In 2010, New York Presbyterian Hospital and Columbia University Medical Center left a server on a shared network unsecured, making the electronic health records of 6,800 patients available on the open internet. The exposure was only found when a family member searched for their deceased partner’s medical records on Google. Together, New York Presbyterian and Columbia were fined $4.8 million, the largest HIPAA fine ever at the time.
While the case could be viewed as a cybersecurity failure, it is also a reminder that HIPAA does not expire when a patient dies. The people left behind, executors, spouses, and adult children, often have no idea what their legal standing is when they go looking for records.
PHI outlives the patient
According to the HHS guidance on the health information of the deceased, “The HIPAA Privacy Rule protects the individually identifiable health information about a decedent for 50 years following the date of death of the individual. The period of protection for decedent health information balances the privacy interests of surviving relatives and other individuals with a relationship to the decedent.” For that time period, covered entities owe the same duty of confidentiality to a deceased patient’s records as they do to a living patient’s, with a limited number of additional disclosure pathways for law enforcement, coroners, organ procurement, and decedent-only research.
It also means a decedent’s health information is within a healthcare organization’s compliance obligations for decades after the last bill was ever sent, well beyond the point at which most families think any privacy protection matters.
Who actually has the right to ask
HIPAA does not automatically recognize next of kin as key to a decedent's chart. Rather, the rule is based on a particular legal role, i.e., the personal representative, usually the executor or administrator of the estate, or some other person with legal authority to act for the decedent. A personal representative generally has the same right to access PHI as the patient would have had, if alive.
A report from the National Academies on caregiver access to health information notes, “A caregiver who is the individual's “personal representative” has the authority, under applicable law, to act on behalf of an individual in making decisions related to health care and has the same rights of access.” A caregiver who relies on only a signed HIPAA authorization is not equal to a personal representative, because the report states that the Privacy Rule is permissive and the principle of minimum necessary disclosure applies. The ruling means means that a spouse or adult child without documented legal authority can be lawfully denied access even when their request appears obviously reasonable to the person handling it.
Physicians and staff have the same ambiguity. A Baylor University Medical Center Proceedings article on record requests confirms that the deceased's personal representative is entitled to receive records. The personal representative is usually appointed by a probate court. Front-desk and medical records staff are, in effect, being asked to make a legal determination they were never trained to make, under time pressure, from a grieving family member standing at the counter.
Where estate documents fall short
Estate planning attorneys are perceiving the situation as a drafting problem. HIPAA’s protections continue to protect a decedent’s records after death, and without explicit HIPAA authorization language in the governing estate documents, an executor may be denied access altogether.
Awareness of this issue has led estate planning practitioners to increasingly include a separate HIPAA authorization clause within advance directives, in addition to the financial and healthcare powers of attorney, to avoid the need for a court order after the fact to obtain access to records. As the report from the National Academies states, “Many people may need and want their health care proxy to have access to their health information prior to… losing capacity.”
The gap between what a will says and what HIPAA requires can stall the exact administrative tasks an executor is trying to complete: settling a life insurance claim, resolving a billing dispute, or verifying a diagnosis relevant to a special needs trust or hereditary condition affecting surviving family members.
The compliance exposure sits on both sides of the request
For covered entities, the risk extends beyond the front desk's mistakes. Records departments must verify a requester's legal authority, typically a death certificate, letters testamentary, or comparable court documentation, before releasing anything beyond what treatment or payment purposes already permit.
There is also a research and data-retention dimension that organizations tend to overlook. A JAMIA perspective piece on post-mortem EHR data notes that the decedent provisions in HIPAA are "a powerful and underused research option that simplifies ethical review," but only when institutions have a defined process for verifying death status and personal representative authority in the first place. Without that process, organizations either sit on usable data indefinitely or risk disclosing it improperly.
Once a legitimate request clears verification, how the records move matters just as much as who requested them. Paubox's analysis of healthcare email breaches in 2025 found that vendor and business associate email exposures represented 28% of recorded healthcare email incidents, and separate Paubox reporting for small healthcare practices found that healthcare breaches took an average of 224 days to detect and another 84 days to contain. Records requests tied to estates often route through third parties, release-of-information vendors, billing companies, and records custodians, which means the same vendor-oversight risk that shows up in every other HIPAA breach report applies here, too.
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQs
Can family members access a deceased relative’s medical records for genetic or hereditary health reasons?
HIPAA allows a covered entity to disclose a deceased person’s protected health information to a healthcare provider treating a surviving family member when the information is relevant to that family member’s care.
Does a HIPAA authorization signed before death still work after the person dies?
It can, depending on how the authorization was written. HHS states that a HIPAA authorization remains valid until its stated expiration date or expiration event, unless the individual revoked it in writing before then.
Can a deceased person’s prior wishes stop family members from receiving information?
Yes, HIPAA permits certain disclosures to family members, relatives, close friends, or others involved in the person’s care or payment before death, but not when the disclosure would conflict with the deceased person’s known prior preference.
