Q&A: Filing a complaint against an insurance company
Q: I recently filed a complaint against my insurance company. The insurance agent who handles my case informed my boss that I filed a complaint against her. Now my boss is mad at me, and I feel like my job is at risk. Is this a HIPAA violation?
A: It would be a HIPAA violation if you filed a complaint with your health insurance company related to privacy or security. You have the right to complain to covered entities (CE) who serve you, such as health insurance companies and providers, and you have a right to file a complaint with OCR. CEs cannot retaliate against a patient or health plan member who files a privacy or security complaint. The caveat is that the complaint needs to be an exercise of your HIPAA privacy rights related to your privacy or the security of your information that is used and disclosed by your health insurance company.
HIPAA also goes a step further. CEs are required to include information about how you can file a complaint in their Notice of Privacy Practices. The information must include “a statement that individuals may complain to the covered entity and to the Secretary (OCR) if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.”
What can complicate things is when a CE is self-funded. In other words, if your employer pays the cost of all claims instead of using a commercial plan, they may have more access to PHI, but they still cannot retaliate against you if you file a complaint. Employers who are self-funded need to prevent any other employees who are not directly involved in managing the self-funded plan from accessing any PHI the employer may use and disclose. This includes your boss, unless your boss is the person assigned to manage the plan.
Editor’s note: Question answered by Chris Apgar, president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at email@example.com.