Abstract Background It is unclear how the Health Insurance Portability and Accountability Act (HIPAA) should be interpreted in the context of sharing of genomic information between family members. Methods The authors analyzed the HIPAA Privacy Rule, reviewed the literature and constructed a clinical scenario to inform how HIPAA can be interpreted for multiple forms of patient- and provider-mediated genetic risk notification. Results Under HIPAA, healthcare providers can lawfully notify relatives to recommend genetic risk assessment using multiple approaches, including supporting the patient telling their own relatives, contacting relatives directly with the patient’s authorization, or contacting a relative’s provider directly. Conclusions Multiple forms of patient- or provider-mediated contact of relatives are already legally permissible under HIPAA, are consistent with ethical obligations of care to patients and their families, and could result in improved population health through identification of clinically actionable disease risk. Unanswered questions remain about implementation and impacts of provider-mediated programs.