Heathcare Record Terms of Access

Privacy Protection by Contract

Electronic Medical Record

Some fear the law will not accord adequate privacy to healthcare records managed by non-healthcare companies like Google. I have argued that legal terms posted by a patient in (or in relation to) the patient's healthcare record can enhance legal privacy.

For the sake of public discussion, here is a humble example of what the terms might provide:


Healthcare Record Terms of Access

Declared and Agreed by Patient

1. I, the patient, have granted one or more third parties (the "Record Manager") power over this record. I have done so because I believe it is beneficial to me relative to my health.

2. These Terms of Access are communicated to anyone, including the Record Manager, accessing or possessing power to access my information in this record.

3. This record may contain my personal healthcare information.

4. These Terms of Access apply to you ("You") unless you are a "covered entity" under the Healthcare Insurance Portability and Accountability Act (HIPAA). You could include the Record Manager.

5. You agree to these Terms of Access, and You agree to abide by them, by doing either of the following:

(a) accessing this record, or

(b) availing Yourself to the conveniences afforded by the Record Manager’s power over this record.

6. I am entitled to privacy for my information in or discerned from this record ("My Information").

7. You agree to keep My Information private and confidential, consistent with norms for covered entities under HIPAA.

8. You agree to give me at least 6-months advance notice (delivered via first-class mail, postage-prepaid) before You change Your privacy policy relative to My Information.

9. You agree to give me notice (delivered via priority US mail, postage-prepaid) before You comply with a subpoena (or similar order) seeking access to My Information.

10. The fact that the Record Manager possesses power over this record does not undermine the legal privileges accorded communications between me and my healthcare providers.

11. You may deviate from these Terms of Access only if:

(a) I agree in a document – printed on paper – and signed by me in ink or by voice signature;

(b) The document clearly explains the deviation to me in plain English; and

(c) From all the circumstances, including the signed document, compelling evidence exists that I knowledgeably and voluntarily approved the deviation.


Again, I post this form language just for the purpose of public discussion. These terms are not necessarily complete. Before relying on terms like the above, you may want to seek legal advice. What I say here is not a substitute for legal advice. If you need advice, you should consult a lawyer.

As I learn more about this topic, and hear comments, I may revise what I've posted above. So check back.

--Benjamin Wright


  1. Nice blog but I have a question. How can I patient have control over his record if he don't touch it. also what will happen if any one read that record, I don't think that it will be a big thing.

    again Nice blog


  2. la7oon asked a question: "How can [a] patient have control over his record if he [can't] touch it"?

    I suspect there are and will be many, many kinds of electronic patient records. Some may give patients more direct control over the content of their records than others. If a patient can insert words into his record, then he might insert "terms of use" as I have suggested. http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html

    Now, if the patient is unable to insert terms into his record, it might be possible for him effectively to communicate the terms just by publishing them in a relevant web site that he does control. I have previously cited the Greer v. 1-800-FLOWERS.COM case for the idea that terms published on a web site might impact a contractual relationship that does not directly involve the web site. For more on extreme contract law, see http://hack-igations.blogspot.com/2008/01/robot-surveillance-contracts.html

    [Again, nothing I say on this or any other blog is legal advice for anyone, just a contribution to public discourse.] --Ben