- What does this guide cover?
- Financial records containing medical information
- Insurance records containing medical information
- School records containing medical information
- Additional Resources
What does this guide cover?
This guide focuses on the privacy protections that federal and state law provide for health or medical information held in financial, insurance, and educational records.
Financial records containing medical information
It is likely that your financial records contain personal medical information. Though they don’t include actual treatment records, they do contain payment information that links you to specific treatments, prescriptions, or services.
a. What are the privacy concerns?
When your financial records contain this information, there are few restrictions on how it may be shared. This is due, in part, to the fact that the federal Gramm-Leach-Bliley Act (GLB) removed legal separations between banks, insurance companies, and brokerage firms. See the Financial Services Modernization Act of 1999, 15 U.S.C. §§ 6801-6809. In other words, a single financial institution may offer multiple financial products or services such as loans, financial or investment advice, or insurance.
These companies may also share your information with their non-financial affiliates. An affiliate is a company related to a financial institution by common ownership and control. In addition to sharing with affiliates, financial institutions may legally share a great deal of your personal information with their business partners.
It can be very difficult to determine who a financial institution's affiliates and business partners are and where your information—including your medical information—is going. For example, if you use your credit card to pay your psychiatrist, or to pay for the medication she prescribes, then the card-issuer may share the transactional information with its partners and affiliates. These partners or affiliates could include banks, insurers, or financial service companies, along with non-financial businesses.
b. What protections do you have under federal law?
The federal Gramm-Leach-Bliley Act (GLB) offers very limited consumer privacy protections. In general, GLB requires your financial institution to:
- give you the choice to opt out of certain personal financial information sharing; and
- store your personal financial information securely.
GLB applies to financial institutions such as banks, brokers, credit card companies, businesses that issue their own credit cards, and insurers. It also applies to businesses you may not consider traditional financial institutions. These include debt collectors, payday lenders, non-bank mortgage lenders, real estate appraisers, and medical services providers that offer a significant number of their patients long-term payment plans that involve interest charges. The FTC’s website, with links to the guidance it has published on GLB, lists examples of businesses that count as financial institutions.
More specifically, GLB applies to a financial institution's practices concerning nonpublic personal information, defined as "personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from any transaction with the consumer or any service performed for the consumer, or (iii) otherwise obtained by the financial institution." 15 U.S.C. § 6809(4)
GLB does not distinguish medical information from other types of personal information.
It does distinguish customers, with whom there is an ongoing relationship, from consumers, with whom there is a one-time or occasional relationship. For example, a financial institution must automatically provide a customer with its privacy notice, and must provide annual notice as long as the customer relationship continues. By contrast, consumers are entitled to a notice only if the company shares the consumer's information with unaffiliated companies (subject to exceptions for processing or administering a financial transaction and for legal compliance requirements). For more information on which protections apply to customers versus consumers in general, see the FTC’s In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.
i. Privacy notices
A financial institution must send a privacy notice at the start of a customer's relationship with a financial institution and annually thereafter. This notice must:
- notify you about the company's information collection and sharing practices;
- give you the opportunity to opt out of some affiliate sharing and some third-party information sharing and provide a reasonable way of doing so (requiring a customer to write a letter to opt out is not reasonable); and
- include information about how the financial institution safeguards your information.
ii. Opt-out rights
In its privacy notice, a financial institution must give you the opportunity to opt out of sharing with nonaffiliated companies and certain other third parties. However, GLB does not require a financial institution to provide customers with an opt-out choice in the following situations:
- The financial institution shares information with companies it contracts with for services like data processing or account servicing.
- The financial institution is legally required to disclose the information (such as sharing information with law enforcement or for discovery purposes in litigation).
- The financial institution has entered into a joint-marketing agreement with another financial institution to market financial products or services.
Even if you have not opted out, a financial institution cannot share your account numbers with nonaffiliated companies for marketing purposes, and may not share any means to access your account (such as passwords). Despite the sensitivity of health information, GLB provides no special treatment for medical data.
