The purpose of the Health Insurance Portability and Accountability Act (HIPAA) privacy rule was to protect the medical records and protected health information (PHI) of individuals. As a result, insurance companies provide extremely sparse data to employers with less than 250 employees, in the form of large claims data at the end of the year. Insurance companies provide this limited data to prevent HIPAA violations that occur when employers determine which employee has which medical condition due to the relatively small number of employees.
The reality is that employers likely already know which employees have medical issues, as human resources personnel must administer the Family and Medical Leave Act (FMLA). For instance, doctor’s notes typically identify the medical condition at issue, so employers inevitably are privy to HIPAA-restricted PHI in most situations.
Although medical claim inflation hovers around four percent, insurance companies regularly demand annual rate increases ranging from eight to 12% with no justification whatsoever. They will not provide smaller employers with actual claim information because doing so allegedly would violate HIPAA. As it turns out, insurance companies are not concerned about HIPAA because it does not apply to them when negotiating plan prices with employers.
A decade ago, brokers could receive insurance plan proposals for employers with no specific information about employees and their dependents. This trend slowly changed. Now, carriers either will not provide plan proposals without a complete list of all employees and dependents or will provide extremely inflated proposals without this information.
Insurance companies are now using third-party databases to get health-related information about plan participants before providing plan proposals. Although HIPAA restricts the use of PHI by medical providers, health plans, and insurers acting as providers, a loophole exists when insurers act as bidders. Under HIPAA, health insurance companies are not “covered entities,” so they can access and use PHI in ways other “covered entities” may not. Plus, since the PHI does not come directly from the individuals or their healthcare providers, it’s not subject to the privacy protections in HIPAA.
Although this practice is perfectly legal, it raises ethical concerns that emphasize the need for better privacy laws. In addition, it raises the potential for discrimination against certain groups of people and violates the spirit of HIPAA.
These third-party databases have powerful tools to gather information about individuals’ medical conditions, which insurance companies then use for marketing, risk assessment, and the inflation of insurance premiums. Some third-party databases include social media sites, public records, consumer data brokers, and online forums and support groups. Data brokers, such as LexisNexis Risk Solutions, Acxiom, Experian, Transunion, Equifax, and CoreLogic, use various analytic models to predict the future healthcare costs of individuals or groups based on diagnostic information, demographics, and healthcare utilization data.
HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.
Hall Benefits Law, LLC
Latest posts by Hall Benefits Law, LLC (see all)
- Fifth Circuit Considers Arbitration Clause in ERISA Claim - March 20, 2026
