Medical privacy can mean many things to different people such as:

• Keeping our medical information to ourselves.
• Choosing what we want others to know about our medical situation.
• Trusting that personal medical information won't be shared.
• Comparing our right to medical privacy with someone else's right to know.

It's important to know what are your medical privacy rights and responsibilities. Some important questions to ask include:

• Which medical information am I required to give and why must I give it?
• How will the medical information be used?
• Who will see the medical information?
• Will I be able to control the accuracy of the medical information?

Why Is Medical Privacy Important?

With the great increase in computerized medical information systems over the past few decades, health care providers, insurance companies, information bureaus, government, employers, and other organizations hold much greater amounts of medical information about individuals than ever before, and it is easier for them to analyze the information and use it.

Consumers face risks in how this information is used and applied. Examples of possible risks include:

• Being denied insurance coverage because of incorrect information in your file.
• Use of a medical condition affecting a critical employment decision by an employer.
• Information shared with companies that market drugs.
• People finding out about a medical condition which you prefer to keep private.

What Is Medical Privacy?

To understand the definition of medical privacy, let's take the words individually. When defining privacy, it means the right of individuals to decide what information about them (through both paper and electronic means) will be communicated to others. When you add on the word "medical," you are talking about anything related to the physical and mental of an individual.

So, medical privacy is the individual's right to decide what personal physical and mental health information is communicated to others, both paper and electronic information. The word "others" could mean a physician, medical staff, insurance company, employer, family member, friend, and so on.

What Laws Protect Your Medical Privacy?

The government is working to establish laws that would help protect people's medical privacy. A federal law, Health Insurance Portability and Accountability Act of 1996 (HIPAA), would allow health care businesses (such as health insurance plans, health care clearinghouses, and health care providers) to use cost-effective electronic transactions for financial and administrative tasks. However, in order to conduct electronic transactions, these businesses have to implement safeguards to protect consumer personal information.

The HIPAA law gave Congress three years to pass comprehensive health privacy legislation. However, when Congress did not enact this law in time, the HIPAA law required the Department of Health and Human Services to develop these privacy regulations.

These new written regulations are called the Standards for Privacy for Individually Identifiable Health Information--also known as the Privacy Rule. It took effect on April 14, 2001. The Privacy Rule provides national standards to protect consumers' personal health information and allows consumers more access to their medical records. Most large health care entities (defined as those entities with more than $5 million in annual revenue) must comply with the Privacy Rule by April 14, 2003. Smaller health plans must comply by April 14, 2004.

Illinois has some health privacy laws in place to benefit the consumer. One law allows the patient to see their medical records (both physical and mental health) from their physician, hospital, or insurance provider. All the patient needs to do is make a written request and show proper identification. Insurance companies must provide the requested records within 30 business days. Physicians and hospitals have 60 days to comply with the patient's request. The patient has the right to have their medical records corrected if there is an error and also to have confusing or misrepresented information deleted or amended.

What Does Your Medical Record Contain?

Your medical record contains details of your medical history and the medical care you have received. It can also include:

• Results from medical tests (including diagnostic tests and genetic tests).
• Observations about your health from your physician and other health care professionals.
• Description of health behaviors (such as alcohol and drug use, sexual practices, and dietary, sleeping, and exercise habits).
• Comments about your work environment (such as air quality, chemicals and radiation exposure, potential high-risk job tasks, etc.).

In short, your medical record contains data about some of the most intimate and personal dimensions of your life.

How Is Your Medical Record Used: What Are Your Privacy Risks?

A primary purpose of a medical record is to store health information to facilitate diagnosis and treatment of illnesses. For this purpose, complete records about your medical history, past illnesses and treatments, and health behaviors is critical. Most of us want to trust our physicians with our personal medical information and most of us do. Unfortunately, there are more people who handle a person's medical records than the doctor such as:

• other health care workers
• health insurance companies (including health maintenance organizations [HMOs] and other health care financers)
• employers
• medical information bureau and life insurance companies
• public insurance programs and public health care programs
• federal and state agencies such as Immigration and Naturalization Services (INS), Center for Disease Control (CDC), etc.
• local and state health departments (disease registries, screening programs, WIC, etc.)
• medical imaging centers
• medical laboratories
• pharmacies, pharmacy wholesales, drug companies
• medical and health researchers
• consumer surveys administered through Web sites and other media
• marketers

With all these different companies and institutions having potential access to your health information, it becomes clear that your medical record is not simply a file but a collection of health information. Understanding who holds and handles your health information is a first step towards taking charge of your medical record privacy.

Your health insurance company has your health information in order to pay for your medical costs. However, your employer also may have access to this health information. While many large companies require their health plans to keep employee medical information confidential, many of these employers have access to medical records for case management and other purposes.Employers cannot make employment-related decisions based on disability (because of the Americans with Disabilities Act), but the law does not prohibit their access to the information. How employers use health information about their employees, and whether they have a privacy policy implemented, is an important question for employees to ask.

Information organizations, such as the Medical Information Bureau or the company, All Claims, gather health information through the payment and insurance system. The Medical Information Bureau (MIB) is a membership organization for over 600 insurance companies. They gather information about people with serious health conditions and those people employed in dangerous occupations or engaging in dangerous sports. The MIB does not retain a record for everyone, but it does hold information on many, many people. Companies like All Claims gather health information from insurance companies and create a database of individuals. The database indicates whether individuals have high utilization rates for health care or if they have multiple policies. Insurance companies can use information from these companies when making insurance underwriting decisions on policies such as life, long-term care, or health insurance.

