
A survey published by the American Medical Association (AMA) last year reveals that patients are very concerned about the privacy of their medical information, perhaps more concerned than most physicians and practices are aware. As healthcare providers using the latest medical technology, we tend to view the ability to share information electronically with other providers and payers (and the ability to view and obtain records from care delivered elsewhere) as a good thing. Overall, I agree, but it is important that we understand our patients’ view of this sharing and privacy of their records.

The AMA survey of 1,000 patients delineates the comfort level of patients concerning the use of their medical records. Most tellingly, 92% of those surveyed believe privacy is a right and should not be available for purchase. While three quarters of people are “most comfortable” with data records shared with their provider/doctor’s office, a similar percentage are “least comfortable” with their data made accessible/shared with social media sites, big tech, or prospective employers.

Transparency and control

I recently went to a new doctor who gave me a list of medications he thought I was taking during his intake. He had obtained these, I believe, through “medication history” functionality available in his EHR (not NextGen), which uses both pharmacy fill data and information from insurance company pharmacy benefit management plans to see what medications patients are on. However, there was a medication on the list that I paid cash for and had specifically told my pharmacy not to put through my insurance. Now, this wasn’t an embarrassing medication (think antibiotic, not Viagra), but I was surprised that my data was made available to my doctor—and presented back to me for review—without my consent. When I asked where he’d gotten the list, he didn’t seem sure and said something like, “It just appears in the computer for me.”

So what should physicians and practices do?

Here are some points to consider to help us all avoid a big backlash over medical privacy from patients:

  • Understand where data in your EHR system comes from. It is unlikely these days that it was all entered by someone from your practice into your EHR. Did you convert from another system, and if so what does that data look like? Are you connected to a “medication history” service, or to a Health Information Exchange (HIE), or to Carequality or CommonWell—if so, do you import data from these sources and how does that appear in your system? Do you get electronic data directly from other providers or from your state? Could you recognize the “provenance” of the data if a patient asks, “How do you know that? Where’d you get that?”

  • Review your practice’s HIPAA (Health Insurance Portability and Accountability Act) privacy policy statement. You require that your patients sign that you have provided this to them annually, but does it include all the places you might be sending their medical information? Do you even know all the ways that medication information leaves your practice? Consider faxes to other providers, lawyers, insurance companies, direct messages, sharing with local or state HIEs or immunization registries, sharing with public health registries, connections to national networks like the eHealth Exchange, etc. Privacy laws vary by state and not all of these necessarily need to be explicit on the privacy practices statement, but it is worth an annual review of the document and a conversation at the practice level to ensure everyone knows the ways data might be shared externally.

  • If a patient asks, “I’d like a list of all the places you have sent or shared my medical records,” can your practice provide it? This is the spirit behind HIPAA, but are you using your EHR correctly to log these events and does your staff know how to review this log if a patient asks? Speaking of HIPAA, do you have policies in place and a way to police them for inappropriate access of patients’ medical records by staff? Could you answer a related patient request: “Tell me if [your employee] has ever looked at my medical records”?

Just as you have prepared for years to have conversations with patients about medical as well as mental and social health topics, be ready to address their concerns about the privacy of their medical records at your practice. 

Trust is key

If the medical community wants to keep the trust that patients have in us to protect their sensitive information, we need to ensure that we stay informed, proactive, and worthy of that trust.  

At NextGen Healthcare, we take the privacy of medical information seriously, even as we promote interoperability and sharing of medical information between providers to improve care. Find out more at


Robert Murry, PhD, MD, FAAFP

Chief Medical Officer

Dr. Robert (Bob) Murry joined NextGen Healthcare in July 2012 and was appointed chief medical officer in December 2021. He brings to this position more than 20 years of extensive clinical experience and background in health IT. Previously, Dr. Murry served as the company’s Chief Medical Information Officer (CMIO) since May 2017. During his time as CMIO, he was the "Voice-of-the-Physician" across specialties, product safety, and government/regulatory affairs. Before becoming CMIO, he was the company's vice president of Clinical Product Management, responsible for clinical oversight and workflow design.

Previously, Dr. Murry served as Medical Director for Ambulatory Informatics and CMIO for Hunterdon Medical Center, where he continues to practice family medicine at Hunterdon Family Medicine at Delaware Valley.

He is board certified in Clinical Informatics by the American Board of Preventive Medicine and board certified in Family Medicine by the American Board of Family Medicine. He is also a Fellow of the American Academy of Family Physicians. Dr. Murry holds an MD from The University of Texas Southwestern Medical Center, Dallas; a PhD in Physical Chemistry from Boston College; and an MA in Physical Chemistry from the Massachusetts Institute of Technology.