Patient Privacy Rights

Protecting Americans from health data harms


Your Patient Privacy Rights in Auto Insurance

Explore Your Patient Privacy Rights in Context

 

In the U.S., auto insurers are property and casualty insurers. Their medical-pay and accident coverage is not covered under the health insurance rules set by HIPAA (the Health Information Portability and Accountability Act) because they are not a health plan. That said, HIPAA still applies to your healthcare providers, because they are the primary source of your personal health information to auto insurers. So, your authorizations are the main control point.

 

  1. Your HIPAA Privacy Rights When Medical Information Is Shared with Auto Insurance

    Auto insurers commonly ask you to sign medical-record authorizations for underwriting (sometimes to be covered) or, more often, for claims (e.g., for medical payments, or reports of bodily injury). Even though the insurer isn't HIPAA-covered, your healthcare providers are, and your authorized releases are usually how your records get transmitted.

    Under HIPAA, your healthcare provider and health plan may disclose your personal health information as authorized by you or to the extent necessary to comply with your auto insurance needs. Your healthcare providers are expected to apply "minimum necessary" practices for routine workers' compensation disclosures, often using standard protocols.

    With your healthcare provider being covered under HIPAA, you have important privacy rights, including:

    • Right to a Notice of Privacy Practices explaining how the plan may use and share your protected health information and what rights you have.
    • Right to access your records—to inspect and obtain a copy of the health information the plan holds about you. Limited exceptions include psychotherapy notes and information compiled for legal proceedings (prepared in anticipation of, or for use in, a civil, criminal, or administrative action), though you may still be able to access the underlying records. Other limited denial situations can include certain correctional settings, temporary research-related suspensions you agreed to, information restricted by another law, or information obtained from a non-health care provider under a promise of confidentiality. In rare cases, access may be denied (or denied subject to review) if access is likely to endanger someone's life or physical safety or cause substantial harm, including in some situations involving a personal representative.
    • Right to request a correction or amendment to health information the plan maintains about you.
    • Right to an accounting of disclosures of your health information made in the prior six years (with the major exception of disclosures made for treatment, payment, and health care operations).
    • Right to request restrictions on certain disclosures, including a special right to restrict disclosure to a health plan for a service you pay for out of pocket in full.
    • Right to request confidential communications, such as being contacted at a different address or phone number, or through a safer method.
    • Right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your plan violated HIPAA's privacy or security rules.

    What to do: When your medical information is being shared for auto insurance purposes, read any authorization forms carefully and limit them to what's required by your state's auto insurance law; ask your health care provider what information will be disclosed and under what authority, request that "minimum necessary" standards be applied, keep copies of all authorizations and communications, and if you believe your information was disclosed more broadly than permitted, consider filing a HIPAA complaint with the U.S. Department of Health and Human Services. If you have an incident to report, please let us know.

  2. How the Gramm-Leach-Bliley Act Protects (and Shares) Your Personal Information in Insurance

    Many insurance companies are subject to the Gramm-Leach-Bliley Act (GLBA), which requires privacy notices and gives consumers a way to opt out of certain disclosures of nonpublic personal information to nonaffiliated third parties. GLBA also includes exceptions—situations in which a financial institution may share nonpublic personal information with certain nonaffiliated third parties without offering an opt-out. These exceptions generally fall into three main categories:

    • Service providers and joint marketing: Sharing with nonaffiliated vendors that perform services or functions for the institution (and with joint marketing partners), as long as the institution provides the required privacy notice and has a contract limiting the third party's use and disclosure of the information.
    • Processing and servicing transactions: Sharing as necessary to effect, administer, or enforce a transaction you request or authorize—such as processing or servicing a financial product, maintaining an account, or supporting securitization and other secondary-market activity tied to the transaction.
    • Other permitted disclosures (security, fraud, legal, and oversight): Sharing to protect the confidentiality or security of records; prevent fraud or unauthorized transactions; manage institutional risk; or resolve disputes and inquiries. Information may also be shared with parties who have a legal or beneficial interest, or who act in a fiduciary or representative capacity. In addition, GLBA permits sharing for oversight and professional services—such as with insurance rate advisory organizations, guaranty funds or agencies, rating agencies, compliance assessors, and the institution's attorneys, accountants, and auditors—and in certain government or legal-process contexts, subject to applicable rules.

    What to do: Review your insurer's privacy notice carefully to understand how your personal information may be shared and with whom; if the notice offers an opt-out for sharing with nonaffiliated third parties, follow the provided instructions to exercise that right. Ask your insurer for clarification about any sharing that falls under GLBA exceptions, and if you believe your information was improperly disclosed, consider filing a complaint with the Federal Trade Commission or your state insurance regulator. If you have an incident to report, please let us know.

  3. Your right to know when your consumer report impacts your insurance

    If the insurer uses a consumer report (including a credit report) and takes adverse action (denial or worse terms), you have rights to notice, a free copy of the report, and the ability to dispute errors under the Fair Credit Reporting Act. (See more about your patient privacy rights in credit reports).

    What to do: If you receive an adverse action notice, request and review your free copy of the consumer report within 60 days, check it carefully for inaccuracies or outdated information, dispute any errors with the consumer reporting agency in writing, and keep copies of all correspondence. If you believe your rights under the Fair Credit Reporting Act were not honored, consider filing a complaint with the Consumer Financial Protection Bureau. If you have an incident to report, please let us know.

  4. Your state-based rights to access and correct auto insurance records

    Your auto insurance policy and your state may provide additional rights to access and correct insurer-held information and other protections that apply to insurance transactions.

    What to do: Review your auto insurance policy for any provisions about accessing or correcting your personal information, and check your state's insurance laws—typically available through your state department of insurance—to learn what additional privacy and correction rights may apply to insurance transactions. Keep records of any requests you make, and if access or corrections are denied, ask about the insurer's internal appeals or complaint process. If you have an incident to report, please let us know.

 

Taken together, these rights and safeguards are meant to help you get the coverage you need without signing away more of your medical privacy than the situation truly requires—so when auto insurance asks for health information, your best protection is to stay informed, limit authorizations, and keep a clear paper trail. To stay informed as rules and practices evolve and incidents occur, join our mailing list. And if you experience a concerning situation tied to your health information, please report the incident so we can track patterns and strengthen public accountability. Donate, as you are able, to support this work.

 


 

Note: The content above is general information for the public and is not legal advice for any specific situation. Rights and processes relevant to a particular situation can vary based on circumstances and additional state or federal laws.

This document was created and is maintained by PPR President Dr. Latanya Sweeney. Please share your feedback and let Dr. Sweeney know about the ways you've used it, and if you have any suggestions.

