Life Insurance Records: Privacy And Confidentiality

Life insurance records contain highly sensitive information, including an individual's medical history, financial information, and personal details. Due to the confidential nature of this data, it is essential to understand whether life insurance records are private and protected from public access. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) establishes strict privacy rules for safeguarding individuals' health information. This legislation ensures that life insurance companies cannot access an individual's medical records without their consent. Additionally, life insurance applicants are required to sign a HIPAA form, acknowledging that their information is private and subject to penalties if disclosed publicly. While life insurance companies need access to medical records for risk assessment and underwriting purposes, they are legally bound to maintain the privacy of this information.

Medical records and life insurance applications

When applying for life insurance, you will likely be asked to provide access to your medical records. This is a standard procedure and insurance companies can access medical records to verify the information provided on your application. However, they cannot see your medical records without your written consent. In the UK, you are protected by the Access to Medical Reports Act (1988) and the Data Protection Act (2018).

Life insurance companies need to assess the risk associated with insuring an individual. They use medical records to evaluate your overall health, which helps them determine the appropriate premium for your policy. This includes reviewing your medical history, conducting a medical record review, and even requesting blood work. For example, New York Life accesses health records to ensure accurate risk assessment.

Life insurance companies are not interested in your entire medical history. They are particularly interested in any medical issues that have occurred in the last five years, which they will usually exclude from your cover. They also want to know if you have been clear of a condition for two or more years.

When assessing your application, the insurance company will look for information such as:

• Visits to your GP, including the problem and any advice given
• Prescribed medications
• Details of referrals to specialists
• Accurate dates of medical activity
• Your family's medical history
• Lifestyle habits (e.g. smoking, drinking, exercise)
• Risky hobbies, such as skydiving

If you deny the insurer access to your medical records, they may refuse to offer you a policy as they do not have the information they need to assess your application.

Yes, there are "no-exam" life insurance policies available that do not require detailed health information. However, these policies may come with higher premiums due to the increased risk the insurer takes on by not having comprehensive medical data.

Privacy laws and data protection

Insurance companies handle vast amounts of sensitive data, including personal details, financial records, and health information. As such, they must adhere to strict data protection regulations to maintain customer trust and avoid penalties. The General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US are key regulations that control the collection, use, and protection of personal data. The GDPR, in particular, has far-reaching implications as it applies to any organisation handling EU citizens' data, regardless of location.

To ensure compliance, insurance companies must implement robust security measures, such as multi-factor authentication, privileged access management, and user activity monitoring. Additionally, they should appoint data protection officers, conduct risk assessments, and employ encryption to safeguard data.

In the context of life insurance, medical records are crucial for risk assessment and determining premium rates. While life insurance companies typically require access to medical records, they must obtain consent from the individual. This authorisation allows them to verify the information provided and assess the risk associated with insuring the individual.

Accessing records after death

Accessing a deceased person's life insurance records can be challenging but necessary. Here are the steps you can take to locate their policies and make any claims:

Search the deceased's documents and correspondence:

• Go through paper and digital files, bank safe deposit boxes, and other storage spaces for insurance-related documents.
• Check bank statements for payments to life insurance companies or annual notices regarding the policy status.
• Review the deceased's tax returns for records of interest income or expenses paid to life insurance companies.
• Check the deceased's mail and email for premium or dividend notices.

Contact relevant professionals:

• Speak with the deceased's financial advisor, banker, attorney, or accountant to see if they have any records or knowledge of life insurance policies under the deceased's name.
• Contact the insurance companies that provided the deceased with car or home insurance, as they may also have had a life insurance policy through the same insurer.
• Get in touch with the deceased's former employer or union, as they may have had an employer-sponsored life insurance policy.

Utilize online tools and databases:

• Submit a request to the National Association of Insurance Commissioners (NAIC) Life Insurance Policy Locator Service, a free online tool that can assist in locating life insurance policies.
• Check your state's insurance department and unclaimed property office, as well as the National Association of Unclaimed Property Administrator's website, to search for unclaimed property, which includes life insurance claims.

