Background: It is unclear how the Health Insurance Portability and Accountability Act (HIPAA) should be interpreted in the context of sharing genomic information between family members.
Methods: The authors analyzed the HIPAA Privacy Rule, reviewed the literature and constructed a clinical scenario to inform how HIPAA can be interpreted for multiple forms of patient- and provider-mediated genetic risk notification.
Results: Under HIPAA, healthcare providers can lawfully notify relatives to recommend genetic risk assessment using multiple approaches, including supporting the patient telling their own relatives, contacting relatives directly with the patient's authorization, or contacting a relative's provider directly.
Conclusions: Multiple forms of patient- or provider-mediated contact of relatives are already legally permissible under HIPAA, are consistent with ethical obligations of care to patients and their families, and could result in improved population health through identification of clinically actionable disease risk. Unanswered questions remain about implementation and impacts of provider-mediated programs.
Keywords: HIPAA; familial implications; genetic testing; genomics; physician duty; privacy.
© The Author(s) 2020. Published by Oxford University Press on behalf of Duke University School of Law, Harvard Law School, Oxford University Press, and Stanford Law School. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com.