Deceased patients and privacy

Q: I've been told that the HIPAA privacy rule no longer applies after a patient dies. Is this correct?

A: No. Under HIPAA, doctors and other covered entities must protect the health information of a deceased patient. But in deciding who may access this medical information or authorize its release, HIPAA defers to individual state law. For instance, if you're in a state that permits an executor, administrator, or other authorized person to act on behalf of the deceased or his estate, you must treat that person as the patient's "personal representative," with all the rights to protected medical information that the patient herself enjoyed before her death.

Although broad, these rights are not unlimited. For example, access to psychotherapy notes (notes maintained by a mental health professional separate from the medical record) may be denied. Doctors may also deny access to the patient's medical record if they or another licensed healthcare professional believe it's reasonably likely that granting such access will endanger someone's life or physical safety. If you do deny access, the patient's personal representative retains the right to appeal the denial to a neutral third party.