Some of the most sensitive information in the world—our prescription history, medical records, sexual history, drug usage information, and more—is entering the digital world. The digitization of medical records is being sold as an opportunity to revolutionize healthcare. But while digital medical records surely come with special benefits, this technological innovation also has huge ramifications for our privacy.
EFF’s medical privacy project examines emerging issues in medical privacy, looking at how lagging medical privacy laws and swiftly advancing technological innovation leave patients vulnerable to having their medical data exposed, abused, or misconstrued.
We all want our medical information to be private, because we believe it should be something that’s between us and our health care providers. Unfortunately, this is often not the case.
Much personal health data circulates just in the process of providing and paying for treatment and prescriptions. Mandated reporting—for example, for public health purposes—vacuums up a huge volume of identifiable health information. And we all unthinkingly give up a lot of information about our health voluntarily or to receive a perceived benefit—posting online about an illness or condition, using a search engine to look for information about the flu, applying for a job, joining a gym, and acting in a variety of other ways.
Health privacy laws
The United States has no universal information privacy law that’s comparable, for instance, to the EU Data Protection Directive. The laws that exist are sector-specific and vary considerably. The baseline law for health information is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA offers some rights to patients, but it is severely limited because it only applies to an entity if it is what the law considers to be either a "covered entity"—namely: a health care provider, health plan, or health care clearinghouse—or a relevant business associate (BA). This means HIPAA doesn't apply to many entities who may receive medical information, such as an app on your cell phone or a genetic testing service like 23andme.
Realistically, HIPAA is a disclosure regulation law, not a privacy law: It regulates how your health information may be disclosed, both with and without your consent. No consent is necessary for treatment, payment, or health care operations. For example, your doctor can consult with another doctor about your latest injury without getting your consent because that’s part of treating your injury.
Individual medical information can also be disclosed without your consent for public health reporting, to assist law enforcement, and for judicial and administrative purposes, or to determine your eligibility for benefits and services. It can also be disclosed in ways you can’t find out about for national security purposes.
States can also protect medical privacy. As federal law, HIPAA establishes a national "floor," but allows states to have stronger patient privacy protections. California law in some areas is stronger than HIPAA.
In order to understand specific topics related to medical privacy, it's helpful to have an understanding of the patchwork of state and federal laws that apply to medical information. Read our guide to medical privacy law.
What information is in medical records?
Medical and non-medical information that’s collected and shared in medical records includes:
- Basic demographic data such as address, phone number(s), email address, age, gender, and race.
- Full name and account number and sometimes Social Security Number. Use of Social Security Numbers is disfavored because of the risk of ID theft. Because of this, some, though far from all, health providers now use an assigned patient ID number, rather than a Social Security Number.
- Medical history: diagnoses, treatments, diagnostic test results, and prescriptions, along with known medical conditions, allergies, and drug/alcohol/smoking habits.
- Billing and payment information.
- Information you provide on intake forms about your immediate family members, including any history of certain diseases, like cancer or diabetes.
When is medical information not covered by HIPAA?
In many situations, entities that are not covered by HIPAA have medical information. Sometimes other privacy laws apply to those entities, sometimes not.
Health information, if not complete records, finds its way into financial records; for example, when you pay for prescriptions or psychiatric treatment with a credit card. School records can contain records of physical exams, behavioral assessments, or treatment for sports injuries; this information is usually covered by FERPA (Family Educational Rights and Privacy Act). Employment records may contain health information, too.
There's also the digital sinkhole of information we voluntarily give up. This can be identifiable information on social media, health-related websites and chat groups, or mobile health and fitness apps. It can also be de-identified tracking information that every website collects and may be combining with other data to make it identifiable.
Who has access to your medical records?
Lots of agencies and organizations have legal access to medical information under HIPAA and many other laws. For a start, insurers generally have access—not just health plans, but life insurance, long-term care, and car insurance with medical reimbursement for injuries. Numerous government agencies also have access, including Medicare, Medicaid, Social Security Disability, Workers Comp, state and federal public health departments—the list goes on.
