Last Updated: Feb 24, 2023
By Andrew C. Harvan, Esq., PAMED’s legal and regulatory analyst
The Pennsylvania Medical Society (PAMED) often receives questions from member physicians regarding who can access a deceased patient’s medical records. The following is a brief overview of the federal and Pennsylvania laws and regulations that physicians should be aware of regarding access to a decedent’s medical records.
Brief HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying rules set forth a number of policies and protections that safeguard the privacy of an individual’s protected health information (PHI). The HIPAA Privacy Rule (which can be found at 45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards which covered entities must follow to protect the privacy of PHI. Most health care providers are covered entities for HIPAA purposes; a provider is a covered entity if it transmits health information electronically in connection with a HIPAA standard transaction, such as a claim or eligibility inquiry (see 45 CFR §160.103).
The Privacy Rule requires physicians and other health care providers to protect the confidentiality of their patients’ medical records and other PHI. The Privacy Rule permits a covered entity to use and disclose PHI without authorization for its own treatment, payment, and health care operations and in a limited set of other circumstances (see 45 CFR §164.506 and §164.512). Outside those permitted uses and disclosures, a written patient authorization is generally required before PHI is used internally or disclosed to anyone other than the patient or the patient’s personal representative.
Privacy & Retention of a Decedent’s Medical Records
HIPAA’s privacy protections continue to apply to an individual’s PHI for 50 years following their death. However, this does not mean that a physician must retain a deceased patient’s medical records for 50 years. Medical records must be retained in accordance with physician licensing board retention requirements.
In Pennsylvania, physicians are required to retain medical records for adult patients for at least seven years from the last date-of-service. This requirement is codified in nearly identical regulations enacted by the State Board of Medicine, 49 Pa. Code §16.95, and the State Board of Osteopathic Medicine, 49 Pa. Code §25.213.
Retention requirements differ slightly for the medical records of minor patients. For additional information on medical record retention, see a previous blog I wrote on this subject.
Who Can Access a Decedent’s Medical Records Under HIPAA?
According to the Privacy Rule — see 45 CFR §164.502(g)(4) — the executor or administrator of a decedent’s estate, or any other person who has authority under applicable law to act on behalf of the decedent or the decedent’s estate, is to be treated as the decedent’s personal representative. An executor is an individual named by a decedent in their will to administer the decedent’s estate. An administrator is an individual appointed by a court to administer an estate if the decedent left no will.
A personal representative is a person authorized to act on behalf of an individual in making health care related decisions and is to be treated as the individual for HIPAA purposes. Thus, a personal representative generally has the same rights to access a deceased individual’s PHI as the individual would have had themselves. However, there is some PHI, such as psychotherapy notes, that even individuals do not have a right of access to (see 45 CFR §164.524(a)).
HIPAA does not limit disclosure of a decedent’s health information to executors and administrators of estates. A covered entity may disclose a decedent’s PHI to the health care provider of a surviving relative for purposes of treating that relative (for example, the decedent’s family medical history). The disclosure must be for the purpose of treating the surviving relative; information that has no bearing on that treatment is not covered by this permission.
HIPAA also permits a covered entity to disclose a decedent’s PHI to family members or other persons who were involved in the decedent’s health care, or in payment for that care, prior to death, see 45 CFR §164.510(b)(5). Such disclosure is permitted only to the extent that it is consistent with any prior expressed preference of the deceased individual. An individual may instruct a covered entity not to discuss certain details with their family. If a covered entity is aware of these preferences, it must continue to respect the individual’s wishes even after the individual’s death, unless the family member seeking PHI is a personal representative of the decedent (i.e., the executor or administrator of the decedent’s estate).
The Privacy Rule also permits covered entities to disclose a decedent’s PHI without prior authorization to certain other parties in limited circumstances. For example, a covered entity may disclose a decedent’s PHI to a coroner or medical examiner for purposes of identifying a deceased person, determining a cause of death, or performing other duties as authorized by law (see 45 CFR §164.512(g)).
Regulations promulgated by the Pennsylvania Department of Health (DOH), which can be found at 28 Pa. Code §115.29, require hospitals to provide, upon a request following the death of a patient, access to all medical records of the deceased patient to the executor of the decedent’s estate or, in the absence of an executor, to the next of kin responsible for the disposition of the remains. This regulatory provision applies only where a decedent’s medical records are being requested from a hospital; it does not apply to records held by a physician practice or other non-hospital provider, which remain governed by the HIPAA rules described above.
Where Can I Find Additional Information?
The U.S. Department of Health and Human Services (HHS) has a frequently asked questions (FAQ) page regarding access to a deceased individual’s PHI under HIPAA. These FAQs provide further detail on much of the information highlighted above.
PAMED has a wealth of information on HIPAA compliance that can be accessed at www.pamedsoc.org/HIPAA. And, find PAMED’s general legal information on medical records at www.pamedsoc.org/medicalrecords.
PAMED’s Quick Consult on “Confidentiality of Medical Records and Other Personal Health Information” details HIPAA’s Privacy Rule and is available to all PAMED members.
PAMED members with questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.