Hospitals sharing info without asking me?

Went to UNC the other day for hearing issue. They knew I had been to Duke for the issue as well in the spring. Pretty sure I never told UNC about my Duke visit but they knew about it anyway.

Not a big deal but did they get this info via insurance ?

They may be using the same (or related) electronic health record databases.

websites look almost identical but they should ask me first before sharing?

Were you referred to the hospitals by your primary care physician?

Is there a chance that sometime in the past you signed a share consent form?

You probably signed a form at some point in which you gave them permission to share your info with their “partners”. Who knows what “partners” might be interpreted to mean?

If the underlying EHR is linked (for example, they are part of a consortium), they didn’t share, they just posted in the mutual health record. Should they ask? I think so, and as Czarcasm says, you may have given consent in some broader document, but HIPAA doesn’t necessarily think they need to.

Based on this Duke Health Center page, it appears that Duke is affiliated with Nash UNC Health Care and Wayne UNC Health Care, among many other places. They probably share an electronic medical records system so when you sought treatment at one, they all had access to all the shared records for your system.

Even if they weren’t affiliated, your doctors do not need your permission to obtain your medical records from your other medical providers for the purposes of treating you.

Those permission slips that doctors get you to sign to obtain your medical records aren’t strictly necessary. However, since the doctor on the other end is permitted but not obligated to share those records under HIPAA, the permission slip helps to get the doctor to cooperate. The old doctor will know based on the permission slip that the requesting doctor really is your doctor and that the request is necessary for your treatment. This establishes that sharing is permitted under HIPAA.

Also, your medical records belong to you, so if you tell the doctor to share, the doctor should share. If your old doctor won’t share your medical records with your new doctor after you give permission and the new doctor mistreats you because they didn’t know something in your medical record, there is a real argument to be made that the old doctor should be on the hook for not telling the new doctor the vital information.

Traditionally, physical medical records belonged to the doctor, but there was an (American) theory that the patient owned the information. Now that ‘physical’ medical records are electronic, and with joint practices, the doctor has probably signed away their rights to the joint practice and/or the medical record company.

Patient ‘ownership of the information’ has been formalized in different ways by different American states: AFAIK only New Hampshire has legislated ‘ownership of the record’.

In some other countries, there was recognition of the creative and professional content of medical records: it’s your body, but doctors write down information that they created, and the information belongs to them, in the same way that a book they wrote or a picture they painted would. Whenever it’s come up, Courts and Legislature have tended to dislike this theory. On the evidence of the judgments I’ve seen reported, not because they are patients, but because they aren’t artists or writers: their view of ownership reflects the sources of truth they know: judgments and votes rather than creation or study.

HIPAA is a federal law. The states are bound by it.

As someone else said, providers don’t strictly need signed consent, they are covered under “continuity of care.” But most will require it just to cover themselves. And very likely, when you signed the original consent forms at either institution, included somewhere is permission to share that information to limited entities.

Most medical facilities have EHR now. My facility uses Epic. Within Epic, inside mychart, there is a place for you to opt out of sharing with care everywhere. If you do that, I think it won’t pull your information in from other Epic users. If you don’t opt out, you are opted in.

That’s Health Insurance Portability and Accountability Act, which deals with disclosure, which is relevant to this thread, but doesn’t deal with ‘ownership’ of rights other than disclosure. AFAIK, only New Hampshire has legislated that patients ‘own the records’.

When you are using the WWW, you often see pictures/graphics. You very rarely have to give any consideration to the ownership of the pictures/graphics you see, because ‘seeing’ them is the only aspect that matters. But ‘ownership’ is important to other creators and users.

Right. So it may be a different one than HIPAA. I’d have to check to see what the actual act is. I think it is still federally defined. Recently (in my facility it rolled out at the first of the year) they took down barriers in the EHR and allows patients to see nearly everything in their chart. I think in our facility, the only things they can’t see, and I think it’s a technical issue, is things that are scanned into the chart. So, things like the CT report that was not done in our radiology, etc. Everything else is viewable by patients. If that isn’t ownership, I don’t know how else you define it.

Also, if the patient doesn’t own the information, why do we need their consent to release at all?

Here’s the new rule. Patients have generally had the right to access their records under HIPAA standards.

