Who’s Seen My Medical Record? Better Be Able To Answer

Right now, HHS is considering a new rule which would demand that hospitals, medical practices and health plans provide anyone who asks with a list of who has accessed their electronic medical records.

The proposed rule, which will go into effect January 2013 if approved, shouldn’t be a big deal in theory. After all, since 2005 healthcare companies directly involved in patient care have had to keep their own log of who accesses patient records electronically. But apparently, the industry is arguing that providing a report on who saw your EMR file would be a massive hassle. (Even the rule’s author told USA Today that “the burden could be significant.”)

OK, I’m beginning to get a bit of a headache. Correct me if I’m wrong, but isn’t such monitoring — a detailed record of who looked at what record — a completely standard security measure for any organization with its act together?

I’m also wondering why the heck the article suggests that it would be difficult to get such access logs across departments. Again, I’m not an IT executive and I don’t play one on TV, but how much would EMR security be worth if you could only track access department by department?

I’ll admit that the more paper that remains in the process, the trickier things get. If a consumer wanted a complete list of who’d accessed their files, and the healthcare organization still conducted some major processes on paper, things could get pretty time-consuming. (Though even in that case, healthcare organizations had better be aware of who’s peeked at what patient’s data.)

Still, I detect a smokescreen here. While there are probably entities — notably smaller practices with lower-end EMRs in place — that would be burdened by this requirement, many more would probably find it no trouble to handle if they tried. In fact, if a provider has spent big bucks on an EMR that can’t dig up access records easily, they should get their multi-million-dollar investment back.

I understand health plans’ and hospitals’ reluctance to turn over such information, which could drag them into lawsuits, divorces (“Did my wife really have the right to see my records?”) and medical ID theft prosecutions, to name just a few possibilities. Once targeted, the entity would have to prove, sometimes laboriously, why a given person actually did have good reason to access a certain patient record, and sometimes they’d look bad even if they were in the right.

But if that’s the real issue, and I strongly suspect it is, I’d prefer to see health plans and providers come out and admit that they don’t want to get dragged into fights they may not win. Saying they can’t afford to comply with what should be a simple request just makes them look dishonest. And that can only lead to further headaches down the road.

About the author

Anne Zieger


Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • Do we know if a list of all who have accessed your medical records will be available in 2013? I am 99.9% positive that my electronic medical records have been viewed by people who should not have had access to my medical record. I am very upset about it and I would like to see a list of people who have had access to my record. I’m trying to figure out if I should wait until January 2013 or if there is something that I can do now. Sensitive medical information has been released about me and I am literally the ‘talk of the town’ that I live in.

  • Renee,
    I don’t think much is going to be better in 2013 than it is now. You’ll still have to go to each doctor to get the info. I believe you should be able to request that information from your clinic. Most EHR software does a good job of tracking that if your clinic is using an EHR. If they’re on paper, then you might not be as lucky.

    Sorry to hear about your issues. I hope you can find the information you need.
