Should You Place Your Medical Records on the Internet?

By Ronald L. Scott

A number of commercial web sites offer storage and Internet access for medical records. See, e.g., They typically promote such storage for a variety of reasons. In an emergency, an attending physician can have access to critical information such as drugs being taken, allergic reactions to drugs, conditions such as heart problems or diabetes, and other important medical information. Such information can arguably be available even where the patient is too ill to communicate the history to emergency staff.

Storing childrenís immunization records makes them accessible even if a parent changes jobs, insurers, or physicians. Advance directive storage available at some sites allows individuals to ensure that physicians and other family members know such individualís wishes in the event of an accident or serious illness.

Most sites at present rely on patient input of medical records, and some health care providers may be reluctant to rely on the accuracy and completeness of such records. Such records are likely to be better than a short oral medical history, but less comprehensive than medical records created and maintained by medical professionals. Some sites are offering Internet storage of physician-created records. For example, MedicaLogic provides an "ambulatory electronic medical record" (EMR) and supporting Internet services to member physicians. See The attention paid to issues of privacy and confidentiality by companies such as MedicaLogic is impressive and critically important. MedicaLogic allows patients to review their own medical records, but only clinicians can alter the records. Audit trails are maintained on the web site of all access to and modification of personally identifiable medical information. A patient must agree before even de-identified information is provided to a third party.

It is not clear how web sites such as MedicaLogic will face the challenge of complying with varying state laws on disclosure of medical information. For example, Texas law requires that a consent for the release of confidential medical information must have at least five essential elements: 1) it must be in writing; 2) it must be signed by the patient or the patientís authorized representative; 3) it must specify the information covered by the release; 4) it must specify the purpose of the release; and 5) it must specify the person or persons to whom the information is to be released.

Where electronic transmission of medical records is contemplated, additional elements are required by Texas law to make the consent form effective. Among the other elements that should be included are: 1) advice to the patient that his or her confidential medical information will be electronically recorded, stored, and transmitted; 2) an explanation of who will have access to the patientís medical information; 3) a description of the risks and benefits of electronic recordation, storage, and transmission; 4) an acknowledgement that electronic transmission does not alter the confidential status of the information and the privileges that apply thereto; 5) advice to the patient that dissemination of the patientís medical information to researchers or others external to the physician-patient relationship shall not occur without the patientís express written consent; and 6) a caution to the patient that, notwithstanding all reasonable security measures put in place, the confidentiality of the information may be comprised.

Ultimately, federal privacy standards such as those proposed by the U.S. Department of Health and Human Services should provide clearer guidance to medical records storage companies, patients, and clinicians. The proposed standards would not, however, preempt more stringent state standards. See Proposed Privacy Standards: Background and Overview.