Are Medical Records Private?

Not as Much as You May Think


In the United States, most patients believe that Health Insurance Portability and Accountability Act (HIPAA) laws keep our medical records private, shared only amongst our doctors, ourselves, and maybe a loved one or caregiver. But those who believe that are wrong!

In fact, there are dozens of individuals and organizations that are legally allowed to access our medical records for a variety of reasons, either by request or by purchase. In some cases, we provide permission for their access. In others, permission isn't necessary. In still other cases, we provide permission without even realizing we've done so.

And then there are those who access our records illegally.

Here is a master list of people and organizations that are accessing our medical records on a regular basis, how they get them and why they want them.

Types of Medical Records Access

There are two general types of medical records that are shared or purchased. The first type is called an individually identifiable record, which focuses on personal attributes — a record with a person's name, doctors, insurers, diagnoses, treatments, and more. This is the record we request when we want to review our own individual medical records.

The second type of medical record comes in a format called aggregated. An aggregated medical record is a database of attributes, but it does not align an individual with his or her specific data. Instead, hundreds or thousands of records are compiled into several lists to make up one aggregated list. That process of inspection and creating lists is called "data mining." For example, a hospital might data mine all the records of patients who had heart bypass surgery. That mined, aggregated record might be comprised of 100 names of patients, separate from 25 different types of insurance, who were referred by 17 different primary care doctors, had surgery performed by 10 different surgeons, and were discharged to a dozen different rehab centers after their surgery. The report has been "de-identified," meaning it doesn't tell which patient has which insurer, surgeon, primary or rehab center.
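The bypass-surgery example above, worked through as added illustration (not code from the article): constructed sample records are mined for one procedure, each attribute is compiled into its own list, and a check shows why the lists must be ordered independently, since lists that keep row order can be zipped straight back into individual records.

```python
from collections import Counter

# Constructed sample of individually identifiable records (not real data).
RECORDS = [
    {"name": "Patient 1", "procedure": "bypass", "insurer": "Insurer B", "surgeon": "Dr. S1", "rehab": "Rehab R1"},
    {"name": "Patient 2", "procedure": "bypass", "insurer": "Insurer A", "surgeon": "Dr. S2", "rehab": "Rehab R2"},
    {"name": "Patient 3", "procedure": "bypass", "insurer": "Insurer A", "surgeon": "Dr. S1", "rehab": "Rehab R1"},
    {"name": "Patient 4", "procedure": "knee",   "insurer": "Insurer C", "surgeon": "Dr. S3", "rehab": "Rehab R3"},
]
ATTRIBUTES = ["insurer", "surgeon", "rehab"]  # the separate lists the report is made of
LINK_FIELDS = ["name"] + ATTRIBUTES            # the combination that identifies a person

def data_mine(records, procedure):
    """The mining step: pull out every record for one procedure."""
    return [r for r in records if r["procedure"] == procedure]

def split_columns(records, fields, sort_each):
    """Compile the records into one separate list per attribute.
    sort_each=False keeps row order in every list (the naive mistake);
    sort_each=True orders each list on its own so position carries nothing."""
    return {f: (sorted if sort_each else list)(r[f] for r in records) for f in fields}

def realign(columns):
    """What a recipient can try with the lists: zip them back up by position."""
    fields = list(columns)
    return [dict(zip(fields, row)) for row in zip(*(columns[f] for f in fields))]

def aggregated_report(records, procedure):
    """The de-identified report: a patient count plus, per attribute, how many
    patients fall under each value. Names are dropped, not merely separated."""
    mined = data_mine(records, procedure)
    report = {"procedure": procedure, "patient_count": len(mined)}
    for f in ATTRIBUTES:
        report[f] = sorted(Counter(r[f] for r in mined).items())
    return report

def leaks_linkage(records, procedure, sort_each):
    """True if realigning the split lists recovers any patient's real combination
    (the constructed sample is chosen so independent sorting breaks every row)."""
    mined = data_mine(records, procedure)
    rows = realign(split_columns(mined, LINK_FIELDS, sort_each))
    original = {tuple(r[f] for f in LINK_FIELDS) for r in mined}
    return any(tuple(row[f] for f in LINK_FIELDS) in original for row in rows)
```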

Who Has Legal Access to Your Individual, Personal Medical Records?

  • You have a legal right to copies of your own medical records.
  • Your loved one or caregiver may have the right to get copies of your medical records, too, but you may have to provide written permission.
  • Your providers have a right to see and share your records with anyone else to whom you've granted permission. For example, if your primary care doctor refers you to a specialist, you will be asked to sign a form that says he or she can share your records with that specialist. Providers are considered by HIPAA to be covered entities. Covered entities include doctors or other medical professionals, facilities like hospitals or laboratories, nursing homes, rehab centers, all payers and technology providers like the electronic health record companies that maintain electronic health records. As covered entities, they have very strict rules they must follow, and that includes getting written permission from you to share your records.
  • Your payers have a right to get copies and use your medical records as specified in HIPAA laws. Insurance companies, Medicare, Medicaid, workers compensation, Social Security disability, Department of Veterans Affairs – any entity that pays for any portion of your healthcare needs may review your records. This may also include your employer if your employer helps fund your medical care. (See more about employer access below.)
  • The government may have a right to your medical records. As cited above, any government agency that pays for any part of your healthcare needs may have legal access to your personal records. But other government agencies may have access, too. If you have been involved in any law enforcement activities as a perpetrator or a victim, your individual records may be requested if they affect any legal actions. If you've been in a workplace accident, the federal Occupational Safety and Health Administration may get involved. If the care you give your children is questioned, the local child protective services may want to see your child's medical records.
  • Your employer may have access to some of your personal medical records, but that access is somewhat of a gray area. In most cases, you will have granted them permission, even if you don't realize it. Many of the questions about employers and medical records are addressed by the U.S. Department of Labor or by your state labor department, and not by HIPAA laws. For example, the Family & Medical Leave Act may require some records be shared. An Americans with Disabilities Act filing may mean your records can be viewed by your employer or by a potential employer who has just offered you a job. Workers comp cases may allow employers to know more than you wish they did. Failure to pass a drug test may allow an employer access. If you are sick for an extended period of time, your employer may ask you for a doctor's excuse, which is a record. Employer assistance programs may also affect your healthcare; for those employers who are self-funded (meaning, they are so large that they handle all health insurance themselves), the lines may be blurred between your employer as your payer and your employer as your employer.
  • The Medical Information Bureau may have an individual record on you and is not subject to HIPAA laws.
  • Prescription databases like IntelliScript (Milliman) and MedPoint (Ingenix) will very likely have data mined records on all prescription drugs you have purchased over the past five or more years. This information is usually used by life insurance or disability insurance companies to determine whether or not they will sell you insurance.

How Your Medical Records Might Be Accessed by Mistake

  • Hackers: We read in the news almost daily about hackers who have gained access to thousands of private records, whether they are health records, credit card records or other sources of information. Medical information is a prime target because thieves make so much money from medical identity theft. They aren't looking for a specific individual's records; instead, they seek as many individually identifiable records as possible, not the aggregated kind. It's illegal, of course, but it happens all too frequently.
  • Targeted Illegal Access: Another illegal form of access might be aimed at a specific individual's records. A business might pay someone under the table to get hold of a potential employee's medical record, or a soon-to-be-divorced spouse might seek information on the one he or she is divorcing. We do hear in the news about celebrities whose personal medical records are stolen regularly.
  • Accidental Leaks: There are other ways our private medical information might unintentionally become public, even though that makes it no less egregious. A leased copy machine in a doctor's office is returned to the leasing company with thousands of copied paper medical records in its memory. The same thing can happen with computer hard drives that have failed. But just because the drives don't work with that computer anymore doesn't mean someone can't retrieve the data.
  • Giving Information About Ourselves: And sometimes we actually give away all kinds of information about ourselves without realizing what we are doing. When we search online, many websites plant pieces of code into our computers, called "cookies," then use that data to help them make money. Or maybe you order medical devices (like a blood pressure cuff or a pair of crutches) or over-the-counter drugs or even information (see Johns Hopkins White Papers) that lets organizations know what your medical problems are and that you are in search of treatment information.
  • Your Purchase Information: Do you use a shopper's loyalty reward card? That gives away more information than you can imagine, not only about the foods you eat – or don't eat – but also about the other purchases you make in that store, especially if they have a prescription drug counter.

Who Accesses and Uses Aggregated Medical Records?

When our records are put together in an aggregated form, they can be used for a variety of reasons. Regardless, these organizations have a right to aggregate the information and share or sell it, as long as it has been de-identified.

  • Research: Aggregated data may be used in research. The conclusions reached by using the data can help patients of the future.
  • Selling Data: Sometimes hospitals and other covered entities will sell their aggregated data. A hospital sells its data about a thousand patients who had back surgery to a company that sells wheelchairs. A pharmacy sells its data about its 5,000 customers who filled cholesterol drug prescriptions to the local heart center. Aggregated data are used for marketing purposes in ways too numerous to list, and are a large source of revenue for many of the organizations that work with patients.
  • Outreach and Fundraising: Nonprofit and charitable organizations may use aggregated data to help them do outreach for fundraising. Local organizations may team with the hospitals or other facilities that aggregate their data. State, national or international organizations find other ways to access this aggregated data, too. Of course, we find ourselves on their fundraising lists when we take an interest in their cause, which means they can also aggregate their own data to sell to another organization that wants to know that we took an interest.
  • FICO, the company that produces credit scores, has begun producing medication adherence scores. They claim it's not an individual record, that it's simply an assignment of a number. Their number is actually a judgment that has been developed using other aggregated data like the neighborhood you live in and the car you drive (among other attributes) to determine how likely you are to take the medicine you've been prescribed.

No doubt there are many more uses for aggregated medical data. This short list is just a start to give you a sense of the ways aggregated data may be used.
