Patient Privacy Rights

Protecting Americans from health data harms


Your Patient Privacy Rights in Long-term Care Insurance

Explore Your Patient Privacy Rights in Context

 

In the U.S., your patient privacy rights in long-term care insurance depend on whether the insurer or product qualifies as a HIPAA-covered health plan. Regardless, your information is also governed by financial, insurance, and state privacy laws.

 

  1. Your HIPAA privacy rights in long-term care insurance

    HIPAA (the Health Insurance Portability and Accountability Act) is a U.S. federal law that sets national standards for protecting the privacy and security of health information held by health care providers, health plans, labs, and their contractors. It includes the parties involved in the delivery of your healthcare and its billing.

    Under HIPAA's regulations, a "health plan" includes an issuer of a long-term care policy, excluding a nursing home fixed indemnity policy. As a result, many long-term care insurance issuers are HIPAA-covered health plans. However, HIPAA also excludes from "health plan" any policy to the extent it provides "excepted benefits" under federal law, so whether a particular long-term care product is HIPAA-covered can depend on the specific policy design. If you're dealing with a specific long-term care policy, the simplest move is to ask the insurer in writing whether it is a HIPAA-covered health plan for that product and request the relevant privacy notices.

    When your insurer is a HIPAA-covered health plan, you have important privacy rights, including:

    • Right to a Notice of Privacy Practices explaining how the plan may use and share your protected health information and what rights you have.
    • Right to access your records—to inspect and obtain a copy of the health information the plan holds about you. Limited exceptions include psychotherapy notes and information compiled for legal proceedings (prepared in anticipation of, or for use in, a civil, criminal, or administrative action), though you may still be able to access the underlying records. Other limited denial situations can include certain correctional settings, temporary research-related suspensions you agreed to, information restricted by another law, or information obtained from a non-health care provider under a promise of confidentiality. In rare cases, access may be denied (or denied subject to review) if access is likely to endanger someone's life or physical safety or cause substantial harm, including in some situations involving a personal representative.
    • Right to request a correction or amendment to health information the plan maintains about you.
    • Right to an accounting of disclosures of your health information made in the prior six years (with the major exception of disclosures made for treatment, payment, and health care operations).
    • Right to request restrictions on certain disclosures, including a special right to restrict disclosure to a health plan for a service you pay for out of pocket in full.
    • Right to request confidential communications, such as being contacted at a different address or phone number, or through a safer method.
    • Right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your plan violated HIPAA's privacy or security rules.

    HIPAA-covered health plans:

    • Cannot impose preexisting-condition exclusions for covered individuals.
    • Cannot discriminate based on "health factors" when setting eligibility, benefits, or premiums in most group health plan contexts. "Health factors" include health status, medical condition (physical or mental), claims experience, receipt of health care, medical history, genetic information, and disability.

    What to do: Ask your plan for its Notice of Privacy Practices, request a copy of your records (and correct errors), use confidential communications if needed, get an accounting of disclosures if appropriate, and file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your HIPAA rights were violated. If you have an incident to report, please let us know.

     

  2. Your HIPAA rights when providers share medical records with long-term care insurers

    Even when the long-term care insurer itself isn't HIPAA-covered, your health care providers usually are—and they generally need your valid written authorization to send medical records to an insurer for underwriting or a claim. So you still have leverage at the source.

    What to do: Read any medical-record authorization carefully before signing, limit it to the specific records and time period needed, and ask your health care provider what will be disclosed; keep copies of all authorizations, and if records are shared beyond what you approved, consider filing a HIPAA complaint with the U.S. Department of Health and Human Services. If you have an incident to report, please let us know.

  3. How the Gramm-Leach-Bliley Act protects (and shares) your personal information in insurance

    Many insurance companies are subject to the Gramm-Leach-Bliley Act (GLBA), which requires privacy notices and gives consumers a way to opt out of certain disclosures of nonpublic personal information to nonaffiliated third parties. GLBA also includes exceptions—situations in which a financial institution may share nonpublic personal information with certain nonaffiliated third parties without offering an opt-out. These exceptions generally fall into three main categories:

    • Service providers and joint marketing: Sharing with nonaffiliated vendors that perform services or functions for the institution (and with joint marketing partners), as long as the institution provides the required privacy notice and has a contract limiting the third party's use and disclosure of the information.
    • Processing and servicing transactions: Sharing as necessary to effect, administer, or enforce a transaction you request or authorize—such as processing or servicing a financial product, maintaining an account, or supporting securitization and other secondary-market activity tied to the transaction.
    • Other permitted disclosures (security, fraud, legal, and oversight): Sharing to protect the confidentiality or security of records; prevent fraud or unauthorized transactions; manage institutional risk; or resolve disputes and inquiries. Information may also be shared with parties who have a legal or beneficial interest, or who act in a fiduciary or representative capacity. In addition, GLBA permits sharing for oversight and professional services—such as with insurance rate advisory organizations, guaranty funds or agencies, rating agencies, compliance assessors, and the institution's attorneys, accountants, and auditors—and in certain government or legal-process contexts, subject to applicable rules.

    What to do: Review your insurer's privacy notice carefully to understand how your personal information may be shared and with whom; if the notice offers an opt-out for sharing with nonaffiliated third parties, follow the provided instructions to exercise that right. Ask your insurer for clarification about any sharing that falls under GLBA exceptions, and if you believe your information was improperly disclosed, consider filing a complaint with the Federal Trade Commission or your state insurance regulator. If you have an incident to report, please let us know.

  4. Your right to know when your consumer report impacts your insurance

    If the insurer uses a consumer report (including a credit report) and takes adverse action (denial or worse terms), you have rights to notice, a free copy of the report, and the ability to dispute errors under the Fair Credit Reporting Act. (See more about your patient privacy rights in credit reports.)

    What to do: If you receive an adverse action notice, request and review your free copy of the consumer report within 60 days, check it carefully for inaccuracies or outdated information, dispute any errors with the consumer reporting agency in writing, and keep copies of all correspondence. If you believe your rights under the Fair Credit Reporting Act were not honored, consider filing a complaint with the Consumer Financial Protection Bureau. If you have an incident to report, please let us know.

  5. Your state-based rights to access and correct long-term care insurance records

    Your long-term care policy and your state may provide additional rights to access and correct insurer-held information and other protections that apply to insurance transactions.

    What to do: Review your long-term care policy for any provisions about accessing or correcting your personal information, and check your state's insurance laws—typically available through your state department of insurance—to learn what additional privacy and correction rights may apply to insurance transactions. Keep records of any requests you make, and if access or corrections are denied, ask about the insurer's internal appeals or complaint process. If you have an incident to report, please let us know.

 

Understanding your patient privacy rights in long-term care insurance empowers you to safeguard your medical information, hold insurers accountable, and take action when your rights are at risk. To stay informed as rules and practices evolve and incidents occur, join our mailing list. And if you experience a concerning situation tied to your health information, please report the incident so we can track patterns and strengthen public accountability. Donate, as you are able, to support this work.

 


Note: The content above is general information for the public and is not legal advice for any specific situation. Rights and processes relevant to a particular situation can vary based on circumstances and additional state or federal laws.

This document was created and is maintained by PPR President Dr. Latanya Sweeney. Please share your feedback and let Dr. Sweeney know about the ways you've used it, and if you have any suggestions.

