Medical Records and Privacy
Medical records contain sensitive information, and increasing
computerization and other policy factors have increased threats to
their privacy. This page has information about
threats to privacy from modern record-keeping systems
and from legislation. It also includes
information about some current legal protections
and other methods for maintaining your medical
privacy. Finally, it provides links to other
information about medical record privacy.
What's In Your Medical Records?
Besides information about physical health, these records may
include information about family relationships, sexual behavior,
substance abuse, and even the private thoughts and feelings that come
with psychotherapy. This information is often keyed to a social
security number. Because of a lack of consistent privacy protection
in the use of Social Security
Numbers, the information may be easily accessible.
Information from your medical records may influence your
credit, admission to educational institutions, and employment. It may
also affect your ability to get health insurance, or the rates you
pay for coverage (OTA report). More importantly, having others know
intimate details about your life may mean a loss of dignity and
Threats to Medical Record Privacy
- Administrative Actions. This includes errors that
release, misclassify or lose information. This includes
compromised accuracy, misuse by legitimate users, and uncontrolled
- Computerization. While in some situations
computerization increases privacy protection (for example, by
adding passwords to sensitive areas), it may also decrease privacy
protection for the following reasons.
- Computerization enables storage of large amounts of data in
small spaces. Thus when an intruder gains access, it is access
not just to a certain discrete amount of data, but to larger
collections, and perhaps keys to even further information.
- Networked information is accessible from anywhere at any
time, allowing a larger number of people access. This increases
the possibility of mistakes or other problems such as misuse or
leaks of data.
- New databases and different types of data sets are more
easily created. This both drives demand for new information and
makes possible its creation.
- Information is easily gathered, exchanged and transmitted.
Thus potential dissemination is theoretically limitless.
- Access by unrelated parties.
- Insurance companies. They may either check records
before approving treatment or who may check records before
- Drug companies. These companies may have deals
with doctors and hospitals, and may use the list for
marketing. (Consumer Reports)
- For example, PCN (Physician's Computer Network) has
access to the patient records of 41,000 doctors, which is
about 10% of office-based doctors in the United States.
Participating in the PCN requires a doctor to view
promotions from drug manufacturers. In addition, PCN reserves
the right to copy information from the computer to its own
and to sell it to other companies. Of course, this can only
be aggregate data, but may include ages, diagnoses,
treatments, and prescriptions.
Most policies that consumers fill out have an
authorization to release information to the insurance
company. Most insurance policies sold in the U.S. and Canada
also give notice that a report may be filed with the Medical
Information Bureau (MIB), which is financed and run by the
insurance industry to detect fraudulent applications. Of
course, not everyone is included in the MIB database.
- Court subpoenas. Often a patient will be unaware when
her or his records have been subpoenaed. Even worse, unnecessary
information is often included when the records are not adequately
Legislative Risks to Medical Record Privacy
- A national medical records data bank without adequate privacy
- Medical ID cards.
- These are problematic because of the backup databank
necessary. They may also be a first step toward a national ID
- Medical Ethics
- The privacy portion of the Hippocratic Oath:
"Whatsoever I shall see or hear in the course of my intercourse
with men, if it be what should not be published abroad, I will
never divulge, holding such things to be holy secrets."
- The 1992 AMA statement, which states that medical
information must be confidential to the greatest possible
- Laws and Other Legal Protection
Privacy Act of 1974, which states that no federal agency
may disclose information without the consent of the person.
Agencies must also meet certain requirements for protecting the
- Other Federal Laws
- These laws only cover federal agencies, such as Medicare
and Medicaid. The bulk of medical records are covered by
various, inconsistent and often ineffectual state laws.
- This document allows you to look at the privacy laws,
including medical privacy laws, for each state. Only about
half of the states guarantee patients the right to see their
medical records (CR, Oct. 1994, p. 629). You can obtain more
information by looking in your state code or by contacting
- Tort Law. This may include defamation, breach of contract,
and other privacy-related torts.
Maintaining Medical Record Privacy
- Protect the privacy of your
social security number.
- Tell your physician everything necessary for proper treatment,
but "think twice before disclosing information that has no bearing
on your health." (Consumer Reports, Oct. 1994, p. 629).
- Ask your doctor if any of the records can be accessed from
outside the office. If so, ask for what purpose they may be
- Before the office sends your medical records to another
party, such as an insurance company, ask to view them for
- Ask for a notification if the records are ever subpoenaed.
- Controlling access to other
Other Information about Medical Records