For a clear picture of your rights with regard to the sharing of your financial information, see the Securities and Exchange Commission’s (SEC) model GLB privacy notice.
PRIVACY TIP: Opt out when you have the option. Your failure to opt out means that you consent to the sharing of your information as stated in the privacy notice.
The Fair Credit Reporting Act (FCRA) complements GLB opt-out rights. The FCRA gives you two additional opportunities to limit information sharing between a financial institution and its affiliates:
- The FCRA allows you to opt out of sharing information about your creditworthiness with affiliates. See FCRA § 603(d)(2) (15 U.S.C. § 1681a(d)(2)).
- The Fair and Accurate Credit Transactions Act (known as the FACT Act or FACTA) amended the FCRA. FACTA requires a company or person to offer you an opt-out before marketing to you using information obtained from your transactions or account relationship with an affiliate, your account applications, or credit reports and other third-party sources. The person or company must also notify you of your right to opt out and give you a simple means to do so. See FCRA § 624 (15 U.S.C. § 1681s-3). For more information, see FTC Approves Affiliate Marketing Rule Regarding Use of Consumer Information.
The FCRA does not prevent a financial institution from sharing other information, like your Social Security number, income, account balances, and transaction history. Your transaction history, which includes what you charge on a credit card, is the most likely to reveal medical information. See FCRA §§ 603(d)(2), 624 (15 U.S.C. §§ 1681a(d)(2), 1681s-3).
To learn more about GLB and the FCRA, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act on the Federal Trade Commission website. PRC has many financial privacy resources.
You can file a complaint about a GLB or FCRA issue with the Federal Trade Commission, which investigates consumer protection and fraud matters that are not specifically assigned to other agencies. The FTC has jurisdiction over debt collection, credit reports, lending, telemarketing, credit repair services and much more. The FTC's Bureau of Consumer Protection has an online Complaint Assistant form (also available in Spanish), or you can call (877) FTC-HELP (877-382-4357).
c. What additional rights do you have under California law?
California's Financial Information Privacy Act (known as FIPA or SB 1) exists specifically to offer privacy protections that GLB lacks. Cal. Fin. Code §§ 4050-4060
FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal and medical information with affiliates. It originally restricted affiliate sharing, but those provisions were struck down in 2008 when a federal appeals court held that the FCRA preempts state law on the sharing of personal information with affiliates. See American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008).
Regardless, FIPA still provides more protection than GLB in several important ways:
- A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). Cal. Fin. Code § 4052.5
- You can opt out of information sharing that results from joint-marketing agreements a financial institution makes with a non-affiliated financial company to market financial products and services. Cal. Fin. Code § 4053(a)(1)
There are many types of joint marketing arrangements, but often they are with telemarketers or direct-mail or email or other online marketers. An example of this might be a life or auto insurance company that enters into a joint-marketing agreement with a third-party company to sell long-term care insurance. If you are a customer of the life or auto insurance company, it could share your contact information with the third party and also with a direct-mail marketer to pitch the long term care policy. FIPA lets you opt out of this, but GLB does not.
- You must receive a standardized, single-page notice (like this one) from every financial company with which you have a customer relationship. Envelopes that contain privacy notices must be clearly identified as such (so you don't discard them as junk mail and lose your opt-out opportunities). See Cal. Fin. Code §§ 4051.5(a)(3) and 4053.
The California FIPA notice is shorter and simpler than the national form. It has two check boxes: one to state that you do not want your personal and financial information shared with a financial institution’s affiliates, and one to opt out of sharing that information with outside companies the institution contracts with, via a joint marketing agreement, to provide financial products and services.
Both the U.S. and the California-specific notices would be clearer if they explained the difference between creditworthiness information (also called "consumer report information"), which may not be shared, and "transaction and experience" information, which may be:
- Creditworthiness may be based on information about whether you pay your bills on time, how long you have had credit, and the level of debt you can comfortably carry. It may also be based on character, general reputation, personal characteristics, or mode of living.
