There are many reasons that someone might request medical records for a deceased person, but these requests can be tricky. Learn what you need to know to stay compliant and handle the job right!

HIPAA Still Applies

Even though the person with medical records is now deceased, their information privacy rights live on in the form of HIPAA (Healthcare Insurance Portability and Accountability Act). It is important for those who work with medical records to understand the law surrounding records of the deceased, as these situations can become confusing and frustrating to individuals.

The HIPAA privacy rule governs to whom and for what reason medical information can be disclosed to another individual, or another covered entity (a medical provider or organization covered under HIPAA), for fifty years following death. Within those fifty years, the personal representative of the deceased, such as a surviving spouse or the executor of an estate, may authorize certain uses and access to the information.

After fifty years has passed following death, any records, case files, or photographs with identifiable health information can be disclosed without regard to HIPAA. This happens in the case of historical study, genealogy, and research.

Special Disclosures after Death

After death, a patient’s protected health information is generally treated the same as if they were living, except in the case of a number of special disclosures that are relevant to deceased individuals. These are:

  • To notify law enforcement of a death when there is suspicion of criminal conduct.
  • To coroners or medical examiners and funeral directors.
  • To organ procurement organizations, tissue banks, or other donation and transplantation entities.
  • For research that is based solely on the information of deceased individuals.

How Can a Family Member Access Records?

Case 1: Anyone involved in the decedent’s care or payment for care.

Most of the time a covered entity can release records to a family member or other person who was involved in the decedent’s healthcare or payment for care prior to death. This may include spouses, relatives, domestic partners, parents, children, other relatives, or friends. The records that can be disclosed are those which are relevant to the person’s involvement in the decedent’s care or payment for care. In addition, the covered entity may disclose PHI to notify a family member or other named personal representative of the decedent of the patient’s location, condition, and death.

It is important for the covered entity (hospital or similar) to verify that there is no documentation in the record preventing such disclosure of information to this individual. For example, if a patient had expressly prevented disclosure of information to a certain relative, then the covered entity must continue to honor that request.

Case 2: Personal representative of the estate.

For record requests for health information that are not relevant to care or payment, a covered entity must obtain a signed, written HIPAA authorization from a personal representative who can legally authorize the disclosure of all of the protected health information.

According to the HIPAA Privacy Rule, a personal representative of a deceased individual is defined as:

  • Legally authorized executor or administrator of the estate.
  • Next of kin or other family member as authorized under state law.

What Legal Documents are Needed?

Legally, the medical records department is required to verify the legal authority of a requestor – whether that is a person or another entity (such as a hospital or law office).

Although exact documentation can vary from state to state, the following items are almost always needed:

  • Identification of the requestor, such as driver’s license, passport, birth certificate.
  • A signed and dated HIPAA request form provided by the appointed executor or personal representative. In certain states, they will require the HIPAA request form to have a witness signature or notary public seal.
  • The patient’s death certificate.
  • The patient’s identifying information, such as date of birth and social security number.
  • A court document establishing the executor or representative of the estate.

Some states use a hierarchy of persons based on their relationship with the decedent to establish legal next of kin. This typically begins with the current spouse, then moves to adult children, parents, and siblings. The medical records department of each covered entity should know the exact law for the state and follow that hierarchy.

RecordQuest is a release of information service  (ROI) that partners with hospitals across the nation. We simplify the process with knowledgeable, expert staff, while ensuring that all legal requirements are met. Need help efficiently meeting requests for records? Contact us for more information about how we can help.

Start typing and press Enter to search

4 Ways to Protect PatientData
4 Ways to Protect Patient DataPHI, Security, Technology
Identify and Stop Fraudulent Information RequestsCompliance, Medical Records, Patients, PHI, ROI, Security, Technology