How can my insurer or employer access my medical records without my permission?

Yes.

The Amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without consent that is far more extensive than is needed for billing or any other reason related to a specific individual’s health care. Other uses for which health plans and employers are authorized to obtain use and disclose an individual’s health information without consent include:

  1. Due diligence in connection with the sale or transfer of assets;
  2. Certain types of marketing;
  3. Business planning and development;
  4. Business management and general administrative activities; and
  5. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance. Section 164.501

Example: A depressed person’s health plan or employer would have regulatory permission from the federal government to obtain the information about his/her attempted suicide and hospitalization without his/her knowledge or consent if the information was needed for any of the above business purposes, as well as for treatment or payment.

Even more disturbing, the Amended Rule would authorize the individual’s health plan or employer to use and disclose that information even if the suicide attempt and hospitalization occurred before the Amended Privacy Rule went into effect on April 14, 2003.