Some of the most sensitive information in the world—our prescription history, medical records, sexual history, drug usage information, and more—is entering the digital world. The digitization of medical records is being sold as an opportunity to revolutionize healthcare. But while digital medical records surely come with special benefits, this technological innovation also has huge ramifications for our privacy.
EFF’s medical privacy project examines emerging issues in medical privacy, looking at how lagging medical privacy laws and swiftly advancing technological innovation leave patients vulnerable to having their medical data exposed, abused, or misconstrued.
We all want our medical information to be private, because we believe it should be something that’s between us and our health care providers. Unfortunately, this is often not the case.
Much personal health data circulates just in the process of providing and paying for treatment and prescriptions. Mandated reporting—for example, for public health purposes—vacuums up a huge volume of identifiable health information. And we all unthinkingly give up a lot of information about our health voluntarily or to receive a perceived benefit—posting online about an illness or condition, using a search engine to look for information about the flu, applying for a job, joining a gym, and acting in a variety of other ways.
Health privacy laws
The United States has no universal information privacy law that’s comparable, for instance, to the EU Data Protection Directive. The laws that exist are sector-specific and vary considerably. The baseline law for health information is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA offers some rights to patients, but it is severely limited because it only applies to an entity if it is what the law considers to be either a "covered entity"—namely: a health care provider, health plan, or health care clearinghouse—or a relevant business associate (BA). This means HIPAA doesn't apply to many entities that may receive medical information, such as an app on your cell phone or a genetic testing service like 23andMe.
Realistically, HIPAA is a disclosure regulation law, not a privacy law: It regulates how your health information may be disclosed, both with and without your consent. No consent is necessary for treatment, payment, or health care operations. For example, your doctor can consult with another doctor about your latest injury without getting your consent because that’s part of treating your injury.
Individual medical information can also be disclosed without your consent for public health reporting, to assist law enforcement, and for judicial and administrative purposes, or to determine your eligibility for benefits and services. It can also be disclosed in ways you can’t find out about for national security purposes.
States can also protect medical privacy. As federal law, HIPAA establishes a national "floor," but allows states to have stronger patient privacy protections. California law in some areas is stronger than HIPAA.
In order to understand specific topics related to medical privacy, it's helpful to have an understanding of the patchwork of state and federal laws that apply to medical information. Read our guide to medical privacy law.
What information is in medical records?
Medical and non-medical information that’s collected and shared in medical records includes:
- Basic demographic data such as address, phone number(s), email address, age, gender, and race.
- Full name and account number and sometimes Social Security Number. Use of Social Security Numbers is disfavored because of the risk of ID theft. Because of this, some, though far from all, health providers now use an assigned patient ID number, rather than a Social Security Number.
- Medical history: diagnoses, treatments, diagnostic test results, and prescriptions, along with known medical conditions, allergies, and drug/alcohol/smoking habits.
- Billing and payment information.
- Information you provide on intake forms about your immediate family members, including any history of certain diseases, like cancer or diabetes.
When is medical information not covered by HIPAA?
In many situations, entities that are not covered by HIPAA have medical information. Sometimes other privacy laws apply to those entities, sometimes not.
Health information, if not complete records, finds its way into financial records; for example, when you pay for prescriptions or psychiatric treatment with a credit card. School records can contain records of physical exams, behavioral assessments, or treatment for sports injuries; this information is usually covered by FERPA (Family Educational Rights and Privacy Act). Employment records may contain health information, too.
There's also the digital sinkhole of information we voluntarily give up. This can be identifiable information on social media, health-related websites and chat groups, or mobile health and fitness apps. It can also be de-identified tracking information that every website collects and may be combining with other data to make it identifiable.
Who has access to your medical records?
Lots of agencies and organizations have legal access to medical information under HIPAA and many other laws. For a start, insurers generally have access—not just health plans, but life insurance, long-term care, and car insurance with medical reimbursement for injuries. Numerous government agencies also have access, including Medicare, Medicaid, Social Security Disability, Workers Comp, state and federal public health departments—the list goes on.
