Can Health Insurance Companies Access Medical Records?

Between 2005 and 2019, healthcare data breaches affected more than 249 million people, and nearly two-thirds of them experienced the impact of data theft and loss during the last 5 years of the time frame. This illustrates how healthcare data breaches are becoming more and more frequent and why older adults need to be concerned about who has access to their personal data.

Knowing if health insurance companies have access to your medical records and understanding how laws protect your private medical information is an important first step in safeguarding your personal health data.

Do Health Insurance Companies Have Access to Your Medical Records?

Health insurance companies don't have access to your full medical records. No insurance company can contact a hospital or doctor and ask to see your full medical history. However, insurance companies do have the right to access specific medical information needed to perform key functions and provide services to you.

When Can Health Insurance Companies Access Your Medical Information?

The two most common circumstances in which health insurance companies can access your medical information are when they determine coverage eligibility and when they authorize payments for medical services.

Determining Coverage Eligibility

The Affordable Care Act made it illegal for health insurance companies to deny coverage or impose waiting periods for some preexisting conditions. However, you still need to respond truthfully if asked about your medical history on an application. As a part of the underwriting process, health insurance companies can obtain information from the Medical Information Bureau (MIB) to check the accuracy of their statements.

The MIB is a database primarily used for life insurance underwriting. It doesn't provide insurers with complete medical history. Instead, it lists codes that identify key medical data, such as if you have a chronic medical condition. Information stored by the MIB does not contain health insurance identification numbers, and the codes are highly confidential, making it unlikely that the data could be used by thieves to steal your identity.

Not everyone has an MIB Underwriting Services Consumer File. Healthcare providers can't provide information to the MIB without your approval, and any information submitted only remains in your file for 7 years. If an MIB Underwriting Services Files exists for you, you have the right to request a copy for free. If you find it contains errors, you can request to have the information changed by contacting the bureau.

Authorizing Payment

Your health insurance provider receives basic information from your medical providers to authorize payments when you file claims. Health insurance will only cover tests and treatments that are medically necessary and need basic medical information to make these determinations. As a result, billing departments for medical providers may tell your health insurance company about:

• Test results. If blood work, an X-ray or other test uncovers a condition, an illness or an injury that requires further treatment or follow-up appointments, your medical provider will share the results with the insurance company to demonstrate medical necessity. Providers also tell insurers when tests are performed, so you can receive help paying for them.
  
  
• Pertinent medical information. Your medical provider will only share as much information as needed to satisfy the insurance company's medically necessary criteria. For example, they may share a basic description of your symptoms or tell the insurance company about over-the-counter medications that you used before seeking additional treatments.
  
  
• Treatment details. Your insurance company will know about anything that your medical provider requests reimbursement for, such as procedures performed and office visits. Billing departments only provide basic details, such as when the appointment or procedure took place and for what purpose. Your health insurance company won't gain access to your medical records or your medical provider's notes about the visit or procedure.

Learn More About Medicare

Join our email series to receive your free Medicare guide and the latest information about Medicare.

Leave this field empty Sign me up!

By clicking "Sign me up!" you are agreeing to receive emails from HelpAdvisor.com

Thanks for signing up!

Your free Medicare guide is on the way.

Make sure to check your spam folder if you don't see it.

Is a Health Insurance Company Subject to HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It refers to a law passed in 1996 that establishes privacy rights for patients. It impacts how health insurance companies access, use, handle and store your sensitive medical information.

What Are the Three Rules of HIPAA and How Do They Impact Health Insurance?

HIPAA outlines three rules for safeguarding health information, and each impacts health insurance companies.

• Privacy rule: Health insurance companies can only share and obtain your medical information under certain circumstances. Insurers must make it clear to you how and when they will share and receive information and how they will use the information. Under the privacy rule, your medical information can only be shared when it is necessary for you to receive healthcare services or assistance paying for them through insurance. Your health insurance company must ask for your permission to access your medical information and normally does so when you apply for coverage.
  
  
• Security rule: Health insurance companies must take steps to protect your medical information. Insurers must develop security standards that comply with HIPAA laws to store and dispose of medical information in a way that reduces the risk of data theft.
  
  
• Breach notification rule: If a data breach does occur, HIPAA requires your health insurance provider to notify you. The company must tell you when the breach occurred and what information may have been shared or stolen.

How Does HIPAA Affect Other Entities?

HIPAA affects the following entities:

• You have the right to view your medical records at any time. If you make a records request, your medical provider must share the info within 30 days. Under HIPAA rules, the doctor can charge a nominal fee for copies of records or mailing them.
  
  
• Your family members. Due to HIPAA laws, your family members can't receive information about your medical history or current medical status unless you give permission or the individual has a power of attorney.
  
  
• Medical providers. According to the Department of Health and Human Services, your medical provider may share your medical information with another medical professional "only as needed for treatment" or if you provide permission in writing. Your written permission isn't required if the sharing of medical records is related to your treatment. If you need to see a specialist or are changing primary care doctors, you may be given a form to fill out to request the records transfer.
  
  
• The MIB and prescription databases can only obtain information about you if you give your consent. While you have the right to opt out, doing so may affect your ability to obtain health or life insurance coverage.

How Can I Protect My Medical Information?

To protect your medical information:

• Read privacy disclosures and authorization forms. Whenever your health insurance company or medical provider gives you a form to sign or a disclosure, read it carefully. If you don't understand the document, ask for clarification.
  
  
• Be careful about health-tracking apps. Before using an app to track your fitness, blood sugar levels or other medical information, read the privacy policy. While apps can't sell or share your medical info, some may share non-identifying information that allows other companies to market to you.
  
  
• Request copies of your medical records. Check your medical records at least once per year and report any errors.
  
  
• Use caution when communicating. Confirm the identity of anyone who contacts you by phone or email asking for medical information before you share details.