How insurers are using HIPAA to shield their conduct from scrutiny

HIPAA does not prohibit the production of the administrative record to a plaintiff; it in fact requires it

Christian J. Garris
2018 September

Insurance companies, always desirous of concealing their claims conduct, are increasingly using the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to avoid the sharing of claims files between plaintiffs’ counsel. Insurers do this with the stated aim of protecting the privacy rights of plaintiffs, but of course it should be the plaintiffs that decide what to do with their own medical records. The real reason why insurers now refuse to produce the claim file, also known as the “administrative record” in Employee Retirement Income Security Act (“ERISA”) cases, is that they seek to avoid the distribution of their claim files where they can be scrutinized by plaintiffs’ counsel over a large number of cases.

The issue arises in health and disability insurance cases, and because most of those cases involve group coverage, they fall under ERISA. Although life insurance cases can also involve medical records, that is less common, so the vast bulk of the cases in which these issues are raised are health and disability cases.

Under ERISA, there are additional rules governing the production of the administrative record.

What is ERISA and why does it apply to group health and disability cases?

Based on a consensus in the 1970s that there was a crisis regarding the state of pension plans (see, e.g., Ablamis v. Roper (9th Cir. 1991) 937 F.2d 1450, 1452-53), Congress took up the problem and drafted a new law to protect employees from pension fraud and abuse: the Employee Retirement Income Security Act of 1974, 29 U.S.C. § 1001 (“ERISA”). ERISA applies to all group life, health, and disability benefits unless the plan is for church or government employees. Initially, however, it was not clear that state bad-faith laws were preempted by ERISA. In Pilot Life Insurance Co. v. Dedeaux (1987) 481 U.S. 41, the Supreme Court answered that question, holding that ERISA preempted state law on the subject. Plaintiffs could no longer bring state-law-based bad-faith claims arising out of the denial of benefits in group life, health, or disability plans that were subject to ERISA. After that decision, the landscape of insurance law changed forever. Most group claims became governed by the new set of laws – ERISA.

In ERISA cases, the insurance company is required to produce the administrative record

In ERISA cases, there is often no discovery other than the production of the administrative record, the insurance policy, and the summary plan description (the document mandated by ERISA that describes the coverages and exclusions for employees).

Insurers seek to place barriers for plaintiffs to obtain their documents

Insurers have a duty to produce their documents as part of their Initial Disclosures under Federal Rule of Civil Procedure (“FRCP”) 26. Insurers now routinely refuse to produce these documents without imposing unilateral conditions not found in the FRCP. Insurers now often demand, as a condition to producing any documents, that the plaintiff sign various documents proposed by the insurer to release the insurer from any liability for their production. Insurers may not create barriers of their own choosing to discovery. They cannot unilaterally require conditions to be performed by a plaintiff in order to comply with their discovery obligations.

The issue is not about a party with sensitive documents that seeks a protective order to protect those documents – far from it. Here, it is the insurers and not the plaintiffs who seek to avoid the production of documents. It is a plaintiff’s privilege to waive if he or she chooses to do so. By placing these issues before a court in litigation, a plaintiff has waived the right to maintain their confidentiality. The real reason the insurers refuse to produce the documents is not an altruistic motive to protect a plaintiff’s health information. The real reason behind the insurers’ demand that a protective order be in place for the documents is not to protect a plaintiff’s medical records, but to prevent a plaintiff from obtaining the claim file (the administrative record) and the summary plan description and being able to make fair, unrestricted use of their own file. The real reason for this refusal to produce documents is solely a tactical effort that the insurers have recently mandated that their counsel pursue.

This trend began about a year ago. Now, most insurers seek such an order to “protect” the documents in all of their cases. Yet, the insurers do not hold the confidentiality privilege regarding these documents. HIPAA and ERISA regulations require their disclosure to the plan participant, and Rule 26 mandates that the insurers produce their documents. The insurers can make no showing that they hold any privilege that they can assert to require a protective order for the production of the administrative record and the summary plan description.

The duty to participate in discovery

The duty to participate in discovery arises from the Federal Rules of Civil Procedure. A party cannot unilaterally excuse itself from participating in discovery by requiring various forms to be signed and releases to be granted. An insurer carries the burden of proving that they are justified in failing to produce the documents. (Kamakana v. City & County of Honolulu (9th Cir. 2006) 447 F.3d 1172, 1179-80.)

