Patients retain the right to keep their medical records private even after death. The laws surrounding just who has a legal right to view those records can lead to confusing and frustrating situations.

But new rules implemented through the HITECH Act’s HIPAA moficiation final rule have changed the rights of deceased patients and their loved ones to health information.

Below are frequently asked questions, recently updated to reflect the HITECH Act’s changes, on accessing a deceased patient’s medical records. (For more information, read a full feature article here.)

Q: Who may access a deceased person’s medical records?

A: The patient’s designated personal representative or the legal executor of his or her estate has a right under law to access the records.

If the patient died without naming a personal representative or executor, state law determines who by default possesses the right. States often establish a hierarchy of persons based on their relationship to the deceased person. Typically this begins with an adult member of the immediate family, such as a spouse, child, or sibling.

For those family members, relatives, and others who had access to the health information of the deceased prior to death, but had not qualified as a “personal representative” of the decedent under HIPAA Privacy Rule 164.502(g)(4) the final Privacy Rule allows covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the descendent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Q: Does this change the personal representative’s rights under HIPAA?

A: This change to the Privacy Rule does not change the authority of the decedent’s personal representative.  The personal representative continues to have the right to access the decedent’s protected health information and have authority to authorize use and disclosures of the decedent’s protected health information that are not otherwise permitted or required by the HIPAA Privacy Rule.

Q: What legal documents ensure the right to access a deceased patient’s medical records?

A: A combination of the patient’s death certificate and a court document establishing estate executorship is sufficient to establish one’s right. In some states, alternative documentation can also be used.

Where a person does not rise to the level of personal representative, the HITECH-HIPAA final rule at 164.510(b) permits, subject to any prior expressed preference of the individual, a covered entity to disclose relevant protected health information, which may include persons who held a healthcare proxy for the individual or a medical power of attorney.

Q: What documentation or information will I need to meet the “reasonable assurance” for access to decedent’s medical record if I am not the personal representative? 

A. Reasonable Assurance criteria could be met by the person by indicating to the covered entity how he or she is related to the decedent or offering sufficient details about the decedent’s circumstances prior to death to indicate involvement in the decedent’s care.

Q: Do I have to go to probate court and become the executor of the deceased’s estate in order to access his medical records?

A: It depends on the state. Some state laws require people to submit legal proof of executorship to healthcare organizations in order to access records.

Other states follow a hierarchy of who becomes, by default, the personal representative of a deceased patient if the patient dies without naming an executor (as described above).

The Privacy Rule removes only the HIPAA requirement to deceased protected health information for family members and others who were involved in the care or payment for care of the decedent prior to death.  Some states may be more stringent than HIPAA.

Q: How do I find my state’s requirements and restrictions for releasing a deceased patient’s medical record?

A: The HIM department supervisor or the privacy officer of a local hospital can provide details on your state’s release-of-information laws. A local legal assistance group, particularly one that assists seniors, is another good resource.

Q: Does HIPAA forbid me from seeing my deceased relative’s medical records?

A: The federal Health Insurance Portability and Accountability Act (HIPAA) grants privacy protections to a person’s medical information up to 50-years post death. However, HIPAA also establishes that a patient’s designated personal representative has a legal right to access the patient’s records. A healthcare provider must provide the records to his or her designated personal representative if one exists. HIPAA leaves the definition of a personal representative up to individual state law.

The final Privacy Rule now opens the ability for family members, relatives, and others, who may have had difficulty obtaining access to such information.  The amendment to 164.510(b) permits covered entities to disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to the death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

However, these disclosures are permitted and not required and thus, a covered entity that questions the relationship of the person to the decedent or otherwise believes, based on the circumstances, that the disclosure of the decedent’s protected health information would not be appropriate, is not required to make the disclosure.

Q: I feel like I’m getting the run-around at my local hospital. Who can help me?

A: First talk to the hospital’s HIM department supervisor. Ask him or her to explain exactly what papers you would need to access the deceased patient’s record. The hospital’s privacy officer also can help determine if you have the right to access the record, and he or she can explain your specific state law.

If you are not allowed access to the records even if you have provided proper evidence of your right, file a written complaint with the Office for Civil Rights, which enforces the HIPAA privacy rule. Consulting an attorney who specializes in healthcare is another option.

Q: Is a signed HIPAA form authorizing release of medical records sufficient to view a patient’s records after his or her death?

A: Yes, the new provision 164.510(b) permits covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the descendent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.  This may include persons who held a healthcare proxy for the individual or a medical power of attorney or a signed HIPAA authorization form.

Q: Does a medical power of attorney grant access to a patient’s records after his or her death?

A: Yes, the new provision 164.510(b) permits covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the descendent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.  This may include persons who held a healthcare proxy for the individual or a medical power of attorney.

Q: Do special exemptions allow me to access the medical records of long-deceased patients for family genealogy projects or historical study?

A: Yes. The final Privacy Rule has removed a patient’s privacy rights 50 years after death and thus no longer subject to the Privacy Rule.  However, state laws may still apply.  Ask the facility what state law dictates.

Q: Is access to a deceased person’s psychiatric or substance abuse records treated any differently than access to other medical records?

A: HIPAA governs most healthcare providers and the records they keep; however, a different federal law governs many substance abuse programs (42 CFR Part 2). A substance abuse program can be covered under one, both, or neither regulation, depending on how it is funded.

Regarding deceased patient records, 42 CFR §2.15(b)(2) requires the facility to release records to a personal representative, such as an executor, administrator, or other person appointed under state law. However, stating that if there is no legally appointed personal representative, consent may be given by the patient’s spouse; if no spouse is present, consent may be given by any “responsible member” of the patient’s family.

Covered entities may continue to provide privacy protections to decedent information beyond the 50-year period, and may be required to do so under other applicable laws or as part of their professional responsibility.  Alternatively, covered entities may choose to destroy decedent’s information although other applicable law may prescribe or limit such destruction.

Psychiatric record disclosures follow the same rules as HIPAA, unless they receive additional protection under individual state law.

***

A special thank you to Mary Thomason, MSA, RHIA, CHPS, CISSP, senior compliance consultant at Intermountain Healthcare in Salt Lake City, for her contributions.

Other contributors, who updated this article in April 2013, include:

-Chris Apgar, CISSP, president of Apgar & Associates, LLC, a nationally recognized expert in information security, privacy, transaction and code sets, national identifier, HIPAA and electronic health information exchange.

-Judi Hofman CAP, CHP, CHSS, a privacy and information security officer for a four-hospital health system in central Oregon.  Hofman has been co-chair for the American Health Information Management Association’s ( national Privacy and Security Practice Council, is a contributing author, and presents nationally on HIPAA privacy and security.

-Kirk Nahra, JD, partner at Wiley Rein, a firm specializes in healthcare privacy law, and member of the Confidentiality, Privacy and Security subgroup for American Health Information Community (AHIC).