skip to main content
RadInfo Logo Home

Medical Information Privacy

Summary

  • You have the right to decide whether to share your confidential medical information.
  • Healthcare groups must keep your electronic medical information secure.
  • If you suspect someone has improperly accessed your information, contact your healthcare provider immediately.

Your medical information is stored in an electronic format. There are many rules and regulations — including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — that exist to protect your medical information.

Doctors need to access your information to make important, quick decisions about your medical care. However, you have the right to decide whether they may access your information or share it with others.

Healthcare groups have developed safeguards to protect your medical information. As technology improves, healthcare groups are also improving the ways they secure your information.

Doctors must help protect your information. They must document all use of your information, share their privacy/security policies with you, and report any data loss or breach. Contact your doctor's office immediately if you suspect someone is misusing your information.

top of page

What is electronic medical information security?

Healthcare groups store images, test results, physician notes, medications, allergies, and other data electronically. Doctors have a responsibility to first "do no harm." This responsibility includes protecting your information, privacy, and confidentiality. Patient information security outlines the steps healthcare workers must take to guard your "protected health information" (PHI). Security also refers to maintaining the integrity of electronic medical information. It makes sure that those who need to can access your information to provide medical care. The federal government regulates the management of electronic records and your protected health information.

Research and educational activities also must comply with privacy and security requirements. Institutions must protect the privacy of your health information, while allowing reasonable access by researchers, educators, or trainees.

top of page

What is patient privacy?

Patient privacy is your right to decide when, how, and to what extent others may access your protected health information (PHI). Patient privacy maintains confidentiality and only shares your information with those who need it to provide medical care. If your information is used for research purposes, researchers must request approval from their local institution research board (IRB). This may include making your information anonymous before using it to conduct research.

top of page

Why are security and patient privacy important?

Electronic medical information security can affect the quality of patient care and patient rights. It can also impact the work practices and legal responsibilities of healthcare professionals. Doctors can make the best decisions for your care if they can access your complete medical history. Lack of access can delay important decisions and harm your medical care. Protection methods must keep your information private and confidential while still allowing authorized individuals to quickly access it.

top of page

What are radiology professionals doing to safeguard medical images and patient information?

Radiologists are some of the first doctors to adopt digital medical imaging and electronic health information. They recognize the many benefits of these technologies and are working to eliminate risks. This work is done through groups like the Radiological Society of North America (RSNA), American College of Radiology (ACR),and Society for Imaging Informatics in Medicine (SIIM). Together, these healthcare leaders are developing standards and creating policies to ensure your radiology information remains secure but can be shared easily so you can receive high-quality patient care.

top of page

What are the responsibilities of the radiologist and patient?

Radiologists work with IT professionals to protect your information, privacy, and confidentiality. Doctors must document their privacy and security policies and share them with you. All staff must be trained in security policies. These policies must provide for computer system backups and maintenance, proper data storage, system failure and recovery plans, incident reporting, and security issue resolutions. Failure to comply with state and federal Electronic Protected Health Information (ePHI) regulations may result in financial and/or criminal penalties.

As a patient, you have a right to talk to your doctor in confidence and have your information protected. You choose whether to release it, except when required by law or in the event of an emergency.

top of page

What should you do if you think someone is inappropriately accessing your health information?

If you believe someone is misusing your health information, contact your doctor's office immediately. Federal rules outline steps that care providers must take to investigate, report, and address any unauthorized use of your healthcare information that compromises your privacy. If your information has been exposed, your care provider must provide you with a description of the incident and outline what steps you should take to protect yourself. The care provider must also tell you what they will do to recover the loss and avoid further breaches. This report must identify whom you should contact if you have any questions about the breach.

top of page

How is medical information kept secure and private?

Many different safeguards protect the privacy, security, and integrity of your information. At the same time, these safeguards give your doctors access so they can provide you with medical care. Physical safeguards include:

  • Using encrypted storage or devices
  • Restricting physical access to authorized personnel only
  • Preserving copies and conducting data backups
  • Maintaining emergency protocols
  • Properly disposing outdated devices

Technical safeguards include firewalls and secure transmission modes for communication. These include virtual private networks (VPN) or secure sockets layer (SSL) and encryption techniques.

Administrative safeguards include:

  • Documenting department security policies
  • Training staff about security policies
  • Conducting audit trails of all system logs by user identification and activity
  • Enforcing policies for storing electronic data and system backups
  • Providing specific methods to report incidents and resolve security issues
  • Documenting accountability, sanctions, and disciplinary actions for any violation of policies and procedures
  • IRB approval for any study involving protected healthcare information or human subjects

Electronic medical records (EMRs) must include the following in their security policies and procedures:

Authorization/access control methods include single sign-on databases or lists assigning user access rights and privileges. They also include automatic account logoff after a certain period of inactivity. This helps prevent access by invalid users. Frequent password changes and physical access controls (such as chip-based ID cards) may also be used.

Authentication verifies your identity to a computer system using login passwords, digital certificates, smart cards, and biometrics. Authentication only verifies your identity. It does not define what resources you can access.

The EMR must be continuously available, and system administrators must defend against various threats. They must provide back-up for their systems (duplicated hardware, data archives, power, and networking systems). They must also keep computer servers physically safe and defend against computer viruses and hacking.

Confidentiality means that all unauthorized access of your medical data is blocked.

It is essential to maintain data integrity when transferring information. This is done by verifying that the information arrived as it was sent and was not modified in any way. IT personnel use a variety of methods to maintain data integrity and detect any attempts to modify the data.

Nonrepudiation provides a record of the transaction. This ensures that a transferred message has been sent and received by the parties claiming to have sent and received it. Methods include digital signatures and system logs of all user activity.

If you still have questions about how your private information is protected, please talk with your healthcare provider.

top of page

This page was reviewed on July 06, 2022

Sponsored By

Please note

RadiologyInfo.org is not a medical facility. Please contact your physician with specific medical questions or for a referral to a radiologist or other physician. To locate a medical imaging or radiation oncology provider in your community, you can search the ACR-accredited facilities database.

This website does not provide cost information. The costs for specific medical imaging tests, treatments and procedures may vary by geographic region. Discuss the fees associated with your prescribed procedure with your doctor, the medical facility staff and/or your insurance provider to get a better understanding of the possible charges you will incur.

Web page review process: This Web page is reviewed regularly by a physician with expertise in the medical area presented and is further reviewed by committees from the Radiological Society of North America (RSNA) and the American College of Radiology (ACR), comprising physicians with expertise in several radiologic areas.

Outside links: For the convenience of our users, RadiologyInfo.org provides links to relevant websites. RadiologyInfo.org, RSNA and ACR are not responsible for the content contained on the web pages found at these links.