The main subject of medical privacy is the 'medical record' which historically has been a paper file of the entire medical history of the patient. Various electronic forms of medical records have existed in western countries, but mostly in an unintegrated fashion. This lack of integration has in a large part facilitated privacy. While the patient's General Practitioner (GP) often generates and holds much data, copies can end up being produced at hospitals and other care facilities - often resulting in errors. By 1999 62% of the British National Health Service (NHS) trusts used electronic records, to some degree.

In 2003 the NHS has taken moves to create a centralised electronic registry of medical records. Its privacy is protected by the UK's Government Gateway, built by Microsoft. The programme is called Electronic Records Development and Implementation Programme (ERDIP).

Privacy is based on patients' rights in the UK, flowing from the European Convention of Human Rights through the Data Protection Act (DPA) in the UK. The opposing point of view that access is on a 'need to know basis' is not legal, it is the patient who must grant access.

In the USA, the Medical Information Privacy and Security Act (MIPSA) is the new development. It contains important provisions requiring accesses to generate an audit trail, and for patients to be able to partition their data so that for example genetic information is not revealed when they go for a flu jab. Individuals have a right to access, copy, edit and augment their information.