What is the law that requires insurers to disclose information?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.

HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English and option for Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

HIPAA Right of Access Infographic

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

• Your Health Information, Your Rights!

HIPAA General Fact Sheets

Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations "covered entities."

Covered entities include:

• Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

• Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
• Companies that help administer health plans
• People like outside lawyers, accountants, and IT specialists
• Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.

Who Is Not Required to Follow These Laws

Many organizations that have health information about you do not have to follow these laws.

Examples of organizations that do not have to follow the Privacy and Security Rules include:

• Life insurers
• Employers
• Workers compensation carriers
• Most schools and school districts
• Many state agencies like child protective service agencies
• Most law enforcement agencies
• Many municipal offices

What Information Is Protected 

• Information your doctors, nurses, and other health care providers put in your medical record
• Conversations your doctor has about your care or treatment with nurses and others
• Information about you in your health insurer’s computer system
• Billing information about you at your clinic
• Most other health information about you held by those who must follow these laws

How This Information Is Protected

• Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
• Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
• Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
• Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to: 

• Ask to see and get a copy of your health records
• Have corrections added to your health information
• Receive a notice that tells you how your health information may be used and shared
• Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
• Request that a covered entity restrict how it uses or discloses your health information
• Get a report on when and why your health information was shared for certain purposes
• If you believe your rights are being denied or your health information isn’t being protected, you can

You should get to know these important rights, which help you protect your health information.

You can ask your provider or health insurer questions about your rights.

Learn more about your health information privacy rights.

Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

• For your treatment and care coordination
• To pay doctors and hospitals for your health care and to help run their businesses
• With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
• To make sure doctors give good care and nursing homes are clean and safe
• To protect the public's health, such as by reporting when the flu is in your area
• To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot:

• Give your information to your employer
• Use or share your information for marketing or advertising purposes or sell your information

Table of Contents:

If you use consumer reports to underwrite insurance policies or screen high-risk applicants, you must comply with the Fair Credit Reporting Act (FCRA).

The FCRA is designed to protect the privacy of consumer report information — sometimes informally called “credit reports” — and to guarantee that information supplied by consumer reporting agencies (CRAs) is as accurate as possible.

Consumer reports may include information about a person’s credit history, medical conditions, driving record, criminal activity, and even their participation in dangerous sports.

Insurer Obligations

You must have a permissible purpose before obtaining a consumer report — generally, that the report will be used in connection with the underwriting of insurance involving the consumer or with the consumer’s permission (§ 604) — and must take certain steps after you take an adverse action based on information in the report.

Getting and Using Medical Information

If you need a consumer report that has medical information, you must get the applicant’s
permission before the CRA can issue the report. § 604(g)(1)(A). You may share the medical information only to carry out the transaction for which the report was obtained, or as permitted by law. § 604(g)(4).

Adverse Action Notice

When an adverse action is taken — for example, when insurance is denied, rates are increased or a policy is terminated — and the decision  is based partly or completely on information in a consumer report, Section 615(a) of the FCRA requires you to provide a notice of the adverse action to the consumer. The notice must include:

• the name, address and telephone number of the CRA that supplied the consumer report, including the toll-free telephone number for the CRA if it maintains files nationwide;
• a statement that the CRA that supplied the report didn’t make the decision to take the adverse action and can’t give the specific reasons for it; and
• a notice of the individual’s right to dispute the accuracy or completeness of any information the CRA furnished, and the person’s right to a free report from the CRA, within 60 days, if the person asks for it.

Disclosure of this information is important because some consumer reports may have errors. The adverse action notice is required even if information in the consumer report wasn’t the primary reason for the denial, rate increase, or termination. Even if the information in the report played only a small part in the overall decision, the applicant must be notified.

While adverse action notices are not required to be in writing, many insurers provide them in writing and keep copies for two years to prove compliance with the FCRA.

Examples
These situations show when an adverse action notice must be given to insurance applicants.

A life insurance company orders a consumer report from the Medical Information Bureau (MIB), a CRA. Information in the MIB report leads to further investigation of the applicant. The application for insurance is rated or declined because of information learned from the investigation, whether the decision was based partly or completely on the information.

Section 604(g) of the FCRA requires an insurance company or any other user of medical information to get the consumer’s consent — orally, electronically or in writing — before getting medical information. That means the life insurance company in this situation would have to have obtained the consumer’s consent before getting the consumer report from the MIB. In addition, since the MIB report was part of the basis for the adverse decision in this case, the Section 615(a) adverse action notice described above must be sent to the consumer.

A person with an unfavorable credit history, say, due to  a bankruptcy, is denied automobile insurance at standard rates. Although the credit history was considered in the decision, the applicant’s limited driving experience was a more important factor.

The applicant is entitled to the Section 615(a) adverse action notice because the credit report played a part — even a small one — in the insurer’s decision to charge a higher premium.

An insurance company orders a consumer report on an existing policyholder to make sure the policyholder continues to qualify for the coverage in the policy. The insurance company learns that the consumer’s credit history has declined since the policy was written originally, and raises the consumer’s premiums.

The applicant is entitled to a Section 615(a) adverse action notice, because “adverse action” includes an increase in the charge for existing insurance or another unfavorable change in the terms of existing insurance, such as the amount of coverage or the policy’s terms.
§ 603(k)(1)(B)(i).

Disposing of Consumer Report Information

When you finish using a consumer report, you must securely dispose of the report and any information you gathered from it. That means burning, pulverizing or shredding paper documents, and disposing of electronic information so that it can't be read or reconstructed. For more information, see Disposing of Consumer Report Information? Rule Tells How.

Other Considerations

If you report information, like a consumer’s insurance claims, to a CRA, you have legal obligations under the FCRA’s Furnisher Rule. Your responsibilities include:

• furnishing information that is accurate and complete, and
• investigating consumer disputes about the accuracy of information you provide.

For more information, see Consumer Reports: What Information Furnishers Need to Know.

Non-Compliance

If you don’t comply with the FCRA, you may be sued by the FTC, Consumer Financial Protection Bureau (CFPB), state governments, or in some cases, consumers. The FCRA provides for maximum penalties of $4,367 per violation in the case of lawsuits brought by the FTC. FCRA Sections 616, 617, 621

Your Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a video, How to Report Fraud at ReportFraud.ftc.gov, to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

[Note: Edited January 2022 to reflect Inflation-Adjusted Civil Penalty Maximums.]