The term “Electronic Health Records” (EHR) refers to medical documents made available in digital format, for use with computers and other Healthcare Information Technology (HIT), to improve the quality, safety, and efficiency of medical care.

Advantages – doctors have access to their patients’ most current information; faster / easier to update and transfer; analytics are available for the decision making process; medications can be automatically cross-referenced to avoid adverse interactions; disaster recovery (e.g., offsite backup copies in the event of fire, earthquake, or tornado); reduction of redundant testing & paperwork; audit trails (reports of who has accessed files); reduction of human error, such as misread handwriting; lower physical storage requirements (in terms of rooms full of file cabinets); automatic alerts / reminders; coordination between different providers, where updates are reflected between doctors; alerts about allergies / drug interactions are on hand, such as in the emergency room.

Drawbacks – with records accessible worldwide, your information can be exposed to a range of unauthorized personnel including ID thieves; similar to cyber crime with financial transactions, more steps are required of your provider to ensure security of Protected Health Information (PHI); the learning curve for providers has kept many from using EHRs properly / taking full advantage; potential inability for healthcare providers to access your records in the event of power outages, internet disconnections, etc.

Patients have the following rights, quoted from:
– To see or get a copy of your medical record
– To request to have any mistakes corrected
– To get a notice about how your health information is used and shared
– To say how and where you want to be contacted by your health care provider; and
– To file a complaint if you think any of these rights have been violated
– One method to pursue this is through OCR’s website:

Be sure your healthcare provider complies with privacy and security requirements / best practices, including but not limited to:
– Access controls, such as passwords, to help limit access to private information
– Encrypting stored information, meaning files can only be read by someone who knows the correct “key,” available only to authorized individuals
– Audit trails, recording who accessed which records, what changes were made and when

Health records contain the information needed to apply for credit / loans and to receive medical services in victims’ names, which is known as Medical Identity Theft – any diagnoses and treatments the criminal receives end up on the actual person’s permanent record.

Recommendations for patients to prevent medical ID theft include:
– Store confidential paperwork at your home in a location inaccessible to visitors, such as a safe; also consider using a bank safe deposit box for such documents.  Shred all documents when no longer needed.
– Review all records from your doctors and insurance providers to find out if they include any entries for services you did not receive or conditions you were never diagnosed with.
– Avoid providing personal information over the phone or computer, unless you personally contacted that number / address first.
– Practice basic computer security for any system you will use in relation to medical transactions, including firewall, anti-malware programs, automatic updates, and password protection.

You have the option of whether or not your records are shared electronically with other providers in a Health Information Exchange (HIE).
Whether an HIE is opt in or opt out by default varies by state:
– Opt in – patient authorization is required before their records are shared in the HIE, where sensitive information will be electronically available to other healthcare providers.
– Opt out policy – patient data is automatically sent to the exchange, unless they otherwise opt out.
(Opt in is less common because it adds more steps for administrators – therefore, make sure you are familiar with your state’s policy, and opt out if not sure.)

Who can access your records?
– With your permission:  Yourself; friends / relatives; healthcare providers; insurance companies; Medicare / Social Security; employers (often required to apply for the job)
– Permission not needed:  The Medical Information Bureau; prescription / immunization database; government agencies; law enforcement

How you can request a copy of your records (directly from your doctor or hospital).

Companies may allow you to sign into your account online to view claims data, similar to online banking.  You are responsible for your own PC security if accessing this information online.  This also applies when filling out forms online, such as applying on

You need to review your records periodically to make sure they do not contain errors, and that no medical ID theft / fraud took place on your account – most of the time you just talk with your provider to arrange this, though sometimes it is a more complicated process.  You can view your records on site, in the presence of an employee – you will need to present ID, and you can copy info in writing / by hand.  It will cost extra to have it printed off, whether requested on site or mailed to you – usually they charge on a per page basis in that case.

When you go to a hospital or clinic they will ask you to sign a form for the release of information; they legally cannot refuse treatment either way.

Items in your records can be amended only if you can prove they were factually incorrect, not because you just want them removed.  To fix or add to an entry – you must request the amendment in writing.  If the request for an amendment to your file is granted, your objections / statement, along with your doctor’s opinion, are added and kept with the previous records going forward.  Legally your provider cannot remove information you want left off, for liability reasons (it is a legal record for the doctor / hospital).  If you believe info is wrong, you need to request to have them add an amendment.

Health providers must provide a Notice of Privacy Practices, available at all times and upon request, detailing how your info may be used, where you may also request your health records to review.  You will be requested to sign a document to acknowledge you got the notice; this is different from signing authorization to release your health records.

Breach notification – if your information may have been compromised, the healthcare provider or business associate must notify affected individuals in written form – a breach is any impermissible access or use of your records.  Entities are required to provide a toll-free phone number for 90 days for you to find out if your info was involved.

If you have reason to believe a covered entity or business associate violated health information privacy rights or committed another violation, you need to file a complaint with the Office for Civil Rights (in writing identify the entity / associate and describe the violation).

Social media: It is advised to periodically monitor your providers’ profiles, to make sure they have not violated patients’ privacy nor posted anything improperly, in which case review sites offer the ability to leave feedback for providers, for instance

It is important to keep current contact info on file with your provider, so you can be notified upon any breach.  It is also important to maintain your own Personal Health Record (PHR), which is compiled by yourself instead of your provider.  You bring this along to medical offices in case it is needed.

An individual’s PHR usually includes: list of illnesses, history, medications, doctors’ recommendations, images, reports, immunizations, payment records, advance directive, including living will / power of attorney, emergency info (i.e., if you have a stent / pacemaker / artificial bone or limb / implants), chronic health conditions (asthma, diabetes, blood pressure), allergies (incl. food and drug), screenings & tests, hearing / vision checkups.

Always keep with you (i.e., in your wallet) – ID, emergency contact info, doctor name and #, insurance card, organ donor card.

– If your data has been involved in a breach, the practice is required to notify you ASAP.  Breaches affecting 500 or more individuals are posted here: