Handling PHI Disclosure for Genealogists

Awareness of your responsibility for protecting client and family medical information is essential.

Heritage societies and genealogists often request access to personal health information (PHI) of patients and the deceased and are, therefore, subject to HIPAA privacy and security rules. To prevent a HIPAA compliance breach that could lead to possible jail time and a lofty fine, it’s important to know what heritage society researchers and genealogists do, how they handle PHI, and your role in disclosure of information for their research.

Experience Speaks Volumes

When I was young, I was an idealist. I thought, “What you don’t know, won’t hurt you.” Now that I have grown up and have over 40 years of career experience under my belt, I know ignorance can indeed hurt you. It’s no excuse in the eyes of the law, and you can go to jail for it. When you understand the ramifications of the HIPAA security and privacy rules and PHI breaches, you can avoid breaches and the consequences that come with them.

Ensure Clients’ Identity and Intentions

The first critical point of engagement should be for the researcher to identify the client and his or her intentions. Proper client identification is important because certain documents might be discovered to which the “purposed” client is not entitled, such as in the case of heritage or estate matters.

Heritage societies use a notary to detect false identification. Notaries are critical in the discovery process for heritage matters because they are licensed to investigate identities and to check for false proofs of identification, such as government photo identification and Social Security cards. The use of a false Social Security card, birth certificate, or driver’s license is punishable by up to 15 years in jail, with no statute of limitations. (Justice, August 30, 2012)

A genealogist or historian must identify the applicant or client before engagement; not knowing your applicant or client is not a legitimate excuse that will keep you out of jail if a HIPAA breach occurs. Failing to properly check a person’s identification can lead to that person fraudulently obtaining health records and other financial information. There are cases where people are serving 45 years in jail and have received fines of as much as $158 million for such offenses.

How Medical Records for Research Affect You

When a heritage society is asked to obtain records for a person, it might include health records such as birth certificates, death certificates, and even DNA results. These records fall under HIPAA, and should never be copied, scanned, or sent over the Internet via email. Genealogists also should never hold these records in their care because the risk is too high. Violations involving healthcare records carry penalties of 20 years’ imprisonment and million-dollar fines. (American Medical Association, February 17, 2009)

If you mail medical record documents to a heritage society, you must be clear in your disclosures that these places of business are beyond your control. If you don’t know what a genealogist or heritage society is doing with the documents, make sure this is disclosed to the client.

The information discovered may affect estate or title of property documents. It might also assist in property settlements in a divorce or annulment. To manage risk, make sure:

  • The client is entitled to see the documents. Disclose in all cases to every client what and how you will retain the files.
  • You have permission for sending or copying documents.
  • You know where you are sending documents. Over 83 percent of medical facilities and financial institutions holding files of persons are breached.
  • You know to whom you are sending documents and what they are doing with those documents. You bear the full responsibility of the law for sending and storage of information belonging to the client.
  • You safeguard this information for five years. The Office of Inspector General and the Department of Justice have the right to check your safeguards at any time during this period. The Occupational Safety and Health Administration also has the right to investigate and arrest you for any reason stated or not stated at any time.

Remember Who You Are

You are a member of a professional organization, and you know what your code of ethics requires of you. If you volunteer for a non-profit organization, such as a heritage group or first response organization, never avoid the duties and responsibilities of protecting client information.

Recently there has been a wave of interest in DNA tracking and publishing of this information; avoid retaining and accepting this information. When handling PHI, please advise your clients to carefully review the disclosures with their attorneys before they undergo any DNA testing. You have a responsibility to your clients/patients to make them aware of the possible consequences. If you send any documents, disclose this to your client, even if you are volunteering without pay.

Helping people to discover their roots is very rewarding, but it comes with much responsibility. Pay attention to those around you and their intentions. Knowing the heritage society, genealogist, and customer, and what you can legally do to help them, is a critical part of your responsibility. What you don’t know can hurt you.


American Medical Association, HIPAA Violations and Enforcement, AMA and 42 USC 1320-5, 1-3; February 17, 2009.

Dictionary, B. L., Ignorantia juris non excusat, St. Paul: Black’s Law Dictionary, 2014.

Justice, 9. C.-A, False Identification, 18 USC 1028 (a) (7), Department of Justice, August 30, 2012.

Justice, O., Office of Public Affairs; Harris County, Texas: Justice News, September 15, 2015.

George J. Annas, J. M., The New England Journal of Medicine, “HIPAA Regulations – A New Era of Medical Records Privacy?” 5120 et seq., April 10, 2003.


Joseph de Beauchamp, PhD, carries Doctorates of Philosophy in Theology, Finance, and Psychology. He runs a Medical Level I secured facility enforced under HIPAA, works as a recovery agent for government payers, and serves hospice patients in heritage and genealogical societies as both a chaplain and advisor. He has helped over 70,000 families and patients in a career spanning over 40 years. De Beauchamp is a member of the Las Vegas, Nev., local chapter.

