THE HIPAA PRIVACY RULE
Frequently Asked Questions About
Family Medical History Information
U.S. Department of Health and Human Services • Office for Civil Rights
1. Does the HIPAA Privacy Rule limit an individual’s ability to gather and share family medical
history information?
No. The HIPAA Privacy Rule may limit how a covered entity (for example, a health plan or most health
care providers) uses or discloses individually identifiable health information, but does not prevent
individuals, themselves, from gathering medical information about their family members or from deciding
to share this information with family members or others, including their health care providers. Thus,
individuals are free to provide their doctors with a complete family medical history or communicate with
their doctors about conditions that run in the family.
2. Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?
Yes, if the doctor is a “covered entity” under the HIPAA Privacy Rule. A doctor who conducts certain
financial and administrative transactions electronically, such as electronically billing Medicare or other
payers for health care services, is considered a covered health care provider. The HIPAA Privacy Rule
limits how a covered health care provider may use or disclose protected health information. The HIPAA
Privacy Rule allows a covered health care provider to use or disclose protected health information (other
than psychotherapy notes), including family history information, for treatment, payment, and health care
operation purposes without obtaining the individual’s written authorization or other agreement. The
HIPAA Privacy Rule also generally allows covered entities to disclose protected health information
without obtaining the individual’s written authorization or other agreement for certain purposes to benefit
the public, for example, circumstances that involve public health research or health oversight activities.
When a covered health care provider, in the course of treating an individual, collects or otherwise obtains
an individual’s family medical history, this information becomes part of the individual’s medical record
and is treated as “protected health information” about the individual. Thus, the individual (and not the
family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule
to this information in the same fashion as any other information in the medical record, including the right
of access, amendment, and the ability to authorize disclosure to others.
THE HIPAA PRIVACY RULE AND FAMILY MEDICAL HISTORY
3. Under the HIPAA Privacy Rule, may a health care provider disclose protected health information
about an individual to another provider, when such information is requested for the treatment of a
family member of the individual?
Yes. The HIPAA Privacy Rule permits a covered health care provider to use or disclose protected health
information for treatment purposes. While in most cases, the treatment will be provided to the individual,
the HIPAA Privacy Rule does allow the information to be used or disclosed for the treatment of others.
Thus, the Rule does permit a doctor to disclose protected health information about a patient to another
health care provider for the purpose of treating another patient (e.g., to assist the other health care provider
with treating a family member of the doctor’s patient). For example, an individual’s doctor can provide
information to the doctor of the individual’s family member about the individual’s adverse reactions to
anesthetics prior to the family member undergoing surgery. These uses and disclosures are permitted
without the individual’s written authorization or other agreement with the exception of disclosures of
psychotherapy notes, which require the written authorization of the individual.
However, the HIPAA Privacy Rule permits but does not require a covered health care provider to disclose
the requested protected health information. Thus, the doctor with the protected health information may
decline to share the information even if the Rule would allow it. The HIPAA Privacy Rule may also
impose other limitations on these disclosures. Under 45 CFR § 164.522, individuals have the right to
request additional restrictions on the use or disclosure of protected health information for treatment,
payment, or health care operations purposes. If the health care provider has agreed to the requested
restriction, then the doctor is bound by that agreement and (except in emergency treatment situations)
would not be permitted to share the information. However, the health care provider maintaining the
records does not have to agree to the requested restriction. For example, an individual who has obtained a
genetic test may request that the health care provider not use or disclose the test results. If the health care
provider agrees to the restriction, the information could not be shared with providers treating other family
members who are seeking to identify their own genetic health risks.