When individuals file disability claims, they often share highly sensitive personal and medical information with disability insurance companies. This includes diagnoses, mental health records, and treatment history. This information is critical for determining eligibility for disability benefits, but it must be handled with care to protect claimants’ privacy. Multiple federal and state laws establish confidentiality requirements for the handling and storage of medical data in the context of disability claims.
This blog post will explore the key federal and state privacy laws that govern the use and protection of medical information by disability insurance companies. It will also provide guidance on the responsibilities of insurers and the rights of claimants.
Federal Privacy Laws Governing Medical Information in Disability Claims
Several federal laws apply to the protection of medical information in disability claims, even though not all disability plans fall under the same legal frameworks. Here’s a breakdown of the most important federal laws related to privacy and disability claims.
1. Health Insurance Portability and Accountability Act (HIPAA)
While HIPAA is widely known for its strict privacy rules regarding health information, its applicability to disability insurance companies can be limited. HIPAA’s Privacy Rule protects the confidentiality of “protected health information” (PHI) held by “covered entities,” such as healthcare providers, health plans, and healthcare clearinghouses.
Disability insurance plans are typically income replacement plans. As a result, they are generally not considered health plans under HIPAA and are not directly subject to its requirements. However, if a disability plan includes medical benefits, HIPAA’s Privacy Rule may apply to those specific components. Additionally, if a disability insurance company handles medical information in coordination with a health insurance plan, HIPAA regulations may apply.
Even when HIPAA does not apply, insurers are subject to other privacy rules discussed below.
2. Americans with Disabilities Act (ADA)
The ADA offers broad protections for individuals with disabilities, including privacy safeguards for medical information obtained through disability-related inquiries. Under the ADA, employers and insurance companies are required to keep all medical information obtained for disability determinations confidential. This information must be kept in separate files from regular personnel records and shared only with supervisors who need it to arrange accommodations or with government officials investigating ADA compliance.
In the disability claims context, insurers must handle medical information carefully, ensuring it is used only for relevant purposes and is not improperly disclosed.
3. Genetic Information Nondiscrimination Act (GINA)
GINA prohibits the use of genetic information in making employment or health insurance decisions. Although it primarily governs genetic discrimination, it includes strict provisions regarding the confidentiality of genetic information. If a disability insurance company collects any genetic information, including family medical histories, GINA mandates confidentiality. The law permits disclosure only in very limited situations.
4. Employee Retirement Income Security Act (ERISA)
While ERISA itself does not directly mandate confidentiality of medical information, it imposes fiduciary duties on plan administrators to act in the best interest of participants. Disability plans that fall under ERISA must protect the privacy of medical information as part of this fiduciary duty. Additionally, plan documents and insurance contracts may specify additional confidentiality requirements.
In practice, ERISA may require that disability insurance companies implement reasonable safeguards to protect sensitive information from unauthorized access or disclosure.
5. Family and Medical Leave Act (FMLA)
Though the FMLA is primarily concerned with job-protected leave for medical and family reasons, it also contains provisions related to the confidentiality of medical records. Any medical certifications or documentation obtained for FMLA leave must be kept in a confidential file, separate from the employee’s personnel file. If a disability insurance company becomes involved in collecting or storing such information, it must comply with these confidentiality requirements.
State Privacy Laws Governing Medical Information in Disability Claims
In addition to federal laws, state-level privacy laws impose further requirements on how medical information is handled in disability claims. Some states have stronger privacy protections than others, and insurance companies operating in those states must comply with both state and federal regulations.
1. Illinois Mental Health and Developmental Disabilities Confidentiality Act
The Illinois Mental Health and Developmental Disabilities Confidentiality Act provides strict protections for the confidentiality of mental health records. This law applies to records related to mental health services provided by licensed mental health professionals. The Act does not directly regulate disability insurance companies. However, when disability claims involve mental health records, the Act’s confidentiality requirements still apply to those records. Insurers must ensure that any mental health treatment information is protected and only shared under legally authorized circumstances.
2. Illinois Personal Information Protection Act (PIPA)
Illinois’ PIPA requires businesses, including insurance companies, to implement safeguards to protect personal information, including medical records. Under PIPA, if a disability insurance company collects or stores medical information, it must take reasonable measures to protect it from unauthorized access, such as through encryption or secure storage systems. Additionally, PIPA mandates that companies notify affected individuals in the event of a data breach involving their personal or medical information.
Similar laws are in place in other states, imposing similar obligations on insurers to secure personal and medical data.
3. California Consumer Privacy Act (CCPA)
The CCPA is one of the most comprehensive privacy laws in the U.S., applying broadly to how businesses collect, store, and use personal information. Disability insurance companies operating in California must comply with the CCPA if they meet certain thresholds. Under the CCPA, individuals have the right to know what personal information is being collected about them, the right to request its deletion, and the right to opt out of its sale.
While medical information already covered under HIPAA is exempt from the CCPA, disability insurance companies must still carefully handle other types of personal information under this law. For example, medical information that is not directly related to healthcare services may fall under the CCPA’s protections.
4. New York SHIELD Act
The New York SHIELD Act requires businesses that handle the private information of New York residents to adopt reasonable security measures to protect that data. For disability insurers, this means implementing administrative, technical, and physical safeguards to protect sensitive medical records from unauthorized access. In the event of a breach, the SHIELD Act also mandates prompt notification to affected individuals.
Practical Steps Claimants Can Take to Protect Their Privacy
These laws prohibit redisclosure of medical records without permission. However, claimants may waive their rights by allowing insurers to share information with third parties such as employers or the Social Security Administration. For this reason, it is important to carefully read all authorization forms provided to you by your insurer prior to signing and to scratch out and initial any changes you deem necessary to protect your privacy.
Alternatively, you can assume total responsibility for obtaining and submitting medical records on your own behalf, thereby ensuring that only those records you want considered are submitted and avoiding having to sign an authorization form altogether.
If you are concerned about a disability insurer accessing your medical records and you have already given the insurer permission to do so, you may revoke that authorization directly with the provider using the following template:
Revocation of HIPAA Authorization
I, [Your Name], hereby revoke my authorization for [Provider Name] to use or disclose my protected health information (PHI) as previously authorized. I understand that this revocation will not affect any actions taken before the date of this revocation. Please discontinue any further use or disclosure of my PHI as of the date below, except as required by law.
Patient Name: [Your Name]
Date of Birth: [Your DOB]
Provider Name: [Provider Name]
Effective Date of Revocation: [Date]
Signature: ___________________
Date: ___________________
Key Takeaways to Protect Privacy in Disability Insurance Claims
Disability insurance companies are entrusted with sensitive medical information that must be protected in accordance with various federal and state laws. Failure to comply with these regulations can lead to legal penalties, loss of consumer trust, and potential lawsuits. While HIPAA may not always apply, other laws such as the ADA, GINA, ERISA, and state-specific laws impose significant privacy obligations. Together, these laws ensure that claimants’ medical information remains confidential, restricting unauthorized access and improper disclosures. Insurers must take appropriate measures to safeguard this information, ensuring compliance with legal requirements and maintaining the trust of claimants.
By understanding and adhering to these privacy laws, disability insurers can effectively protect the rights and confidentiality of individuals seeking disability benefits. Claimants should also take proactive steps to safeguard their medical information, review authorization forms carefully, and stay informed about their privacy rights under these laws.