Patient Privacy Rights

Protecting Americans from health data harms


Your Patient Privacy Rights in Disability Insurance


In the U.S., privacy rights around disability insurance are a patchwork—shaped by a mix of federal laws, state regulations, and contract terms.

 

  1. Identify whether your disability insurance plan is covered by ERISA

    If your disability coverage is part of an employee benefit plan established or maintained by a private-sector employer or a union, it is covered by the Employee Retirement Income Security Act (ERISA). Common ERISA-covered plans include employer-sponsored long-term disability (insured or self-funded), employer-sponsored short-term disability when it is structured as a formal benefit plan, and disability benefits offered through a union plan.

    ERISA generally does not apply to: government employer plans (federal, state, or local); church plans (unless they elect ERISA coverage); plans maintained solely to comply with workers' compensation, unemployment compensation, or state disability insurance laws; certain salary-continuation "payroll practices" paid from an employer's general assets; and certain voluntary "safe harbor" arrangements (typically employee-paid policies offered at work) when there are no employer/union contributions, participation is completely voluntary, the employer does not endorse the program (beyond marketing and payroll deduction), and the employer receives no compensation beyond reasonable administrative costs.

    What to do: A quick way to tell in practice whether your plan is an ERISA plan is to look at the summary plan description. If it describes ERISA rights or appeals, names a Plan Administrator, and follows ERISA disability claims procedures, the plan is usually governed by ERISA. If you have an incident to report, please let us know.

  2. Your privacy rights in non-ERISA disability insurance plans

    If your disability insurance plan is not covered by ERISA, your patient privacy rights and legal protections are generally governed by state law and any contractual terms in the insurance policy.

    Non-ERISA disability plans include plans sponsored by government employers (federal, state, or local), plans sponsored by churches or religious organizations, and plans that cover only sole proprietors or certain partners.

    Most states have insurance privacy laws that:

    • Require notice about how your medical information will be used;
    • Restrict disclosure of health information to third parties without consent (with some exceptions for fraud detection, legal requirements, etc.);
    • Let you access, and give you some control over, the personal or health information in your file;
    • May impose limits on how long your medical data can be retained or used.

    What to do: Check your state department of insurance to see what specific privacy rights apply in your jurisdiction. If you have an incident to report, please let us know.

  3. Your patient privacy rights in your ERISA-covered disability insurance plan

    ERISA right to a full and fair review: For ERISA-covered plans, you have the right to clear denial reasons, a meaningful appeal process, and procedures designed to ensure a full and fair review.

    ERISA right to your claim file: You can request access to documents and information relevant to your claim, including the evidence the plan relied on—so you can respond effectively on appeal.

    ERISA right to sue after exhausting appeals: ERISA procedures generally cannot require more than two mandatory appeals before you may bring a civil action under ERISA Section 502(a).

    What to do: To protect your rights in an ERISA-covered disability plan:

    • Request Your Claim File in Writing: Submit a written request to the plan administrator or claims administrator asking for a copy of your entire claim file. This includes all documents, medical opinions, notes, internal guidelines, and communications used to evaluate your claim. You are entitled to review this information under ERISA to prepare an effective appeal.
    • Review the Denial Notice Carefully: Read the denial letter closely. ERISA requires the plan to provide specific reasons for denial, reference the plan terms relied upon, and describe any additional information needed to perfect the claim. Take notes on any vague or unsupported conclusions.
    • Prepare a Strong Appeal Within Deadlines: You generally have 180 days to appeal after a denial. Use this time to: (a) gather and submit additional medical or vocational evidence; (b) correct errors or misstatements in the plan's analysis; and (c) respond directly to any adverse opinions in the claim file. Clearly state how the denial was wrong or incomplete under the plan terms.
    • Assert Your Right to a Full and Fair Review: If the plan fails to follow ERISA claims procedures (e.g., fails to provide relevant documents, issues vague reasoning, or uses biased reviewers), you may be able to argue that you were denied a full and fair review. Document any such failures.
    • Understand When You Can File Suit: After exhausting the plan's internal appeals—usually no more than two rounds—you may consider bringing a civil action under ERISA Section 502(a). You need not submit more than two appeals, even if the plan asks you to.
    • Keep Detailed Records: Maintain copies of all correspondence, requests, medical records, denial letters, and appeal submissions. If your rights are violated, this paper trail can support your legal claims.
    • Seek Legal Help If Needed: If your appeal is denied or the insurer is not following ERISA procedures, consider contacting an attorney who specializes in ERISA disability claims. They can help you enforce your rights and potentially file suit in federal court.
    If you have an incident to report, please let us know.

  4. How HIPAA helps protect your health records when shared with disability insurers

    HIPAA (the Health Insurance Portability and Accountability Act) matters at your doctor's office. Even though the disability insurer isn't HIPAA-covered, your health care providers often are—and they typically need a valid written authorization from you to send medical records to a disability insurer as part of underwriting or a claim.

