Plan sponsors must understand the intersection of claims procedures under the Employee Retirement Income Security Act (ERISA), and the mandate to keep individually identifiable health information confidential, under the Health Insurance Portability and Accountability Act (HIPAA). This understanding is particularly important when plan sponsors receive letters or requests for information from third parties. The U.S. Court of Appeals for the Fourth Circuit attempts to reconcile the two procedures in the case of Kenneth Wilson v. UnitedHealthcare Insurance Company, No. 20-2044.

Facts of the Case

Kenneth Wilson’s minor son, JW, received residential mental health treatment. The insurer denied coverage for the treatment as medically unnecessary. The Wilsons hired a lawyer to contest the denial of coverage, who requested all relevant documents from the insurer. The request included a HIPAA authorization with an illegible signature on the wrong line of the form. In addition, the authorization lacked other vital details, such as the legal authority for the parent to sign on behalf of the minor. As a result, the insurer did not respond or provide the requested documents.

Procedural History of the Case

The Wilsons then sued on behalf of JW. They argued that they were not subject to the usual administrative appeals process for denied claims through the insurer before filing suit. As a result, the insurer’s lack of response to the lawyer was tantamount to a denial. The insurer argued that it could not respond to the lawyer because the HIPAA form was defective. The insurer further claimed as defective, would be an admission that JW had received treatment, which is confidential under HIPAA.


Under ERISA claims procedures, the person making a claim against the benefits plan is entitled to copies of all relevant documents, records, other information, and plan documents. ERISA also provides that claimants can designate representatives or attorneys to pursue claims on their behalf.

HIPAA authorization forms must meet extremely specific requirements. Failure to meet these requirements means that the insurer or plan cannot disclose the confidential health information requested. In this case, the HIPAA authorization was lacking. In addition, HIPAA’s more stringent disclosure requirements conflict with ERISA’s broader disclosure requirements in instances such as these.

The Court’s Ruling

The Court ruled that the insurer could have disclosed general information about the claim to the lawyer, including plan documents and the medical necessitate guidelines. A valid ERISA claim was sufficient to trigger this duty of disclosure.

The Court also ruled that since the HIPAA authorization was invalid, the insurer was correct in not disclosing JW’s individually identifiable health information. ERISA’s fiduciary duties required the insurer to notify the attorney that the HIPAA authorization was deficient instead of simply not responding.

Applications of the Case for Employers and Plans

Whether employers, insurers, third-party administrators, or administrative services-only providers receive such requests for information, staying silent is not an option. Even if the HIPAA authorization is deficient somehow, the party receiving the authorization should make a good faith effort to collaborate with other providers and respond somehow. This decision does not excuse a deficient HIPAA authorization, in that plan sponsors have a duty to reasonably require a validly executed HIPAA authorization.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.


The post When HIPAA and ERISA Claims Procedures Clash: What Plan Sponsors Need to Know appeared first on Hall Benefits Law.