Where are permanent medical records kept?
July 9, 2005 2:32 PM Subscribe
Where are permanent medical records kept?
I participated in a study that involved my getting an MRI a few months ago. At the end of the study, they handed me a picture of my brain and told me that the MRI information would become part of my permanent medical record.
So where is this file kept? I've moved around several times in the last few years and seen several different doctors at several different practices. I know my file from my childhood doctor was huge, but how do all the different doctors put their information together? Is there some ginormous database somewhere? Do they just keep passing this huge manila folder around? The visit to the hospital for the MRI was a one-off, but if they're putting it in my record, where does it go and how do other doctors access it? How do the other doctors even know it exists?
I participated in a study that involved my getting an MRI a few months ago. At the end of the study, they handed me a picture of my brain and told me that the MRI information would become part of my permanent medical record.
So where is this file kept? I've moved around several times in the last few years and seen several different doctors at several different practices. I know my file from my childhood doctor was huge, but how do all the different doctors put their information together? Is there some ginormous database somewhere? Do they just keep passing this huge manila folder around? The visit to the hospital for the MRI was a one-off, but if they're putting it in my record, where does it go and how do other doctors access it? How do the other doctors even know it exists?
There is no such thing as one Permanent Medical Record, which is why they gave you a copy of the MRI. If you go to that hospital the doc will have access to it there, but your regular dr will only see it if you take it to her. This is why the proper answer to the question is: with you. You should always get copies of your records when you switch drs or move or something. They may charge you for it, but under HIIPA they have to give it to you.
On the other hand, there is a huge health insurance database that has a record of all procedures you've been through, or at least every one that insurance has paid for. This is why it can be a good idea to pay for some things out of pocket if you ever expect to have to be covered by private insurance.
posted by OmieWise at 2:49 PM on July 9, 2005
On the other hand, there is a huge health insurance database that has a record of all procedures you've been through, or at least every one that insurance has paid for. This is why it can be a good idea to pay for some things out of pocket if you ever expect to have to be covered by private insurance.
posted by OmieWise at 2:49 PM on July 9, 2005
On the other hand, there is a huge health insurance database that has a record of all procedures you've been through, or at least every one that insurance has paid for.
You're saying there's a centralized database on everyone that crosses insurance companies, and that they have access to? Do you have anything to substantiate this claim?
posted by grouse at 3:12 PM on July 9, 2005
You're saying there's a centralized database on everyone that crosses insurance companies, and that they have access to? Do you have anything to substantiate this claim?
posted by grouse at 3:12 PM on July 9, 2005
grouse-There is such a database, it is as you characterize it. I can't remember what it's called, but I learned of it in a health policy class dealing with HIV/Aids in my Master's of Social Work Program. It isn't a conspiracy theory or anything. The woman who taught the class was an RN/MSW/PhD Public Health from Hopkins. She was not given to fibbing.
posted by OmieWise at 3:47 PM on July 9, 2005
posted by OmieWise at 3:47 PM on July 9, 2005
Best answer: There is such a database, it is as you characterize it.
I worked at a health insurance company, and we had no such database; in fact, the existence of a common database of patient information, used by all insurance companies, would violate federal law in several ways. Under HIPAA your health-care information can only be disclosed for the explicit purposes of treatment, payment and operations, and submitting a claim to your insurance company or providing records to other physicians who might treat you requires your written permission (this is why there are so many releases to sign when you visit the doctor). Even when a patient is covered by multiple carriers who each process a claim, the only information shared is the amount paid on the claim by the carrier(s) who previously processed it.
As a result, the only information an insurance company has on a patient is the history of claims submitted to that specific insurance company, and when more information is needed the company will contact the patient or physician to obtain it.
Also, any time an insurance company requests further information from your physician they are required by law to notify you of the request and its details. So, for example, you might get a letter stating that the insurance company has requested the physician's notes or a pathology report or whatever other specific records they asked for. Pretty much the only time the notification can be less specific is when the company is investigating whether a condition is pre-existing; the notification will state this, but for confidentiality reasons the copy sent to the patient cannot include details of the diagnosis being investigated (an insurance company is never permitted to disclose a diagnosis in that fashion).
posted by ubernostrum at 4:16 PM on July 9, 2005
I worked at a health insurance company, and we had no such database; in fact, the existence of a common database of patient information, used by all insurance companies, would violate federal law in several ways. Under HIPAA your health-care information can only be disclosed for the explicit purposes of treatment, payment and operations, and submitting a claim to your insurance company or providing records to other physicians who might treat you requires your written permission (this is why there are so many releases to sign when you visit the doctor). Even when a patient is covered by multiple carriers who each process a claim, the only information shared is the amount paid on the claim by the carrier(s) who previously processed it.
