You don't need to be a celebrity to have valid concerns that your medical records might be stolen or read by others. Over the past three years, almost 21 million patients have had their medical records exposed in data security breaches, according to the Department of Health and Human Services.
The Health Insurance Portability and Accountability Act (HIPAA), a federal law that sets a national standard for privacy, provides limited privacy for medical records maintained by health care providers, health plans and health clearinghouses, but a good deal of medical information falls outside the protection of this law.
To see how caregiving is transforming, visit AARP’s caregiving and technology series.
Here are answers to 10 questions you may have about privacy laws concerning your medical information.
1. Who can get access to my medical information?
A. Whoever is providing your care, as well as the organizations funding that care. And, sometimes, the government.
Doctors, nurses and hospitals need to share your information to ensure that you're getting the proper treatment and meds, and that none of those treatments conflict. Insurance companies require the same information to verify claims. Government agencies may request medical records to verify claims made through Social Security, disability and workers' compensation. The government can also get access to your medical information for public health purposes, such as reporting diseases and collecting vital statistics, and to make required reports to law enforcement.
2. Does my employer have access to my medical records or insurance claims?
A. Absolutely not. HIPAA prohibits employers from accessing patient records or insurance claims because it could result in discrimination. If an employer wants to see any of your medical information, the employer would need to receive your written permission. Under HIPAA, your supervisor or human resource officials can request a doctor's note or information about your health only if needed to administer sick leave, workers' compensation, wellness programs or health insurance.
3. What rights do I have to access and control my health information?
A. Health insurers and providers must make your health records available to you upon request, allow you to copy the records and make corrections. Insurers and providers have an obligation to tell you how your health information may be used or shared. Even if you undergo genetic testing, federal regulations make that information subject to the same privacy protections of HIPAA. A 2008 federal law prohibits employers from denying you a job or firing you, and health insurers from refusing coverage, based on genetic information.
If you believe your rights have been violated, you can file a complaint with your provider or health insurer or with the U.S. Department of Health and Human Services.
4. Can family members see my medical records?
A. It depends. Although federal law does not prohibit ordinary health care practices — such as hospital staff discussing your condition and your treatment options with family members, or picking up a prescription for a relative — you must give written permission for your loved ones to see your official medical records. By designating family members as your "personal representative" in a signed letter or form, you give the health care providers the coverage they require to avoid HIPAA violations. So it's a good idea for you and aging parents — or adult children — to designate one another as personal representatives in case the need arises.
5. Is my health information vulnerable because of widespread use of electronic medical records?
A. Electronic medical records (EMRs) provide health care providers with quick access to your information and a real-time tool to improve the quality of health care, as well as prevent medical errors and increase administrative efficiencies. In spite of their convenience, EMRs may make it harder to protect your privacy; when information is communicated electronically, there is always potential for security breaches. But keep in mind that providers of EMRs are laser-focused on these dangers, making EMRs more reliable and less vulnerable than an open chart left on a hospital counter.
6. If I lose my insurance and apply on the open market, can my new insurance company contact my old insurance company to review my claims history to determine my coverage or rates?
A. Absolutely not. One insurance company sharing your claims history with another would be considered unauthorized disclosure to a third party, which is a HIPAA violation. Insurers may access individual doctors' files for underwriting purposes, but only once you disclose your physicians' names in your application for coverage.
7. Can my health information be used for marketing purposes?
A. Not unless you give permission or take part in free health screenings.
Individual and group health plans, health care clearinghouses and health care providers may not disclose health information for marketing or provide data to a third party for marketing in exchange for direct or indirect payment unless there is authorization from the patient. There's one big loophole: If you take part in free or low-cost health screenings that are conducted at health fairs, shopping malls and pharmacies, your information may be provided to marketers.
8. Can my health information be used for research?
A. Yes, but your name can't be released. Private researchers and government agencies compiling health data outcomes commonly have access to patient medical records under conditions of confidentiality. Your name may be seen on some of the records, but the researchers are prohibited from making that public.
9. Is my prescription drug information protected?
A. Pharmacies can turn over anonymous prescription data to companies that collect and sell this information to pharmaceutical companies. Drug company representatives, knowing your doctor's name — but not yours — can call the doctor and suggest other medications to prescribe for a specific condition just like yours.
10. Can debt collection agencies access information about unpaid medical bills?
A. Yes, but not detailed information about specific treatments. Overdue debts to doctors and hospitals can be reported to collection agencies and show up on your credit report. Information provided includes your name and address, your date of birth, Social Security number, your payment history and the name of the health provider owed money.