Medical Records Release
Many people consider information about their health to be highly sensitive, deserving of the strongest protection under the law. Long-standing laws in many states and the age-old tradition of doctor-patient privilege have been the mainstay of privacy protection for decades.
Now, the federal Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the privacy of health information, effective April 14, 2003. But HIPAA applies only to medical records maintained by health care providers, health plans, and health care clearinghouses - and, for providers, only if the provider transmits health information in electronic form. A great deal of health-related information exists outside of health care facilities and the files of health plans, and is thus beyond the reach of HIPAA. (See PRC Fact Sheet 8a, "HIPAA Basics.")
The extent of privacy protection given to your medical information often depends on where the records are located and the purpose for which the information was compiled. The laws that cover the privacy of medical information vary by situation. And confidentiality is likely to be lost in return for insurance coverage, an employment opportunity, an application for a government benefit, or an investigation of health and safety at your work site. In short, you may have a false sense of security. This guide provides information on medical records not covered by the HIPAA Privacy Rule:
- A description of medical records.
- Situations where HIPAA does not cover medical records.
- Who has access to your medical records?
- Tips for protecting the privacy of your health records.
- How to access your own records.
- How to learn more about the new federal rules, HIPAA.
- Electronic Health Records -- Benefits and Dangers for Consumers
- Resources for additional information.
What do my medical records contain?
Medical records are created when you receive treatment from a health professional such as a physician, nurse, dentist, chiropractor, or psychiatrist. Records may include your medical history, details about your lifestyle (such as smoking or involvement in high-risk sports), and family medical history.
In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects.
Information you provide on applications for disability, life, or accident insurance with private insurers or government programs can also become part of your medical file.
What medical information is not covered by HIPAA?
Medical information that is not covered by the new federal privacy law might be found in your financial records, your child's school records, and/or your employment files.
Financial records. The federal Gramm-Leach-Bliley Act (GLB) allows financial companies such as banks, brokerage houses, and insurance companies to affiliate and operate as a single entity. GLB gives you the right to be notified about the information-sharing practices of financial institutions, and you must be given an opportunity to opt out of sharing with non-affiliated third parties. But GLB does not keep information from being shared among affiliated companies.
Your credit card account and checking transactions are likely to include information about where you go for health care. Insurance applications and medical claims also contain health-related information. So it is possible for such medical information to be shared among affiliates of financial institutions. Such information is not protected by HIPAA.
Some financial companies promise extra protection for medical information, and state insurance laws may prohibit insurance companies from giving information to an affiliated bank. It pays to examine the privacy notices of financial institutions carefully. (See PRC Fact Sheet 24, "Protecting Financial Privacy.")
Education records maintained by your child's school contain vaccination histories, information about physical examinations for sports, counseling for behavioral problems, and records of visits to the school nurse. The privacy of education records is governed by the Family Educational Rights and Privacy Act (FERPA), which is administered by the U.S. Department of Education. These records are not covered by HIPAA. For more information about FERPA, see the Department's web site.
Employment records and medical information may be mingled in situations not covered by HIPAA. Your employer may be covered by the Occupational Safety and Health Act (OSH Act), enforced by OSHA. If so, you have the right to access the medical records gathered for your employer's OSHA responsibilities. (See the U.S. Department of Labor web site for more on employees' rights under OSHA.)
In addition, the federal Family and Medical Leave Act (FMLA) gives eligible workers the right to 12 weeks of unpaid leave a year for personal and family health reasons. If FMLA leave is because of a serious illness, your employer may request a doctor's certification of the illness. But the employer cannot make you produce your medical records. See the U.S. Department of Labor web site for more information on FMLA.
If your employer is self-insured for employees' medical benefits, its handling of insurance claims and other health-related information for the group health plan is covered by HIPAA. In this capacity, the employer would be considered a "hybrid" entity: HIPAA covers its health plan functions but not the rest of its business. For more information on HIPAA as it applies to employer group health plans and self-insurance situations, see PRC Fact Sheet 8a, "HIPAA Basics."