As a result, the only information an insurance company has on a patient is the history of claims submitted to that specific insurance company, and when more information is needed the company will contact the patient or physician to obtain it.
Also, any time an insurance company requests further information from your physician they are required by law to notify you of the request and its details. So, for example, you might get a letter stating that the insurance company has requested the physician's notes or a pathology report or whatever other specific records they asked for. Pretty much the only time the notification can be less specific is when the company is investigating whether a condition is pre-existing; the notification will state this, but for confidentiality reasons the copy sent to the patient cannot include details of the diagnosis being investigated (an insurance company is never permitted to disclose a diagnosis in that fashion).
posted by ubernostrum at 4:16 PM on July 9, 2005
Best answer: There were movements toward such a centralized insurance database until HIPAA quashed it.
There is no centralized medical record system, nor do most of us think that there ever will be, nor should be. Record transfer can be accomplished via hand-carrying by the patient (the most foolproof in several ways), mail or electronic transfer.
However, the phrase 'permanent medical record' has some meaning. Once medical records are generated, they (or at least the part of them that represents 'information') are in some legal sense the property of the patient. For example, the film and silver emulsion that your MRI is printed on doesn't belong to you, but the pixels of the image do.
Once the records are generated, there are very specific Federal laws as to how they can be handled, how they must be stored, for what period of time they must not be destroyed, etc. The laws detailing to whom and in what manner they may be disclosed were actually simplified by HIPAA - they are now only proto-Byzantine, rather than the full fledged Byzantine that they used to be. It'd be a reasonable, yet not really accurate first approximation to say that you, your direct care-takers (doctors, nurses, etc) and your legal designees can access your health record; and pretty much no one else can without your permission.
It's likely that if the study you participated in did 500 brain MRIs, they could pick up a few cases of brain tumor, MS, or whatnot. (Actually, they run this risk with every MRI they do, so the scale of the study really doesn't matter.) Some ethics committee was doubtless aware of this and mandated your researchers to have the MRIs reviewed by a physician and the information therein revealed be made part of your medical record. This is because it would be generally considered unethical to discover incidentally that someone had a brain tumor and then, for example, do nothing with that information.
posted by ikkyu2 at 4:58 PM on July 9, 2005
There is no centralized medical record system, nor do most of us think that there ever will be, nor should be. Record transfer can be accomplished via hand-carrying by the patient (the most foolproof in several ways), mail or electronic transfer.
However, the phrase 'permanent medical record' has some meaning. Once medical records are generated, they (or at least the part of them that represents 'information') are in some legal sense the property of the patient. For example, the film and silver emulsion that your MRI is printed on doesn't belong to you, but the pixels of the image do.
Once the records are generated, there are very specific Federal laws as to how they can be handled, how they must be stored, for what period of time they must not be destroyed, etc. The laws detailing to whom and in what manner they may be disclosed were actually simplified by HIPAA - they are now only proto-Byzantine, rather than the full fledged Byzantine that they used to be. It'd be a reasonable, yet not really accurate first approximation to say that you, your direct care-takers (doctors, nurses, etc) and your legal designees can access your health record; and pretty much no one else can without your permission.
It's likely that if the study you participated in did 500 brain MRIs, they could pick up a few cases of brain tumor, MS, or whatnot. (Actually, they run this risk with every MRI they do, so the scale of the study really doesn't matter.) Some ethics committee was doubtless aware of this and mandated your researchers to have the MRIs reviewed by a physician and the information therein revealed be made part of your medical record. This is because it would be generally considered unethical to discover incidentally that someone had a brain tumor and then, for example, do nothing with that information.
posted by ikkyu2 at 4:58 PM on July 9, 2005
Er, how do we docs know that you have a medical record elsewhere, and what it might contain? Easy - we ask, or you tell us unprompted. Such disclosures are always welcome and sometimes even useful.
posted by ikkyu2 at 4:59 PM on July 9, 2005
posted by ikkyu2 at 4:59 PM on July 9, 2005
I used to work in my dad's medical practice, and we were always getting requests to photocopy so-and-so's records and send them to their new doctor.