Be aware of special challenges:

• If the insurance company has changed its name, merged, or sold the policy to another company, the NAIC provides tips on how to find them.
• In case of the company's bankruptcy, contact the state life and health guaranty association through the National Organization of Life & Health Insurance Guaranty Associations' search tool.
• Consider that the policy may have been purchased in Canada and reach out to the Canadian Ombudservice for Life and Health Insurance for information.

Notify the insurer and file a claim:

• Notify the insurer of the loved one's passing as soon as possible to initiate the process of identifying the policy's beneficiaries.
• If you are a beneficiary, file a life insurance claim by providing the necessary documentation, such as proof of identity, the death certificate, and claim forms.
• Understand the death benefit's terms, including any tax implications, and decide on your preferred payout option (lump sum or installments).

Act promptly:

While there is no time limit for claiming life insurance, acting sooner can help ensure a smooth payout process and prevent issues like fraud and identity theft.

Safeguarding sensitive information

When an individual applies for life insurance, it is the duty of the agent, broker, and the life insurance company to safeguard sensitive information. This includes personal details, medical history, and financial information.

The onus of protecting sensitive information falls on the entire organization, from the agent to all home office personnel. This is to protect the individual from harm, as the information is very comprehensive and could make the applicant vulnerable to extortion, blackmail, and theft if it fell into the wrong hands.

To ensure compliance, employees are educated on privacy laws and are required to take an exam and sign off on their compliance. Regular training and updates on privacy laws are also necessary to keep the issue at the forefront of employees' minds.

Data Privacy Laws

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy of medical records and sensitive personal information. HIPAA outlines three rules for safeguarding health information:

• Privacy Rule: Health insurance companies can only share and obtain your medical information under certain circumstances. They must make it clear how and when they will share and receive information and how they will use it. Your medical information can only be shared when necessary for you to receive healthcare services or assistance paying for them through insurance.
• Security Rule: Health insurance companies must take steps to protect your medical information. They must develop security standards that comply with HIPAA laws to store and dispose of medical information in a way that reduces the risk of data theft.
• Breach Notification Rule: If a data breach occurs, HIPAA requires the health insurance provider to notify you of when the breach occurred and what information may have been shared or stolen.

Access to Medical Records

Insurers can only access your medical records if you give them written permission. They can only access relevant information and are allowed to share your medical records with each other as long as you are made aware in advance.

Insurers will often request access to your medical records to assess your health condition and determine the level of risk they are taking on by insuring you. This includes reviewing your medical history and, in some cases, requesting blood work.

Data Breaches

Despite safeguards and compliance requirements, data breaches can still occur. Between 2005 and 2019, healthcare data breaches affected more than 249 million people, with two-thirds experiencing the impact of data theft and loss in the last five years of this period.

To protect your medical information, it is important to read privacy disclosures and authorization forms carefully, be cautious about health-tracking apps, and regularly request and review copies of your medical records.

Data breaches

In the case of life insurance, data breaches can occur when insurance companies access medical records. While insurance companies cannot see an individual's full medical records without written permission, they can access specific medical information to perform key functions and provide services. This includes information relating to coverage eligibility and payment authorization for medical services.

In the US, insurance company Globe Life recently experienced a data breach involving unauthorized access to consumer and policyholder information. The breach was caused by vulnerabilities in a company web portal, and it is unclear what type of data was compromised. Fidelity Investments Life Insurance also reported a data breach affecting more than 28,000 customers, which was linked to a hack of a third-party service provider, Infosys McCamish Systems. In another incident, the CLOP Ransomware Gang infiltrated the MOVEit file transfer software used by many organizations, compromising the personal information of approximately 42,000 Vermonters and over 38 million consumers nationwide. American General Life Insurance Company was one of the companies impacted by this breach.

To protect personal data from data breaches, individuals should understand their rights under privacy laws such as HIPAA, carefully read authorization forms, and regularly check their medical records for errors.

Frequently asked questions