Your medical records are protected by federal and state laws regarding who may access these records. While state laws vary considerably, the Health Insurance Portability and Accountability Act (HIPAA) specifies who can access your personal health information, including medical records. This law on privacy rights set limits on the use and release of medical records, including how health insurance companies may access and use this information.
In general, health insurance companies do not have the right to inspect your medical records other than for purposes of determining eligibility for health care coverage. Most insurance companies in the United States belong to the Medical Information Bureau (MIB), which operates an information exchange between member insurance companies of brief, coded health information of underwriting significance taken from the underwriting of previous applications for life and health insurance coverage. MIB does not access an individual’s medical records. MIB information is consented to by the applicant and is used to protect insurers from errors, omissions and misstatements in an applicant’s health statement. Under the Fair Credit Reporting Act (FCRA), consumers can obtain one free disclosure annually of their MIB record. Unless you have applied for life and health insurance in the past seven years, you will not have an MIB record. For more information visit MIB’s website.
In addition, HIPAA provides employers with the right to review limited portions or summaries of your medical information in some circumstances, like for obtaining bids for insurance plans for the company or in reviewing workers compensation claims. If the health information your employer receives goes beyond a basic summary, then your employer must take steps to protect and limit viewing of this information. HIPAA limits the use of medical information for employment purposes.
Larger corporations may offer “self-insured” health care plans where the employer itself assumes the risk of health care costs and has the responsibility for paying heath care claims, effectively acting as an insurer. Claims may be processed by company personnel or contracted out to other companies that process and maintain the records. HIPAA rules apply to medical records used in this situation, including how information is shared and the requirement for written consent to share information in most situations.
In all cases, access to medical records is granted if you sign a written consent which meets HIPAA requirements for disclosure of details and time period the consent is in place. This means it is very important that you read any such forms carefully and ask any questions before signing a consent form.