There was also a HUGE room in the basement that was full of all the inactive charts: people who had either died or gone to a different doctor. They weren't allowed to be discarded.
posted by elisabeth r at 5:04 PM on July 9, 2005
There was also a HUGE room in the basement that was full of all the inactive charts: people who had either died or gone to a different doctor. They weren't allowed to be discarded.
posted by elisabeth r at 5:04 PM on July 9, 2005
http://www.lbl.gov/Education/ELSI/privacy-main.html
In a recent 1993 Harris Poll, more than a quarter of the people who responded said that information about them had been improperly disclosed. Below is a list of some agencies who already have access to your medical information:
1. Health and Life Insurance companies require you to release your records before they will issue a policy to you.
2. Government agencies such as Medicare or Social Security Administration
3. The Medical Information Bureau has approximately 15 million files in a central database. Every time you file an insurance claim, a copy of this information goes to MIB.
4. Some institutions gather medical information on individuals and sell this information to drug companies.
so check: www.mib.com
Maybe HIPPA is helping , but your record is Out there..
posted by Agamenticus at 8:07 PM on July 9, 2005
In a recent 1993 Harris Poll, more than a quarter of the people who responded said that information about them had been improperly disclosed. Below is a list of some agencies who already have access to your medical information:
1. Health and Life Insurance companies require you to release your records before they will issue a policy to you.
2. Government agencies such as Medicare or Social Security Administration
3. The Medical Information Bureau has approximately 15 million files in a central database. Every time you file an insurance claim, a copy of this information goes to MIB.
4. Some institutions gather medical information on individuals and sell this information to drug companies.
so check: www.mib.com
Maybe HIPPA is helping , but your record is Out there..
posted by Agamenticus at 8:07 PM on July 9, 2005
I think OmniWise is referring to the Medical Information Bureau, commonly referred to as MIB.
MIB is typically used by insurance companies to share informational codes about consumers and their health history. When an insurance company is underwriting a new policy, they will have an applicant answer questions about their medical history and can use MIB to verify information. Although MIB isn't like a "permanent medical record" it will have flags of anything an insurance company paid on - IF that insurance company uses MIB. Not all do.
Your MIB file is available at any time for your own review.
Here are some additional links:
MIB About Us
Article on "mysterious" MIB revealed
Article by Legal Match explaining MIB further
Sorry this is a bit off-topic, but I thought some clarification and links might help as well.
posted by cyniczny at 8:20 PM on July 9, 2005
MIB is typically used by insurance companies to share informational codes about consumers and their health history. When an insurance company is underwriting a new policy, they will have an applicant answer questions about their medical history and can use MIB to verify information. Although MIB isn't like a "permanent medical record" it will have flags of anything an insurance company paid on - IF that insurance company uses MIB. Not all do.
Your MIB file is available at any time for your own review.
Here are some additional links:
MIB About Us
Article on "mysterious" MIB revealed
Article by Legal Match explaining MIB further
Sorry this is a bit off-topic, but I thought some clarification and links might help as well.
posted by cyniczny at 8:20 PM on July 9, 2005
The MIB isn't a complete medical record unless you've filed an insurance claim for each and every lab test, procedure, or interaction you've ever had with the healthcare system and that company files with the MIB. As the industry consolidates into fewer and fewer payers, MIB will get more and more information. If you work for a company with a self-insured plan, meaning that your employer funds and pays for claims itself and only uses an administrator, it probably won't use the MIB.
As an RN, I can tell you that your medical record at a particular facility belongs to you, but the paper/microfilm/media it's stored/printed on belongs to the facility in which it's kept. You have the right to see your record, but the hospital or doctor's office also has the right to charge you a fee for copying it.
HIPAA has helped some with privacy, but it's far from perfect. Just last week a world-class, very famous health care facility in Minnesota (four letters, starts with 'M' and ends with 'O'), where I'm a patient, sent me lab and cardiac results that belong to someone else. If that place can't get it right, ain't nobody gonna get it right.
posted by lambchop1 at 8:34 PM on July 9, 2005
As an RN, I can tell you that your medical record at a particular facility belongs to you, but the paper/microfilm/media it's stored/printed on belongs to the facility in which it's kept. You have the right to see your record, but the hospital or doctor's office also has the right to charge you a fee for copying it.