  1. The client still has to request releases of records. Making the request may be as simple as clicking a button in the client portal or setting up an app to retrieve notes on a schedule. There is always a request involved, however.
  2. The paradigm called Open Notes is founded on a clinician-client relationship wherein clients are encouraged to read their provider’s encounter notes as part of their treatment. There are philosophies and concepts involved in using Open Notes that go beyond simply making notes available to clients who wish to retrieve them.
  3. Most of the professionals who read my articles do not use ONC-certified EHR systems, and the rule does not require us to adopt such systems.
  4. Clients have had a right to access their full record, including progress notes, for a looooong time . No one has characterized the pre-existing rights of access as creating an “Open Notes” situation…

I can see everything you write here on the SDMB, but don’t own any of it. Not withstanding my inability to define ownership.

Thanks. I’m sorry I set the discussion on a tangent. I probably should have avoided saying medical records “belong” to the patient since the doctor also has a right to keep those records. But ownership of medical records is complicated. Today, patients are guaranteed access to and copies of their medical records under various federal regulations promulgated under HIPAA and other authority of the Department of Health and Human Services plus state rules. It’s a weird patchwork that, in most cases, allows people to get copies of their medical records for their own purposes or for purposes of medical treatment at little cost to them. HHS has regulations that on what medical providers can charge for the information, which, as I recall, is limited essentially to postage and copying charges. When the records are electronic, as most are these days, those charges largely don’t apply. Once the patient has the records, they have the unfettered right to copy and distribute them further.

The owner of an image on a website can take the picture off the web and deprive me of access to it at any time she chooses. Even if I kept a copy, the owner can demand I delete it (subject to limited exceptions like for fair use) My doctor cannot do that with my medical records. The rights I have in the medical records that my doctor holds about me can in casual conversation be referred to as ownership, although that ownership is not exclusive - my doctor is entitled to keep my original medical records even if I demand copies for myself.

Ownership (particularly of real property) is sometimes referred to as a bundle of rights. Those rights are generally summarized as rights of:

  • Disposition, which is the right to sell or give the property to another. The doctor has only limited rights to give the information away or to sell access to it, consistent with HIPAA privacy requirements (which generally means to other of my medical providers or because I have authorized it).
  • Enjoyment, which is the right to possess the property without outside interference. Doctors can use and enjoy the medical records as they wish but their use is subject to restrictions on sharing the information under HIPAA and state law privacy protections, so there is considerable outside interference in order to protect the rights of patients.
  • Exclusion, which is the right to keep others from using the property. These rights are largely held by the patient. As noted above, the doctor has the right to keep other doctors from using the records (even if sharing is authorized under HIPAA) but, if the patient gets copies of the records, the patient gets to decide who to include and exclude in their use.
  • Possession, which is the right to occupy the property. This isn’t really applicable. Physical property can only be occupied in a limited way. I can only get so many cars in my garage. But I can make as many copies of medical records as I want so use does not need to be exclusive.
  • Control, which is the right to legally use the property by the owner how they see fit. There are many restrictions on how doctors can use medical records. There are basically none on how the patient can use them.

So, looking at the bundle of rights, who owns the medical records?

I looked up the situation here in the UK and found this:

  • Patient records, both private and NHS, are not the patient’s property. Patients are not entitled to take possession of the originals. However, under data protection legislation they have a right to view their original records and to obtain copies of them.*

That site doesn’t mention the problem with non-computerised historical records. GPs are reluctant to allow patients to see their older records because many GPs were in the habit of writing derogatory comments like “time waster” on them.

Addressing the OP’s initial post only, your new provider (UNC) does not need your permission to get records from your past providers (Duke in this case) except in matters of mental health, HIV, and a few other exceptions.

I get outside records on my current patients without getting their signature all the time, and have since long before HIPAA went into effect. I do inform the patient I am getting their old records, as a rule.

As a side note, 90% of what I see posted about HIPAA on the web is wrong. That number rises to 99% if the poster misspelled HIPAA.

around here if you go to a specialist the vast majority are UNC or Duke docs. So they probably routinely look up the other place . I think only around 10 to 20% of specialists are not with UNC or Duke. Both systems have taken over a lot of independent doc offices in recent years.

Looks like Duke Health is part of several Health Information Exchanges (HIE) as are most health care companies, insurance companies, providers, hospitals, etc…

Health Information Exchanges | Duke Health

Basically medical and insurance entities that sign up and meet certain standards can share their patient’s information within that exchange.

If I had to guess, it’s more than likely the NC HealthConnex is the one that both UNC and Duke are using to share your information because it’s a state-run thing.