Sensitive Information - Privacy and Your Medical Records

Your medical records are not as private as you might think. This booklet explains some steps you can take to guard the privacy and accuracy of your medical records. The misuse of medical records has led to loss of jobs, discrimination, identity theft and embarrassment.

How private are your medical records?

Most people believe their medical records are safely tucked away from prying eyes, gossiping tongues and telemarketers. We share the most personal details with our doctors, therapists and other medical practitioners on the assumption that such information will never leave the office.

But your medical records are not as private as you might think. It’s ironic that the titles of movies you rent from a video store cannot be revealed without a court order while, until recently, there has been no national agreement on how to keep medical records confidential.

Lack of medical records privacy has led to loss of jobs, discrimination, identity theft and embarrassment. These records contain sensitive data, such as illnesses that might carry social stigma and personal details about substance abuse, family planning and mental health. Many employers are informed when their workers obtain counseling through the company’s Employee Assistance Program. Increasingly, people are going online to seek medical information, buy prescription drugs and even receive counseling, raising serious privacy concerns. The rapid development of genetic testing also poses particular concern for the sanctity of medical records because of its potential for discrimination.

What could happen if my medical information got out?

Here are just a few examples of what can go wrong:

  • In 1998 an Atlanta truck driver lost his job after his insurance company told his employer that he had sought treatment for alcoholism.
  • In 1998 a Longs Drugs pharmacist disclosed to a California woman that her ex-spouse was HIV positive, information she later used against him in a custody battle.
  • In October and November 2001 the complete psychological records of 62 children and teens were posted on the University of Montana’s public web site for eight days before the error was caught.

What do my medical records contain?

In all likelihood, you have more than one medical file. Because we are a mobile society with the freedom to consult medical practitioners of our choice and to purchase prescription drugs where we find the best prices, multiple records may exist. These are some of the details likely to be in your medical files:

  • Your medical history
  • Your family’s medical history
  • Lab test results
  • Prescribed medications
  • Details of your lifestyle (which can include smoking, high risk sports and alcohol and drug use)

What has happened to doctor-patient confidentiality?

The rise of managed health care and electronic billing and records-keeping has drastically altered the way we share and store medical records. In the past, all you needed for privacy protection was a locked filing cabinet. Today, many different companies and providers have electronic access to your medical records—including employers, insurance companies, pharmacies, billing companies, medical records clearinghouses, third-party service providers and medical researchers. Electronic access to these records has brought with it new questions and concerns about who needs your records and for what purposes.

Doctors and other medical practitioners consider patient records to be confidential and, in most cases, do their utmost to keep them private. Most medical providers will not release your records unless ordered to do so by a court. If your medical records are at issue in an insurance case or civil or criminal trial, a judge may issue a subpoena for your records.

What laws protect the privacy of my medical records?

New federal rules protecting the privacy of medical records are an outgrowth of a 1996 federal law passed to protect health insurance coverage for workers and their families when they change or lose their jobs. This law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), includes cost-saving provisions that promote electronic records-keeping and transmission. The law also requires that safeguards be put in place to protect the security and confidentiality of medical information as it is shared electronically.

The new rule, as adopted, covers all written, oral and electronic medical records and other personally identifiable health information. All health and life insurance plans and health care providers, including doctors, dentists, medical groups, hospitals, clinics and pharmacies, as well as “business associates” who use protected health information, such as lawyers and data processing and billing firms, must comply with the law or face civil and/or criminal penalties. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights enforces the law. (Download an HHS medical privacy complaint form - a PDF file.)

Web sites that are not associated with a covered provider, plan or clearinghouse will not be required to follow federal medical privacy rules.

What rights do I have under the new law?

While the law was intended to strengthen our medical privacy rights, changes to the medical privacy rule shortly before it went into effect weakened the regulations.

In March 2002, the Bush administration amended the medical privacy rule so that doctors and hospitals do not have to obtain written consent from patients before using or disclosing medical information for treatment, the payment of claims or any of a long list of health care operations such as setting insurance premiums and measuring physician competence.

New consumer rights under the law are bulleted below. Providers and practitioners were given wiggle room allowing them to cite many reasons to avoid complying with the new consumer rights - including potential litigation, physician or institution choice, involvement in clinical research trials, concern that release of information might harm the patient, accuracy of requested corrections and government investigations. (Click here for a PDF version (42 pages) of the Privacy Rule.)

