- Practice Management
Release of Deceased Patient Medical Records
To avoid violating HIPAA, it's important to know the guidelines on releasing deceased patient medical records and who may obtain the records.
When a patient passes away, those involved in settling the patient’s estate and/or next of kin may request release of the deceased patient’s medical records. The HIPAA Privacy Rule and state law inform who may receive the individual’s protected health information (“PHI”).
It is important to know who is entitled to deceased patient records because violating HIPAA could result in fines or other penalties.1 The following guidance will help you determine when to release deceased patient records, and when to deny a request for release.
HIPAA Guidance for Releasing Deceased Patient Medical Records
Under the HIPAA Privacy Rule, practitioners and practices must release a deceased patient’s PHI to three categories of individuals:2
- Physicians treating a family member of a deceased patient are entitled to the deceased’s records without written authorization when they are for purposes of the family member’s treatment. Limit disclosures to information relevant to the family member’s treatment.3,4
- Family members or other persons involved in the decedent’s health care or payment for care unless the decedent expressed their preference otherwise during their lifetime. Limit disclosures to information relevant to the person’s involvement in the decedent’s care.5
- This includes those who regularly attended appointments, made payments, or were otherwise involved in the patient’s care or payment for care.
- This does not include those who the decedent expressed verbally or in writing should not be given access to their PHI, even if the person was involved in their care or payment for care during the patient’s lifetime.
- This includes those who regularly attended appointments, made payments, or were otherwise involved in the patient’s care or payment for care.
- Personal representatives” 6,7 are those who have legal authority under applicable law (e.g. state, tribal, or military law) to act on behalf of the deceased patient.8
- This includes those with health care power of attorney, or another form of written authorization granted by the decedent or granted by another authorized “personal representative.”
- This often includes the executor or administrator of the decedent’s estate. Sometimes, this person is called the personal representative of the estate, not to be confused with a “personal representative” pursuant to the HIPAA regulations discussed in this guidance.
- Some states expressly include other individuals, such as family members, as “personal representatives” for purposes of disclosing the PHI of a deceased individual. Consult the following MICA member-state guidance for additional information on those who qualify as HIPAA “personal representatives” pursuant to state law.
- This includes those with health care power of attorney, or another form of written authorization granted by the decedent or granted by another authorized “personal representative.”
State Guidance for Releasing Deceased Patient Medical Records
Arizona Guidance 9
- Health care decision makers including anyone verified to have health care power of attorney, parents or guardians of minors who are authorized to make health care decisions, and guardians of an incapacitated adult authorized to make health care decisions are considered “personal representatives.”
- The personal representative or administrator of the decedent’s estate is a HIPAA “personal representative.” If there is no personal representative or administrator, PHI may be released to the following people in order of priority:
-
- The deceased patient’s spouse unless they were legally separated at the time of the patient’s death.
- The acting trustee of a trust created by the deceased patient either alone or with the patient’s spouse if the trust was a revocable inter vivos trust during the patient’s lifetime and the deceased patient was a beneficiary of the trust during his or her lifetime.
- An adult child of the deceased patient.
- A parent of the deceased patient.
- An adult brother or sister of the deceased patient.
- A guardian or conservator of the deceased patient at the time of the patient’s death.
- The deceased patient’s spouse unless they were legally separated at the time of the patient’s death.
Before releasing PHI, the provider or practice should request identity verification (e.g. a driver’s license or some other form of picture ID) and a written statement that there is no person higher in priority who will request access to the records.
The exception to the above hierarchy is if the patient, during his or her lifetime, or a person in a higher order of priority, has notified the health care practitioner or facility that the deceased patient opposed the release of the medical or payment records.
Utah Guidance 10
A deceased patient’s spouse and adult children may be recognized as “personal representatives” under HIPAA and receive the decedent’s PHI.
Colorado Guidance 11
Colorado law does not enumerate additional individuals entitled to a deceased patient’s PHI. Thus, a request from any individual who does not fall within the three categories listed in the HIPAA guidance above must be accompanied by a court order.
Nevada Guidance 12
Under Nevada law, the following individuals are entitled to a deceased patient’s PHI:
- The personal representative of the decedent’s estate.
- This includes an executor, administrator, a successor personal representative, or a special administrator of the decedent’s estate.13
- This includes an executor, administrator, a successor personal representative, or a special administrator of the decedent’s estate.13
- Any representative with the patient’s written authorization.
- Any trustee of a living trust created by a deceased patient.
- The parent or guardian of a deceased patient who died before reaching the age of majority.
MICA’s Risk Management Consultants are ready to respond to your questions and provide more information. You can reach a Consultant Monday – Friday 8am – 5pm Arizona Time at 800-352-0402 x 2137, 602-808-2137, or rm_info@micainsurance.com.
[1] Lab Pays $16,500 Settlement to HHS, Resolving Potential HIPAA Violation over Medical Records Request | HHS.gov
[2] Health Information of Deceased Individuals | HHS.gov
[3] 45 CFR § 164.502(a)(1)(ii)
[4] How a deceased individual's family can obtain the deceased's information relevant to their own health care | HHS.gov
[5] 45 CFR § 164.510(b)
[6] Guidance: Personal Representatives | HHS.gov
[7] Health Information of Deceased Individuals | HHS.gov
[10] Utah Code Ann. § 78B-5-619
[11] C.R.S. 25-1-801, C.R.S. 25-1-802
[13] NRS 132.265