How can I keep my medical records private?
October 2, 2009 12:50 AM

How can I keep my medical records from getting into the wrong hands?

Even with HIPAA I'm quite skeptical about how private my medical records really are, especially in light of the large number of privacy breaches in recent years.

I asked a couple of former providers if they could send my medical records and discard their copies, and they told me that they are legally obligated to retain medical records. Which types of providers, exactly, are bound by these laws? I know they apply to my family physician, but do they also apply to professional hypnotists or physical therapists, even when I was paying out of pocket?

More generally, how can I reduce the amount of medical information "out there" about me that could get into the wrong hands?
posted by wireless to Law & Government (6 answers total)
Response by poster: Also, what are my rights with regard to requesting that a conversation with a physician be off the record?
posted by wireless at 12:53 AM on October 2, 2009

It seems to me that there are other records related to medical care which also need to be considered when discussing medical privacy.

An insurer will have a record of any services for which you made a claim, whether it was paid or not. Your pharmacist will have a record of medications dispensed to you. Any allied health providers to which you've been sent for blood tests, x-rays, etc. will have records of those tests and the results. Depending on where and when you were born, your original Guthrie heel prick sample may still exist somewhere.

Your "medical records" encompass more than just the patient files held by your doctor and your dentist, and some of the records held by ancillary service providers are probably not transferable to new providers but could be equally damaging if inappropriately disclosed. I'm not sure how you reduce the amount of medical information "out there" when so much of it is held by places you may never use again but from which you cannot recover your records or request destruction of them.

The question's an interesting one, and I'm especially interested in the period of time for which those ancillary records which are not patient files can be held (presumably there's a legal minimum period for which they must be retained, but I'm curious about whether there's a time after which they must be destroyed). I'd be far more concerned about a former insurer of mine holding information about my medical history than about a former doctor retaining that information.
posted by Lolie at 2:00 AM on October 2, 2009

Always pay cash, minimize preventative or maintenance care and go to the most low tech MD you can find. That way there is no insurance company involved, and there are fewer medical records period with lower likelihood of records being hacked since they are only in paper form. No guarantees about the shredding process though.

Federal and individual state laws probably differ about record keeping. Various professional organizations may also have recommendations about record keeping, especially for minors who may not be told of certain conditions or be aware of the importance of the information until later in life. Your state medical board probably has an ongoing discussion with assorted medical para-professionals as to who is a "medical professional" for the purposes of the law and that's a whole different discussion, but in general your hypnotist is technically (versus morally) not covered by HIPAA.

All in all, I think medical privacy is already a lost cause. The need for coordinated care among specialists and generalists, together with the high cost of such care, makes EMRs the only reasonably efficacious method of communication. Yes, you could carry records with you in addition to a central MD having them, and many people do. Just make sure these records don't get lost or aren't updated for any of a dozen reasons related to the time lag of testing, the postal system and neighbors. Or you'll be back at your MD's office asking for copies.
posted by beaning at 6:00 AM on October 2, 2009

Medical record retention is a matter of state law, and within that it can vary by what type of record it is (e.g. birth and death are usually permanent, diagnoses, films, etc. are usually 10 years). There are good legal reasons for this, among them the need for evidence in the event of malpractice claims.

Many providers/health systems are going to electronic these days, too. I understand your wanting your privacy, but it can be very important for providers to have your complete medical history when trying to treat you.

There are new breach notification regulations implementing HIPAA which require providers/carriers to notify individuals (and HHS and sometimes the media) when there has been a breach related to personal health information.
posted by Pax at 6:21 AM on October 2, 2009

Record retention laws vary widely by state. Here's a PDF document that details some of the differences between states. I'm not positive, but I believe what qualifies as "medical records" differs by state. Many practitioners will keep their medical records beyond the minimum date, and some don't ever destroy their medical records.

Frankly, I'm not sure how much control you have over your medical records. I don't want to freak you out, but your medical records travel lots of places. Hospitals sometimes outsource lab work, for example, so you may have records at facilities you've never heard of. Many facilities store their medical records off-site or hire other companies to complete requests for copies of medical records. Your medical records may be scanned and stored electronically at those off-site locations, creating new copies of them that you don't know about. Even when your information is destroyed, odds are it passes through at least half a dozen hands before paper meets shredder. All facilities that handle medical records must follow the same laws about confidentiality and privacy, and those laws are enforced very seriously. My point is that there are a lot of procedures that you have little control over, and the only way to really reduce the amount of medical information "out there" is to opt out of the system in some fashion.
posted by lilac girl at 10:04 AM on October 2, 2009

"go to the most low tech MD you can find"

This sounds like a bad idea. In my experience, there's so much motivation to digitize that the only practices that are still low-tech just don't have the money to change. If they don't have much income, they can't pay well, and you wind up with -- literally -- high-school kids hired to handle your medical records.
posted by booksandlibretti at 9:09 PM on October 2, 2009
