In my day job I am the HIPAA Privacy and Security Officer for a small medical billing company. The Office of Civil Rights (OCR) recently made changes to the HIPAA laws via the Omnibus Rule that classifies records of persons who have been deceased for more than 50 years as not protected under HIPAA. You may wish to review the Final Rule, available at hhs.gov/ocr.
If you have records for folks who are still alive then things could get interesting. It all depends on who the donor is and whether they were considered a “covered entity” subject to HIPAA. In other words, if they were practicing medicine when HIPAA came into being, they could be subject to fines. Even if they were practicing pre-HIPAA, there are certainly moral issues.
And as far as your “no sensitive information would be shared,” even that could get someone in trouble. By today’s HIPAA standards, for a doctor even to admit to anyone that he is seeing a person as a patient is considered a possible unauthorised disclosure. But once the records are outside the medical community, I’m not sure what the legalities are.
It’s a tricky situation and has legal ramifications that you should investigate. If our museum were asked to take medical records that are after 1903, I would advise the curator to say no. (I say 1903 because there are very few +110 year olds still alive.) There are too many pitfalls.