
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) law makes rules about who is allowed to see patients' medical records. Most people believe that their health information can only be accessed by their providers and the people they give permission to (like family members).

You might be surprised to learn that other people and organizations can see your medical records without your permission.

This article will go over how medical record privacy works. While it's not a complete list, you will learn about some common examples of who can access your records. You will also find out why they want your information and what they can use it for.


Dozens of people and organizations are legally allowed to see your medical records. They can make a request or purchase access to them.

In some cases, you need to give them permission to access your record. However, your permission is not always required. Sometimes, you've given permission for someone to access your record without realizing it—for example, by signing a consent form.

While there are safeguards in place to try to prevent it, individuals or groups sometimes are able to access medical records illegally.

According to the U.S. Department of Health and Human Services, there were at least 3,054 healthcare data breaches between 2009 and 2019. More than 230,954,151 medical records were included in these breaches.

There are many people and groups who are allowed to access your medical records. You have the right to see your records, as do the people you give permission to (like family members). People who are involved in your care, like providers and health insurance companies, can also see your records.

There are two general types of medical records that are shared or purchased: individually identifiable records and aggregated records.

  • Individually identifiable record: This type of record has personal data, such as a person's name, doctors, insurers, diagnoses, treatments, and more. This is the record you request to review your medical records.
  • Aggregated medical record: This type of record is a database that includes lots of different data called attributes. This type of record is not used to identify one person. Instead, hundreds or even thousands of records are put into lists. All those lists together make up one, large aggregated list. This process is called "data mining."

Here's an example of data mining: A hospital may decide to mine the data of all of the records of patients who have had heart bypass surgery.

The aggregated record could have hundreds of patients in it. They are all categorized using different factors, such as the type of insurance they have or who their healthcare providers are.

An individually identifiable record has information like your name and date of birth that can be used to identify you. An aggregated medical record is "de-identified." That means that it does not identify you or include any medical procedure, diagnosis, or practitioner in your records.

Certain people and organizations have the right to access your medical records. They are classified as covered entities under HIPAA. This means that they have the right to access your records under specific regulatory guidelines.

Covered entities include:

  • Doctors and allied medical professionals
  • Healthcare facilities (e.g. hospitals, labs, nursing homes)
  • Payers (e.g. Medicare, health insurance companies)
  • Technology providers that maintain electronic health records
  • The government

As covered entities, they have very strict rules they must follow. One of the most important rules is that they must have written permission from you to share your records.

Here are the other rules laid out by HIPAA:

  • You have a legal right to copies of your own medical records.
  • A loved one or caregiver may have the right to get copies of your medical records if you give them permission to.
  • Your healthcare providers have a right to see and share your records with anyone that you have given permission. For example, if your primary care doctor refers you to a specialist, you might be asked to sign a form that says they can share your records with that specialist.
  • Your healthcare payers have a right to get copies of and use your medical records according to HIPAA laws. Insurance companies, Medicare, Medicaid, workers compensation, Social Security disability, the Department of Veterans Affairs, or any institutional entity that pays for any portion of your healthcare might need to review your records.
  • Federal and state governments may have a right to your medical records. In addition to medical payment, other agencies may have access to your records as well. For example, law enforcement and child protective services might be able to see your records if a subpoena is obtained. If you're in a workplace accident, the federal Occupational Safety and Health Administration (OSHA) might need to review your records.
  • Medical Information Bureau (the MIB Group) is a non-profit entity that was founded more than 125 years ago. It provides information to life insurance companies to assess a person's eligibility for coverage. The MIB Group may have an individual record on you that is not subject to HIPAA laws.
  • Prescription databases like IntelliScript (Milliman) and MedPoint (Ingenix) very likely have data-mined records on all the prescription drugs you have bought over the past 5 or more years. This information is used by life insurance or disability insurance companies to determine whether or not they will sell you insurance.

Employers are not covered by HIPAA. Even if they pay for your insurance or medical care out of pocket, HIPAA does not allow your employer to access your medical records or insurance claims because it could lead to discrimination.

Other than you and the people you give permission to, there are others who are legally able to ask for your medical records. A few examples are health insurance providers, law enforcement, and the government.

However, employers are not allowed to access your records even if they pay for some of your healthcare.

In some cases, unauthorized access to medical records is intentional and criminal. In other cases, the disclosure is the result of someone's carelessness—even yours.

You often hear about hackers who have illegally gained access to thousands of private records, whether they are health records, credit card records, or other sources of information.

Medical information is a prime target for hackers because thieves make a lot of money from medical identity theft.

However, hackers are usually not looking for a specific individual's records. Instead, they just want to get as many non-aggregated (individually identifiable) records as possible.

Another illegal form of access involves an individual patient's records.

