Question: Is personal information collected, stored, and transmitted as part of a life insurance (rather than a health insurance) quote, illustration, application, or ongoing life insurance policy management considered protected health information (PHI) and fall under HIPAA requirements? Examples of health-related personal information collected as part of a life insurance quote might be health class, height, weight, and smoking status.
Answer: Although these data items would be considered PHI under HIPAA, whether the information is subject to HIPAA regulations depends upon whether the life insurance company is a HIPAA covered entity (CE) and/or a business associate (BA). If the company is considered a CE or BA under HIPAA, the data would be PHI and subject to HIPAA requirements.
But most life insurance companies are not considered CEs or BAs under HIPAA and are therefore not subject to HIPAA regulations. According to the U.S. Department of Health & Human Services (HHS), CEs are usually health plans, healthcare clearinghouses, and healthcare providers. HHS does not have the authority to regulate, for instance, employers, public agencies that deliver Social Security or welfare benefits, and life insurance companies.
Companies that provide both health and life insurance could encounter tricky compliance situations, especially when the customer databases for the two overlap or are combined. For more information to determine whether your organization is considered a CE or BA under HIPAA, visit www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.