Protected health information (PHI) is protected under HIPAA for 50 years after a person’s death. Once more than 50 years have passed since the date of death, the HIPAA Privacy Rule explicitly excludes that information from the definition of PHI, and covered entities can use or disclose it freely.
The 50-Year Protection Window
During those 50 years, a deceased person’s health information receives essentially the same level of protection as a living person’s. Hospitals, insurance companies, and other covered entities cannot release medical records, correspondence, physician notes, photographs, or any other individually identifiable health information without proper authorization. The clock starts on the actual date of death, not the date the records were created.
After the 50-year mark, the information is no longer considered PHI at all. A covered entity holding old medical records, physician diaries, casebooks, or photograph collections tied to someone who died more than 50 years ago can share that information without any HIPAA restrictions. This is particularly relevant for historians, genealogists, and researchers working with archival medical records.
Who Can Access Records During Those 50 Years
If you need a deceased family member’s medical records and the person died within the last 50 years, you generally need to go through their “personal representative.” Under HIPAA, a personal representative is an executor of the estate, an administrator, or anyone else who has legal authority under state law to act on behalf of the deceased person or their estate. This person steps into the shoes of the patient for privacy purposes, meaning they can authorize disclosures, request copies of records, and exercise other rights that the patient would have had while alive.
Simply being a spouse, child, or sibling does not automatically make you a personal representative. You typically need legal documentation, such as letters testamentary or court appointment as estate administrator, to prove your authority. The specific requirements vary by state.
Exceptions That Allow Disclosure Without Authorization
Even within the 50-year window, HIPAA carves out several situations where a covered entity can disclose a deceased person’s health information without authorization from a personal representative:
- Law enforcement: If there is suspicion that death resulted from criminal conduct, the entity can alert law enforcement.
- Coroners, medical examiners, and funeral directors: These professionals can receive health information as needed for their official duties.
- Research: Researchers conducting studies solely on decedents’ health information may access records under specific regulatory provisions.
- Organ and tissue donation: Organ procurement organizations can receive information to facilitate donation and transplantation.
State Laws May Add Longer Protections
The 50-year federal rule is a floor, not a ceiling. When state or other federal privacy laws conflict with HIPAA, providers must follow whichever law gives the individual greater privacy protection. In practice, this means certain categories of records can remain protected well beyond 50 years. Michigan, for example, requires that mental health records be protected for as long as the department maintains them, with no expiration date. Similar extended protections exist in various states for substance use treatment records, HIV/AIDS-related information, and records governed by state mental health codes.
If you are trying to access a deceased person’s records that involve sensitive categories like mental health treatment, substance use, or sexually transmitted infections, the facility may apply stricter state rules even if HIPAA would otherwise permit disclosure. It is worth checking your state’s specific health privacy statutes before assuming the 50-year federal timeline is the only rule that applies.