Medical records typically contain highly confidential and sensitive information. Your records include medical tests or exams you had, medications that you've taken, medical diagnoses, personally identifying information, and contact information.
Understandably, people usually want to keep their medical records private to prevent people from learning their medical history without their permission. Fortunately, there are laws in place to protect your privacy.
The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. The law generally bars health care professionals from sharing a patient's medical records without receiving written permission from the patient.
When you start seeing a new medical provider, the provider will ask you to sign a release form that grants permission for certain staff members to access your record. That access must occur as part of your treatment and is generally very limited. Anyone who can use those records must follow HIPAA; they can't divulge any information to anyone other than the approved care team and you (this also includes treatment for any minor children you have).
If someone else wants to access your patient records, they must also get consent from you. You will have to sign an Authorization for Release of Medical Records form to give them permission. Schools may request a medical release form for student records, for example. If you want to see a different medical professional for additional treatment, that doctor will need to request a release as well if they are outside of the already approved care team.
In some circumstances, providers may share patient medical information without your authorization. Providers can share your medical information with your health insurance company to cover the cost of your treatment. Some government agencies may also get access to patient medical records in specific public health situations. The police may be able to access medical records without patient consent if it's part of an investigation, but in most cases, they will need a warrant to do so.
If you receive a request to release your medical information to a third party, you should make sure the form correctly protects your rights before you sign. The form should state:
HIPAA violations aren't limited to intentionally released patient medical records, either. Health professionals and facilities must use specific security measures to protect access to that kind of information. That means if a medical practice is improperly storing patient records, you can take action against that practice if an unauthorized third party gets access to your files.
For written records, medical practices typically must keep patient records somewhere that's only accessible to approved personnel. When those approved people use the written records, they must not leave them out where unauthorized people could see them.
For Electronic Health Records (EHR), the office must use proper software, equipment, and general security practices designed to prevent unauthorized access. If a hacker is able to gain access to patients' data, the strength of those protections would determine whether the office would be liable:
If you believe that one of your health providers inappropriately shared your medical information with a third party, then you may file a complaint with their employer or with the federal government. The U.S. Department of Health and Human Services (HHS) oversees HIPAA regulations, and the Office for Civil Rights (OCR) handles the violation complaints.
You can file a complaint by mail, email, fax, or through the OCR Complaint Portal. Additionally, your complaint must:
You'll also need to provide standard information like your name, the date, your contact information, and your signature. If you intend to mail in a written complaint, you can access the required forms online from the HHS site.
People who violate HIPAA could face fines and even jail time, as well as lawsuits for financial compensation from affected patients.
Medical records are sensitive and personal. People can face discrimination, embarrassment, or other repercussions if their information is improperly shared. As such, medical records should be closely monitored and only shared when the patient provides authorization or the circumstances fall under one of the few specific exceptions to patient-approved release.