Healthcare Information Security

HIPAA Regulations and Family Medical History

By Elizabeth Snell

HIPAA regulations are meant to keep individuals’ PHI secure and out of the hands of unauthorized users. In previous weeks, HealthITSecurity.com has discussed how PHI should be handled in numerous situations, and in which situations it is allowed for covered entities and their business associates to disclose certain information.

Covered entities need to understand how family medical history ties into HIPAA regulations

But, what is the protocol when it comes to family medical history? What happens when individuals give background on their family’s medical history? Is that information now also protected? Are providers allowed to disclose PHI on one family member to another?

This week, we’ll break down how HIPAA regulations apply to family medical history, and discuss how covered entities are allowed to disclose information to individuals and their relatives.

When does information become PHI?

First, it is important to understand when and how information disclosed to healthcare providers or other covered entities is considered PHI and is therefore protected under HIPAA regulations. The HIPAA Privacy Rule states that “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral” is considered PHI.

However, there are certain circumstances where PHI disclosure is allowed. In the case of giving information to relatives and family members acting on behalf of an individual, the Privacy Rule explains that “an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care” is allowed.

For example, this allows an individual to pick up medication from a pharmacy on behalf of one of their relatives. In this scenario, it is up to the pharmacist to use his or her professional judgment, as well as experience with common practice, to make reasonable decisions when it comes to the best patient care. It is not necessary for the patient in question to give the pharmacist, beforehand, the names of qualified individuals who can pick up medications.

“Similarly, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death,” according to the Privacy Rule.

Disclosing family medical history to a provider

Many individuals disclose certain information about their family medical history to their provider during regular checkups. But what can this information then be used for? Are these individuals technically violating HIPAA by disclosing sensitive medical information?

According to HIPAA regulations, “individuals are free to provide their doctors with a complete family medical history or communicate with their doctors about conditions that run in the family.” However, once a provider has obtained this information, then it becomes part of the individual’s medical record and is considered part of the individual’s PHI.

“Thus, the individual (and not the family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule to this information in the same fashion as any other information in the medical record, including the right of access, amendment, and the ability to authorize disclosure to others,” the rule explains.  

It is also important to note that a healthcare provider may disclose PHI to another provider when that information is requested to treat a family member of that individual. This falls under the portion of the Privacy Rule that discusses treatment purposes:

[A]n individual’s doctor can provide information to the doctor of the individual’s family member about the individual’s adverse reactions to anesthetics prior to the family member undergoing surgery. These uses and disclosures are permitted without the individual’s written authorization or other agreement with the exception of disclosures of psychotherapy notes, which requires the written authorization of the individual.

Healthcare providers are “permitted” to follow such practices, though, and are not “required” under HIPAA regulations to actually do so. A physician can choose not to disclose PHI to another provider, even though they are technically allowed to do so under federal law. Moreover, individuals may place certain restrictions on their PHI, and if a provider has agreed to such restrictions, then the provider is bound by that requirement unless an emergency situation should arise.

Finding the right balance between treatment and privacy

As with many aspects of HIPAA regulations, it is essential for healthcare providers and any other covered entity or business associate to understand that protecting a patient’s privacy is important, but should not necessarily override the treatment plan of that patient. In terms of family medical history, individuals are allowed to place restrictions on how their information could potentially be shared, and providers are allowed to potentially disclose PHI when it comes to the treatment of a family member of their patient.

Taking the time to review HIPAA regulations and understand how they apply to a particular entity is crucial, and will ensure that the organization is able to find the right balance between properly treating a patient and keeping that patient’s PHI secure.