Specifically, in an ERISA action where the dispute is whether or not a claim should have been paid, the insurer must produce four categories of documents: (1) the administrative record (the records of the insurance company or plan for the specific claim at issue), (2) the summary plan description (the plan or insurance coverage certificate that explains what is covered and what is excluded), (3) the Master Policy issued by the insurers to the plaintiff’s employer, if any, and (4) any other documents such as guidelines relied upon by the insurer in considering the plaintiff’s claims for benefits as described in Code of Federal Regulations, title 29, section 2560.503-1(m)(8). These documents collectively constitute the “administrative record” on which a court will determine whether or not the claim should be paid at trial. (Kearney v. Standard Ins. Co. (9th Cir. 1999) 175 F.3d 1084, 1094-95.)

There is also no justification for a waiver or release before an insurer produces its documents because nothing is being filed with a court when an insurer produces its documents; they are simply served on the plaintiff. A plaintiff has a right to have the above documents produced to them pursuant to Federal Rules of Civil Procedure, Rule 26. When the parties later file the administrative record with a court in preparation for the trial, the parties can meet and confer regarding the public filing of the plaintiff’s records. The issue here though is the refusal of the insurer to even produce the administrative record to the plaintiff.

Insurers rely on HIPAA as the sole basis for their refusal to produce documents. HIPAA, however, requires insurers to produce documents to a plaintiff; it does not prevent it. (45 C.F.R. § 164.502(a)(2).) Insurers argue that they are refusing to produce the documents in order to “protect” the plaintiff. Insurers want plaintiffs to waive certain rights as a condition precedent to insurers producing any documents. For insurers to suggest that by waiving rights a plaintiff is therefore more “protected” is simply a ridiculous argument.

The larger issue here is that insurers want to put additional barriers between ERISA plaintiffs and their ability to litigate their cases. Insurers should not be permitted to unilaterally impose barriers to a plaintiff’s right to receive the relevant documents in this case.

Insurers should be ordered to produce their documents as part of their Initial Disclosures. They should not be able to impose a protective order on a plaintiff. The insurers do not hold any privilege that would even suggest a protective order is needed. Insurers hold no privilege for which they can propose a protective order. In essence, insurers utterly lack any standing to require a protective order. Without any showing of prejudice to an insurer, it cannot request a protective order. (Foltz v. State Farm Mut. Auto. Ins. Co. (9th Cir. 2003) 331 F.3d 1122, 1130.)

The real reason behind the refusal to produce the documents is that insurers want to prevent a plaintiff and their counsel from making free use of these documents. Yet, ERISA regulations, HIPAA regulations, and the Federal Rules of Civil Procedure all require that insurers produce these documents without a protective order. There is no issue here about the filing of these documents with the court, merely their production to a plaintiff.

Rule 26 requirements

The Federal Rules of Civil Procedure require the parties to produce their documents as part of the Initial Disclosures under Federal Rules of Civil Procedure, Rule 26. As the Ninth Circuit has held on numerous occasions in ERISA cases, the plan or insurance company defendant should produce the “administrative record” so that the district court can conduct a trial to determine whether the decision to deny the claim was correct or incorrect under the applicable standard of review. (See, e.g., Kearney v. Standard Ins. Co., 175 F.3d at 1094-95.)

The administrative record is, in essence, the claim file and is what is to be reviewed by a court at trial. The Department of Labor has promulgated regulations governing the submission and determination of claims under employee welfare benefit plans. (See 29 C.F.R. § 2560.503-1.) These regulations specify that to secure a “full and fair review” of a claim, it is required that claimants be given access to all “relevant documents.” (29 C.F.R. § 2560.503-1(h)(2).) “Relevant documents” is defined to include those “submitted, considered, or generated in the course of making the benefit determination, without regard to whether such document, record, or other information was relied upon in making the benefit determination.” (29 C.F.R. § 2560.503-1(m)(8)(ii).) This “administrative record” of the plan administrator must be produced so that the merits of the claim can be reviewed by the court. (Id. at 1094; Metropolitan Life Ins. Co. v. Glenn (2008) 554 U.S. 105, 110.) It therefore must be produced by an insurer as part of their Federal Rules of Civil Procedure, Rule 26 disclosures.

The summary plan description is the document created by the plan that details the rules for the coverage at issue. ERISA requires that the plan create a summary plan description and that it must explain the “circumstances which may result in disqualification, ineligibility, or denial or loss of benefits,” (29 U.S.C. § 1022(b)), “in a manner that is calculated to be understood by the average plan participant.” (29 U.S.C. § 1022(a)(1).) In order for a court to be able to evaluate the coverage, the summary plan description must also be produced. (King v. Blue Cross & Blue Shield (9th Cir. 2017) 871 F.3d 730, 734; Kearney v. Standard Ins. Co., 175 F.3d at 1094-95.) The summary plan description must be produced by an insurer as part of their Federal Rules of Civil Procedure, Rule 26 disclosures.

