Let’s Talk About: Privacy of Medical Records and Personal Data

During a discussion of “Life Company Basics” featured as part of the recent Society of Settlement Planners (SSP) virtual 2021 Annual Conference, a question was raised, but not fully answered, about the privacy of medical records.

Most structured settlement negotiations require information about the claimant, such as birth date and medical condition. The birth date is essential to obtain structured settlement annuity quotations that entail lifetime payments. Medical information is critical for assessing whether a special age rating is applicable as the result of a reduced life expectancy.

HIPAA and Structured Settlements

The privacy accorded to medical records inevitably raises concerns about the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA generally protects the confidentiality of medical records held by covered entities. The statute and regulations define “covered entities” to include health care providers, health plans and other persons or entities that provide or insure medical services.

“Business associates” of covered entities are generally defined to be persons who perform “a function or activity . . . on behalf of a covered entity.” By contrast, a patient is not a covered entity. This means that a claimant in a lawsuit is not limited in what information the claimant provides to others.

The basic HIPAA privacy requirements for defendants or life insurance companies in obtaining medical information about a claimant therefore generally depend on the source of the information. For example, if a defense broker, defense attorney or life insurance company obtains medical information directly from a covered entity, HIPAA issues are probably applicable.

If, by contrast, a claimant answers interrogatories and/or provides documents directly (or through counsel), the information should have no HIPAA implications. Note: a claimant could also sign a waiver of HIPAA’s privacy protection which would allow a defense litigator to subpoena the requested medical information from a covered entity.


Earlier this year, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the “NPRM”) to modify the Privacy Rule under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to facilitate the individual right of access to medical records and protected health information and to ease the administrative burden for covered entities to provide such records and information. Comments to the NPRM are due by March 22, 2021.

This new NPRM would modify the current HIPAA Privacy Rule in several significant ways. First, the NPRM strengthens a consumer’s right to access their own health information. Second, the NPRM increases a consumer’s ability to share information for care coordination and case management. Third, the NPRM allows greater family and caregiver involvement for individuals experiencing emergencies or health crises. Fourth, the NPRM reduces the administrative burdens on HIPAA-covered health care providers and health plans.

State Laws

In addition to meeting HIPAA requirements, defendants and life insurance companies should be cognizant of relevant state laws relating to the privacy of medical information about a claimant or injured party. In Texas, for example, licensed entities, including life insurers, liability insurers and agencies, must comply with Chapter 602 of the Texas Insurance Code. This Chapter requires all licensed entities to obtain written authorization before disclosing nonpublic health information. However, there is a specific exception for underwriting.

Gramm-Leach-Bliley Act and Related State Insurance Laws

A separate set of privacy issues addressing the sharing of sensitive personal data, which could impact structured settlement case management, results from the federal Gramm-Leach-Bliley Act (GLB), regulations issued under it by the Federal Trade Commission and related state insurance regulations.

As a general rule under GLB, when personal data of a “consumer” are used by a “financial institution” to market or sell products to the consumer, the financial institution must give notice to the consumer as to how the information will be used or shared with affiliates. Compliance with these rules is the task of financial institutions. Providing and issuing annuities is expressly covered by GLB.

Significantly, GLB does not apply to insurers. GLB, however, does require state insurance regulators to adopt privacy regulations that apply to insurers and other licensed entities. Most states have adopted legislation similar to the NAIC’s Model Act entitled “Privacy of Consumer Financial and Health Information Regulation.”

Regulations under the NAIC Model Act may apply to all entities licensed by the State Department of Insurance. The notice requirements under the Model Act differ depending on whether the information is from “consumers” vs. “customers.”

“Consumers” are individuals who seek to obtain or have obtained a product or service. “Consumers” include beneficiaries under life insurance policies and annuitants. “Customers” are consumers with whom there is a continuing relationship. An annuitant who is not the owner of the annuity is not a customer.


All structured settlement participants must be aware that medical records and other personal data represent sensitive information and may be subject to legal sharing restrictions and protections. Practitioners should not only be familiar with applicable laws but also with the source and status of any personal data or documentation before accepting and/or distributing it to other parties.

This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any transaction.

Portions of this article have been reprinted with permission of the publisher of “Structured Settlements and Periodic Payment Judgments” by Daniel Hindert, Joseph Dehner and Patrick Hindert and published by Law Journal Press, a division of ALM Media. Release 69 of this legal textbook will become available later this month.