A proposed federal rule would require hospitals, doctors' offices and health insurers to tell patients of anyone who has accessed their electronic medical records, if asked.
Under the rule proposed by the Department of Health and Human Services (HHS), health-care-related businesses must list everyone in their firms — from doctors to data-entry clerks — who has accessed a patient's electronic records and when.
"It is important to protect a person's right to know how their health information has been used or disclosed," said Rachel Seeger, spokeswoman for HHS's Office of Civil Rights.
For example, in 2008, the UCLA Medical Center fired several employees who looked at Britney Spears' medical records without being directly involved in her care. Under the new rule, Spears could see who accessed her records.
Other cases where a person might want to know who has seen their electronic records involve identity theft and divorce battles.
Adam Greene, who was the primary author of the proposed rule before leaving Health and Human Services for a private law firm, said the department began hearing anecdotically that people wanted answers: Has my ex-husband, who works at the hospital but wasn't part of my care team, seen my medical records? Has my neighbor, the community gossip who works at an insurance company, taken a peek?
"This was the information people were most interested in, so it should be tracked correctly," Greene said.
Since 2005, health companies directly involved in a patient's care, such as hospitals, have had to keep an internal log of who accesses electronic records.
Providing the report to patients could prove difficult. If a patient makes the request of a large hospital for the past year, the report could include records from several departments and include dozens of people.
"The burden could be significant," Greene said, though a patient could ask if a specific person has viewed a record or who has looked during the past month.
The federal government asked 90 large health organizations how many patients have asked for such records, and found it was fewer than 20 requests at each since early 2003, he said.
Greene said the low number may be because people did not know that they could ask.
HHS listed the proposed rule on the Federal Registry for public comment by Aug. 1. If approved, the rule would go into effect in January 2013.
If someone has violated the privacy law, then people can file a complaint with the health organization or HHS's Office of Civil Rights, which could lead to a fine or a criminal charge with the Justice Department.