Who is Peeking at Your Medical Records?

Does anyone really know who has seen their medical records? I was shocked at who could have information that was obtained from my personal medical record. Not that my name is all over the internet with the diagnoses of my last visit – but do you really know who has access to your private medical records? This may come as a shock… keep reading…


Of course, you have access to your personal medical records. You can also assign access to whomever you choose. I have no problem with my husband or daughter getting information from my doctor if they need it. I could sign a Power of Attorney which would make it official – but I haven’t.

Aside from family and friends, even strangers if you want, an attorney or legal representative may need access to review your records to prepare for litigation. You can give “YOUR” representative permission but keep in mind – a court order, obtained by the other party, can allow “THEIR” representative permission to view your medical records - if justified and legal.

Your Doctor.

Your doctor wrote the information on the chart so they have access. Staff members in the medical office will access your private health information for coding, billing, faxing prescriptions, ordering consults with specialists, filing medical records, scheduling diagnostic tests. Your information will be sent to your insurance company – let’s face it – doctors need to be paid.   

If your doctor is a member of an Accountable Care Organization, Independent Physician Association, a Medical Group or a Patient Centered Medical Home, there will be quality personnel sifting through your medical record looking for anything from a recent colonoscopy to a potassium level. Quality incentives are very important to your doctor and any organization they are affiliated with.

Your Employer.

Your employer may be granted a “need to know” access to your medical records for situations such as Worker’s Compensation claims, Family Medical Leave of Absence, disability claims, extended medical leaves, and perhaps, a general overview of their employee health status to estimate insurance premium costs.


Whoever pays for the medical insurance claim will access your medical record. Medicare Advantage Plans, commercial insurance carriers, Medicare and Medicaid review your medical records for purposes ranging from justifying a claim, assessing quality measures, calculating risk adjustment payments, validating utilization of resources and overseeing case management of high-maintenance patients to pharmacy management.

There are contracted vendors for many of these projects who will also request access to your medical records.


Medicare has many programs that review medical records for targeted information. Information for these projects can be related to fees for billed services, coding inconsistencies, quality assessments, fraud or overuse.  A few of these are:

  • URAC (Utilization Review Accreditation Commission) is a non-profit organization that helps promote health care quality through the accreditation of organizations involved in medical care services.
  • CERT (Comprehensive Error Rate Testing) Contractors help calculate the Medicare Fee-For-Service (FFS) improper payment rate by reviewing claims to determine if they were paid properly.
  • MAC (Medicare Administrative Contractors) Process claims and enroll providers and suppliers.
  • MEDIC (Medicare Drug Integrity Contractors) Monitor fraud, waste, and abuse in the Medicare Parts C and D Programs.
  • RAC (Recovery Audit Contractors) are designed to protect Medicare by identifying improper payments and referring potential fraud to the Centers for Medicare & Medicaid Services (CMS).
  • ZPIC (Zone Program Integrity Contractors) Investigate potential fraud, waste, and abuse for Medicare Parts A and B.
  • HEAT (Health Care Fraud Prevention and Enforcement Action Team) established to build and strengthen existing programs combatting Medicare fraud while investing new resources and technology to prevent fraud and abuse.
  • Medicare FFS Recovery Auditor - to identify and correct Medicare improper payments to Medicare beneficiaries and providers.


Medicaid, just like Medicare, also reviews medical records for a multitude of reasons, from claims to quality and utilization. Some of these programs are:

  • MFCU (Medicaid Fraud Control Units) investigates and prosecutes Medicaid provider fraud as well as patient abuse or neglect in health care facilities and board and care facilities.
  • MIC (Medicaid Integrity Contractors) to identify Medicaid overpayments and decrease the payment of inappropriate Medicaid claims.
  • OMIG (Office of Medicaid Inspector General) – audits to determine the nature and extent of services billed to the Medicaid Program and to verify that Medicaid policies and procedures are being followed.
  • PERM (Payment Error Rate Measurements) - annually review programs they administer and identify those that may be susceptible to significant improper payments, to estimate the amount of improper payments.
  • DOJ (Department of Justice) may investigate medical records for suspected criminal acts and omissions such as improper billing or referral arrangements.
  • OIG (Office of Inspector General) investigates tips and complaints from all sources on potential fraud, waste, and abuse.
  • HHS (Health and Human Services) - Office for Civil Rights (OCR) conducts periodic audits of covered entities' compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
  • DADS (Department for Aging and Disabled Services) reviews medical records while conducting investigations.


Pharmaceutical-related companies also seek information from your medical records to assess, trend and predict outcomes related to prescription drug usage. If you are prescribed a controlled substance, it is possible one of these programs has some information on you. It would be the minimum necessary for their purposes and individually unidentifiable, but your information nonetheless.

Some of these programs are:

  • DEA (Drug Enforcement Administration) the Office of Diversion Control helps prevent, detect, and investigate diversion of controlled pharmaceuticals from lawful purposes to the illicit drug market.
  • NAMSDL (National Alliance for Model State Drug Laws) helps States address the issues of drug and alcohol abuse while monitoring the progress of drug legislation in all 50 States.
  • NASCSA (National Association of State Controlled Substances Authorities) dedicated to assisting government agencies, pharmaceutical companies, and other stakeholders in their efforts to reduce drug diversion and abuse.
  • NADDI (National Association of Drug Diversion Investigators) helps prevent and investigate prescription drug diversion through law enforcement, health care professionals, State regulatory agencies, and pharmaceutical manufacturers.
  • NIDA (National Institute on Drug Abuse) funds research on drug abuse and addiction.
  • ONDCP (Office of National Drug Control Policy) works with the President and the Executive branch to address drug control issues and activities.
  • OSHA (Occupational Safety and Health Administration) may request employee medical records when investigating an incident.
  • SSDI (Social Security Disability Income) will look at any record addressing an alleged disabling condition.
  • CMS (Centers for Medicare & Medicaid Services) will review medical records to determine if claims were billed per Medicare coverage, coding, payment and billing regulations. Another large program that reviews medical records is the Risk Adjustment Payment Program, which is the basis for calculating per-month compensation paid to health care plans.
  • MIB (Medical Information Bureau) is a computer database containing medical and some non-medical information pertaining to individuals who have applied for insurance coverage.


I had to share this list. I am not saying all of these agencies, services, and people have looked at your medical records, but the potential is there.

Does anyone know much about Athena? I heard it was going to be the new medical cloud.