Published: May 22, 2008
Updated: April 07, 2011
Sensitive Information - Privacy and Your Medical Records (2008)
Your medical records are not as private as you might think. This booklet explains some steps you can take to guard the privacy and accuracy of your medical records. The misuse of medical records has led to loss of jobs, discrimination, identity theft and embarrassment.
Table of Contents
- What could happen if my medical information got out?
- What do my medical records contain?
- What has happened to doctor-patient confidentiality?
- What laws protect the privacy of my medical records?
- HIPAA privacy rules
- What rights do I have under HIPAA?
- How can I protect the accuracy and privacy of my medical records?
You may believe that your medical records are safely tucked away from prying eyes, gossiping tongues and telemarketers. We share the most personal details with our doctors, therapists and other medical practitioners on the assumption that such information will never leave the office.
But your medical records are not as private as you might think. It’s ironic that the titles of movies you rent from a video store cannot be revealed without a court order while there is no agreement on a national level of how to keep medical records confidential.
Lack of medical records privacy has led to loss of jobs, discrimination, identity theft and embarrassment. These records contain sensitive data, such as illnesses that might carry social stigma and personal details about substance abuse, family planning and mental health. Many employers are informed when their workers obtain counseling through the company’s Employee Assistance Program. Increasingly, people are going online to seek medical information, buy prescription drugs and even receive counseling, raising serious privacy concerns. The rapid development of genetic testing also poses particular concern for the sanctity of medical records because of its potential for discrimination.
The government, health care providers, insurers and technology companies are driving a movement to create a secure system of electronic health records that could be accessed by health professionals and insurance companies nationwide. While there are potential advantages to such a system, such as allowing coordination of health records from various doctors that you consult, there also is the potential for privacy breaches that could allow sensitive health care information to fall into the wrong hands.
What could happen if my medical information got out?
Here are just a few examples of what can go wrong:
- An Atlanta truck driver lost his job after his insurance company told his employer that he had sought treatment for alcoholism.
- A pharmacist disclosed to a California woman that her ex-spouse was HIV positive, information she later used against him in a custody battle.
- A 30-year employee of the FBI was forced into early retirement when the FBI found his mental health prescription records while investigating the man’s therapist for fraud.
What do my medical records contain?
In all likelihood, you have more than one medical file. Because we are a mobile society with the freedom to consult medical practitioners of our choice and to purchase prescription drugs where we find the best prices, multiple records may exist. These are some of the details likely to be in your medical files:
- Your medical history
- Your family’s medical history
- Lab test results
- Prescribed medications
- Details of your lifestyle (which can include smoking, high risk sports and alcohol and drug use)
What has happened to doctor-patient confidentiality?
The rise of managed health care and electronic billing and records-keeping has drastically altered the way we share and store medical records. In the past, all you needed for privacy protection was a locked filing cabinet. Today, many different companies and providers have electronic access to your medical records—including employers, insurance companies, pharmacies, billing companies, medical records clearinghouses, third-party service providers and medical researchers. Electronic access to these records brings with it new questions and concerns about who needs your records and for what purposes.
Doctors and other medical practitioners consider patient records to be confidential and, in most cases, do their utmost to keep them private. Most medical providers will not release your records unless ordered to do so by a court. If your medical records are at issue in an insurance case or civil or criminal trial, a judge may issue a subpoena for your records.
What laws protect the privacy of my medical records?
Currently, there is no comprehensive federal law that fully protects the privacy of your medical records. The Americans with Disabilities Act (ADA) provides limited protection. For instance, the law forbids employers from asking job applicants for medical information or requiring a physical examination prior to offering them a job unless it is a blanket requirement for all employees.
The confidentiality of substance abuse and mental health treatment records is fully protected under federal law.
Some states have laws to protect medical records privacy, but the records covered vary widely from state to state.
HIPAA privacy rules
HIPAA (Health Insurance Portability and Accountability Act of 1996) gives patients some important rights to monitor their medical records, but leaves many key consumer privacy issues unresolved. A major gap in the federal rule exempts web sites that are not owned by a covered provider, plan or clearinghouse. This means that many popular medical advice, information and search web sites are not covered. The U.S. Department of Health and Human Services Office for Civil Rights enforces the law.
