Private medical information isn't so private
Your private medical information may not be so private.
While the Health Insurance Portability and Accountability Act, or
HIPAA, was supposed to ensure a national standard for medical-record
privacy, significant loopholes, as well as a lack of federal enforcement,
could leave your records open to prying eyes.
When you're treated for a medical
condition, hundreds of people have access to your medical records
and health information. These include doctors and medical staff
as well as insurance-company workers, government workers, pharmacists
and drug store staff members, says Robert Gellman, a privacy and
information policy consultant in Washington, D.C.
"There's a real disconnect here. For a long time
people have had the idea that their medical records are confidential,
and that's not true, and it hasn't been true for a long time,"
he says. "When someone else is paying for your health care,
there are enormous numbers of institutions and individuals who can
get your medical records."
HIPAA was intended to clarify rules for the electronic transfer of medical records and
health data between health providers, insurance companies, the government and
other interested parties. Electronic databases are full of private medical information,
and breaches in these databases are depressingly common. In the one case prosecuted
under HIPAA, a terminally ill hospital patient was the victim of identity theft
by a hospital employee.
There are numerous ways outside of HIPAA that your
medical information could become public. If you participate in online
e-mail lists or attend a health fair or free medical screening,
any information you provide isn't covered by HIPAA. In addition,
law enforcement personnel may access your records, as can your employer
and life- and car-insurance companies.
Before HIPAA, many consumers didn't have an explicit
right to examine their own medical records or obtain copies of them. Now, according
to the Privacy Rights Clearinghouse, you have the right to view, copy and request
changes to your medical records.
What kind of information is in your medical records?
Here's a rundown of what you're likely to find:
- Your medical history, as given to health-care providers
including primary care physicians, specialists, eye care providers,
dentists, nurses, therapists and chiropractors. This can include
information about your lifestyle, such as whether you smoke or
use drugs, and data about your family members' medical backgrounds.
- Lab-test results, including blood tests, urine
tests, mammograms and X-rays.
- Medications prescribed, including anti-depressants
and birth control.
of surgeries and other medical procedures.
- Results of genetic
- Records of any medical conditions you may have,
such as cancer, AIDS, sexually transmitted diseases and hepatitis.
try to make the point to people that they have no universal protections of their
medical records. Just because the information is medical doesn't mean it will
remain private," says Tena Friery, research director at the Privacy
If your medical records are disclosed under an exception
to HIPAA, there's no requirement to notify you. So your records
may be circulating without your knowing. You can find out who has
accessed your medical records during the last six years, but that
disclosure has several important exceptions, including companies
who request your records for health-care treatment, payment and
Under HIPAA, every time you visit a new health-care provider you
must sign a disclosure stating how your medical information will
be used and under what circumstances it will be revealed.
Health-care providers must make copies of their privacy policies
available to the public. Consumers have signed millions of these
privacy notices, but most people don't take the time to read or