THE HIPAA PRIVACY RULE
Frequently Asked Questions About
Family Medical History Information
U.S. Department of Health and Human Services • Office for Civil Rights
1. Does the HIPAA Privacy Rule limit an individual’s ability to gather and share family medical
history information?
No. The HIPAA Privacy Rule may limit how a covered entity (for example, a health plan or most health
care providers) uses or discloses individually identifiable health information, but does not prevent
individuals, themselves, from gathering medical information about their family members or from deciding
to share this information with family members or others, including their health care providers. Thus,
individuals are free to provide their doctors with a complete family medical history or communicate with
their doctors about conditions that run in the family.
2. Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?
Yes, if the doctor is a “covered entity” under the HIPAA Privacy Rule. A doctor who conducts certain
financial and administrative transactions electronically, such as electronically billing Medicare or other
payers for health care services, is considered a covered health care provider. The HIPAA Privacy Rule
limits how a covered health care provider may use or disclose protected health information. The HIPAA
Privacy Rule allows a covered health care provider to use or disclose protected health information (other
than psychotherapy notes), including family history information, for treatment, payment, and health care
operation purposes without obtaining the individual’s written authorization or other agreement. The
HIPAA Privacy Rule also generally allows covered entities to disclose protected health information
without obtaining the individual’s written authorization or other agreement for certain purposes to benefit
the public, for example, circumstances that involve public health research or health oversight activities.
When a covered health care provider, in the course of treating an individual, collects or otherwise obtains
an individual’s family medical history, this information becomes part of the individual’s medical record
and is treated as “protected health information” about the individual. Thus, the individual (and not the
family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule
to this information in the same fashion as any other information in the medical record, including the right
of access, amendment, and the ability to authorize disclosure to others.