In addition, the Medical Information Bureau (MIB) collects all the medical records you’re required to release when you apply for insurance. These records help insurers verify that you’ve filled out your application truthfully. After 2014, however, the Affordable Care Act (ACA) will eliminate the use of pre-existing conditions as a factor for getting health insurance, so patients won't need to release medical records as part of the application process.
There are also Pharmacy Benefit Managers (PBMs), which administer drug benefit programs for health plans. PBMs have your entire prescription history—drugs, dates, dosage, and who prescribed them—because part of their role is to check your eligibility and get approval for your medication. They also sell de-identified information (not covered by HIPAA because personally identifiable information has been removed) to data miners, who resell it packaged as different types of reports.
Employers have access to health information in background checks when you apply for a job, although they’re supposed to get your written permission first. If they operate or contract out employee wellness programs, they may have access to information about whether you’re exercising or losing weight, have really quit smoking, or are succeeding in controlling your anger management problem.
As mentioned above, there are standard exceptions to consent to access medical records for law enforcement, as well as exceptions for judicial and administrative processes. Information obtained for national security purposes is more mysterious, and you are unlikely to know your records have been disclosed unless you’re unfortunate enough to find yourself the subject of government prosecution.
Another area outside the boundaries of regulations where people give up medical information is in informal health screenings, at health fairs, and through commercially administered vaccine programs (like flu shots at Costco or shingles vaccinations at Walgreens).
Summary: Who may have access to your medical information?
- Long term disability insurance
- Medical Information Bureau
- Pharmacy Benefit Managers
- Government agencies, like Medicare, Medicaid, Social Security Disability, Workers Comp
- State and federal public health department
- Law enforcement and courts
- National security entities
What rights or control do you have over your medical information?
You are at the back of the line when it comes to having a say about what happens with your personal health information, but you do have some rights.
You must be given a notice of privacy practices (NPP) that tells you how providers use your information (which means you have no choice) and what your rights are. A provider needs your written authorization to disclose information about STDs, substance abuse treatment, and psychotherapy notes. Written authorization is also necessary for any kind of marketing other than prescription reminders. You can ask for and receive copies of your records and request corrections. If you pay for your own treatment and ask a provider not to disclose the information to an insurer, it can’t be disclosed.
In addition, medical information can be exposed in a data breach, whether through the negligence of a healthcare provider, the acts of a malicious hacker, or through some other means. From 2005 to 2013, the Privacy Rights Clearinghouse collected reports of 1,118 breaches of medical data that potentially exposed over 29,000,000 sensitive records. In some cases, breaches of medical records can also result in significant fines. The federal government now also publishes medical data breach information, which includes an estimate of the number of individuals affected.
Policies for sharing health information electronically aren’t settled yet, but the default appears to be that no additional consent is required beyond the assumed HIPAA consent for treatment, payment, and health care operations for putting your medical records into the digital data stream.
Read more about medical privacy law.
Resources and blogs:
CalOHII (California Office of Health Information Integrity) has a useful and well-organized section on federal and California laws and regulations concerning health information privacy.
California Health Information Law Identification (CHILI): CHILI is a search tool that assists in identifying California statutes and regulations related to the privacy, access, and security of individually identifiable health information.
California Office of the Attorney General (for links to all of California’s privacy laws)
Center for Democracy and Technology's Health Privacy Project
Department of Health and Human Services and Department of Education: Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records. [pdf] (for how FERPA and HIPAA interact)
Indiana University Center for Bioethics Newborn Blood Spot Banking: Approaches to Consent - PredictER Law and Policy Update
National Human Genome Research Institute Genome Statute and Legislation Database
Privacy Rights Clearinghouse's Medical Privacy Project
The UC Berkeley Chancellor’s Office has a good summary of the Information Practices Act.
World Privacy Forum's Patient's Guide to HIPAA