Insurers can access protected health information (PHI) created prior to coverage under regulated research conditions with proper protections and authorizations, or when legally required. PHI is protected and may only be disclosed with the individual's authorization or under certain exceptions.
A research paper from the Urban Institute states, “Currently, data standards vary dramatically across types of health insurance, leading to wide variation in the completeness of R/E data in public versus private coverage and across health plans’ lines of business.”
For research purposes, PHI created before coverage can be accessed without individual authorization if it is used for activities preparatory to research, such as reviewing PHI to formulate a research hypothesis or determine study feasibility, provided that the PHI is not removed from the covered entity and is not used to identify potential subjects.
Researchers must provide written assurances that the PHI will not be removed and is necessary for the preparatory activity. PHI of deceased individuals may be accessed if certain representations are made to the holder of the PHI, particularly if the decedent has been deceased for less than 50 years.
What is PHI and who controls it?
PHI is defined by HIPAA as any individually identifiable health information that is created, received, or maintained by a covered entity and relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare, or payment for healthcare services. PHI includes 18 specific identifiers such as names, geographic data, dates, phone numbers, medical record numbers, and biometric identifiers.
Control over PHI primarily resides with covered entities, including healthcare providers, health plans, and healthcare clearinghouses. These are legally responsible for protecting the privacy and security of this information. The BMC Medical Informatics and Decision Making study ‘Managing protected health information in distributed research network environments’ notes on the topic of PHI in research environments, “Effective PHI management requires efforts at multiple levels including national and organizational policy interpretation, access control, and control over data release.”
Understanding 45 CFR §164.508 and §164.502(a)(5)(i)
Taken together, these provisions restrict a health plan's ability to access and use PHI, especially genetic information, prior to enrollment. 45 CFR §164.508(a) sets out the conditions governing the use of PHI by covered entities, and therefore their access to it: “Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.”
45 CFR §164.508 establishes that, except as otherwise permitted or required by HIPAA, a covered entity must obtain a valid, written authorization from an individual before using or disclosing their PHI for purposes like marketing or research. The regulation allows individuals to maintain control over who can access their sensitive health information and for what purposes, with specific requirements for what constitutes a valid authorization.
45 CFR §164.502(a)(5)(i) goes on to prohibit health plans (with the exception of certain long-term care policies) from using or disclosing genetic information for underwriting purposes, which includes determining eligibility, benefits, premiums, or the application of pre-existing condition exclusions. This means that, even if a health plan has access to genetic information or other PHI prior to a customer’s enrollment, it cannot use that information to make decisions about coverage or pricing. The intent is to prevent discrimination based on genetic data and to ensure fair access to health insurance.
The special cases of life, disability, and long-term care insurance
Unlike health plans, which are regulated under laws such as the Genetic Information Nondiscrimination Act (GINA) and the Affordable Care Act (ACA) that restrict the use of genetic information for underwriting, life, disability, and long-term care insurance have fewer federal protections. According to the Risk Management Insurance Review study ‘Genetic testing and insurance implications: Surveying the US general population about discrimination concerns and knowledge of the Genetic Information Nondiscrimination Act (GINA)’, the interplay of underwriting and genetic testing is ever present: “Even within the scope of genetic tests that insurers are allowed to take into account, available tests greatly vary in their sensitivity (ability to detect a genetic variant in an affected individual) and predictive value (likelihood of having symptoms if have a genetic variant).”
Life insurers, for example, are generally permitted to request and use genetic test results and other health information for underwriting decisions such as eligibility and premium setting, although some states have enacted laws limiting this practice or requiring informed consent before genetic testing is used.
Disability and long-term care insurers similarly have broader latitude to access and use PHI, including genetic data, to assess risk. Notably, health plans are prohibited from using genetic information for underwriting or coverage decisions, but life, disability, and long-term care insurers are not covered by GINA and thus can access PHI prior to enrollment under certain conditions.
The regulatory gap creates potential genetic discrimination in these insurance markets, as individuals with predictive genetic test results may face higher premiums or denial of coverage. Insurers typically do not require genetic testing but may request existing genetic information disclosed by applicants.
Pre-ACA vs. post-ACA practices
Before the ACA was enacted in 2010, health insurers in the US commonly used pre-existing conditions, including genetic information and family medical history, to determine eligibility, premiums, and coverage limitations. Although some states had laws restricting the use of genetic information, protections were inconsistent and limited, allowing insurers to deny coverage or charge higher rates based on genetic risks.
The Journal of Law and Medical Ethics study ‘Time to End the Use of Genetic Test Results in Life Insurance Underwriting’ notes on the state perspective, “Most state laws on genetics and life insurance merely require insurers to obtain informed consent before performing genetic tests or prohibit the use of genetic information in underwriting unless there is a sound actuarial justification.” HIPAA provided some protections by prohibiting group health insurers from excluding coverage based solely on genetic test results without symptoms.
The ACA changed these practices by prohibiting health insurers from denying coverage or charging higher premiums due to pre-existing conditions, including those identified through genetic testing. It also banned the use of genetic information in underwriting health insurance, effectively extending and strengthening protections against genetic discrimination. As a result, post-ACA health plans cannot access or use PHI related to genetic information to make enrollment or pricing decisions.
FAQs
What rights do individuals have to access their health information from health plans?
Individuals have a legal right to access and obtain a copy of their PHI held by health plans, including medical records, billing records, claims data, enrollment records, and other information used to make decisions about their care or coverage.
Can individuals request their PHI in a specific format?
Yes, health plans must provide access to PHI in the form and format requested by the individual if it is readily producible in that format, such as electronic copies.
Are there any types of information that individuals cannot access from their health plans?
Certain information is excluded from the right of access, including psychotherapy notes that are maintained separately, information compiled for legal proceedings, and some quality improvement or business planning records that do not directly affect individual care decisions.