Paubox blog: HIPAA compliant email made easy

HIPAA and family trees

Written by Kirsten Peremore | August 29, 2024

HIPAA does not typically apply to genetic testing companies seeking family tree information, as these companies are not covered entities under HIPAA, which means family tree data collected and shared by these services may not be protected under this law.

 

The Privacy Rule and family medical information

According to HHS guidance, “The HIPAA Privacy Rule may limit how a covered entity (for example, a health plan or most health care providers) uses or discloses individually identifiable health information, but does not prevent individuals, themselves, from gathering medical information about their family members or from deciding to share this information with family members or others, including their health care providers.”

When a covered entity handles family medical information, it can share medical information with family members in certain situations. For instance, if a patient is receiving treatment and a family member is involved, a doctor might share relevant information about the patient's condition with them to ensure they can provide proper support. However, regarding genetic information or family medical history, HIPAA has special provisions. 

These provisions prevent health plans from using or disclosing genetic information for underwriting purposes, which include things like deciding eligibility for benefits or setting premium rates. Family trees, which often include genetic information and family medical histories, fall under this protection. This means that while a doctor could discuss your health history with relatives to help manage or treat a genetic condition, they must always do so in ways that comply with HIPAA's Privacy Rule.

 

When can individuals access the protected health information (PHI) of relatives?

Individuals can access the protected health information (PHI) of relatives under certain conditions, including:

  • With the explicit consent of the relative, allowing the sharing of their PHI.
  • If the individual is a personal representative legally authorized to make healthcare decisions for the relative, typically in cases where the relative is a minor or incapacitated.
  • When the relative is involved in the care or payment for care of the individual, and the patient does not object to the sharing of information.
  • If the patient is deceased, family members or other persons who were involved in the care or payment for care of the deceased may access the PHI related to their involvement, unless doing so is contrary to the deceased’s previously expressed preference that is known to the covered entity.
  • In emergency situations where knowing the PHI is necessary to treat the patient if the patient is not capable of agreeing or objecting to sharing the information.

The privacy implications of direct-to-consumer genetic testing

Genetic testing companies like 23andMe are not typically considered "covered entities" under HIPAA, which means the strict privacy rules of HIPAA usually do not apply to them. The situation becomes complicated because while an individual might choose to share their genetic data, it could unintentionally expose health information about their relatives without their consent. 

For instance, if a genetic test indicates a risk for a hereditary condition, it might imply that the individual's relatives are also at risk. This raises ethical and privacy concerns about informed consent, where ideally, everyone affected by the information should agree to this exposure.


 

FAQs

Which laws apply to genetic information? 

The Genetic Information Nondiscrimination Act (GINA) and various state laws apply to genetic information.

 

When does a covered entity commonly handle genetic information? 

A covered entity, like a healthcare provider or insurer, commonly handles genetic information when it's part of a patient's medical records or used for health assessments.

 

What makes genetic testing different from PHI?

Genetic testing is different from PHI because it often includes data about potential future health risks and ancestral DNA, not just current health status.