How Safe Are Your Medical Records?

HIV Clinic Blunder Ignites Concerns About Patient Confidentiality


On September 2, 2015, a clinic in Central London made world headlines when it was learned that the administrators had accidentally leaked the names of 780 HIV-positive patients in its monthly newsletter. A spokesperson for the 56 Dean Street Clinic, a government-funded facility based in London's Soho district, admitted that the clinic "screwed up" by copying all 780 patients on the same email rather than sending the emails individually.

While cases like this (or at least of this scale) are uncommon, they often serve to undermine the public's confidence in how well medical records are kept and how such information can or should be shared. This is particularly true when it comes to communicable diseases like HIV or STDs, wherein the release of such information can place a person at risk of embarrassment, stigmatization and discrimination.

Law Protecting Patient Privacy and Confidentiality

In the U.S., a number of laws have been put into place to address these concerns. Chief among them is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law enacted by Congress to enhance the efficacy and transparency of health insurance coverage. Co-authored by Senator Ted Kennedy of Massachusetts and Senator Nancy Kassebaum Baker of Kansas, HIPAA was signed into law on August 21, 1996 by President Bill Clinton and serves two primary functions:

  • Title I: To protect health insurance coverage for individuals or families who change or lose their jobs.
  • Title II: To prevent health insurance abuse and fraud; and to improve the administration of the healthcare systems by creating standards for the use and dissemination of healthcare information.

Among the provisions of Title II was the enactment of the HIPAA Privacy Rule, which regulates the sharing of a patient's healthcare information by so-called "covered entities," which include medical providers, health insurers and their contracted associates.

As dictated by the Privacy Rule, healthcare information may be shared without a patient's written consent under the following conditions:

  • When requested by law enforcement officials as required by law (for example, by subpoena or warrant; or to locate a missing person or fugitive).
  • In order to facilitate treatment, payment or healthcare operations so long as reasonable effort is made to release only that information needed to achieve such purpose.

All other disclosures require the expressed written authorization from the patient before any such disclosure is made.

Interpreting the HIPAA for People Living With HIV

Privacy and confidentiality remain key concerns among many individuals infected with HIV. In fact, according to a survey conducted by the University of California, Los Angeles in 2008, breach of confidentiality was cited as the most salient reason for avoiding HIV testing among low-income Americans.

The HIPAA Privacy Rule is meant to ensure that, among other things, a patient's HIV status is not disclosed without his or her expressed consent.

It doesn’t mean, however, that a patient can tell a doctor when or where to make such disclosure in every case.

For example, a doctor may choose to share a patient's information with nurses or specialists if it is deemed necessary to the immediate or ongoing medical treatment of that patient. Failure to make such disclosure may, in fact, be detrimental if the medical team is unaware either of medications the patient is taking or infections that may be related to (or impacted by) the patient's HIV.

While there may be some ethical "gray areas"—where one could question whether the patient's HIV status is relevant to a particular treatment or procedure—it has become increasingly important to share this information with healthcare providers insofar as the long-term management of HIV includes the avoidance of many non-HIV-related illnesses, including cardiovascular disease and cancer. Avoiding such disclosure places a patient at increased risk for misdiagnoses, duplicated treatment, or adverse drug events.

To better understand what information may or may not be shared by an individual provider, request their Notice of Privacy Policy. This not only explains your rights under the HIPAA, but also spells out exactly how your records may be shared. The policy is often posted on health insurance websites, as well as in hospital admissions, pharmacies, and doctor's offices. If not, you can request a copy or ask that one be mailed to you.

If concerned about any disclosure, potential or otherwise, discuss the issue when first meeting your doctor and/or in the event that a medical referral is made. You can also request what is called an accounting of disclosure, which outlines how and where your healthcare information has been shared.

The HIPAA also affords you the right to tell your doctor and other contracted entities which telephone number or email address to use in order to prevent accidental disclosure of HIV-related information.

Sharing Information with Non-Medical Entities

The HIPAA does allow for certain facets of HIV information to be shared with non-medical providers. These include hospital administrators for use in patient billing; pharmacies that are asked to prescribe medications; or health insurers who need to assess a patient's benefit qualifications.

Health information may also be shared, in some instances, with non-health insurers, such as those providing disability insurance or life insurance. However, a covered entity is only required to do so if you, as the insured, have authorized access as per the terms of your enrolment. It is, therefore, important to always know the terms of your policies, or to seek advice from your State Insurance Department before signing.

By contrast, an employer has the right neither to request your medical records nor to inquire about your HIV status, either from you or a covered entity. These protections are provided under the Americans with Disabilities Act of 1990 (ADA).

Requesting Your Healthcare Information

The HIPAA gives individuals the right of access to their healthcare information, whether it is stored on paper or electronically. Having access to your records ensures that you

  • are able to check that all information is correct and updated.
  • are able to keep all test results and prescriptions, which might otherwise be divided among several providers.
  • have your complete medical history on hand whenever meeting a new doctor or specialist.

While your full record may not always be available, every effort should be made by contracted entities to provide you with copies should such requests be made. (Please note, however, that charges may apply for hard copy printing and posting.)

In the event that information in your records is incorrect, you also have the right to request an amendment, particularly if it affects health insurance benefits or future care. However, it is important to note that doctors also have the right to deny such requests, and that any changes made solely to conceal a person's HIV status or to provide fraudulent information may be subject to legal action.

What To Do If Your Privacy Rights Have Been Violated

If you believe that your information has been improperly shared, it is advised that you first discuss the issue with your doctor or healthcare provider, if only to obtain clarity or avoid miscommunications. If the reply is unsatisfactory, you can then file a complaint with the Office of Civil Rights' (OCR) Health Information Privacy Office. Complaints must be filed within 180 days of the violation, and can be filed electronically, by post or by fax to your OCR Regional Manager.


Sky News. "HIV Clinic 'Screwed Up' By Releasing Names." Published online September 2, 2015.

U.S. Congress. "104th Congress, 1st Session: S. 1028." Washington, D.C.; July 13, 1995.

Ford, C.; Tilson, E.; Smurzynski, M.; et al. "Confidentiality Concerns, Perceived Staff Rudeness, and Other HIV Testing Barriers." Journal of Equity in Health. October 2008; 1(1): 7-21.

U.S. Department of Justice. "Current text of the Americans with Disabilities Act of 1990 incorporating the changes made by the ADA Amendments Act of 2008." Washington, D.C.; updated March 25, 2009.