HIPAA has helped some with privacy, but it's far from perfect. Just last week a world-class, very famous health care facility in Minnesota (four letters, starts with 'M' and ends with 'O'), where I'm a patient, sent me lab and cardiac results that belong to someone else. If that place can't get it right, ain't nobody gonna get it right.
posted by lambchop1 at 8:34 PM on July 9, 2005
HIPAA is the most perfect example of bureaucracy run wild, and the proverbial "few bad apples" ruining it for the vast majority of people. It is a HUGE government project, supplemented by thousands of private-sector and contracted HIPAA workers, that has and will continue to needlessly increase the cost of healthcare.
/rant
posted by davidmsc at 10:14 PM on July 9, 2005
/rant
posted by davidmsc at 10:14 PM on July 9, 2005
Thanks for your links, cyniczny.
FACT – Privacy concerns at MIB and member companies are taken more seriously than you can possibly imagine.
This is so bare-facedly false that I'd like to smack the person who wrote it. I can imagine a degree of personal privacy that would cause the brain of the author of this sentence to melt into a puddle of unrecognizable goo.
posted by ikkyu2 at 10:15 PM on July 9, 2005
FACT – Privacy concerns at MIB and member companies are taken more seriously than you can possibly imagine.
This is so bare-facedly false that I'd like to smack the person who wrote it. I can imagine a degree of personal privacy that would cause the brain of the author of this sentence to melt into a puddle of unrecognizable goo.
posted by ikkyu2 at 10:15 PM on July 9, 2005
I worked at a large hospital that specialized in pediatrics. For three years we kept old records in the basement. After that they were sent to an off hospital storage facility (just a normal rented storage shed). After 5 or 7 years, I forget which, the records are destroyed.
At each stage the records become more disorganized, and our chance of finding a record becomes less possible. It's an amazingly incompetent way of doing things, especially considering today's technology.
We often had 18 year olds getting ready for college stop by wanted shot records from their childhood when it had been 10 years since we had seen them. Most were shocked we didn't have their records.
And with hippa, things have gotten even worse.
posted by justgary at 11:21 PM on July 9, 2005
At each stage the records become more disorganized, and our chance of finding a record becomes less possible. It's an amazingly incompetent way of doing things, especially considering today's technology.
We often had 18 year olds getting ready for college stop by wanted shot records from their childhood when it had been 10 years since we had seen them. Most were shocked we didn't have their records.
And with hippa, things have gotten even worse.
posted by justgary at 11:21 PM on July 9, 2005
This doesn't directly answer the question, but since ubernostrum's answer was flagged as best, I feel I need to make a correction. Obtaining consent for release of your medical information is optional in a number of cases. These generally relate to treatment, but also include "payment", i.e. insurance companies; see here. One of my biggest complaints about HIPAA was that it removed the requirement that information could only be shared with insurance companies with the patient's consent, while making it more difficult to share information otherwise, even when appropriate. The official scoop on sharing medical information under HIPAA is here, but they really de-emphasize that part of the reason HIPAA was enacted was to make it easier for insurance companies to get medical records, thus the fact that health insurance figures prominently in the name of the act.
Oh, and to more directly answer your question, most hospitals keep information indefinitely, but put it on microfilm if it is not used for a few years (this is changing as more hospitals go to electronic records). Doctors offices on the other hand, typically keep records until the doctor retires, at which time patients are asked to pick up their records. Any records not picked up by the patients are either shredded (or thrown away in earlier days) or stuck in a storage unit somewhere for destruction at some future time.
posted by TedW at 6:36 AM on July 10, 2005
Oh, and to more directly answer your question, most hospitals keep information indefinitely, but put it on microfilm if it is not used for a few years (this is changing as more hospitals go to electronic records). Doctors offices on the other hand, typically keep records until the doctor retires, at which time patients are asked to pick up their records. Any records not picked up by the patients are either shredded (or thrown away in earlier days) or stuck in a storage unit somewhere for destruction at some future time.
posted by TedW at 6:36 AM on July 10, 2005
cyniczny writes "MIB is typically used by insurance companies to share informational codes about consumers and their health history. When an insurance company is underwriting a new policy, they will have an applicant answer questions about their medical history and can use MIB to verify information. Although MIB isn't like a 'permanent medical record' it will have flags of anything an insurance company paid on - IF that insurance company uses MIB. Not all do."
