HIPAA and Insurance Claims: What Can Be Shared and What Can’t


Kevin Henry

HIPAA

November 29, 2025

8 minutes read
Understanding how HIPAA applies to insurance claims helps you share what’s necessary for payment while protecting privacy. Most claim-related disclosures are allowed without authorization, but they’re bounded by the Minimum Necessary Standard, Business Associate safeguards, and strict limits on employer access.

This guide explains what a Covered Entity and Business Associate may disclose, where the lines are drawn, and how exceptions for public health and legal demands operate when claims data is involved.

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule protects Protected Health Information (PHI)—any individually identifiable health information in any form. Covered Entities include health plans, most healthcare providers, and healthcare clearinghouses. When these organizations handle claims, they may use and disclose PHI as HIPAA permits, or with a valid patient authorization when required.

Insurance claims primarily fall under “payment,” one prong of HIPAA’s treatment, payment, and healthcare operations framework. For payment and operations, HIPAA generally permits sharing PHI without authorization, but demands you limit disclosures to what is reasonably necessary to achieve the purpose. De-identified data—created via expert determination or the safe harbor method—is not PHI and may be used freely.

Permitted Uses and Disclosures of PHI

HIPAA permits PHI uses and disclosures for the following without patient authorization, provided other conditions (like the Minimum Necessary Standard) are met:

  • Treatment: coordination or management of care.
  • Payment: submitting claims, eligibility checks, billing, appeals, medical necessity review, and utilization management.
  • Healthcare operations: audits, quality assessment, fraud detection, credentialing, and premium rating.

Additional permitted disclosures that may touch claims data include:

  • To the individual or their personal representative upon request.
  • For research with an authorization or a waiver of authorization granted by an Institutional Review Board (IRB), or via a limited data set under a data use agreement.
  • Through Health Information Exchanges that facilitate routing and retrieval of PHI for treatment, payment, or operations; these exchanges typically function as a Business Associate and must follow BA obligations.

Authorizations are still required for certain uses (for example, most marketing or sale of PHI). Psychotherapy notes and some specially protected records carry added restrictions.

Business Associate Agreements Requirements

A Business Associate is any non-workforce entity that creates, receives, maintains, or transmits PHI for a Covered Entity—think third-party administrators, pharmacy benefit managers, clearinghouses, cloud or IT vendors, data analytics firms, and many Health Information Exchanges.

Before sharing claims data with a vendor, you must execute a Business Associate Agreement (BAA) that, at a minimum, does the following:

  • Defines permitted and required PHI uses and disclosures, bound to HIPAA purposes.
  • Requires administrative, physical, and technical safeguards consistent with the Security Rule (including access controls, encryption at rest/in transit where feasible, and audit logging).
  • Imposes the Minimum Necessary Standard and limits downstream re-disclosure.
  • Obligates breach and security incident reporting, with prompt notification.
  • Flows the same duties to subcontractors that handle PHI.
  • Supports individual rights (access, amendments, and accounting of disclosures) when a BA holds relevant information.
  • Requires return or destruction of PHI at termination if feasible, and provides termination rights for material breach.

Health plans should inventory all vendors touching claims and ensure BAAs are current, accurate, and operationalized through security reviews and ongoing oversight.

Minimum Necessary Standard Application

The Minimum Necessary Standard requires you to limit PHI uses, disclosures, and requests to the least amount needed to accomplish the task. It applies to payment and operations, and to most disclosures to Business Associates. It does not apply to disclosures for treatment, those made to the individual, or those required by law.

  • Share only data elements needed for adjudication, coordination of benefits, or medical necessity review (for example, dates of service, diagnosis/procedure codes, provider identifiers, and amounts).
  • Use role-based access so adjusters, utilization reviewers, and appeals teams see only what their roles require.
  • Redact or segment clinical narratives when a code-level summary is sufficient; avoid transmitting entire medical records unless clearly necessary.
  • Configure Health Information Exchanges and other systems to return focused data sets that match the specific purpose of use.

Document your criteria for “necessary” and bake them into procedures, system rules, and BA contracts to ensure consistency.
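As an added illustration (not code from the article or from Accountable), the following Python filter turns the criteria above into an enforceable rule: a per-role allowlist built from the data elements the article names, a fail-closed check for unknown roles, and a pass-through for the purposes the article says the standard does not cover. The field names, roles and sample claim are constructed assumptions.

```python
# Added example (not from the original article): a purpose-of-use filter that
# applies the Minimum Necessary Standard to a claim record before it is shared.
# Field names, roles and the sample claim are constructed for illustration.
from copy import deepcopy

# Data elements the article lists as typically sufficient for adjudication,
# coordination of benefits, or medical-necessity review.
CLAIM_CORE = {"claim_id", "member_id", "provider_npi", "dates_of_service",
              "diagnosis_codes", "procedure_codes", "amount_billed"}

# Per-role allowlists: each role sees only what its function requires.
ROLE_FIELDS = {
    "adjuster": CLAIM_CORE | {"amount_allowed", "adjudication_status"},
    "utilization_reviewer": CLAIM_CORE | {"clinical_summary"},
    "appeals": CLAIM_CORE | {"amount_allowed", "adjudication_status",
                             "clinical_summary", "appeal_reason"},
    "plan_sponsor": {"member_id", "enrollment_status"},  # enrollment info only
}

# Purposes the article says the standard does NOT apply to: release the record as-is.
EXEMPT_PURPOSES = {"treatment", "individual_request", "required_by_law"}


def minimum_necessary(claim, purpose, role=None):
    """Return (filtered_record, dropped_fields) for the stated purpose and role.

    Raises ValueError for an unknown role so a misconfiguration fails closed
    instead of leaking the whole claim.
    """
    if purpose in EXEMPT_PURPOSES:
        return deepcopy(claim), []
    if role not in ROLE_FIELDS:
        raise ValueError(f"no minimum-necessary policy for role {role!r}")
    allowed = ROLE_FIELDS[role]
    filtered = {k: deepcopy(v) for k, v in claim.items() if k in allowed}
    dropped = sorted(k for k in claim if k not in allowed)  # log these for audit
    return filtered, dropped


# Constructed sample claim; every value is fictitious.
SAMPLE_CLAIM = {
    "claim_id": "CLM-0001", "member_id": "M-42", "provider_npi": "1234567890",
    "dates_of_service": ["2025-10-02"], "diagnosis_codes": ["J06.9"],
    "procedure_codes": ["99213"], "amount_billed": 180.00,
    "amount_allowed": 120.00, "adjudication_status": "pending",
    "clinical_summary": "Visit note: upper respiratory symptoms ...",
    "appeal_reason": None, "enrollment_status": "active", "ssn": "000-00-0000",
}

if __name__ == "__main__":
    record, dropped = minimum_necessary(SAMPLE_CLAIM, "payment", role="adjuster")
    print(sorted(record), "dropped:", dropped)
```

The `dropped` list is what you would write to the audit log so that each disclosure can be reconciled against the documented "necessary" criteria.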

Employer Access Restrictions

Employers are generally not Covered Entities. A group health plan is a Covered Entity, and Health Plan Sponsors (employers) may receive PHI only for plan administration activities and only if plan documents are amended to restrict uses and maintain firewalls between plan administration staff and the employer’s employment functions.

In practice, this means:

  • Employers may receive enrollment/disenrollment information and “summary health information” for purposes like obtaining premiums or modifying the plan design.
  • Access to identifiable claim details requires either a proper plan administration pathway that meets HIPAA’s requirements or an individual’s authorization; PHI cannot be used for employment decisions.
  • Only designated workforce members performing plan administration should access PHI, and their use must be limited to those functions.

If an employer wants information beyond what HIPAA permits for plan administration, it should obtain individual authorizations that clearly describe the information and purpose.

Public Health and Safety Exceptions

HIPAA allows—but does not require—certain disclosures for public interest and safety. These may intersect with claims when reporting or investigations arise. Examples include:

  • Reporting to public health authorities for disease surveillance, vital events, or product safety reporting.
  • Notifying appropriate persons to avert a serious and imminent threat to health or safety, consistent with applicable law and professional judgment.
  • Disclosures to health oversight agencies for audits, inspections, or investigations of the healthcare system.
  • Disclosures about abuse, neglect, or domestic violence to authorized government authorities, when conditions are met.
  • Limited disclosures to law enforcement in narrowly defined situations (such as responding to a court order).

When these pathways are used, disclose only what is permitted for the specific purpose and document the decision-making as part of your compliance program.

HIPAA permits disclosures “required by law,” and sets conditions for responding to legal demands. Common examples involving claims include:

  • Court orders or warrants that specify the information to be produced.
  • Subpoenas or discovery requests accompanied by satisfactory assurances (or patient notice/opportunity to object) as HIPAA requires.
  • Administrative requests that are specific, limited in scope, and necessary for a legitimate purpose.
  • Workers’ compensation or similar programs where another law mandates or permits sharing limited PHI.

Apply the Minimum Necessary Standard where it still applies, track non-routine disclosures for accounting, and ensure stricter federal or state privacy laws are honored when they provide greater protection.

Bottom line: for insurance claims, HIPAA permits targeted sharing for payment and operations, but expects you to minimize data, bind vendors with robust BAAs, restrict employer access to true plan administration, and follow narrow pathways for public health and legal demands.

FAQs

What types of insurance claim information can be shared under HIPAA?

Covered Entities and their Business Associates may share PHI needed for payment and operations, such as dates of service, diagnosis and procedure codes, provider and member identifiers, adjudication details, and amounts billed or paid. Entire medical records should be shared only when those details are genuinely necessary to resolve the claim or appeal.

When can PHI be disclosed without patient authorization?

PHI can be disclosed without authorization for treatment, payment, and healthcare operations; to the individual; for certain public health and safety purposes; to health oversight agencies; and when required by law or legal process. If none of these pathways apply, a valid, specific authorization is needed.

How do Business Associate Agreements protect PHI?

BAAs contractually bind vendors to use and disclose PHI only for permitted purposes, implement Security Rule safeguards, apply the Minimum Necessary Standard, report breaches, pass the same duties to subcontractors, support individual rights, and return or destroy PHI at termination—creating enforceable protections around claims data.

Can employers access individual health insurance claims?

Employers generally cannot access identifiable claim information unless they act as Health Plan Sponsors performing plan administration functions under HIPAA-compliant plan documents, or they obtain the individual’s authorization. Even then, PHI may not be used for employment decisions and must be walled off from HR employment functions.

What is the minimum necessary standard under HIPAA?

It’s the requirement to limit PHI uses, disclosures, and requests to the least amount reasonably necessary to accomplish the purpose. It applies to payment and operations (including claims) but not to treatment, disclosures to the individual, or disclosures required by law. Role-based access and targeted data sharing are key ways to comply.
