Posted by Bill Sandweg on 20 July 2020.

As patients, we have an expectation that our medical records will remain confidential. After all, there are few records more personal than our medical records, which may describe the most intimate details of our personal lives. Confidentiality is important to the physician/patient relationship because, without it, patients may be understandably reluctant to be honest in describing to the provider their history and problems. Unfortunately, technology and human nature are conspiring to make the desired confidentiality an illusion.

As much as we might want our personal data to be confidential, the ways in which it is distributed, the way health care providers act and the attempts by dishonest people to hack our data all make our desires nearly meaningless.

Let’s start with who gets to see our records already. Over the last 50 years, medicine has changed. When we go to the hospital, we are cared for by a team of doctors, nurses, technicians, aides and on and on. Every breath we take is charted, or is supposed to be. A complete and accurate medical record is necessary to allow for different team members, who may never speak directly to each other, to know what is going on with the patient and how to best treat them. More and more these records are being kept only in hospital computers, These are EMR’s (Electronic Medical Records). Everyone with access to the hospital computer system and the patient ID number can see the patient’s records. You can find news stories about instances in which people with access to the hospital computer have improperly looked at a patient’s medical records. The news stories usually involve celebrity patients but it happens with other patients as well.

The documents we sign for our doctors and at the hospital specifically allow the doctor or hospital to share our records and information with our insurance company and with the businesses they contract with to provide certain services. Among these would be the vendor who sells and maintains the EMR system, outside laboratories, and the like. They are also required to provide our information to local, state or federal agencies under certain circumstances. All kinds of people at these various locations may see your records.

Health care providers themselves are often sources of confidentiality breaches. Any one of a patient’s providers may gossip with a friend about an interesting case and accidentally provide enough information for the patient to be identified. They may discuss a patient with a colleague when the colleague is not involved in the care. They may discuss a patient with a appropriate person but do so in a careless way. Providers are sometimes overheard in the elevator or the cafeteria or the hallway or the locker room discussing confidential patient information. Studies have found that these are actually some of the most severe breaches.

Then there are the hackers who invade the medical records of hospitals, insurance companies, healthcare providers to steal personal information they can use to make money. In 2019 alone, the records of nearly 35 million patients were compromised by hackers. Some of these hacks went on for years before they were discovered. It is almost certain that there are records being reviewed right now by hackers, who have not been discovered by the system operator. There are so many companies with access to records that there is a vast and fertile field for hackers to exploit to steal information. Sometimes, you don’t even need to be a hacker to get protected patient information. Sometimes, the company accidentally leaves the information unprotected on the internet for anyone to see.

Then, of course, there is plain old fallible human nature and the inevitability that human beings occasionally make mistakes. Some of these mistakes end up exposing confidential information on an individual scale. A provider may disclose sensitive information to a family member. In one case that made the news, the confidential information was disclosed to the ex-wife because the provider had not updated its records. Or the provider may send a letter or leave a voice mail in such a way that someone other than the patient gets the information. This kind of error is most likely to cause great personal distress.

There is not much you can do to make your records more secure. That is the system and we are fools, if we do not recognize the limitations inherent in it. We can and should, however, make sure our records are accurate. More and more patients can see what the provider is writing or has written and ask for corrections to be made. Providers may be resistant to actually correcting records but that is a subject for another day.