he next time you have a heart-to-heart with your doctor, consider who may, in effect, be "listening in." No one else may be in the room. But the information that ends up in the medical record your health-care provider keeps may pass before more eyes than you think.

"People assume that doctor/patient privilege protects their medical records," says Zoe Hudson, policy analyst for the Health Privacy Project at Georgetown University, Washington, D.C. "In fact, that's not true. There are many users of that information, both legitimate and suspect."

It's wise to know who all those parties are with potential access to your health information—and to take what steps you can to try to protect your privacy.
     no federal law
     exists to set
     minimum privacy

medical information
may pass before
more eyes
than you think.
What's in your medical record?
Any time you visit a health-care professional—doctor, dentist, psychiatrist, or chiropractor—information about the examinations, tests, and treatments you receive goes into your medical record. It also lists illnesses you've had, medical procedures and surgeries you've undergone, and prescriptions you've taken. And it contains your family medical history and lifestyle-related health information, such as how much alcohol you typically consume and whether you indulge in bungee jumping or other high-risk activity.

Your medical record serves multiple purposes. Health-care providers need the information to provide you optimum care, and your record allows sharing of information among your various caregivers. It provides documentation of care you've received. It verifies which services and treatments your insurance covers. And medical record information can provide useful data for health research and planning that may benefit many people.

Who owns your record? It's the property of the health-care provider or facility that compiles it. State laws vary as to how much access patients have to their own health information. Usually you can gain access by contacting your health-care provider, who may ask you to put the request in writing. Some providers charge a fee for locating and copying your record.

Who can see your medical record?
In theory, you must grant permission for anyone to look at your medical information. But people often sign blanket waivers or general consent forms, making their health records available to more parties than they realize. Here's a list of the entities that may gain access to your health information.

  • Insurance companies—Before you buy a policy or receive pay for care under a policy, you'll need to authorize release of your medical record to the insurance company.

  • Medical Information Bureau (MIB)—This central database of medical records, located in Boston, contains health information for 15 million individuals. MIB's stated purpose is to detect and deter attempts by insurance applicants to omit or misrepresent information. MIB gets data from some 600 member insurance companies, who must report any information significant to health or longevity that they acquire from an applicant, or from health-care providers with the applicant's consent. To obtain information from MIB, an insurer also must have the applicant's consent. To find out if you're in MIB, see the Web site at www.mib.com. You can obtain a copy of your file for a small fee.

  • Employers—If an employer uses an outside insurer for employee health-care coverage, it may require the insurer to provide copies of employees' medical records. If an employer self-insures (most Fortune 500 companies do), it has access to employees' medical records in-house.

  • Courts—If you're involved in a hearing or court case concerning your health condition, the court may subpoena your medical record and relevant parts of that record may be copied and introduced in court.

  • Health facility inspectors—Health-care facilities must undergo inspection to maintain their licenses. The evaluator will look at medical records to judge quality of care, but generally patients' names remain undisclosed.

  • Other health agencies—Public health agencies, such as the Centers for Disease Control, may access health records in efforts to contain an epidemic, for example.

  • Direct marketers—You've always known direct marketers seem capable of getting their hands on anything. But your health information? No, they won't gain access to your entire medical record. They can, however, learn bits of your health information. For instance, if you participate in a free public screening for cholesterol, your name may get passed on to direct marketers who want to target you for specific products.

  • Internet—If you use a chat room or news group for people sharing information about a specific health condition, you have no guarantee the information you disclose will stay private.

     People assume
     doctor/patient privilege
     protects their
     medical records.
     Not true.
How can you protect privacy?
Currently a patchwork of state laws assure varying degrees of privacy protection for medical records. "What's missing is a federal law," Hudson says. "There are no minimum standards for the country."

Congress failed to meet an Aug. 21, 1999 deadline for passing a federal health privacy law, as required by the 1996 Health Insurance Portability and Accountability Act. That law stated that if Congress didn't act by the deadline, the Department of Health and Human Services (HHS) would have to issue regulations by Feb. 21, 2000. Congress still could pass a law at any time, however, that would override HHS regulations.

Passing a law is no easy task. Privacy advocates cite abuses resulting in personal damage, such as job loss. Still, opinions vary widely about how to protect privacy while also enabling access to information vital to public health, research, and law enforcement.

Until a comprehensive law exists, you can boost privacy protection of your health information:

  • Watch what you sign. Read closely any release forms you sign. If faced with a blanket release or waiver, edit the language to limit the parts of your record available to a third party.

  • Request that certain information be withheld from others. If you have a health condition you want kept strictly confidential, ask your doctor not to release the information to an insurer or employer, even if you've signed a previous release. You'll have to pay for such a visit yourself, however, because an insurer won't be reimbursing you for a visit it doesn't know happened.

  • Be careful with surveys, screenings, and Web sites. Before taking part in a survey or a free health screening, find out where the collected information will go. To protect privacy in an online chat group, don't register your name on the site. Use a pseudonym and a nonname-specific e-mail address.

  • Talk to your health-care provider. Ask what procedures are in place to control which clinic or hospital employees see your record. Let your provider know about your privacy concerns.

  • Educate yourself. Besides those already mentioned, other online resources to check include the American Health Information Management Association's site and the National Coalition for Patient Rights.

©1999 Credit Union National Association Inc.