Are Medical Records Private?

In the United States, most people believe that Health Insurance Portability and Accountability Act (HIPAA) laws keep medical records private, shared only amongst a person's doctors, themselves, and maybe a loved one or caregiver. But you may be surprised to learn that others have access to your records and don't need anyone's consent to do so.


In fact, there are dozens of individuals and organizations that are legally allowed to access your medical records for a variety of reasons, either by request or by purchase.

In some cases, you provide permission for their access. In others, permission isn't necessary. In still other cases, you provide permission without even realizing you've done so. And then there are those who access your records illegally.

According to the U.S. Department of Health and Human Services, there were no fewer than 3,054 healthcare data breaches between 2009 and 2019, resulting in the exposure of 230,954,151 medical records.

Here is a master list of people and organizations that are accessing your medical records on a regular basis, how they get them, and why they want them.

Types of Medical Record Access

There are two general types of medical records that are shared or purchased. The first is called an individually identifiable record, which focuses on personal attributes: a record with a person's name, doctors, insurers, diagnoses, treatments, and more. This is the record you receive when you request to review your medical records.

The second type comes in a format called an aggregated medical record. An aggregated medical record is a database of attributes, but it is not used to identify any individual per se. Instead, hundreds or thousands of records are compiled into several lists to make up one aggregated list.

That process is called "data mining." For example, a hospital may decide to mine data of all of the records of patients who have had a heart bypass surgery. The aggregated record may be composed of hundreds of patients, categorized by types of insurance and further sub-categorized by primary care doctors, surgeons, and numerous other possible categories.

As opposed to individually identifiable records, an aggregated medical record is "de-identified," meaning that your identity is not disclosed and no medical procedure, diagnosis, or practitioner in the record can be traced back to you.

Right of Access

Under HIPAA, certain individuals and entities have the right to access your medical records. They are classified as covered entities under HIPAA, meaning that they have the right to access under specific regulatory guidelines.

Covered entities include doctors and allied medical professionals, facilities (like hospitals, labs, and nursing homes), payers (like Medicare and health insurance), technology providers that maintain electronic health records, and the government.

As covered entities, they have very strict rules they must follow, and that includes getting written permission from you to share your records. Under HIPAA, the general guidelines are as follows:

  • You have a legal right to copies of your own medical records.
  • A loved one or caregiver may have the right to get copies of your medical records, too, but you may have to provide written permission.
  • Your health care providers have a right to see and share your records with anyone else to whom you've granted permission. For example, if your primary care doctor refers you to a specialist, you may be asked to sign a form that says he or she can share your records with that specialist.
  • Your payers have a right to get copies and use your medical records as specified in HIPAA laws. Insurance companies, Medicare, Medicaid, workers compensation, Social Security disability, Department of Veterans Affairs, or any institutional entity that pays for any portion of your healthcare needs may review your records.
  • Federal and state government may have a right to your medical records. In addition to medical payment, other agencies may have access, such as law enforcement and child protective services if a subpoena is obtained. If you've been in a workplace accident, the federal Occupational Safety and Health Administration (OSHA) may get involved.
  • The Medical Information Bureau, also known as the MIB Group, may have an individual record on you and is not subject to HIPAA laws. The MIB Group is a non-profit entity founded more than 125 years ago that provides information to life insurers to assess eligibility for coverage.
  • Prescription databases like IntelliScript (Milliman) and MedPoint (Ingenix) very likely have data-mined records on all prescription drugs you purchased over the past five or more years. This information is used by life insurance or disability insurance companies to determine whether or not they will sell you insurance.

One group not covered under HIPAA is employers. Even if they pay for your insurance or medical care out of pocket, HIPAA prohibits them from accessing medical records or insurance claims, as doing so could result in discrimination.

Where Illegal Disclosure Occurs

In some cases, unauthorized access to medical records is intentional and criminal. In other cases, a disclosure may be the result of carelessness by your health provider or by you. Examples include the following.

Hackers

The news almost daily has reports about hackers who have gained access to thousands of private records, whether they are health records, credit card records, or other sources of information.

Medical information is a prime target because thieves make so much money from medical identity theft. They aren't looking for a specific individual's records; instead, they seek as many individually identifiable records as possible, not aggregated ones. It's illegal, of course, but it happens all too frequently.

Targeted Illegal Access

Another illegal form of access is aimed at a specific individual's records. A business might pay someone to get hold of a potential employee's medical record, or a spouse might seek information on the person they are divorcing. You may hear in the news about celebrities whose personal medical records are stolen.

Accidental Leaks

There are other ways your private medical information might unintentionally become public, and the fact that it is unintentional makes it no less egregious. For example, a leased copy machine in a doctor's office is returned to the leasing company with thousands of copied paper medical records still stored in its memory.

The same thing can happen with computer hard drives that have failed. Just because a drive no longer works with that computer doesn't mean someone can't retrieve the data from it.

You often allow entities access to your records without even knowing it. Life insurance is one example where people sign away their medical privacy for coverage. Home DNA tests are a growing concern as the providers can use your information however they choose.

How Aggregated Records Are Used

When records are put together in an aggregated form, they can be used for a variety of reasons. Regardless, these organizations have a right to aggregate the information and share or sell it, as long as it has been de-identified.

Research

Aggregated data may be used in research. The conclusions reached by using the data can help patients in the future.

Selling Data

Sometimes hospitals and other covered entities will sell their aggregated data. A hospital sells its data about a thousand patients who had back surgery to a company that sells wheelchairs. A pharmacy sells its data about its 5,000 customers who filled cholesterol drug prescriptions to the local heart center.

Aggregated data are used for marketing purposes in ways too numerous to list, and are a large source of revenue for many of the organizations that work with patients.

Outreach and Fundraising

Nonprofit and charitable organizations may use aggregated data to help them do outreach for fundraising. Local organizations may team with the hospitals or other facilities that aggregate their data. State, national or international organizations find other ways to access this aggregated data, too.

Of course, you can find yourself on their fundraising lists when you take an interest in their cause, which means they can also aggregate their own data to sell to another organization that wants to know that you took an interest.

No doubt there are many more uses for aggregated medical data. This short list is just a start to give you a sense of the ways aggregated data may be used.
