Are Your Medical Records Private?

Like most Americans, you probably believe:

  •  What you tell your doctor is totally private
  •  If you sign “privacy notices” at a doctor’s office, a pharmacy, a hospital or a lab, your health records will not be used or disclosed without your permission
  •  No one can look at your sensitive health records, prescriptions, or tests without your permission

None of these assumptions are true.

By Patient Privacy Rights Foundation.

The chilling news about health privacy is – YOU HAVE NONE.

FACT: Patient consent is no longer required to share health records, no matter how embarrassing or intensely personal the contents may be.

What about HIPAA?

The Amended HIPAA Privacy Rule (2003) states only that you must receive a Privacy Notice telling you how your personal health information will be used and disclosed: Section 164.520(c)(2)(i)(A). Privacy Notices are often mistaken for consent forms, but they are simply notices telling you what will happen to your medical records.

What about Electronic Health Records?

Electronic health records are supposed to be progressive and to save lives and money. In fact, privacy is the key to progress with Health Information Technology (HIT). The potential benefits of electronic health systems cannot be realized unless Americans have confidence that ironclad privacy protections are in place for online health records, databases, and networks. As Americans realize how open their records actually are, they will avoid treatment and be much more selective about the important information they share with their doctors. No one should have to choose between privacy and health.

Q. Who has access to your health records?
A. Over 4 million businesses, many outside the healthcare industry, including:

  •  Insurance companies
  •  Government agencies, especially if you receive Medicare, Medicaid, SCHIP, SSI, Workers’ Comp or any local, state or federal assistance
  •  Employers
  •  Banks, financial institutions
  •  Researchers
  •  If you are involved in a court case, your health records can be subpoenaed and made available to the public
  •  Marketers
  •  Drug companies
  •  Data miners
  •  Transcribers in and outside the U.S.
  •  Many health websites that collect information about you

Q: Can my personal health information be used and disclosed without any notice to me or without my informed consent at the time of treatment?

A: Yes. While your doctor may wish to protect your information, once the records are sent out of the office, your doctor can no longer control who sees or uses your information.
Example: information about a depressed person’s attempted suicide and hospitalization can be used and disclosed without any notice to him/her, without his/her consent, and even if he/she objects.

Q: Can my insurer or employer get my health records without my permission?

A: Yes.
The Amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without consent that is far more extensive than is needed for billing or any other reason related to a specific individual’s health care. Other uses for which health plans and employers are authorized to obtain, use and disclose an individual’s health information without consent include:

  •  Due diligence in connection with the sale or transfer of assets;
  •  Certain types of marketing;
  •  Business planning and development;
  •  Business management and general administrative activities; and
  •  Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance. Section 164.501

Example: A depressed person’s health plan or employer would have regulatory permission from the federal government to obtain the information about his/her attempted suicide and hospitalization without his/her knowledge or consent if the information was needed for any of the above business purposes, as well as for treatment or payment.

Even more disturbing, the Amended Rule would authorize the individual’s health plan or employer to use and disclose that information even if the suicide attempt and hospitalization occurred before the Amended Privacy Rule went into effect on April 14, 2003.

Q. What is a “self-insured employer”?

A. A self-insured employer does not contract with an insurance company to insure its employees. Instead, it has enough employees to do its own risk pooling, as an insurance company would. These employers are called “self-insured.” During the past couple of decades, the number of employers who have become self-insured has increased dramatically, starting with large employers and spreading to those with fewer employees. Some examples of self-insured employers are Walmart, Microsoft and IBM.

Q: I thought I signed a Privacy Notice at my doctor’s office giving consent to use my information. What’s in that Privacy Notice?

A: Those are not “consent forms” but a list of the ways in which your doctor or provider may use or share your information. You no longer have the “right of consent” under the Amended HIPAA Privacy Rule, effective April 2003. “Covered entities” are required to provide notice to individuals of the uses and disclosures of identifiable health information that may be made under the Amended HIPAA Privacy Rule, as well as the rights of the individual and the legal duties of covered entities. Section 164.520(a). These notices are called Privacy Notices.

Covered entities must “make a good faith effort” to obtain written acknowledgement of receipt by the individual of the Privacy Notice. Section 164.520(c)(2)(ii). When you sign those notices you are only acknowledging that you’ve received a copy of the many ways your provider may use your information.

Privacy Notices are likely to be lengthy, because HIPAA authorizes so many broad uses and disclosures of identifiable health information. Unfortunately, your rights are quite short. You cannot REQUIRE anything of your provider. You can only make REQUESTS.

Q: What is a “covered entity”?

A: According to the Amended HIPAA Privacy Rule, a “covered entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.
Over 4 million businesses, corporations, government agencies, professionals, and individuals handle personal health information (PHI) electronically and therefore must comply with the HIPAA Privacy Rule. Consultations between direct and indirect treatment providers are expressly permitted under the Original Rule. 65 Fed. Reg. at 82,510. The Amended Rule did not change this permission.

Q: Can I prevent my doctor from reporting a certain procedure to my insurance company?

A: No. The Amended HIPAA Privacy Rule does not provide any method for an individual to prevent any procedure, treatment, medical test, or prescription from being reported to his/her insurance company. This is because the Amended Rule provides regulatory permission for the individual’s insurance company to obtain virtually any personal health information from an individual’s doctor as long as they can assert that they need it for treatment, payment or health care operations.

Even if the individual asks the doctor not to report the procedure, the doctor need not agree. Any medical treatment can be reported over the individual’s objections. Even health information about procedures paid for privately can be reported. The original Privacy Rule stated that information about procedures paid for out of pocket would not be disclosed, but that statement was in the context of a discussion of the right of consent, which was included in the original Rule but repealed in the Amended Rule. See 65 Fed. Reg. at 82,512.

Since the Amended Rule allows for the use and disclosure without consent of personal health information for the insurance company’s business operations, clearly such information can be used and disclosed regardless of whether the individual paid out-of-pocket.

Example: a depressed patient could not prevent the health information about his/her hospitalization from being reported by his/her physician to his/her insurance company.

Q. Are my prescriptions private?

A. No. All 51,000 pharmacies in the U.S. are wired for data mining. You cannot keep your prescriptions private, even if you pay cash. Selling prescription records is a multi-billion dollar a year industry: In 2006 IMS Health reported revenues of $2 Billion for selling prescription records (that’s just one company!).

Not ONE DIME of the billions in annual revenues generated from selling your personal health information goes to help a single sick person.

What can be done?

Download these forms to help protect your health privacy.
