Whether medical records are computerized, online, or simply on paper, there is always an element of human error and the danger of misappropriation. So, just how private are your medical records?
by Michelle Kaminsky, Esq.
Writer and editor Michelle earned a Juris Doctor degree from Temple University's Beasley School of Law in Philad...
Updated on: June 11, 2024 · 4 min read
A longtime UCLA Medical Center employee was recently fired for improperly looking at the medical records of 61 patients including Britney Spears, Maria Shriver, and Farrah Fawcett.
An unencrypted laptop containing MRI reports, names, dates of birth, and some Social Security numbers of people in a National Institutes of Health clinical trial had been stolen from the trunk of an employee's car.
A former patient-admissions employee at New York-Presbyterian Hospital/Weill Cornell Medical Center was arrested for allegedly accessing nearly 50,000 computerized patient records and selling at least 2,000 of them.
Isolated incidents? Regardless, many of us are left to wonder: How private are my medical records?
First, let's be clear about what medical records are. We're talking about your (and often your family's) medical history, lifestyle choices (smoking, for example), bills, claims, prescriptions, lab results, medical opinions, appointment histories, results of operations and other medical procedures, genetic testing, participation in research projects, and even information provided on insurance applications—including your Social Security number.
The doctor-patient privilege has been in place for decades to keep this information as private as possible, but today more people have access to our medical records than ever. With the increased digitalization of records and sharing of information across the medical field, we are forced to put our privacy concerns in the hands of doctors' offices, hospitals, medical centers, insurance companies, employers, health maintenance organizations (HMOs), and pharmaceutical companies.
The federal Health Insurance Portability and Accountability Act (HIPAA) has set a national standard for the handling of electronically stored medical records by health care providers, health plans, and health clearinghouses. Notably, your financial records, your child's school records, and your employment files are not included under the HIPAA protection.
Under the HIPAA, individuals have to sign a Notice of Privacy Practices from health care providers, which outlines the provider's privacy policies. After this notice is signed, your medical records can be disclosed for "routine" purposes without any further consent or notification on your part. This notice must also include instructions on how you can obtain copies of your own records.
The intent of the HIPAA was that medical information would be more easily transmitted among those organizations that need access, particularly in cases of emergency or transfer of providers. The HIPAA states, "In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at the same time ..."
This language, of course, was meant to praise the beneficial effects of the Act, but when read with the possibility of computer hackers, mishandling of data, and employee fallibility in mind, it can sound downright scary.
Indeed, since the HIPAA's implementation in 2003, the Department of Health and Human Services has seen about 35,000 reports of privacy breaches—but hasn't fined anyone. "Voluntary compliance," though, has been achieved in 6,000 cases, according to the department.
Since 2003, the Department of Justice has reportedly filed 200 criminal cases under a statute that includes the HIPAA, although it is not clear how many of those are actually HIPAA-related.
Speaking of the federal government, another organization that may have access to your medical records is the Federal Bureau of Investigation (FBI). Under the Patriot Act, the FBI can get a warrant to secure your medical records during the course of an investigation to protect against international terrorism. Like the HIPAA, the Patriot Act does not require that notice be given to you regarding the turning over of your medical files.
Remember that while your state can't offer less privacy protection than what the HIPAA provides, it may offer more.
Aside from traditional health care organizations, there are even more plans to computerize records and put them online through electronic medical record management of Personal Healthcare Records (PHRs).
Microsoft has already instituted "HealthVault," which provides online medical record management to individuals. Google is currently running a pilot program with a similar system called "Google Health." Both would allow users to input personal and medical information, control the level of access granted to specified parties, and revoke consent at any time.
Additionally, some employers such as IBM offer the opportunity to create PHRs through services like WebMD.
Note that many of these PHR services do not fall under the regulations of HIPAA, so read the privacy policies and terms of use carefully and be sure to check for any changes when sent updated notices.
While the law offers some protection, you can also take some measures to help keep your medical records private. The Privacy Rights Clearinghouse recommends several things you can do, including these five:
Whether medical records are computerized, online, or simply on paper, there is always an element of human error and the danger of misappropriation. The best thing you can do to protect your privacy is to be aware of your rights and the applicable laws, and to keep as close an eye as possible on how your records are used, stored, and transmitted.
After all, they are yours.