In addition, the Medical Information Bureau (MIB) collects all the medical records you’re required to release when you apply for insurance. After 2014, however, the Affordable Care Act (ACA) will eliminate the use of pre-existing conditions as a factor for getting health insurance, so patients won't need to release medical records as part of the application process. These records help insurers verify that you’ve filled out your application truthfully.
There are also Pharmacy Benefit Managers (PBMs), which administer drug benefit programs for health plans. PBMs have your entire prescription history—drugs, dates, dosage, and who prescribed them—because part of their role is to check your eligibility and get approval for your medication. They also sell de-identified information (not covered by HIPAA because personally identifiable information has been removed) to data miners, who resell it packaged as different types of reports.
Employers have access to health information in background checks when you apply for a job, although they’re supposed to get your written permission first. If they operate or contract out employee wellness programs, they may have access to information about whether you’re exercising or losing weight, have really quit smoking, or are succeeding in controlling your anger management problem.
As mentioned above, there are standard exceptions to consent to access medical records for law enforcement, as well as exceptions for judicial and administrative processes. Information obtained for national security purposes is more mysterious, and you are unlikely to know your records have been disclosed unless you’re unfortunate enough to find yourself the subject of government prosecution.
Another area outside the boundaries of regulations where people give up medical information is in informal health screenings, at health fairs, and through commercially administered vaccine programs (like flu shots at Costco or shingles vaccinations at Walgreen’s).
|Summary: Who may have access to your medical information?|
Long term disability insurance
Medical Information Bureau
Pharmacy Benefit Managers
Government agencies, like Medicare, Medicaid, Social Security Disability, Workers Comp
State and federal public health department
Law enforcement and courts
National security entities
What rights or control do you have over your medical information?
You are at the back of the line when it comes to having a say about what happens with your personal health information, but you do have some rights.
You must be given a notice of privacy practices (NPP) that tells you how providers use your information (which means you have no choice) and what your rights are. A provider needs your written authorization to disclose information about STDs, substance abuse treatment, and psychotherapy notes. Written authorization is also necessary for any kind of marketing other than prescription reminders. You can ask for and receive copies of your records and request corrections. If you pay for your own treatment and ask a provider not to disclose the information to an insurer, it can’t be disclosed.
In addition, medical information can be exposed in a data breach, whether through the negligence of a healthcare provider, the acts of a malicious hacker, or through some other means. From 2005-2013, the Privacy Rights Clearinghouse collected reports of 1,118 breaches of medical data that potentially exposed over 29,000,000 sensitive records. In some cases, breaches of medical records can also result in significant fines. The federal government now also publishes medical data breach information, which includes an estimate of the number of individuals affected.
Policies for sharing health information electronically aren’t settled yet, but the default appears to be that no additional consent is required beyond the assumed HIPAA consent for treatment, payment, and health care operations for putting your medical records into the digital data stream.
Read more about medical privacy law.
Resources and blogs:
CalOHII (California Office of Health Information Integrity) has a useful and well-organized section on federal and California laws and regulations concerning health information privacy.
California Health Information Law Identification (CHILI) CHILI is a search tool that assists in identifying California statutes and regulations related to the privacy, access, and security of individually identifiable health information.
California Office of the Attorney General (for links to all of California’s privacy laws)
Center for Democracy and Technology's Health Privacy Project
Department of Health and Human Services and Department of Education: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records. [pdf] (for how FERPA and HIPAA interact)
Indiana University Center for Bioethics Newborn Blood Spot Banking: Approaches to Consent - PredictER Law and Policy Update
National Human Genome Research Institute Genome Statute and Legislation Database
Privacy Rights Clearinghouse's Medical Privacy Project
The UC Berkeley Chancellor’s Office has a good summary of the Information Practices Act.
World Privacy Forum's Patient's Guide to HIPAA