In the United States, most patients believe that Health Insurance Portability and Accountability Act (HIPAA) laws keep our medical records private, shared only among our doctors, ourselves and maybe a loved one or caregiver. But those who believe that are wrong!
In fact, there are dozens of individuals and organizations that are legally allowed to access our medical records for a variety of reasons, either by request or by purchase. In some cases, we provide permission for their access. In others, permission isn't necessary. In still other cases, we provide permission without even realizing we've done so.
And then there are those who access our records illegally.
Here is a master list of people and organizations that are accessing our medical records on a regular basis, how they get them and why they want them.
Types of Medical Records Access
There are two general types of medical records that are shared or purchased. The first type is called an individually identifiable record, which focuses on personal attributes - a record with a person's name, doctors, insurers, diagnoses, treatments and more. This is the record we request when we want to review our own individual medical records.
The second type of medical record comes in a format called "aggregated." An aggregated medical record is a database of attributes, but it does not align an individual with his or her specific data. Instead, hundreds or thousands of records are compiled into several lists to make up one aggregated list. That process of inspection and creating lists is called "data mining." For example, a hospital might data mine all the records of patients who had heart bypass surgery. That mined, aggregated record might comprise 100 names of patients, separate from 25 different types of insurance, who were referred by 17 different primary care doctors, had surgery performed by 10 different surgeons and were discharged to a dozen different rehab centers after their surgery. The report has been "de-identified," meaning it doesn't tell which patient has which insurer, surgeon, primary care doctor or rehab center.
Who Has Legal Access to Your Individual, Personal Medical Records?
- You have a legal right to copies of your own medical records.
- Your loved one or caregiver may have the right to get copies of your medical records, too, but you may have to provide written permission.
- Your providers have a right to see and share your records with anyone else to whom you've granted permission. For example, if your primary care doctor refers you to a specialist, you will be asked to sign a form that says he or she can share your records with that specialist. Providers are considered by HIPAA to be "covered entities." Covered entities include doctors or other medical professionals, facilities like hospitals or laboratories, nursing homes, rehab centers, all payers and technology providers like the electronic health record companies that maintain electronic health records. As covered entities, they have very strict rules they must follow, and that includes getting written permission from you to share your records.
- Your payers have a right to get copies of and use your medical records as specified in HIPAA laws. Insurance companies, Medicare, Medicaid, workers' compensation, Social Security disability, Department of Veterans Affairs - any entity that pays for any portion of your healthcare needs may review your records. This may also include your employer if your employer helps fund your medical care. (See more about employer access below.)
- The government may have a right to your medical records. As cited above, any government agency that pays for any part of your healthcare needs may have legal access to your personal records. But other government agencies may have access, too. If you have been involved in any law enforcement activities as a perpetrator or a victim, your individual records may be requested if they affect any legal actions. If you've been in a workplace accident, the federal Occupational Safety and Health Administration may get involved. If your care of your children is questioned, the local child protective services may want to see your child's medical records.
- Your employer may have access to some of your personal medical records, but that access is somewhat of a gray area. In most cases, you will have granted them permission, even if you don't realize it.
Many of the questions about employers and medical records are addressed by the U.S. Department of Labor or by your state labor department, and not by HIPAA laws. For example, the Family & Medical Leave Act may require that some records be shared. An Americans with Disabilities Act filing may mean your records can be viewed by your employer or by a potential employer who has just offered you a job. Workers' comp cases may allow employers to know more than you wish they did. Failure to pass a drug test may allow an employer access. If you are sick for an extended period of time, your employer may ask you for a doctor's excuse (which is a record). Employer assistance programs may also affect your healthcare; for those employers who are self-funded (meaning they are so large that they handle all health insurance themselves), the lines may be blurred between your employer as your payer and your employer as your employer.
- The Medical Information Bureau may have an individual record on you and is not subject to HIPAA laws.
- Prescription databases like IntelliScript (Milliman) and MedPoint (Ingenix) will very likely have data-mined records on all prescription drugs you have purchased over the past five or more years. This information is usually used by life insurance or disability insurance companies to determine whether or not they will sell you insurance.
- How Might Your Medical Records Be Accessed by Mistake, Through Carelessness or Fraud?
- What About Those Aggregated Records? Who Accesses and Uses Aggregated Medical Records?