Are Medical Records Private?

nurse in a medical file storage room

Ian Hooten / Science Photo Library / Getty Images

In the United States, most people believe that Health Insurance Portability and Accountability Act (HIPAA) laws keep our medical records private, shared only amongst our doctors, ourselves, and maybe a loved one or caregiver. But those who believe that may be surprised to learn that others have access to their records and don't need anyone's consent to do so.

In fact, there are dozens of individuals and organizations that are legally allowed to access our medical records for a variety of reasons, either by request or by purchase. In some cases, we provide permission for their access. In others, permission isn't necessary. In still other cases, we provide permission without even realizing we've done so.

And then there are those who access our records illegally.

According to the U.S. Department of Health and Human Services, there were no less than 3,054 healthcare data breaches between 2009 and 2019, resulting in the exposure of 230,954,151 medical records.

Here is a master list of people and organizations that are accessing our medical records on a regular basis, how they get them and why they want them.

Types of Medical Record Access

There are two general types of medical records that are shared or purchased. The first type is called an individually identifiable record, which focuses on personal attributes, such as a record with a person's name, doctors, insurers, diagnoses, treatments, and more. This is the record we request when we want to review our own medical records.

The second type comes in a format called an aggregated medical record. An aggregated medical record is a database of attributes, but it is not used to identify any individual per se. Instead, hundreds or thousands of records are compiled into several lists to make up one aggregated list.

That process is called "data mining." For example, a hospital may decide to mine data of all of the records of patients who have had a heart bypass surgery. The aggregated record may be composed of hundreds of patients, categorized by types of insurance and further sub-categorized by primary care doctors, surgeons, and numerous other possible categories.

As opposed to individually identifiable records, an aggregated medical record is "de-identified," meaning that neither your identity nor any medical procedure, diagnosis, or practitioner in your records is disclosed.
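The distinction the article draws between an individually identifiable record and a de-identified, aggregated one can be made concrete in code. The following is an added example, not from the article or from any hospital system: it takes a handful of constructed patient records, strips the direct identifiers, and counts the remaining records for one procedure by insurance type and surgeon, which is the hospital "data mining" scenario described above. It goes one step beyond the text by suppressing any group smaller than a threshold, because a count of one for a rare insurer-and-surgeon combination can still point to a single person even with the name removed. The field names, the identifier list, and the records are all this example's own assumptions.

```python
"""Added example: de-identify constructed patient records and aggregate them
by insurance type and surgeon. All records, field names and the identifier
list below are constructed for this example; none come from the article."""
from collections import Counter

# Fields treated as direct identifiers in this example (a constructed list,
# not HIPAA's formal enumeration). Nothing in this set may reach the output.
DIRECT_IDENTIFIERS = {"name", "dob", "address", "phone", "mrn"}


def _rec(name, mrn, procedure, insurance, surgeon):
    """Build one constructed, individually identifiable record."""
    return {"name": name, "mrn": mrn, "dob": "1960-01-01",
            "procedure": procedure, "insurance": insurance, "surgeon": surgeon}


# Constructed sample data: six bypass patients and two knee replacements.
RECORDS = [
    _rec("Patient One", "000001", "heart bypass", "Medicare", "Dr. Lee"),
    _rec("Patient Two", "000002", "heart bypass", "Medicare", "Dr. Lee"),
    _rec("Patient Three", "000003", "heart bypass", "Medicare", "Dr. Lee"),
    _rec("Patient Four", "000004", "heart bypass", "Private", "Dr. Lee"),
    _rec("Patient Five", "000005", "heart bypass", "Private", "Dr. Patel"),
    _rec("Patient Six", "000006", "heart bypass", "Medicaid", "Dr. Patel"),
    _rec("Patient Seven", "000007", "knee replacement", "Private", "Dr. Kim"),
    _rec("Patient Eight", "000008", "knee replacement", "Medicare", "Dr. Kim"),
]


def deidentify(record):
    """Return a copy of the record with every direct identifier removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def aggregate(records, procedure, keys=("insurance", "surgeon"), min_group=3):
    """Count de-identified records for one procedure, grouped by `keys`.

    Groups with fewer than `min_group` records are folded into a single
    "<suppressed>" bucket so that a rare attribute combination cannot
    single out one patient in the published summary.
    """
    counts = Counter()
    for record in records:
        if record.get("procedure") != procedure:
            continue
        clean = deidentify(record)
        # Defence in depth: fail loudly if an identifier ever slipped through.
        assert not (DIRECT_IDENTIFIERS & clean.keys()), "identifier leaked"
        counts[tuple(clean[k] for k in keys)] += 1

    result = {}
    suppressed = 0
    for group, n in counts.items():
        if n < min_group:
            suppressed += n
        else:
            result[group] = n
    if suppressed:
        result[("<suppressed>",) * len(keys)] = suppressed
    return result


if __name__ == "__main__":
    for group, n in aggregate(RECORDS, "heart bypass").items():
        print(group, n)
```

Running the block prints one line for the Medicare/Dr. Lee group of three and one suppressed line covering the three patients who each sat in a group of one; lowering `min_group` to 1 publishes every group, which is exactly the kind of fine-grained summary that can undo de-identification.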

Right of Access

Under HIPAA, certain individuals and entities have the right to access your medical records. They are classified as covered entities under HIPAA, meaning that they have the right to access under specific regulatory guidelines.

Covered entities include doctors and allied medical professionals, facilities (like hospitals, labs, and nursing homes), payers (like Medicare and health insurance), technology providers that maintain electronic health records, and the government.

As covered entities, they have very strict rules they must follow, and that includes getting written permission from you to share your records. Under HIPAA, the general guidelines are as follows:

  • You have a legal right to copies of your own medical records.
  • A loved one or caregiver may have the right to get copies of your medical records, too, but you may have to provide written permission.
  • Your health care providers have a right to see and share your records with anyone else to whom you've granted permission. For example, if your primary care doctor refers you to a specialist, you may be asked to sign a form that says he or she can share your records with that specialist.
  • Your payers have a right to get copies and use your medical records as specified in HIPAA laws. Insurance companies, Medicare, Medicaid, workers compensation, Social Security disability, Department of Veterans Affairs, or any institutional entity that pays for any portion of your healthcare needs may review your records.
  • Federal and state government may have a right to your medical records. In addition to medical payment, other agencies may have access, such as law enforcement and child protective services if a subpoena is obtained. If you've been in a workplace accident, the federal Occupational Safety and Health Administration (OSHA) may get involved.
  • The Medical Information Bureau, also known as the MIB Group, may have an individual record on you and is not subject to HIPAA laws. The MIB Group is a non-profit entity founded more than 125 years ago that provides information to life insurance companies to assess eligibility for coverage.
  • Prescription databases like IntelliScript (Milliman) and MedPoint (Ingenix) will very likely have data-mined records on all prescription drugs you have purchased over the past five or more years. This information is usually used by life insurance or disability insurance companies to determine whether or not they will sell you insurance.

One group not covered under HIPAA is employers. Even if they pay for your insurance or medical care out of pocket, HIPAA prohibits them from accessing medical records or insurance claims, as it could result in discrimination.

Where Illegal Disclosure Occurs

In some cases, unauthorized access to medical records is intentional and criminal. In other cases, a disclosure may be the result of the carelessness of our health provider or ourselves. Examples include:

  • Hackers: We read in the news almost daily about hackers who have gained access to thousands of private records, whether they are health records, credit card records or other sources of information. Medical information is a prime target because thieves make so much money from medical identity theft. They aren't looking for a specific individual's records; instead, they seek as many records as possible, although not aggregated. It's illegal, of course, but it happens all too frequently.
  • Targeted illegal access: Another illegal form of access might be aimed at a specific individual's records. A business might pay someone under the table to get hold of a potential employee's medical record, or a soon-to-be-divorced spouse might seek information on the one he or she is divorcing. We do hear in the news about celebrities whose personal medical records are stolen regularly.
  • Accidental leaks: There are other ways our private medical information might unintentionally become public, which makes it no less egregious. A leased copy machine in a doctor's office is returned to the leasing company with thousands of copied paper medical records still in its memory. The same thing can happen with computer hard drives that have failed: just because a drive no longer works with that computer doesn't mean someone can't retrieve the data from it.

We often allow entities access to our records without even knowing it. Life insurance is one example where we sign away our medical privacy for coverage. Home DNA tests are a growing concern as the providers can use your information however they choose.

How Aggregated Records Are Used

When our records are put together in an aggregated form, they can be used for a variety of reasons. Regardless, these organizations have a right to aggregate the information and share or sell it, as long as it has been de-identified.

  • Research: Aggregated data may be used in research. The conclusions reached by using the data can help patients of the future.
  • Selling data: Sometimes hospitals and other covered entities will sell their aggregated data. A hospital sells its data about a thousand patients who had back surgery to a company that sells wheelchairs. A pharmacy sells its data about its 5,000 customers who filled cholesterol drug prescriptions to the local heart center. Aggregated data are used for marketing purposes in ways too numerous to list, and are a large source of revenue for many of the organizations that work with patients.
  • Outreach and fundraising: Nonprofit and charitable organizations may use aggregated data to help them do outreach for fundraising. Local organizations may team with the hospitals or other facilities that aggregate their data. State, national or international organizations find other ways to access this aggregated data, too. Of course, we find ourselves on their fundraising lists when we take an interest in their cause, which means they can also aggregate their own data to sell to another organization that wants to know that we took an interest.

No doubt there are many more uses for aggregated medical data. This short list is just a start to give you a sense of the ways aggregated data may be used.
