How can you protect your medical privacy?

The Health Information Privacy and Accountability Act of 2003 – HIPAA – offers basic, but not complete, protection of your medical records. Take these extra steps to ensure you’re shielding your medical records from thieves and peepers.

  • Under HIPAA, your health care provider can share your medical records. Give your provider a written statement that revokes permission to share your records without your written consent.
  • Ask your provider how photocopies of your records are handled. Records sometimes are copied more times than are needed and the extras may be put into the wastebasket instead of going straight to the shredder.
  • Cordless and cell phones are less secure than landlines, and fax transmissions aren’t secure at all. Find out your provider’s policy about how records are shared with consulting specialists and others involved in your care.
  • If you work for a business that’s self-insured, the company’s human resources department is likely to have copies of medical records. Find out how these records are stored and handled, and deliver a written statement to the department that you hold the company, the department and its manager personally responsible for the security of your records. Ask the manager to countersign the statement to show that it was received.
  • Be skeptical about taking part in publicly-offered health screenings in shopping malls or getting flu shots at a drug store. Ask what use will be made of any of your medical information. If you’re not given the opportunity to forbid your personal information from being shared, don’t give any.
  • Don’t fill out surveys or questionnaires that ask for personal medical information in exchange for entering you in a contest or rewarding you with coupons or discounts.
  • The Internet is the Wild West of information-sharing. If you take part in medically-related chat rooms or sites that ask for your personal data, check the site’s privacy policy. Even if you use a pseudonym in chats, your personal information can be matched to your computer’s Internet address. Before sharing personal information on a health website, find out if it participates in a web seal program such as TRUSTe, HON, or URAC Health Website Accreditation. If you’re not convinced that the site can guarantee the confidentiality of your identity and medical details, leave.
  • If your health care provider retires, merges with another practice, or goes out of business, find out how your records will be treated and where they’ll be stored. If a business goes bankrupt, its database of patient information can become an asset for sale. File written statements with archival sites that you will hold them personally responsible for your records’ security. If you can’t get a countersignature on your statement, send it by registered mail so you have proof of delivery.
  • If your medical records are subpoenaed as part of a legal proceeding, they become part of the public record. Ask the judge involved to only open the portions of your medical record that are indispensable to the case and, after the proceeding is over, ask the judge to seal the case’s records or, at least, the portion that includes your medical details.
  • If your employer offers an employee health or wellness plan, find out if your records will be stored with an outside business or become part of your personnel file. If so, ask for a written copy of the privacy policy that governs the use of the records.
  • Avoid genetic testing if at all possible. If you decide to be tested, get a written statement about who will have access to the test results and how they’ll be stored and by whom.
  • By law, your medical records are your property. Keep a copy of your medical history in case your care provider goes out of business.
  • If your information has been breached or stolen:

— Contact the credit bureaus and check your credit report at You’re entitled to one free copy of your report each year.
— Contact your health insurance carrier, health care provider, and any hospital that has records of you and tell them that your medical information has been rifled or stolen.
— File a police report.
— Finally, file an incident report at This is additional insurance that your case has been reported.