Thank you, this is what I refered to, and matches how I characterized it.
posted by OmieWise at 8:01 AM on July 10, 2005
Thank you, this is what I refered to, and matches how I characterized it.
posted by OmieWise at 8:01 AM on July 10, 2005
TedW: I had always been under the impression that physicians do have to get your permission to submit the information even though it's the "payment" part of "treatment, payment and operations". That's why (or so I thought) both the HCFA-1500 and UB92 claim forms (the standard forms used by physicians and hospitals, repsectively) have a field indicating that the patient has signed an authorization for release.
And in some ways HIPAA did make it easier for us to obtain records, since it created a nationwide standard for authorization (so if you have a HIPAA-compliant Authorization for Release on file you know no-one can give you trouble or force you to jump through extra hoops). But it did a lot more than that; for example, it established the 63-day grace period between the lapse of one coverage and the beginning of another which can prevent the re-application of pre-existing clauses (that ability to move to another insurer without penalty is 'Portability', which is the 'P' in HIPAA), and severely limited the applicability of those clauses. It also introduced strict civil and criminal penalties for violations of medical privacy (this is 'Accountability', which is the first 'A' HIPAA); neither of these can be viewed as making life easierfor an insurance company. In fact, I'd be willing to guess that the company I worked for suffered some losses due to HIPAA simply because of the time spent modifying systems and retraining people for compliance.
posted by ubernostrum at 1:58 PM on July 10, 2005
And in some ways HIPAA did make it easier for us to obtain records, since it created a nationwide standard for authorization (so if you have a HIPAA-compliant Authorization for Release on file you know no-one can give you trouble or force you to jump through extra hoops). But it did a lot more than that; for example, it established the 63-day grace period between the lapse of one coverage and the beginning of another which can prevent the re-application of pre-existing clauses (that ability to move to another insurer without penalty is 'Portability', which is the 'P' in HIPAA), and severely limited the applicability of those clauses. It also introduced strict civil and criminal penalties for violations of medical privacy (this is 'Accountability', which is the first 'A' HIPAA); neither of these can be viewed as making life easierfor an insurance company. In fact, I'd be willing to guess that the company I worked for suffered some losses due to HIPAA simply because of the time spent modifying systems and retraining people for compliance.
posted by ubernostrum at 1:58 PM on July 10, 2005
Ubernostrum; you are right that HIPAA makes it easier for patients to get theirown records; you are also right that it establishes more severe (and uniform) penalties than existed before for inapproriate disclosure of medical information. However, this is what the Dept. of Health and human services says about consent, with relevant parts highlighted:
Consent. A covered entity may voluntarily choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations. A covered entity that chooses to have a consent process has complete discretion under the Privacy Rule to design a process that works best for its business and consumers.
A “consent” document is not a valid permission to use or disclose protected health information for a purpose that requires an “authorization” under the Privacy Rule (see 45 CFR 164.508), or where other requirements or conditions exist under the Rule for the use or disclosure of protected health information.
Right to Request Privacy Protection. Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and health care operations. A covered entity is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. See 45 CFR 164.522(a).
posted by TedW at 9:28 AM on July 11, 2005
Consent. A covered entity may voluntarily choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations. A covered entity that chooses to have a consent process has complete discretion under the Privacy Rule to design a process that works best for its business and consumers.
A “consent” document is not a valid permission to use or disclose protected health information for a purpose that requires an “authorization” under the Privacy Rule (see 45 CFR 164.508), or where other requirements or conditions exist under the Rule for the use or disclosure of protected health information.
Right to Request Privacy Protection. Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and health care operations. A covered entity is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. See 45 CFR 164.522(a).
posted by TedW at 9:28 AM on July 11, 2005
Whoopsie. We may all have jumped the gun - Medicare will give away Vista medical recordkeeping software to doctors. Maybe it's coming sooner than we think.
posted by ikkyu2 at 7:26 PM on July 22, 2005
posted by ikkyu2 at 7:26 PM on July 22, 2005
This thread is closed to new comments.
posted by ericb at 2:40 PM on July 9, 2005