Are medical examiners and coroners exempt from HIPAA compliance?

Are medical examiners (MEs) and coroners exempt from HIPAA compliance, and if so, to what extent? This question has implications for privacy rights that persist after death, access to sensitive medical information, and the public's interest in transparent death investigations.

Understanding HIPAA's scope and purpose

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) transformed how medical information is handled in the United States. Its Privacy Rule, implemented in 2003, established national standards to protect individuals' medical records and other personal health information. HIPAA applies to "covered entities" – health plans, healthcare clearinghouses, and healthcare providers that conduct certain electronic transactions – and their "business associates."

Protected Health Information (PHI) under HIPAA includes individually identifiable health information that relates to:

• A person's past, present, or future physical or mental health or condition
• The provision of healthcare to the individual
• Payment for healthcare services
• Information that identifies the individual or provides a reasonable basis for identification

Importantly, HIPAA's protections extend 50 years beyond an individual's death, acknowledging that privacy concerns don't vanish when someone dies. As a Connecticut Office of Legislative Research report notes, "Under federal law, the confidentiality of patient health information generally continues after the patient's death," and "HIPAA's privacy rule generally applies to a deceased person's health information to the same extent as to a living person's information." Amendments have clarified that covered entities must "protect health information for 50 years after the person's death."

Read also: The latest HIPAA updates and what's coming in 2025

The medical examiner and coroner exemption

Medical examiners and coroners occupy a unique position in the healthcare privacy sector. While they collect, analyze, and document sensitive medical information, they are generally not considered "covered entities" under HIPAA. As Victor W. Weedn notes in HIPAA and Access to Medical Information by Medical Examiner and Coroner Offices, "Medical examiner and coroner government offices are not covered entities."

This distinction is frequently misunderstood. Weedn observes that "Often, medical staff and sometimes their attorneys mistakenly believe that HIPAA prevents disclosure of medical records to medical examiner and coroner offices." This misconception can create barriers to death investigations that serve important public health and safety functions.

The specific language in the HIPAA Privacy Rule creates a clear exemption. As codified in 45 CFR § 164.512(g)(1), "A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law."

This provision allows healthcare providers to share PHI with MEs and coroners without violating HIPAA. Moreover, as Weedn emphasizes, "HIPAA specifically allows disclosure to law enforcement, public health, and medical examiner and coroners." The Connecticut legislative research confirms this exemption, noting that "covered entities may disclose protected health information to (1) funeral directors as necessary for them to carry out their duties, consistent with applicable law and (2) coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other duties authorized by law." But this raises a question: If MEs and coroners aren't covered entities themselves, what rules govern their handling of this sensitive information once they receive it?

The limits of the exemption

The exemption provided to MEs and coroners appears primarily focused on facilitating access to medical information necessary for death investigations. However, the boundaries of this exemption isn't clear when considering subsequent disclosure of that information to parties beyond the investigation itself.

As David R. Fowler explores in Public Figures, Professional Ethics, and the Media, this creates questions about the scope of the exemption: "MEs and coroners are exempt from HIPAA when gathering information while executing their statutory responsibility to determine a cause of death, but a number of ethical questions remain about the extent of HIPAA's authority to MEs' and coroners' practices." He further asks,: "Should exemption from HIPAA extend to MEs and coroners when releasing information to the public? Was this exemption intended by the legislature to apply to MEs and coroners for the purpose of investigation only?"

This question – whether the HIPAA exemption extends only to gathering information or also to releasing it – remains contested. The text of HIPAA itself doesn't explicitly address this distinction.

Legal interpretations

Legal interpretations differ, reflecting what is described in Are autopsy reports protected health information? as a fundamental challenge: "Autopsy reports present a challenge to HIPAA's framework. On one hand, they contain medical information regarding a deceased individual, including medical history, physical findings, and laboratory results – information that would be PHI if the person were alive. On the other hand, medical examiners (MEs) and coroners who perform autopsies and generate these reports are not typically considered 'covered entities' under HIPAA."

Some jurisdictions interpret the exemption narrowly, concluding that while MEs and coroners may access PHI without restriction, their subsequent disclosure of that information should still be governed by privacy principles. Others interpret the exemption broadly, concluding that since MEs and coroners aren't covered entities, none of their activities fall under HIPAA's jurisdiction.

State laws

In practice, state laws largely determine how autopsy reports and death investigation records are treated. These laws vary across jurisdictions, creating what Fowler describes as significant inconsistencies: "In some states, an autopsy report is public record and a death certificate is restricted (e.g., Maryland). In other states, the reverse is true (e.g., Virginia): an autopsy report is restricted and a death certificate is not."

This creates three general categories of state approaches:

Open records states: Some states like Ohio and Florida classify autopsy reports as public records available to anyone upon request, though Florida exempts photographs and video recordings.

Restricted access states: States like California and Pennsylvania limit access to immediate family members and those with legitimate interests (like insurers or researchers).

Hybrid approach states: Many states release limited information (cause and manner of death) while restricting access to detailed findings.