  • You have the unconditional right to be informed of the data-handling practices of medical practitioners and providers. [§164.520]
  • You have the right to request—but not necessarily obtain—privacy protection for your protected health information. [§164.522]
  • You have the right to review and copy your medical record. [§164.524]
  • You have the right to request that inaccuracies in your medical record be corrected. [§164.526]
  • You have the right to know who has accessed your medical record. [§164.528]
    To learn more about the federal medical privacy rule, read "Standards for Privacy of Individually Identifiable Health Information."

The Americans with Disabilities Act (ADA) provides limited protection. For instance, the law forbids employers from asking job applicants for medical information or requiring a physical examination prior to offering them a job. (Existing employees may be asked to submit to a physical exam if it is a blanket requirement for all employees with similar jobs in the company.)

Some states have laws to protect medical records privacy, but the records covered vary widely from state to state.

How can I protect the accuracy and privacy of my medical records?

It is worth a little trouble to make sure your medical records are both accurate and secure. Mix-ups can occur and they could affect your ability to get health coverage or life insurance in the future. In some cases, you can take steps to limit who has access to your medical records.

  • Request a copy of your medical record from your doctor. Forty-three states give patients some degree of access to their medical records, but the laws differ. For example, Montana gives patients the right to access their medical records, but the law specifically excludes pharmacy records. In seven states patients have no legal right to access their records (Arkansas, Iowa, Kansas, Nebraska, North Dakota, Utah and Vermont), but you can ask your doctor anyway. The Georgetown University Health Privacy Project web site (www.healthprivacy.org) includes a state-by-state listing of medical privacy laws.

    If you are able to obtain a copy of your medical record, check it for accuracy. Correct any mistakes with your doctor.

    Don’t risk your health

    Your privacy is important, but don’t withhold medical information from your doctor because of privacy concerns. Discuss your concerns about medical record privacy with your doctor. In any setting, if you are asked for medical details you find inappropriate, ask why such information is needed.
  • Request a copy of your medical record from the Medical Information Bureau (MIB), a centralized database of medical records used by more than 750 insurance companies to obtain information about health and life insurance applicants. The MIB has the medical records of only about 15 million people on file. If your medical record is on file, you can order a copy (for $8.50) and check it for accuracy.
    Medical Information Bureau
    P.O. Box 105, Essex Station
    Boston, MA 02112
    (617) 426-3660
    www.mib.com
  • Read medical record release authorization forms before signing them and edit them to prevent blanket authorization and limit the time period in which your authorization is effective. Cross out general authorizations and replace them with specific dates and portions of your record relevant to the treatment you are receiving. If appropriate, note in writing that you refuse any secondary use of the information. Initial your changes.
  • Be careful when providing personal medical information for health surveys, health screenings, to obtain free samples or when you visit health web sites or online chat rooms. Personal information given out in any of these ways is not secure and could be used for marketing and other purposes. Most health web sites are unregulated by any government agency and will stay that way even after comprehensive medical privacy regulation goes into effect in 2003.
  • If you order medical supplies directly from a medical supply company, ask it not to share your name, address or telephone number with any other companies.

For More Information

  • Consumer Action
    www.consumer-action.org
    Leave a message for our referral and advice switchboard and a counselor will return your call.
    415-777-9635 or 213-624-8327;
    TTY: 415-777-9456;
    e-mail: hotline@consumer-action.org
  • Privacy Rights Clearinghouse
    www.privacyrights.org
    619-298-3396
  • U.S. Department of Health and Human Services (HHS), Office for Civil Rights
    www.hhs.gov/ocr
    800-368-1019
  • U.S. Equal Employment Opportunity Commission
    (This agency enforces the Americans with Disabilities Act)
    www.eeoc.gov
    800-669-4000
    TDD 800-669-6820

About this publication

“Sensitive Information” was created by Consumer Action. It was funded by a court award in the settlement of a class action lawsuit (Dennis v. Metromail) against one of the nation’s largest junk mail companies. The firm used prison inmates to process personal data gathered from consumers, resulting in threatening and offensive calls to an Ohio woman from one of the inmates, a convicted sex offender.

Copyright

© 2003 Consumer Action. Rights Reserved.