Who controls your health data? A guide to your rights

Headshot of Myles Ma, CPFC


Myles Ma, CPFCSenior ReporterMyles Ma, CPFC, is a certified personal finance counselor and former senior reporter at Policygenius, where he covered insurance and personal finance. His expertise has been featured in The Washington Post, PBS, CNBC, CBS News, USA Today, HuffPost, Salon, Inc. Magazine, MarketWatch, and elsewhere.

Published|5 min read

Policygenius content follows strict guidelines for editorial accuracy and integrity. Learn about our editorial standards and how we make money.

Electronic health records have freed our personal medical data from paper, giving doctors and patients more convenient access to the information they need. But digitizing health data opens it up to the same security risks faced by Facebook, Equifax and all the other companies we trust with our private information.

Federal privacy law outlines certain rights people have over their health information, but it's filled with exceptions. Knowing your rights, plus where the law falls short, can help you keep your private health details from falling into the wrong hands.

What rights do you have?

The federal law that restricts the release of medical information is the Health Insurance Portability and Accountability Act of 1996, or HIPAA. The HIPAA privacy rule gives people the right to to see and receive copies of their medical records kept by their health care providers and health plans. This includes billing records, insurance information, test results, medical images like X-rays and case notes.

The law also allows you to designate other people who can access your health information if, for example, you have a family member involved in your care and you want your doctor to be able to talk to them if you become incapacitated, said Sharona Hoffman, professor of law and bioethics at Case Western Reserve University. You also have the right to request a correction if you see a mistake in your health record, though your provider can refuse.

HIPAA restricts other entities, like your employer, from accessing your health information, but has a long list of exceptions of people to whom your health care provider can disclose your health information, Hoffman said.

Where the law falls short

In theory, you own your health information. But your health record is owned by whomever creates and stores it, Hoffman said.

"Your doctors office actually owns your medical record," she said.

Your health care providers are the real gate keepers for your health information. The law allows providers to disclose your health information for a variety of reasons. Some, but not all, of these exceptions help providers do their job. For example, the law allows the people treating you to share your health information, so your doctor can tell your nurse or a specialist your symptoms, Hoffman said.

Your provider can share your health information with your insurance company for billing purposes. A provider can access your record while doing an audit. They can disclose your information to law enforcement or to a public health agency, Hoffman said.

There are no restrictions under HIPAA for accessing health records with specific identifying information removed. Marketers and researchers can access this "de-identified" information, and they may be able to match it with other data they have to identify individual people, Hoffman said.

Some people argue there are too many exceptions, Hoffman said. And the law comes up short when it comes to other places your health information might end up, like genetic testing services, employers or social media.

"A big shortfall is that HIPAA only covers health care providers, insurers, health care clearing houses, which do some billing and administrative work, and their business associates," Hoffman said. "It doesn't cover anyone else that handles health information."

Your employer has a lot of health information. Many companies require pre-employment drug testing or take part in wellness programs. HIPAA doesn't cover these programs. The Americans with Disabilities Act requires employers to keep this information confidential, but isn't as specific as HIPAA about what that means, Hoffman said.

Employers aren't supposed to act on wellness information, but it would be challenging to prove they denied you a raise or promotion because of it, Hoffman said. Companies who self-insure have even more information.

In 2015, AOL CEO Tim Armstrong faced a national backlash after blaming benefit cuts on the cost of providing health care to two employees with "distressed babies." Other employees were able to connect the dots and figure out who he was talking about. The baby's mother blasted Armstrong for violating her family's privacy.

Many people share their health data with corporations through fitness devices, apps and online searches, said Dr. Deborah C. Peel, founder and president of Patient Privacy Rights, an advocacy group. Searches are particularly revealing and can be tied back to the searcher or their family.

How to protect your data

Many people are protecting their data by not giving it out. In a 2016 survey of 12,090 adults conducted by Black Book Research, 89% said they withheld information during visits and many were concerned their prescriptions, mental health notes and chronic condition data would be shared with retailers, employers or the government without their permission. Withholding information this way puts patients' health at risk, Peel said, but people fear their health information will lead to discrimination.

Peel said to avoid posting about your physical or mental health on social media. Avoid free health apps as well. The reason they're free is because they're selling your data, Peel said.

Data companies can vacuum up disparate scraps from social media posts, data from free apps and "de-identified" health information to form a complete picture of your health, Peel said.

Short of keeping secrets from your doctor, you have some tools to protect your information. Make use of the rights you do have under HIPAA: You can ask your provider for an "accounting of disclosures," a list of times they shared your provider with another person or organization. This way you can at least get an idea of how your information is being used.

If something's incorrect, you have the right to ask your provider to fix it, which they have 60 to 90 days to do if they agree to the change. If not, the disagreement will at least get noted in your record.

Finally, if you feel your information was used improperly, you can file a complaint with your provider, health insurer, the Department of Health and Human Services or your state's Attorney General. The privacy notice you receive when you agree to take part an electronic health record system should tell you how to file a complaint.

"Your data is you," Peel said. "You need to control it."

Ready to shop for life insurance?