    What to do: When applying for disability insurance or submitting a claim, read any medical record authorization forms carefully. Your health care providers, as HIPAA-covered entities, generally need your valid written authorization before disclosing medical records to an insurer; an authorization must state what information is covered and who may receive it, so you can ask to narrow its scope and ask your provider exactly what will be shared. Keep copies of all signed forms and communications, and if you believe your information was disclosed improperly, consider filing a HIPAA complaint with the U.S. Department of Health and Human Services. If you have an incident to report, please let us know.

  5. How the Americans with Disabilities Act protects your medical privacy in the workplace

    If your medical information reaches your employer, the Americans with Disabilities Act limits internal sharing of that information. When an employer obtains employee medical information through disability-related inquiries or exams (or related processes), the Americans with Disabilities Act requires the employer to treat it as confidential, keep it in separate medical files, and limit who can see it: supervisors and managers may be told only about necessary work restrictions or accommodations; first aid and safety personnel may be told only what they need for emergency treatment; and government officials investigating compliance may be given the information on request.

    What to do: If you believe your employer has improperly shared or handled your medical information, document what happened, consider requesting clarification in writing about who has access to your records and why, and consider filing a complaint with the Equal Employment Opportunity Commission (EEOC) or your state fair employment agency. If you have an incident to report, please let us know.

  6. Your right to know when your consumer report impacts your insurance

    If the insurer uses a consumer report (including a credit report) and takes adverse action (denial or worse terms), you have rights to notice, a free copy of the report, and the ability to dispute errors under the Fair Credit Reporting Act. (See more about your patient privacy rights in credit reports).

    What to do: If you receive an adverse action notice, request and review your free copy of the consumer report within 60 days, check it carefully for inaccuracies or outdated information, dispute any errors with the consumer reporting agency in writing, and keep copies of all correspondence. If you believe your rights under the Fair Credit Reporting Act were not honored, consider filing a complaint with the Consumer Financial Protection Bureau. If you have an incident to report, please let us know.

  7. How the Gramm-Leach-Bliley Act Protects (and Shares) Your Personal Information in Insurance

    Many insurance companies are subject to the Gramm-Leach-Bliley Act (GLBA), which requires privacy notices and gives consumers a way to opt out of certain disclosures of nonpublic personal information to nonaffiliated third parties. GLBA also includes exceptions—situations in which a financial institution may share nonpublic personal information with certain nonaffiliated third parties without offering an opt-out. These exceptions generally fall into three main categories:

    • Service providers and joint marketing: Sharing with nonaffiliated vendors that perform services or functions for the institution (and with joint marketing partners), as long as the institution provides the required privacy notice and has a contract limiting the third party's use and disclosure of the information.
    • Processing and servicing transactions: Sharing as necessary to effect, administer, or enforce a transaction you request or authorize—such as processing or servicing a financial product, maintaining an account, or supporting securitization and other secondary-market activity tied to the transaction.
    • Other permitted disclosures (security, fraud, legal, and oversight): Sharing to protect the confidentiality or security of records; prevent fraud or unauthorized transactions; manage institutional risk; or resolve disputes and inquiries. Information may also be shared with parties who have a legal or beneficial interest, or who act in a fiduciary or representative capacity. In addition, GLBA permits sharing for oversight and professional services—such as with insurance rate advisory organizations, guaranty funds or agencies, rating agencies, compliance assessors, and the institution's attorneys, accountants, and auditors—and in certain government or legal-process contexts, subject to applicable rules.

    What to do: Review your insurer's privacy notice carefully to understand how your personal information may be shared and with whom; if the notice offers an opt-out for sharing with nonaffiliated third parties, follow the provided instructions to exercise that right. Ask your insurer for clarification about any sharing that falls under GLBA exceptions, and if you believe your information was improperly disclosed, consider filing a complaint with the Federal Trade Commission or your state insurance regulator. If you have an incident to report, please let us know.

  8. Your state-based rights to access and correct disability insurance records

    Your disability insurance policy and your state may provide additional rights to access and correct insurer-held information and other protections that apply to insurance transactions.

    What to do: Review your disability insurance policy for any provisions about accessing or correcting your personal information, and check your state's insurance laws—typically available through your state department of insurance—to learn what additional privacy and correction rights may apply to insurance transactions. Keep records of any requests you make, and if access or corrections are denied, ask about the insurer's internal appeals or complaint process. If you have an incident to report, please let us know.

 

Because disability insurance privacy protections come from multiple overlapping laws—ERISA, HIPAA, the Americans with Disabilities Act, federal consumer-reporting rules, GLBA, and state insurance law—understanding which rules apply to your situation is essential to protecting your health information, asserting your rights, and responding effectively when problems arise. To stay informed as rules and practices evolve and incidents occur, join our mailing list. And if you experience a concerning situation tied to your health information, please report the incident so we can track patterns and strengthen public accountability. Donate, as you are able, to support this work.

 


Note: The content above is general information for the public and is not legal advice for any specific situation. Rights and processes relevant to a particular situation can vary based on circumstances and additional state or federal laws.

This document was created and is maintained by PPR President Dr. Latanya Sweeney. Please share your feedback and let Dr. Sweeney know about the ways you've used it, and if you have any suggestions.

