited from due to undue influence. I have avoided conflict with my brother because he becomes furious and protective when any suggestion has been made that my father was not competent. Mom died in 1999 and my brother took over my father’s affairs. My research shows that his disability retirement in 1978 resulted from his doctor’s opinion. That doctor is likely also deceased. This is a small community and I wonder if his medical records have been passed on to the doctor that treated him until his death. How should I proceed to get access to my father’s medical records?
Thank you.
My stepsister had the POA from my Father and my Father and I was denied access to him. Now he is deceased and I was not contacted but found out by accident and still no one will give me any information. This whole ordeal has seemed fishy from the beginning and now that he is deceased isnt there something I can do?
What are the regulations for the state of Florida?
where does one find the answers to the preceding questions?Ruth Marmer ruthmezquita@gmail.com
Where can I read the answers to the preceding questions?
Why aren’t my grandmother’s records available to me when that cretin of a husband was screwing the housekeeper back in the 1920′s. His name, Henry C. Hearn and her name Pauline Paeskes Fulk and she assumed the name of Hearn after my grandfather committed my grandmother after she caught the housekeeper (Pauline) having sex with Henry. She must have threatened divorce and alimoney. He had wealth and so got her committed. It was a common occurrence. I want to know what happened to her and I need those records for medical history re my family. It is wrong to use HPPA against relatives and the law needs to be changed NOW!
Forgot to add that I was deprived of the love and affection of my grandmother, thereby having no grandmother because my maternal grandmother died before I was born and my father’s mother wrongfully committed by that cretin Henry C. Hearn. I think that Jacksonville State Hospital for the Insane (what a label to hang on patients!) located in Jacksonville, IL is afraid that people will sue the State of Illinois with it broke behind. I recommend that we make this as public as possible.
I agree with the following which was posted above by Anil and Ann. The murderers are getting away with experimentation and are and were as bad as the Nazis!
The guy that talked about the Aggrieved Son was what is going on today. My daughter is dead at 27 because of what’s allowed to go on in these hopitals.
“Common sense plus Constitution: A patient’s death in a hospital comes within the public domain and responsibility lies squarely on the hospital for such deaths. This rule was incorporated all over the world in view of large MEDICAL EXPERIMENTATION prohibited by national constitutions Apex Court judgments as well as by all International Covenants law. Doctors indulging in such practices to escape prosecution in criminal courts as well as consumer courts have created such horrid rules.”
They will implement any rules to stymie the common people to keep them from accessing information to which relatives have a right. We need to petition Congress NOW!
Kathy in re your gr grandmother who died in Colorado hospital, please contact your congressperson and senators and request that they look into this. It is a poorly wrought law. We should have a right to their records and this law is constructed to repel any sort of lawsuit against the states that run the hospitals. We need to write Obama about it as well. Just send him the same letter you send the congresspeople and senators. I am doing that. I happen to live in backassward Colorado but Illinois is even more obstructive. They have a psychiatrist in charge of their programs and they obfuscate everything. Hang in there and challenge them with your representatives. Let those lazy creeps in congress earn their money for a change.
Do patients have the right to request records that our health care facility “receives from” other health care providers? What are the current California, Federal, and HIPAA Laws on this?
how would i go about obtaining my grandmothers medical records from Plainview Texas? can you send your response to the email listed above?
Thanks,
Lee
My great-grandfather was an inmate at Manhattan State Asylum for the Insane (now Manhattan Psychiatric Institute) from 1901 until his death in 1944. He was born in 1859 and lived 85 years. I requested his records and was turned down due to HIPPA privacy laws. Here is the situation: His only surviving child died in 1967. His grandson (my father) is almost 90, never knew of the existence of this grandfather, and now has almost no memory anyway. I am the eldest of his children. I only learned of this great-grandfather while doing family genealogy. I am a clinically trained social worker (ret.) and as such have extensive knowledge of mental disorders. There are some people in my family who have had interpersonal difficulties, and my belief is that knowledge of my great-grandfather’s diagnosis would shed light on some current problems and arm the younger ones with knowledge that may impact their future decisions. Can anyone hazard a guess as to my chances of contesting the HIPAA regulations in this case?
I want to collect some information for the express purpose of obtaining information on a family disease (hht -in my late husband’s family)whereby possiblily stopping and/or decreasing the horrible effects of this disease. My children and grandchildren are at least the 3rd and 4th generation of African Americans who are dieing every year from hht. At the present time, I want to put together a log of deseased members for research for all remaining family members as well as for my only leaving son, our oldest son passed away at the age of 40, who will be going before a social security board. Can I purchase death certificates for my brother in-laws, and nephews.
Please email back with an answer.
For Ohio, see Ohio Revised Code Section 2317.02(B)(1)(a) and its subparts. This is not intended as legal advice.
All Hippa does is tear families apart. Then to make matters worse it covers up doctors who make mistakes and do not or will not take responisbility for them
When a husband dies, a son or wife should be able to get copies of his medical record.
They should NOT have to go through the expense of hiring a lawyer.
My family is participating in a research project evaluating to identify a genetic marker for a syndrome that affects many of us,, my brother who is now deceased probably was affected by this disorder.. his widow never remarried but his now adult son may be affected by this disorder which can have deadly repercussions,, While being treated by his Dr back in the 1970s he was doing amazingly well for a long period of time while being treated with mega doses of vitamins,,would my nephew need his mothers consent or assistance to obtain these records or can I as sister request these records or is court permission still required,, we live in michigan,, other medical records such as lab values during this time are also of importance,, how do we begin this process.. his vitamin therapy was done for mental health reasons but through research over the last 30 some years it has been ascertained that this condition may be genetic and possibly mitochondrial..in origin. Many of his pertinent records are held by the local Mental Health clinic and I do realise privacy issues are very important in the Mental Health system.. my brother has been deceased over 30 years now,, kcb
At the time of my brother’s death, my mom was assigned as medical power of attorney. He was still married at time of death but was estranged from his wife for several years. The wife had to be called to the funeral home to sign permission for cremation. Who has a right to request his medical records?
My 22yr old son died due to overdosing on his medication on August 28,2011. Although he was an adult he resided with in Naperville , IL. I want access to my son’s medical history including doctor’s notes as I need to understand the state of mind he was in at the time. Do I need to hire an attorney to subpeona the records or is there any other way of obtains his medical Records. I have sent two letters by registered mail to the doctor’s last known address in Oakbrook Terrace, IL that came back undeliverable. I sent an email to the doctor that he did not respond to. My son was seeing a psychiatrist for his anxiety and depression disorder . Do I as the mother of the deceased have rights to his medical records? OR what steps do I need to take to get his records released to me?
I have looked all over with no luck. My son recently passed away from what they are saying accidential overdose at a local hospital. He was a federal inmate, but died at a local hospital. How do I go about getting his medical records from the hospital and the prison? He passed away in the state of Indiana.
Hi- this article is extremely informative. I work at a small CAH facility which has an attached LTC facility with ventilator patients. We often have patient who have no DHPOA and are unresponsive and/or show no signs of cognition. I have instructed family to go through the court system to obtain guardianship. Is this correct or should I do different? Our facility has no set in stone policies and I would like to correct this.
Thank you