- Transactional (and experience) information, in the broadest sense, is data based on your interactions or transactions with businesses, organizations, and websites that create a record of those events, such as a payment record.
If you do not exercise the opt-out rights that GLB and FIPA give you, you relinquish the already limited control you have over personal information collected by financial institutions. Once a financial institution shares your information, you lose all practical control over where it goes and how it is used. If you change your mind later, you can call your financial institutions directly and ask for an 800 number or website where you can opt out of information sharing. Such financial institutions may include banks, brokers, credit card companies, insurers, and less obvious ones like automobile dealers, payday loan companies, collection agencies, and travel agents.
Even though the burden is on you to opt out, once you do it, you never have to do it again. Your choice is effective until you cancel it in writing.
For much more detailed information on protecting your financial privacy in general, see PRC’s resources on banking and finance. The FTC also has a wealth of information for consumers about GLB on its Bureau of Consumer Protection Business Center website.
Insurance records containing medical information
a. Health insurance under the Affordable Care Act
When you apply as an individual for disability or long-term care insurance, or for automobile insurance that includes medical benefits, you will probably be required to authorize disclosure of your medical records. You do not need to authorize disclosure of medical records when you apply for medical insurance. The Affordable Care Act (ACA) dispensed with that requirement for medical insurance by eliminating preexisting conditions as a risk factor.
Instead of your medical history, medical insurers now base their underwriting on your age, ZIP code (which is mapped to a geographic rating region), family size, and tobacco use. You may not be denied coverage for using tobacco, but you may be charged up to 150 percent of the premium charged to a nonsmoker of the same age who lives in the same geographic area. You must also disclose your income, along with your immigration and incarceration status, so that your eligibility for federal or state subsidies to purchase health insurance through the state insurance exchange can be determined.
In addition, under the ACA your medical history or health status can be used in connection with employee wellness programs. As of 2014, the ACA authorizes premium discounts of up to 30 percent of the cost of employment-based health insurance coverage for employees who participate in wellness programs. Eligibility for the discount may be conditioned on the employee’s meeting a specific health status target, such as weight loss or smoking cessation.
To help you understand what the ACA has changed about health insurance underwriting and other practical issues, see Key Features of the Affordable Care Act by Year, an HHS document that is no longer posted on the HHS website.
b. Insurance that considers health a risk factor but is not health insurance
To obtain life, long-term care, or disability insurance, or auto insurance plans that offer medical benefits, you can still be asked to authorize the release of your medical records. To learn more about what types of policies are not covered by HIPAA, see the U.S. Department of Health and Human Services website.
In California, the Insurance Information and Privacy Protection Act (IIPPA) prohibits insurers from disclosing personal—including medical—information they collect in connection with an insurance application or claim without your written authorization. Cal. Ins. Code §§ 791-791.29
Also, medical information in insurance records may not be used for marketing purposes. Cal. Ins. Code § 791.13. For more information, see Insurers: Privacy of Non-Public Personal Information on the California Department of Insurance website.
School records containing medical information
School records may include a great deal of health and medical information, such as vaccination histories, results of physical examinations for sports participation, counseling for behavioral problems, and visits to a school nurse.
California law requires a health examination and evidence of immunizations (or waivers) for all children entering first grade in a public or private school. Cal. Health & Safety Code § 124105
The school health exam is very comprehensive. It includes medical and developmental history, unclothed physical exam, dental and nutritional assessments, vision and hearing tests, and diagnostic screening for anemia, lead, urine abnormalities, tuberculosis, and other health issues as needed. For more information on California's school health exam, see the Department of Health Care Services publication, CHDP [Child Health and Disability Prevention Program] School Handbook: School Entry Health Examination Requirements.