For example, a business might pay someone to get a potential employee's medical record. In another situation, a spouse might look for the records of a person they're divorcing. Sometimes, celebrities' medical records are stolen.

There are other ways that your private medical information might unintentionally become public.

For example, if your doctor's office leases a copy machine, thousands of copied paper medical records are stored in its memory. When the machine goes back to the company, the records might go with it.

The same thing can happen when computer hard drives fail. You might assume that if the computer isn't working, the records couldn't be accessed.

However, just because drives no longer work with a computer does not mean that someone can't get the data that's on them.

When You Sign Away Your Privacy

You often give entities permission to access your records without even knowing it. Here are a few common examples that you might not have thought of before:

  • Life insurance: The forms you sign when you get life insurance coverage usually give the company permission to access your records.
  • Home DNA or health tests: When you use home health testing services, the companies can use your health information however they choose.

People may illegally access medical records. For example, hackers might try to get thousands of records from a healthcare system or an individual might try to get their spouse's records without permission.

Sometimes, people are careless with sensitive information and their mistakes lead to breaches. If you are not careful, you might sign paperwork giving access to your records without realizing it.

Medical records in an aggregated form are used for many different reasons. Once the information has been de-identified (meaning that no one patient is identifiable), organizations have the right to aggregate the information, then share or sell it.

Aggregated data is often used in research. The studies using the data may help patients in the future.

Sometimes, hospitals and other covered entities will sell aggregated data.

For example, a hospital could sell its data on 1,000 patients who had back surgery to a company that sells wheelchairs.

In another example, a pharmacy could sell its data on 5,000 customers who filled cholesterol drug prescriptions to the local heart center.

Aggregated data can also be used for marketing purposes. It is a large source of revenue for many organizations that work with patients.

Nonprofit and charitable organizations can use aggregated data to help them do outreach for fundraising.

Local organizations can team with hospitals or other facilities that aggregate patient data. State, national or international organizations find other ways to access the data.

If you take an interest in an organization's cause, you might be on their fundraising lists. Then, you'll be included when they aggregate their data to sell to another organization that wants to know who is interested in the organization.

Aggregated medical record data can be used for many purposes, such as research, marketing, and fundraising.

In the U.S., there are laws that control who can see your health information. There are also rules about how that information can be used.

While your medical records are protected and private, they can be legally accessed by more people or groups than you might realize. Sometimes your permission is needed, but not always.

It's also possible for medical records to be accessed illegally, such as when hackers breach a healthcare system.

In some cases, data from thousands of patients are put together. When this is done, no one patient is easy to identify. This aggregated data is "de-identified." This type of data can be used for many things, like marketing and research.

As a patient, you have many rights and responsibilities. One of your rights is the ability to access your medical record. You can also give other people, like providers, family members, and insurance companies, permission to see your records.

There are also times when your records might be accessed without your permission. For example, law enforcement or agencies that handle workplace injuries can ask to see your records.

Sometimes, you may not even realize that you've given an individual or group permission to get your records and use the data however they want. That's why it's important to always read "the fine print" when you are signing up for services like life insurance or home DNA tests.

Frequently Asked Questions

  • How does HIPAA protect personal medical information?

    The Health Insurance Portability and Accountability Act (HIPAA) rules how and with whom your personal medical information can be shared.

    Under HIPAA, you have a legal right to get copies of your medical records. You also have the right to share your documents with anyone you choose as long as you sign a consent or release form. 

    HIPAA also lets payers see your medical records. Insurance companies, Medicare, Medicaid, workers comp, disability, the VA, or any institution that pays for part of your healthcare can ask for your records.

    Life insurance and prescription databases can also access your records. Even the government can view your medical records in some circumstances. 

  • Are all medical records linked?

    In the U.S., individual medical records are not automatically linked. If you see more than one provider in the same hospital or healthcare system, your digital health records can usually be accessed by all the providers in the system.

For providers in different health systems, you will need to contact the facility where the record was created. The health information department will have you sign a release form to request the sharing of your records with providers at an outside organization.

  • Can you sue someone for disclosing medical information?

Sharing protected health information in violation of HIPAA is illegal, but the act does not let individuals sue for monetary compensation after a breach.

    If you believe your health information was shared illegally, you can file a complaint with the U.S. Department of Health and Human Services.

  • Can a parent access a minor's medical records under HIPAA?

    Yes, though there are a few exceptions and they can vary by state. Instances where a minor's medical records can be withheld from parents include:

    • When parental consent is not required under state or other applicable laws and the minor is the one who consented to care.
    • If a minor receives care under a court order or under the direction of a person appointed by the court.
    • When a parent agreed that the minor and healthcare provider may have a confidential relationship.