According to the Department of Health and Human Services, “When a covered health care provider, in the course of treating an individual or otherwise, collects an individual’s family health history, this information becomes part of the individual’s medical or other record and is treated as protected health information about the individual and not about the family member(s). Thus, even where an individual’s family health history includes information about family members who have been deceased for more than 50 years, the information is protected under the Privacy Rule as the health information of the individual.”
The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual.
According to the American Medical Association, “A patient’s designated personal representative or legal executor of their estate has a right by law to access and copy the deceased’s medical records. To request access to the deceased’s medical records, the designated personal representative or executor of the estate will typically need to present the following to establish proof of authorization:
• documentation verifying personal representative status or estate executorship;
• the patient’s death certificate; and
• completed medical records request form”
For medical records that are over 50 years old, researchers and historians may access them without authorization. This provision facilitates historical research while still maintaining privacy for more recent records.
However, before the end of the 50-year period, the University of Colorado’s Office of Regulatory Compliance states, “To use or disclose PHI of the deceased for research, covered entities are not required to obtain authorization from the personal representative or next of kin, a waiver or an alteration of the authorization, or a data use agreement. However, the covered entity must obtain from the researcher who is seeking access to the decedent’s PHI: 1) oral or written representations that the use and disclosure is sought solely for research on the PHI of decedents, 2) oral or written representations that the PHI for which use or disclosure is sought is necessary for the research purposes, and 3) documentation, at the request of the covered entity, of the death of the individuals whose PHI is sought by the researchers.”
When it comes to family medical history:
State laws may provide additional protection beyond HIPAA. Some states have stricter privacy laws that extend protection periods or provide additional safeguards for medical information, regardless of age.
For example, California's Confidentiality of Medical Information Act (CMIA) provides stronger privacy protections than HIPAA in several ways. The CMIA applies to a broader range of entities than just HIPAA-covered entities, including many businesses that maintain medical information. It also imposes stricter penalties for unauthorized disclosures and gives patients greater rights to sue for damages when their medical information is improperly disclosed. Unlike HIPAA, which focuses primarily on living individuals, the CMIA continues strong protections for deceased patients' medical information without a specific time limitation, effectively providing indefinite protection beyond HIPAA's 50-year post-death period.
Even when records are old enough to lose HIPAA protection, consider:
No, HIPAA protection only applies to family health history that is included as part of an individual's medical record.
The personal representative should seek legal advice and obtain the appropriate documentation, such as proof of executorship or a death certificate, to request access.
Organizations should stay informed about both HIPAA and state laws, establish clear policies, and seek legal counsel to navigate complex privacy requirements.
After the 50-year HIPAA protection period, state laws may still offer continued privacy protections, depending on the jurisdiction.