Defend Your Data
Data Defense Kit Join Background Information Information About You Keep Informed

Medical Records Privacy

Who Has Access to Your Records?
Today, individual health and medical data can be collected, combined, analyzed and distributed faster and easier than ever before. Data collection of health and other records has become an enormous industry in response to demands from a wide variety of potential users of that data, including:

  • Insurance companies that issue life, health and disability insurance. The companies use data to pay claims, for utilization review (the process of deciding whether an enrollee should receive certain health care treatments, often used by HMOs as a cost control measure), and for underwriting and coverage decisions. Virtually every insurance company offering these types of policies requires you to release your medical records to them before they will grant you coverage.

    Many life insurance companies also require applicants to sign a release to access that individual's record at the Medical Information Bureau, which collects medical information on individuals from applications submitted to its member companies. In fact, these member companies are required to report medical conditions that are "significant to health or longevity," including height and weight, blood pressure, ECG readings and lab results, as well as non-medical information such as an adverse driving record and participation in "dangerous" sports.

  • Employers, who use health data to identify employees who may be costly in the future, and to reduce their health care and workers compensation costs. A 1996 poll by the University of Illinois found that 35% of Fortune 500 companies use medical data in their employment decisions. (Note: The Americans with Disabilities Act specifically states that an employer may not ask specific questions about an applicant's disability conditions or require a medical exam before an offer of employment is made.) Employers get access to medical records through a waiver signed by employees, usually as part of the employee's application for medical insurance

  • Health care providers and facilities, which use the data for research, to bill insurance companies and other payers, to coordinate diagnosis and treatment options between different departments or facilities, and to monitor quality assurance.

Americans Are Concerned About Their Privacy
Technological advances that allow central storage of vast amounts of health information and the number of people who can access that information are of great concern to consumers. A 1994 ACLU poll found that:

  • 75 percent of respondents are concerned a "great deal" or "fair amount" about health insurance companies putting medical information about them into a computer information bank that others have access to.
  • 60 percent believe that health insurance data is accessed by others for secondary uses.
  • 70 percent are concerned a "great deal" or "fair amount" about insurance companies getting more information about them than is needed from their doctor.
And a January 1999 survey by the California HealthCare Foundation found that one in five adults in the United States believes that a health care provider, insurance plan, government agency, or employer has improperly disclosed personal medical information. Half of those affected say that disclosure resulted in personal embarrassment or harm.

The Need for Medical Privacy Legislation
Currently, the United States has no coherent, consistent privacy policy. What exists is a patchwork of privacy laws that protect movie rentals, books we check out at libraries, and cable television records. There is no federal law to protect the far more sensitive medical, insurance or employment records. While there seems to be widespread agreement that medical privacy legislation is needed, there are conflicting views about what such legislation should look like. Congress, the Clinton Administration, scientists, health insurance organizations, datamining firms and other businesses, privacy advocates and law enforcement agencies are all engaged in complicated maneuvering over medical records and who should have access to individual data.

These battles began with the passage of "Administrative Simplification," a little-known amendment to the 1996 Health Insurance and Portability Act, which required the Department of Health and Human Services to make medical privacy recommendations to Congress. However, instead of improving the privacy of individual medical records, the recommendations made by HHS contain a grave threat to privacy: a mandate to assign every American a "unique health identifier." This de facto national I.D. would give government agencies and corporations access to a massive database of our most private information like Social Security Numbers, medical conditions,and financial information.

Unless Congress passes privacy legislation by August 1999, HHS can establish its recommendations as binding rules. States, however, could provide greater privacy protections for their residents.

What You Can Do to Protect Your Medical Privacy
Send a FREE FAX to your members of Congress telling them that privacy rights must be part of any “Patients’ Bill of Rights”.

Request a copy of your file from the Medical Information Bureau by downloading a copy of the MIB Request Form (requires Adobe Acrobat Reader) and sending it to the MIB. There is an $8.00 charge for this search.

The Privacy Rights Clearinghouse also offer these tips:

1. When you are asked to sign a waiver for the release of your medical records, try to limit the amount of information released. Instead of signing the "blanket waiver," cross it out and write in more specific terms.

  • Example of blanket waiver: I authorize any physician, hospital or other medical provider to release to [insurer] any information regarding my medical history, symptoms, treatment, exam results or diagnosis.
  • Edited waiver: I authorize my records to be released from [X hospital, clinic or doctor] for the [date of treatment] as relates to [the condition treated].

2. If you want a specific condition to be held in confidence by your personal physician, bring a written request to the appointment that revokes your consent to release medical information to the insurance company and/or to your employer for that visit; you must also pay for the visit yourself rather than obtain reimbursement from the insurance company. To be especially certain of confidentiality, you may need to see a different physician altogether and pay the bill yourself, forgoing reimbursement from the insurance company.

3. Use caution when filling out medical questionnaires. Find out if you must complete it, what its purpose is, and who will have access to the information that is compiled. Also, before participating in informal health screenings, find out what uses will be made of the medical information that is collected. Use the same caution when visiting Web sites and when participating in online discussion groups.

4. Ask your health care provider to use caution when photocopying portions of your medical records for others. Sometimes more of your medical record is copied than is necessary.

5. If your records are subpoenaed for a legal proceeding, they become a public record. Ask the court to allow only a specific portion of your medical record to be seen or not to be open at all. A judge will decide what parts, if any, of your medical record should be considered private. After the case is decided, you can also ask the judge to "seal" the court records containing your medical information.

6. Find out if your health care provider has a policy on the use of cordless and cellular phones and fax machines when discussing and transmitting medical information. Cordless and cellular telephones are not as private as standard "wired" telephones. Because they transmit by radio wave, phone conversations can be overheard on various electronic devices.

Fax machines offer far less privacy than the mail. Frequently many people in an office have access to fax transmissions. Staff members at all levels of the organization should take precautions to preserve confidentiality when sending and receiving medical documents by fax machine.

DEFEND YOUR DATA

Unless we quickly oppose further intrusions into our privacy, what little control we still have over our own personal information will soon disappear. That's why the ACLU has launched its Defend Your Data Campaign. We're urging our members and everyone who values their increasingly fragile right to privacy to support the campaign.

Take Action Now -- -- -- Join the ACLU

Defend Your DataACLU HomeFeedback