How Can You Safeguard Your Medical Record Privacy?

There are many steps you can take to protect the privacy of both your electronic and paper medical records.

1. Tell only relevant information to your health with your physician. Request in writing if you do not want particular medical information released to your insurance company or to your employer. You could pay for the doctor's visit yourself and not have it submitted to your insurance.

2. Ask your doctor, medical clinic, or hospital how they maintain the privacy and confidentiality of your medical records. Do they transmit medical records electronically such as via computer, fax, cordless phone, or cellular phone? If so, request in writing that they not store or transmit your medical information electronically. Maybe they will comply with your request.

3. Obtain a copy of your medical records from your physicians, hospital, and other medical entities. Read them and if there is an error or misleading information, make a written request to have it deleted or amended.

4. Obtain a copy of your file kept by the Medical Information Bureau (MIB). Don't be disappointed if they do not have your file. MIB reports are usually for people with serious medical conditions or other factors that affect a person's long life. To obtain a copy of your file, contact them by calling (617) 426-3660. They will mail you a form called the "Request for Disclosure Form." Complete this form and send it back to them with a check for $9 to MIB, Inc., P. O. Box 105, Essex Station, Boston, MA 02112. If you find an error in your files, you can request that it be corrected.

5. Be cautious on how much private medical information you share on the Internet when filling out surveys, questionnaires, or health screenings. Look for and read the privacy policies before using a web site. Find out how the medical information can be used and who will have access to it.

6. Read all medical-related authorization forms and edit them to limit the dissemination of your personal medical records before signing. Before signing, find out whom you are authorizing to have your medical records released to and why do they need this information. You can edit these forms to reduce the number of places your medical records are distributed and to restrict secondary disclosures. Be sure to initial and date your authorization form changes.

7. Shred any medical records, claims, or receipts you are disposing.

8. Communicate with your physicians, hospital administrators, and community, county, state, and federal legislators about your concerns and challenges on medical privacy. Help educate providers and legislators about how the lack in medical record privacy impacts you. Consumers are the catalysts for urging new legislation to protect medical records and personal information.

9. Continually educate yourself on the current medical privacy issues. There are many places to receive this information; web sites like www.healthprivacy.org and www.epic.org are good places to start.

Written by Paul E. McNamara, MPP, PhD, Extension Specialist in Health and Consumer Economics, University of Illinois Extension and Katherine J. Reuter, CFCS, Extension Educator, University of Illinois Extension, May 2002.

References

Callahan Dennis, Jill, 2000. Privacy and Confidentiality of Health Information. San Francisco, California: Jossey-Bass, 106 pages, ISBN 0787952788.

Electronic Privacy Information Center, 2002. "Medical Record Privacy." Retrieved March 22, 2002, from www.epic.org/privacy/medical.

_______, 2002. "Medical Privacy Public Opinion Polls." Retrieved on April 26, 2002, from www.epic.org/privacy/medical/polls.html.

Goldman, Janlori, and Hudson, Zoe, 1999. "Exposed: A Health Privacy Primer for Consumers." Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University. Retrieved on April 26, 2002, from www.healthprivacy.org.

Health Privacy Project, 2002. "Health Privacy Polling Data." Retrieved on April 26, 2002, from www.healthprivacy.org.

_______, 2002. "Medical Privacy Stories." Retrieved April 26, 2002, from www.healthprivacy.org.

_______, 2002. "The State of Health Policy: Illinois." Retrieved on June 4, 2002, from www.healthprivacy.org.

_______, 2002. "What You Can Do To Protect Your Privacy." Retrieved on April 26, 2002, from www.healthprivacy.org.

Hyatt, Michael S., 2001. Invasion of Privacy: How to Protect Yourself in the Digital Age. Washington, D.C.: Regnery Publishing Company, 256 pages, ISBN0895262878;.

Karp, Jack, July 27, 2001. "Protecting Your Electronic Medical Records." Retrieved April 2, 2002, from www.techtv.com.

________, February 19, 2002. "Doctor-Patient E-Privilege." Retrieved April 2, 2002, from www.techtv.com.

Linowes, David F., 1989. Privacy in America: Is Your Private Life in the Public Eye? Urbana, Illinois: University of Illinois Press, 190 pages, ISBN 0252016041.

Rider, Mary Ellen, 1999. "Maintaining A Treasure Chest: Your Health Record." University of Nebraska Cooperative Extension Home Extension Form 481 Participant Manual. Available at www.ianr.unl.edu/pubs/consumered/hef481.htm.

Rider, Mary Ellen, 1999. "Maintaining A Treasure Chest: Your Health Record." University of Nebraska Cooperative Extension Home Extension Form 482 Leader Guide. Available at www.ianr.unl.edu/pubs/consumered/hef482.htm.

Rider, Mary Ellen, Ahlberg, Lisa, and Judy Webber, 1998. "Medical Record Privacy." University of Nebraska Cooperative Extension G98-1368-A. Available at www.ianr.unl.edu/pubs/consumered/g1368.htm.

U.S. Department of Health and Human Services, 2001. "Protecting the Privacy of Patients' Health Information." HHS Fact Sheet, dated July 6, 2001. Retrieved on April 26, 2002, from www.hhs.gov/news/press/.

U.S. Department of Health and Human Services, 2002. "Standards for Privacy of Individually Identifiable Health Information -- Proposed Rule Modification." HHS Fact Sheet, dated March 21, 2002. Retrieved on April 26, 2002, from www.hhs.gov/news/press/.