Does the HIPAA Privacy Rule limit an individual’s ability to gather and share family medical history information?

NO. The HIPAA Privacy Rule may limit how a covered entity (for example, a health plan or most health care providers) uses or discloses individually identifiable health information, but does not prevent individuals, themselves, from gathering medical information about their family members or others, including their health care providers.  Thus, individuals are free to provide their doctors with a complete family medical history to communicate with their doctors about conditions that run in the family.

Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?

YES, if the doctor is a “covered entity” under the HIPAA Privacy Rule.  A doctor who conducts certain financial and administrative transactions electronically, such as electronically billing Medicare or other payers for health care services, is considered a covered health care provider.  The HIPAA Privacy Rule limits how a covered health care provider may use or disclose protected health information.  The HIPAA Privacy Rule allows a covered health care provider to use or disclose protected health information (other than psychotherapy notes), including family history information, for treatment, payment, and health care operation purposes without obtaining the individual’s written authorization or other agreement.  The HIPAA Privacy Rule also generally allows covered entities to disclose protected health information without obtaining the individual’s written authorization or other agreement for certain purposes to benefit the public, for example, circumstances that involve public health research or health oversight activities.

When a covered health care provider, in the course of treating an individual, collects or otherwise obtains an individual’s family medical history, this becomes part of the individual’s medical record and is treated as “protected health information” about the individual.  Thus, the individual (and not the family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule to this information in the same fashion as any other information in the medical record, including the right of access, amendment, and the ability to authorize disclosure to others.