These state-level approaches essentially override the HIPAA question for practical purposes. ME and coroner offices must comply with their state's laws regarding record disclosure, regardless of how the HIPAA exemption is interpreted. This creates a legal landscape where, as the Connecticut Office of Legislative Research explains, "while the General Assembly cannot alter the HIPAA requirements, there could be situations where a change in state law would affect the permissibility under HIPAA of the disclosure of a deceased person's health information." However, federal law generally takes precedence, as "HIPAA preempts contrary state laws that provide less protection for individual health information."

The legislative intent question

To understand the true scope of the ME and coroner exemption, it's useful to consider the legislative intent behind it. Was HIPAA's exemption meant to simply facilitate investigations, or was it intended to remove death investigation records entirely from privacy protections?

Understanding HIPAA's original legislative priorities provides context for interpreting the ME and coroner exemption. As the Congressional Research Service explains, "HIPAA was enacted to improve the availability and continuity of health insurance coverage; promote long-term care insurance and the use of health savings accounts; and combat waste, fraud, and abuse, particularly in Medicare and Medicaid." The privacy protections were part of the broader "Administrative Simplification" subtitle, which aimed to "improve the efficiency of, and decrease costs within, the health care system by supporting a transition to standardized electronic administrative and financial transactions."

Significantly, the CRS notes that "Privacy (and security) of personal health data was to some extent a second-order policy priority in service of broader reform of the health care system." The privacy standards themselves were created somewhat reluctantly, as "the law directed the Department of Health and Human Services (HHS) Secretary to promulgate privacy standards should legislation addressing privacy of personal health information not be enacted within a specified timeframe."

This legislative context suggests that HIPAA's exemptions, including the one for medical examiners and coroners, were likely designed to prevent privacy protections from interfering with essential governmental functions rather than to create broad public disclosure rights. The primary purpose appears to have been to make sure death investigators could access necessary medical information without administrative barriers, with little evidence that Congress explicitly considered the subsequent disclosure question or intended to override state-level privacy protections for autopsy reports.

Professional standards and ethics

Beyond legal requirements, professional standards within the forensic pathology community often emphasize privacy and confidentiality. The National Association of Medical Examiners (NAME) addresses confidentiality in its Code of Ethics and Conduct, suggesting that regardless of legal requirements, there are ethical obligations to handle sensitive information appropriately.

As Fowler notes this professional perspective is significant: "The National Association of Medical Examiners, for example, states that 'the performance of forensic autopsy is the practice of medicine.' This suggests that an autopsy report is probably regarded by most MEs as an important part of a person's health record and perhaps as PHI."

This creates a situation where best practices may be more restrictive than minimum legal requirements in some jurisdictions.

Practical implications of the exemption

The ME and coroner exemption from HIPAA has several implications for different stakeholders:

For families of the deceased

Families may find their loved one's detailed medical information becomes public in states with open autopsy records, regardless of the deceased person's privacy preferences during life. This can be particularly distressing in high-profile cases or deaths involving stigmatized conditions. Under HIPAA, when healthcare providers need authorization to release protected health information about someone who has died, they must generally obtain "the authorization of the deceased person's personal representative before releasing the information," as noted in the Connecticut legislative research. However, this protection may not extend to information once it reaches ME and coroner offices, depending on state law.

For public health officials

Public health surveillance relies on accurate death investigation data. The exemption facilitates information sharing that supports public health monitoring, outbreak detection, and injury prevention efforts.

For law enforcement and legal proceedings

Criminal investigations and civil litigation often depend on death investigation findings. The exemption ensures these processes aren't unnecessarily hindered by privacy restrictions.

For media and public interest

Media organizations frequently cite public interest when requesting autopsy reports, particularly in high-profile cases. The exemption, combined with state open records laws, can facilitate this access.

Reform proposals and best practices

Policy approaches

ME and coroner offices can implement administrative policies that respect privacy while fulfilling public information responsibilities:

• Tiered access systems: Different levels of detail available to different categories of requesters
• Redaction protocols: Systematic approaches to removing particularly sensitive information before public release
• Family notification: Informing families when records are requested and what will be released
• Digital safeguards: Implementing technical measures to prevent unauthorized copying or distribution
  
  

Balancing mechanisms

Several models attempt to balance competing interests:

• Independent review boards: Some jurisdictions employ neutral panels to evaluate contested record requests
• Temporal restrictions: Implementing cooling-off periods before full reports become available
• Case-type distinctions: Different disclosure rules for different categories of deaths

FAQs

Can families prevent the release of autopsy reports if they object on privacy grounds?

Not always—state open records laws often override family objections in open-access jurisdictions.

Are medical examiner records subject to the same HIPAA protections as hospital records?

No, MEs and coroners aren't covered entities, so HIPAA protections typically don't apply to their records.

How do courts handle disputes over releasing autopsy information?

Courts usually weigh public interest against privacy but defer to state statutes unless constitutional rights are implicated.