With all of the personal information a school record contains, you may wonder if there are any laws that protect it. The answer is yes. The federal Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records in general, including all of the medical information they contain. 20 U.S.C. § 1232g (34 CFR § 99)
FERPA applies to all schools and educational agencies that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts, as well as most private and public colleges and universities. Elementary and secondary-level private and religious schools generally do not receive U.S. Department of Education funds and are not subject to FERPA. Medical information in their student records may be protected only by school policies.
FERPA gives parents certain rights regarding their minor children's school records. When a student turns 18 or attends school beyond high school, he or she becomes an eligible student under FERPA and receives the rights formerly held by his or her parents.
Parents and eligible students have the following rights under FERPA:
- They may inspect and review the education records a school maintains. A school does not need to provide copies of records, unless inspection is otherwise impossible (because of distance, for example). A school may charge for any copies it provides.
- They may ask a school to correct records they believe are inaccurate or misleading. If the school declines, a parent or eligible student may request a hearing, administered by a school official with no direct interest in the outcome.
If the decision comes out against the student, she (or her parent) may put a statement in the school record with her view of the disputed information. For example, a student or parent might want to dispute a behavioral or psychological assessment that she views as unfair or biased.
- A school needs the written consent of a parent or eligible student to release information from an education record, with the following exceptions:
- to school officials with legitimate educational interest;
- to a school that a student is transferring to;
- to specified officials for audit or evaluation purposes;
- in connection with student financial aid;
- to organizations conducting studies for or on behalf of the school (a vague and potentially broad exception);
- to accrediting organizations;
- to comply with a judicial order or subpoena;
- to appropriate authorities in health and safety emergencies; and
- to authorities in the juvenile justice system, according to state law. 34 CFR § 99.31
In addition, some information in school records is considered directory information and may be disclosed without consent. This includes name, address, phone number, date and place of birth, honors and awards, and dates of attendance. Although this exception, widely used by marketers and data miners, includes a great deal of personal information—which can then be linked with other information for sale—at least it does not include medical information.
Parents and eligible students do have the right to opt out of disclosure of directory information. Schools must tell you this and offer you a reasonable amount of time to opt out.
Schools must also notify parents and eligible students annually of all of their rights under FERPA. The school may decide how to provide the notice, and individual notice is not required. This means a school could send a letter or email, but could also publish a general notice in a PTA bulletin, student handbook, Facebook page, or newspaper article.
Students who are interested in learning more about their rights under FERPA should read the Department of Education publication, FERPA General Guidance for Students.
For more information on FERPA and complicated situations where HIPAA may apply in an educational context, see the Department of Education/Health and Human Services publication, Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records.
Additional Resources
California laws and resources
To find the full text of California laws, see California Legislative Information:
California Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code §§ 56-56.37)
California Fair Employment and Housing Act (FEHA) (Cal. Gov't Code §§ 12900-12996)
California Financial Information Privacy Act (FIPA) (Cal. Fin. Code §§ 4050-4060)
California Insurance Information and Privacy Protection Act (Cal. Ins. Code §§ 791-791.28)
California Public Records Act (CPRA) (Cal. Gov't Code § 6254(c))
Unruh Civil Rights Act (Cal. Civ. Code § 51)
The Attorney General’s website on California privacy laws also contains summaries of California privacy laws.
Cal/OSHA (Division of Occupational Safety and Health)
California Department of Justice, Division of Privacy Enforcement and Protection
Federal laws and resources
Americans with Disabilities Act (ADA) (42 U.S.C. § 12101)
Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681 et seq.)
Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §1232g; 34 CFR § 99)
Gramm Leach Bliley Act (GLB) (15 U.S.C. §§ 6801-6809)
For More Information on HIPAA, see the U.S. Department of Health and Human Services website.
Originally funded in 2012 with a cy pres award from Rodriguez et al. v. NDHealth et al.
Updated in 2017 with funding from the Rose Foundation for Communities and the Environment.