The master policy issued by the insurer to the employer, if there is one, must also be produced if the insurer wishes to rely on any of its provisions. (See Vu v. Fashion Inst. of Design & Merch., 2015 WL 13545179, at *6 (C.D. Cal. Apr. 23, 2015); Turrill v. Life Ins. Co. of N. Am. (5th Cir. 1985) 753 F.2d 1322, 1325.)

Other documents “relied upon in making the benefit determination” must also be produced by the insurer if they exist. (29 C.F.R. § 2560.503-1(m)(8)(i).) These documents must be produced by the insurer as part of their Federal Rules of Civil Procedure, Rule 26 disclosures. (See, e.g., Glista v. UNUM Life Ins. Co. of Am. (1st Cir. 2004) 378 F.3d 113, 123.)

The production of the administrative record

HIPAA does not prohibit the production of the administrative record to a plaintiff; it in fact requires it. Despite the clear requirement of ERISA that the insurance company produce these documents, insurers insist that they need not do so unless a plaintiff signs documents releasing the insurer from any liability related to their production. A party cannot unilaterally require another party to sign releases to obtain discovery responses or documents. Insurers also state that a plaintiff must agree to a protective order to obtain these documents, yet the insurers do not even articulate what privilege they hold that must be protected. Certainly, a plaintiff does not propose that a protective order is needed for an insurer to produce these documents to a plaintiff.

To add an entirely new layer to the discovery process as the insurers propose would be to ignore the requirements of the Federal Rules of Civil Procedure and the Department of Labor regulations. It would also stifle the rights of plan participants to obtain their benefits by placing even more obstacles in the way of having their claims swiftly adjudicated. (See Boggs v. Boggs (1997) 520 U.S. 833, 845.)

Again, the specific basis for the insurers’ refusal to produce their documents is HIPAA. HIPAA, however, only states that divulging confidential medical records to third parties requires the consent of the patient. Providing a patient with their own records is required. HIPAA not only authorizes the release of one’s own medical records to oneself, it requires it.

Title 45 contains the HIPAA regulations, and Code of Federal Regulations, title 45, section 164.502 details how a covered entity such as an insurer is supposed to disclose protected health information. HIPAA only applies to “individually identifiable health information” (45 CFR § 160.103, 45 CFR § 164.500(a)), and hence has no relation to insurance policies, certificates, or summary plan descriptions. Under section 164.502, an insurer must disclose a plaintiff’s information to a plaintiff:

Covered entities: Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and required by § 164.524 or § 164.528.

(45 CFR § 164.502(a)(2).)

Section 164.524 states in relevant part:

(1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual.

(45 CFR § 164.524(a)(1).)

HIPAA very clearly does not apply to individuals trying to access their own records. The U.S. Department of Health and Human Services, the relevant government agency, has issued a “Summary of the HIPAA Privacy Rule,” stating when disclosure is required by an insurer:

Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action. ( at p. 4 (May 2003).)

Insurer must produce its documents to a plaintiff

ERISA regulations require that an insurer produce its documents to a plaintiff. The ERISA regulations discussed above require that plan participants be given access to all “relevant documents.” (29 C.F.R. § 2560.503-1(h)(2).) Hence, the insurer cannot demand that a protective order be imposed before it will produce any documents because ERISA also requires that it produce these documents to the plan participant, such as a plaintiff, without restriction. The production of the administrative record and other documents to a plaintiff does not raise any issues regarding public disclosure, so HIPAA should not be a basis to refuse their production. The position of insurers that they are trying to safeguard the privacy rights of a plaintiff is disingenuous at best. Plaintiffs should be able to obtain a copy of their own medical records. There is no issue at present regarding the public filing or distribution of any of these documents. Furthermore, a plaintiff’s rights are in no way enhanced by signing a waiver or a release of claims against their insurer.


Insurers should be compelled to produce the claims files to a plaintiff and should not be able to refuse to do so based on HIPAA. Insurers cannot assert HIPAA to refuse to produce documents to a plaintiff because they do not hold the privilege and thus cannot carry their burden for refusing to produce their documents. (Kamakana v. City & County of Honolulu (9th Cir. 2006) 447 F.3d 1172, 1179-80.)

Christian J. Garris, Los Angeles, litigates insurance bad faith and consumer class-action matters.

Copyright © 2023 by the author.
For reprint permission, contact the publisher: Advocate Magazine