Imagine a bit of vital information recorded dutifully by highly educated professionals tasked with compiling, protecting, and preserving the document. These same individuals serve also as gatekeepers of sorts, requiring the appropriate credentials before these somewhat secret documents are released.

The documents, highly personal in nature, contain information that is often mundane, but sometimes highly sensitive. As a whole, they are secret, but these documents are not the ones you might be thinking about.

These secret, encrypted, mysterious, often illegible documents are medical records.  Sometimes they are so "secret" no one may access them.  This is not because of global security or some secret conspiracy. It is just the reality of the healthcare world.  Everyone, whether they are a physician, layperson, attorney, or politician, has medical records they cannot access.  Yet politicians do not seem to grasp this. This latest cycle of presidential campaign rhetoric makes mention of “complete medical records,” suggesting the candidates make available all their medical records. The possibility that someone could not produce these records is treated as inconceivable.

I agree with Inigo Montoya: I do not think that word means what they think it means. 

The New York Times examined this issue, deeming it impossible.  At Spiers Group, we are often asked to review medical records. We have a team of folks who can dissect these, reading between the lines for certain issues. The biggest problem the team faces is that most often the records are incomplete. Entire episodes referenced in the record are sometime missing. How can this be?

Think about medical records. Everyone has them. Your first record is likely older than you, and it is commingled with your mother’s record. The data begins to accumulate in earnest when you are born. The record contains countless pediatrician visits, the occasional visit to the emergency room, and perhaps a hospitalization or two. Some childhood surgery, such as an appendectomy or a tonsillectomy, can add to the volume.  Teen years are more of the same. Adulthood, for many, brings some stability, but who can name every provider or specialist they have ever seen?

The reality is that no one can reasonably be expected to recall all health care visits. Likewise, how can you get the information if you cannot even remember the visit. More to the point, even if you could remember, medical records are often destroyed after a certain period. In the past, 7 to 10 years after a patient’s last visit, or the age of 18, as the case may be, marked the end of the retention requirement. I am sure many of my medical records have been converted to paper bags decades ago.

Today, with electronic medical records, this should be simpler for physicians and patients alike. It is not. This has also has led to some misconceptions about who has access to records, as well as how easily they can be accessed.

It helps to think of medical records as documents stored in a security deposit box. The security deposit box can only be accessed if one knows where it is, and has the proper credentials. Patients have responsibility for knowing where their medical records are held, and they control access to them.  A patient’s physician – or attorney, insurance company, or hospital – cannot just summon a record from the ether.  Patients should maintain some semblance of a medical history with them in order to share the information with providers. Patients also hold the two keys to their medical records; they know where the records are, and they can grant others access to them

Electronic health records have great promise, but every system cannot communicate with all others. Early electronic medical record systems were constructed on multiple platforms, incapable of fully and completely communicating with each other, if they could communicate at all.  We hope all current medical record systems seamlessly communicate, but such hopes are not yet mature.  Ultimately, as more medical data is converted to digital form, it may be easier for patients to gain access. To use another banking analogy, medical records will be accessible just as we access our banks from an ATM - provide the right credentials, no matter where you are, and you can access the records. 

Until we reach that digital utopia, many challenges remain.  Many records remain on paper. Finding a particular record in a file room with hundreds of thousands of pages stored in tens of thousands of file folders can be challenging.  It will take many, many years to convert these to some electronic form, if ever attempted. More recently, the many different digital formats for health records that have accumulated over the years. Not all electronic records are migrated to the latest platforms. 

Privacy issues abound in the arena of medical records. The friction between HIPAA and the simplified delivery of care is ever present. Shipping paper records via mail has some risk, as does emailing them.  Encrypting digital records offers some security. Unfortunately, some will enclose the password for an encrypted record in the same package.  Finally, external patient portals to access records are also fraught with security risks.  Providers should make certain patients understand their role in protecting their records, but patients must make certain they act to protect their personal data.

In the end, all a provider can do is manage the records to which they have access and control. Patients likewise have a responsibility to maintain at least some narrative history of their medical past. The growth of personal medical record keeping systems makes it easier for patients to keep up with their own health information. Patients should remember, however, that health care providers cannot be liable for what the patient does with the medical record once the patient has it. If a patient stores his record on his smartphone, he assumes responsibility for its privacy and security.   

So while no one can provide “complete” records, or ensure “complete” security, by taking reasonable steps to provide the available data in a reasonably secure form, providers can aid those with the ultimate responsibility for keeping up with a patient’s medical history – the patient.