Under the HIPAA Privacy Rule, may a health care provider disclose protected health information about an individual to another provider, when such information is requested for the treatment of a family member of the individual?

Yes. The HIPAA Privacy Rule permits a covered health care provider to use or disclose protected health information for treatment purposes. While in most cases the treatment will be provided to the individual, the HIPAA Privacy Rule does allow the information to be used or disclosed for the treatment of others. Thus, the Rule does permit a doctor to disclose protected health information about a patient to another health care provider for the purpose of treating another patient (e.g., to assist the other health care provider with treating a family member of the doctor’s patient). For example, an individual’s doctor can provide information to the doctor of the individual’s family member about the individual’s adverse reactions to anesthetics prior to the family member undergoing surgery. These uses and disclosures are permitted without the individual’s written authorization or other agreement, with the exception of disclosures of psychotherapy notes, which require the written authorization of the individual.

However, the HIPAA Privacy Rule permits but does not require a covered health care provider to disclose the requested protected health information. Thus, the doctor with the protected health information may decline to share the information even if the Rule would allow it. The HIPAA Privacy Rule may also impose other limitations on these disclosures. Under 45 CFR § 164.522, individuals have the right to request additional restrictions on the use or disclosure of protected health information for treatment, payment, or health care operations purposes. If the health care provider has agreed to the requested restriction, then the doctor is bound by that agreement and (except in emergency treatment situations) would not be permitted to share the information. However, the health care provider maintaining the records does not have to agree to the requested restriction. For example, an individual who has obtained a genetic test may request that the health care provider not use or disclose the test results. If the health care provider agrees to the restriction, the information could not be shared with providers treating other family members who are seeking to identify their own genetic health risks.

Created 1/13/09

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013