The right to privacy is one of the bedrocks of the American value system — but when it comes to your medical records, there are questions about how far that privacy really extends. If you've ever wondered who has access to your medical records, you're not alone.
A recent poll by NPR, the Kaiser Family Foundation and the Harvard School of Public Health found that 79 percent of the 1,238 adults surveyed anticipate "significant security breaches" through the use of electronic health records (EHRs).
Not only does your insurance company share information about your health with other insurers, it also receives this information directly from your doctor and other sources.
The confidentiality of your medical records depends on the people who handle them. Insurance companies use medical information to underwrite policies.
Insurance companies use "underwriting standards" to determine whether they will issue the policy the customer requests and what the price will be. When underwriting a policy, life insurance companies factor in your age, height, weight, personal medical history, family medical history and whether you smoke. Underwriting standards for members of a group (such as group life insurance purchased through work) are less stringent than for someone who wants to buy an individual policy, but there is still an underwriting process. According to the National Association of Health Underwriters, large health insurance policies are medically underwritten, but only at the time of purchase. Rates are generally based on prior claims experience.
If you have ever applied for an individual life, health, disability, long-term care or critical illness insurance policy, chances are your information (stored as codes, not "medical files") is in a database at MIB (formerly named the Medical Information Bureau). MIB provides nearly 600 life and health insurance companies with medical information taken from individuals' insurance applications. Member companies report information to the MIB.
Insurance companies pay a fee to become members of the MIB, and they also pay a fee every time they request information from the MIB's database. You will be notified when you apply that the insurance company plans to check the MIB for any record of you, but that notification may be buried in the fine print of the authorization you will sign. Ask an agent when you fill out the application whether pre-existing medical conditions might raise your rates or nix your application altogether.
According to the MIB, it has records on only one or two out of every 10 people who apply for individual insurance. Nonetheless, its database does contain files on about 16 million individuals. The easiest way for you to check whether the MIB has a file on you — and whether that file is accurate — is to request a copy of your record.
The MIB is similar to consumer credit reporting services. For instance, it purges records that have been in the system for more than seven years. Under the Fair Credit Reporting Act, you have a right to see and correct the information the MIB has on you. Some states have also adopted laws specifically dealing with the confidentiality of medical records. The MIB and member companies doing business in those states are also subject to those laws.
Member companies of the MIB must also comply with the MIB's own privacy standards. The information is exchanged only among member insurance companies and is used only for underwriting an application or for claim adjustments. Member companies generally use this information to detect lies or inconsistencies on insurance applications. For example, if you applied for life insurance five years ago and noted a history of cancer, and now you submit an application to another company without that information, the company will want to know why.
Although there are federal patient privacy standards, and most states have additional privacy standards for health care providers, your patient information may still travel to other places.
One of the problems with keeping medical records confidential is the number of people who handle such information. Every time you visit the doctor, you leave a paper trail that passes through numerous hands.
While state and federal privacy laws may require a doctor to keep records private, an insurance company can demand to review all necessary records before reimbursing the physician for services rendered.
Does your employer administer your benefits in-house? That means someone in your own company may know the intimate details of your medical history.
Even if you pay for your health care out of your own pocket, eschewing insurance altogether, your medical records could still end up in the hands of your insurer. That's because most doctors are part of health care networks that require access to all records, not just those of their own enrollees.
Hospitals also keep records on patients they've served. Pharmacies store and sell information about the medications that customers use. Considering the fatal consequences of certain drug combinations, tracking a patient's medication is necessary for safety reasons.
In this age of outsourcing, insurance companies often contract with other companies to help with data collection. Sometimes, you may not even know that you're dealing with a "third-party" company that is engaged in a practice called data mining. About half of all life, health and disability insurance companies contract with a third party to collect your medical records. Companies that routinely acquire medical records and physician statements for their insurance company clients include SAS Business Analytics and Insurity Inc. (a division of a subsidiary of ChoicePoint/LexisNexis, which also provides auto insurers with DMV records).
The federal Health Insurance Portability and Accountability Act (HIPAA) requires the simplification of electronic data transactions, and procedures to protect patients' privacy.
The Department of Health and Human Services issued the Privacy Rule under HIPAA to "address the use and disclosure of individuals' health information, or 'protected health information,' by organizations subject to the Privacy Rule (covered entities), and set standards for individuals' privacy rights to control how their health information is used."
Entities that have to be in compliance with HIPAA include:
- Health insurance companies, HMOs, group health plans, Medicare and Medicaid
- Anyone that conducts business electronically to bill your health insurer, including physicians, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and dentists
- Health plan clearinghouses, including billing services, repricing companies and community health-management information systems
Each organization governed under HIPAA is required to set up procedures to protect patients' privacy. Each also has to designate an official to monitor that system and notify patients about their privacy-protection practices. The regulations call for penalties, ranging from fines to criminal charges, against people who violate a patient's right to privacy.
President Obama signed the American Recovery and Reinvestment Act of 2009, which includes protections for how medical information is used. The act:
- Prohibits the unauthorized sale of medical records, unless they are being used for research, public health and treatment.
- Limits marketing practices.
- Requires health providers and business associates to keep an audit of personnel who have access to sensitive medical information.
- Sets strict standards for technology systems, including data encryption and breach notifications.
- Implements monetary penalties for violations.
- Monitors contracts and reporting practices.
Other protections provided by the American Recovery and Reinvestment Act include the right for patients to request an "audit trail" of their electronic medical records to learn who has been looking at their health information. They also have the right to be notified of unauthorized use, and can obtain an electronic copy of their records.
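The audit-of-access requirement and the patient's right to an "audit trail" are the one place on this page where a concrete mechanism is worth seeing. The following is an added example, not code from the article, from HHS or from any EHR vendor, of a tamper-evident access log: every read of a patient's record is appended as one entry, each entry commits to the previous one with a hash so that later edits or deletions are detectable, and a patient's audit trail is simply a filtered view of the same log. The field names, the purpose vocabulary (treatment, payment, operations and so on), and the sample accounts, patient ids and timestamps are all constructed assumptions.

```python
# Added illustration (not code from the article or from any EHR product): a
# minimal hash-chained access log of the kind the "audit trail" requirement
# implies. Every read of a patient's record is appended as one entry; each
# entry commits to the previous one, so editing or deleting an entry later is
# detectable; a patient's audit trail is a filtered view of the same log.
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AccessEntry:
    seq: int
    timestamp: str      # ISO-8601; supplied by the caller (constructed below)
    actor: str          # user or system account that read the record
    role: str
    patient_id: str
    purpose: str        # assumed vocabulary: treatment / payment / operations / ...
    prev_hash: str      # entry_hash of the preceding entry
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """SHA-256 over every field except entry_hash, in canonical JSON."""
        payload = asdict(self)
        payload.pop("entry_hash")
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AccessLog:
    def __init__(self, entries: Optional[List[AccessEntry]] = None):
        self.entries: List[AccessEntry] = list(entries or [])

    def record(self, timestamp: str, actor: str, role: str,
               patient_id: str, purpose: str) -> AccessEntry:
        """Append one access event, chained to the previous entry."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = AccessEntry(len(self.entries), timestamp, actor, role,
                            patient_id, purpose, prev)
        entry = replace(draft, entry_hash=draft.compute_hash())
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the seq of the first
        entry whose position, back-link or hash does not match."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if (e.seq != i or e.prev_hash != expected_prev
                    or e.compute_hash() != e.entry_hash):
                return i
            expected_prev = e.entry_hash
        return None

    def audit_trail(self, patient_id: str) -> List[dict]:
        """What a patient asking 'who has looked at my record?' receives."""
        return [{"timestamp": e.timestamp, "actor": e.actor,
                 "role": e.role, "purpose": e.purpose}
                for e in self.entries if e.patient_id == patient_id]

    def unexpected_accesses(self, patient_id: str,
                            allowed_purposes: set) -> List[AccessEntry]:
        """Entries for this patient whose stated purpose is outside the set
        the organization recognises; a starting point for privacy review."""
        return [e for e in self.entries
                if e.patient_id == patient_id and e.purpose not in allowed_purposes]


def build_sample_log() -> AccessLog:
    """Constructed sample events; names, ids and times are made up."""
    log = AccessLog()
    log.record("2024-03-01T09:12:00Z", "dr.alvarez", "physician", "P-1001", "treatment")
    log.record("2024-03-01T10:05:00Z", "billing.svc", "billing-system", "P-1001", "payment")
    log.record("2024-03-02T14:30:00Z", "dr.alvarez", "physician", "P-2002", "treatment")
    log.record("2024-03-03T23:48:00Z", "intern.jones", "intern", "P-1001", "unspecified")
    return log


def tampered_copy(log: AccessLog) -> AccessLog:
    """Constructed scenario: entry 1 is rewritten after the fact."""
    forged = AccessLog(log.entries)
    forged.entries[1] = replace(forged.entries[1], actor="nobody")
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for row in log.audit_trail("P-1001"):
        print(row)
    print("first bad entry after tampering:", tampered_copy(log).verify())
```

The hash chain only makes tampering detectable, not impossible: whoever can rewrite the whole log can recompute every hash, so in practice the latest entry hash is also written somewhere the log's administrators cannot change (a separate system, a signed daily digest). The purpose field is what turns the log from a record into a control: the access with an unrecognised purpose in the sample is exactly the one a privacy officer would follow up on.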
HIPAA privacy regulations
- Allow consumers to see their medical records, request corrections, and obtain documentation of disclosures of their health information.
- Penalize companies that violate patients' privacy rights with fines or criminal charges.
- Allow some health information to be disclosed without patient consent, including data used by medical researchers, law enforcement and banks that process health care payments and premiums.
- Require each organization governed under HIPAA to set up procedures to protect patients' privacy and designate an official to monitor that system.
Source: U.S. Department of Health and Human Services