The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. It was intended to protect health insurance coverage for workers and their families when members changed jobs, and it establishes security protections for the submission of electronic health care transactions involving health insurance plans and employers.
Title II, known as the Administrative Simplification (AS), addresses the security and privacy of health data by setting standards for electronic submission of patient medical data.
Unfortunately, the AS also specifically excludes disability insurers from being defined as “a covered entity” or “health plan” by excluding “any policy, plan or program to the extent it provides or pays for the cost of, excepted benefits, i.e. coverage only for accident or disability income insurance.”
Also excluded are:
Coverage only for accident, or disability income insurance, or any combination thereof.
Coverage issued as a supplement to liability insurance.
Liability insurance, including general liability insurance and automobile liability insurance.
Workers’ compensation or similar insurance.
Automobile medical payment insurance.
Coverage for on-site medical clinics.
Other similar insurance coverage, specified in regulations, under which benefits for medical care are secondary or incidental to other insurance benefits.
What this means to persons with disability insurance is that disability insurance companies are not “covered entities” under HIPAA and therefore are not required to comply with HIPAA’s security measures to safeguard “protected health information”. “Covered entities” defined by HIPAA include: 1) health plans, 2) health care clearinghouses and 3) health care providers who transmit patient information electronically.
Therefore, when Unum, for example, states HIPAA has no jurisdiction over disability, it is correct. However, under HIPAA’s Privacy Rule all physicians must protect all “individually identifiable health information” whether it is stored electronically, on paper or spoken. Protected health information (PHI) under HIPAA includes patient data related to a patient’s “past, physical or mental health, the providing of care and/or payment of care.”
Medical care providers (treating physicians) may disclose complete PHI (Protected Health Information) to organizations not subject to the Privacy Rule as long as the insured has signed a HIPAA compliant authorization. (45 CFR 164.508)
HIPAA allows disability insurers to seek, and providers to disclose, an insured’s entire medical record if the Authorization clearly states the entire medical record is to be disclosed, e.g. “I authorize you to disclose my entire medical record.”
Although Unum (and other insurers) allege their Authorizations are HIPAA compliant, the wording does not specifically state “my entire medical file”, nor do the Auths specifically give permission to vocalize patient medical information telephonically, as in a doc-to-doc call.
The intent of HIPAA’s compliant Authorizations is to allow the release of medical records “related to the claimed disability only” and not all patient records in existence unless specifically stated in the Authorization.
I received a call from a former Medical Director with a Unum claim (denied on appeal) who stated his research revealed Unum’s Authorizations were not “explicit” enough to allow physicians to give out medical information on the phone. This may mean treating physicians should reconsider when contacted by Unum (or other insurers) for phone interviews.
Unum Authorizations presented to treating physicians as permission to “speak” with Unum’s docs may not be HIPAA compliant. Certainly, the current Authorizations do not specifically state “entire medical files can be released”.
What most disability insureds do not realize is that once medical patient data is released to a “non-covered entity”, the data loses its HIPAA protection. In other words, once patients’ records are released to a disability insurer, there is no HIPAA protection. This is why one cardiologist online referred to HIPAA as “useless” protection for disability insureds.
Bottom line, disability insurers may be using what they allege are HIPAA compliant Authorizations to obtain “entire medical files”, psychotherapy notes (which are specifically excluded), and doc-to-doc calls which are not explicitly described directly in the Authorization.
Further, it is important for insureds and claimants to understand HIPAA protection does not apply to disability insurers and therefore once medical records are released, HIPAA protection is lost.
Within the next five years all medical patient data will be required to be maintained electronically. In the meantime, privacy protection has not been afforded to those with private disability insurance, further indicating the power, money and influence of the insurance lobby.
While disability insurers are not forced to be compliant with HIPAA regulations, treating physicians are, and therefore insureds can protect their patient information by designating patient records as PHI and advising physicians as to what information can be released and what can’t.
Disability insurers do have a right to obtain medical records and support for the “claimed disability”, and patient data directly related to the disability should be released. It’s entirely a different matter, however, when “entire patient files” are requested, or patient information is transmitted vocally on the phone, as in a doc-to-doc call.
Insureds should be knowledgeable about all issues affecting their disability claims and HIPAA is indeed at the top of the list in order to protect the privacy of certain patient records.