Are autopsy reports protected health information? 

According to the NIH article Legal, Social, and Ethical Issues, “Autopsy reports, while containing valuable medical information, are not typically included in the same category as medical records that come from ongoing care or treatment. However, they are sometimes treated as PHI if they contain identifiable information about the deceased.”

While autopsy reports undoubtedly contain sensitive medical information, they are not generally considered PHI unless they are also accompanied by identifiable information that links the decedent to the report. The HIPAA privacy rule protects the protected health information (PHI) of the living. However, it also extends these protections to the health information of the deceased for 50 years from their date of death.

Confidentiality laws regarding autopsy reports may vary, and autopsy reports may still be bound by privacy laws in some states.

Read also: How to handle family requests for deceased patient records

Understanding protected health information

Protected Health Information includes any individually identifiable health information that relates to:

• The individual's past, present, or future physical or mental health condition
• The provision of healthcare to the individual
• The past, present, or future payment for the provision of healthcare to the individual

This information becomes PHI when it is created or received by a "covered entity" – healthcare providers, health plans, or healthcare clearinghouses – and identifies the individual or provides a reasonable basis for identification.

Related: Examples of protected health information (PHI) in healthcare

The HIPAA paradox for autopsy reports

Autopsy reports present a challenge to HIPAA's framework. On one hand, they contain medical information regarding a deceased individual, including medical history, physical findings, and laboratory results – information that would be PHI if the person were alive. On the other hand, medical examiners (MEs) and coroners who perform autopsies and generate these reports are not typically considered "covered entities" under HIPAA.

Autopsy reports are not necessarily PHI because they deal with deceased individuals. Medical examiners or coroners are, nevertheless, bound by laws that regulate how they manage and release autopsy reports. Sometimes privacy can be trumped by public health issues, and reports can be released to public health authorities if the cause of death is attributable to a communicable disease.

The NIH article explains, “In the United States, health care institutions and employees must protect a patient's right to privacy and confidentiality—even after death—unless exceptions by law apply, such as in the case of communicable diseases.” 

Related: What is a covered entity under HIPAA?

Death and the continuation of privacy rights

Under HIPAA, privacy protections don't immediately cease upon death. The law extends privacy protections for 50 years after an individual's death. However, this protection only applies to PHI held by covered entities. Since MEs and coroners typically aren't covered entities, this protection may not extend to autopsy reports they generate.

Related: HIPAA rules for deceased patients

State-by-state variations

“Autopsy authorization laws vary significantly by jurisdiction. In the United States, autopsy laws originate from Old English common law, with local jurisdictions establishing policies that may require the pathologist to know the relevant statutes in their region,” explains the NIH article.

For instance:

• Public record states: In states like Ohio and Washington, autopsy reports are generally considered public records, available to anyone who requests them, with minimal redactions.
• Restricted access states: States like California and New York restrict access to immediate family members, with provisions for others to access them through court orders or specific legal circumstances.
• Hybrid approach states: Some states, like Florida, maintain autopsy reports as confidential medical records but release cause and manner of death information.

The medical perspective

From a medical standpoint, many pathologists and medical examiners consider autopsy reports to be medical records, regardless of their legal classification. According to David R. Fowler in Public Figures, Professional Ethics, and the Media, “The National Association of Medical Examiners has stated that ‘the performance of forensic autopsy is the practice of medicine,’” suggesting that autopsy reports should be treated as medical records with appropriate privacy protections.

The public interest perspective

1. Public health surveillance: Transparent autopsy findings can identify emerging health threats or patterns.
2. Accountability: Public access can ensure proper investigations in cases of suspicious deaths.
3. Research: Accessible autopsy data can support medical and public health research.
4. Historical documentation: These records are important historical documents for understanding mortality patterns.

However, these public interests must be balanced against privacy concerns and the potential for harm to survivors:

Family privacy and emotional harm

For families of the deceased, the release of detailed autopsy information can cause emotional distress. Intimate details about a loved one's medical conditions, physical state at death, or circumstances of death can be traumatizing when made public.

Elizabeth McCartha Jones, the mother of Sarah Jones, a camera assistant who tragically lost her life on the set of the film "Midnight Rider," voiced her distress over the publication of her daughter's autopsy details. In an open letter, she wrote:​ "I am totally stunned, I am totally appalled, and I am ashamed of the callous reporter who leaked the autopsy report of our daughter for the world to see."

The digital complication

The digital age has increased autopsy report privacy issues. What might have been available to individuals willing to make a trip to a county clerk's office can now, potentially, be sent around the globe in an instant. Once digitized, these records can be irretrievably stored and made searchable, forming a permanent digital record of sensitive medical details.

The permanent nature of digital records raises serious questions about whether laws passed in an era of paper records are adequate to protect privacy in the internet age.

A balanced approach

Some jurisdictions are developing more balanced approaches to autopsy report privacy:

1. Tiered access systems: Different portions of autopsy reports are available to different parties based on their relationship to the deceased or legitimate need for information.
2. Redacted public versions: Creating public versions that exclude sensitive medical details while providing information relevant to public interest.
3. Temporal restrictions: Implementing time periods after which more complete information becomes available.
4. Case-type distinctions: Different privacy standards for natural deaths versus those involving criminal investigations.

Best practices for medical examiners and coroners

While changes in the law are gradual, medical examiners and coroners can adopt best practices reconciling privacy with public needs:

1. Privacy orientation: Treat autopsy reports as confidential medical records unless specific exceptions apply.
2. Separate public summaries: Create separate summary documents with cause and manner of death for public release.
3. Family notification: Inform families about what information might become public and when.
4. Digital security: Implement data security practices for electronic autopsy records.
5. Ethical review: Establish ethics committees to review difficult cases involving competing interests.

FAQs

Can a family member request changes or redactions to an autopsy report?

In most states, families cannot request changes to the report itself, but they may challenge its release in court under privacy or emotional distress grounds.

Are autopsy photos and videos treated the same as written autopsy reports?

No, photos and videos are often subject to stricter privacy protections and may require a court order to access.

Do journalists have legal rights to access autopsy reports?

In public record states, journalists can often access autopsy reports without restriction, though access to graphic content may be limited.

How do HIPAA rules apply to unidentified decedents?

HIPAA does not apply to unidentified individuals unless or until identity and related health information are established and held by a covered entity.

Are autopsy reports of minors treated differently than those of adults?

Some jurisdictions offer greater privacy protections for minors, especially when the cause of death involves abuse or sensitive circumstances.