HIPAA, passed to protect health insurance coverage for workers and their families when they change or lose their jobs, was amended in 2003. The original law included cost-saving provisions that promote electronic records-keeping and transmission. It also required that safeguards be put in place to protect the security and confidentiality of medical information as it is shared electronically.
HIPAA has been expanded to cover all written, oral and electronic medical records and other personally identifiable health information. All health and life insurance plans and health care providers, including doctors, dentists, medical groups, hospitals, clinics and pharmacies, as well as “business associates” who use protected health information, such as lawyers and data processing and billing firms, must comply with the law or face civil and/or criminal penalties.
However, a study by Phoenix Health Systems (2006) found that only 56% of providers had federal security standards in place.
What rights do I have under HIPAA?
- Health care providers and health plans must give patients a clear, written explanation—called a “notice”—of how their medical record information will be used.
- Patient consent is required before providers can release medical information.
- Patients have the right to restrict uses and disclosures of their medical information as well as the right to revoke prior consent by submitting a written request to the provider.
- Providers and health plans are required to give patients copies of their medical records upon request.
- Providers are required to give non-health care entities only the minimum amount of medical information necessary. For example, a billing company only has access to the portions of your medical record relevant to billing, not the whole record.
- Patients have the right to file a formal complaint with their provider or the Department of Health and Human Services about violations of the law.
How can I protect the accuracy and privacy of my medical records?
It is worth a little trouble to make sure your medical records are both accurate and secure. Mix-ups can occur and they could affect your ability to get health coverage or life insurance in the future. In some cases, you can take steps to limit the people and companies who have access to your medical records.
- Talk to your doctor about privacy concerns. Ask how the office ensures that records do not fall into the wrong hands. Ask about the kind of information that must be provided for insurance or public health purposes.
- Request a copy of your medical record from your doctor and check your records for accuracy. You may be asked to pay for copying your records. Correct any mistakes with your doctor. Under federal law, medical providers and health plans are required to give patients copies of their medical records upon request. All states give patients some degree of access to their medical records, but the laws differ. The Center on Medical Record Rights and Privacy of the Georgetown University’s Health Policy Institute offers descriptions of all state medical privacy laws. (See "For More Information".)
- Request a free copy of your medical record from the Medical Information Bureau (MIB), a centralized database of medical records used by more than 750 insurance companies to obtain information about health and life insurance applicants. The MIB has the medical records of only people who have applied for individual insurance in the last seven years with an MIB member company, and who have a condition, employment or hobby that is considered significant to health or life expectancy.
Medical Information Bureau
866-692-6901 (TTY: 866-346-3642)
- Read medical record release authorization forms before signing them and edit them to prevent blanket authorization and limit the time period in which your authorization is effective. Cross out general authorizations and replace them with specific dates and portions of your record relevant to the treatment you are receiving. If appropriate, note in writing that you refuse any secondary use of the information. Initial your changes.
- Be careful when providing personal medical information for health surveys or health screenings, to obtain free samples, or when you visit health web sites or online chat rooms. Personal information given out in any of these ways is not secure and could be used for marketing and other purposes. Most health web sites are unregulated by any government agency.
- If you order medical supplies directly from a medical supply company, ask it not to share your name, address or telephone number with any other companies.
Don’t risk your health
Your privacy is important, but don’t withhold medical information from your doctor because of privacy concerns. Discuss your concerns about medical record privacy with your doctor. In any setting, if you are asked for medical details you find inappropriate, ask why such information is needed.
For More Information
- Center on Medical Record Rights and Privacy
- Consumer Action
Leave a message for our referral and advice switchboard and a counselor will return your call.
415-777-9635 or 213-624-8327; TTY: 415-777-9456
e-mail: [email protected]
- Privacy Rights Clearinghouse
- U.S. Department of Health and Human Services
Office for Civil Rights
- Health Privacy Project
- Patient Privacy Rights
- Substance Abuse & Mental Health Services Administration
(Learn more about the confidentiality of substance abuse and mental health treatment records.)
- U.S. Equal Employment Opportunity Commission
(This agency enforces the Americans with Disabilities Act.)
Consumer Action’s Privacy Information Project
© 2008 Consumer Action. Rights Reserved.