Hey everyone, I’m hoping to get some advice on this. I have a health insurance plan through my job (Aetna). A medication I was prescribed got denied, and Aetna’s prior authorization team told me to ask HR if they could override the rejection.
So I emailed HR and just said, very generally, ‘A medication I was prescribed was denied. Does the company ever override rejections for medical necessity?’ I didn’t mention the medication name or any details.
HR replied and included the exact name of the medication! I never told them that. That means Aetna must have shared that info with my employer.
Is this a HIPAA violation? Has anyone else had this happen? What should I do if I want to take action?
Sounds like you’re on a self-funded plan. If that’s the case, your employer is actually the one paying for the claims, and they have access to certain medical info, including prescriptions.
Ellery said:
Sounds like you’re on a self-funded plan. If that’s the case, your employer is actually the one paying for the claims, and they have access to certain medical info, including prescriptions.
Wait, so you’re saying my employer—not Aetna—is the one paying for my meds? How do I find out if I’m on a self-funded plan?
@Winter
Yeah, that’s how it works with self-funded plans. Aetna is just managing the claims, but the money comes from your employer.
You can check your insurance card or benefits documents—if it’s self-funded, it might say something like ‘self-insured’ or ‘administered by Aetna’ instead of ‘insured by Aetna.’ Or just ask HR directly.
@Gracen
Yep, self-funded plans mean the employer sees claims data. They’re not supposed to use it to make employment decisions (like firing people based on medical costs), but they do see the info.
If your company is small, it’s more likely that someone in HR directly saw your medication. Bigger companies usually have a separate benefits team that handles it.
Since you asked HR to help with an override, that kind of implied that they would need to know what they were approving. They can’t override something without details. It’s possible that Aetna shared it as part of the process.
Filing a complaint might not go anywhere because this is normal for self-funded plans. But if you’re really concerned, you could ask HR how they handle confidentiality.
Winter said:
@Sage
That makes sense, but I was still surprised they knew without me telling them. Do you think this means they can see all my medical records?
Not exactly. They don’t see everything, but they can access claims data related to plan administration.
They’re not supposed to use this info for anything outside of benefits, and legally, they can’t make hiring or firing decisions based on medical history. But yeah, they do have access to some health info, like prescriptions and procedures.
Bailey said:
This isn’t a HIPAA violation if it’s a self-funded plan. In that case, your employer technically owns the plan and is allowed to review claims data.
I thought I had to give consent for my medical info to be shared between organizations?
Think of it like this: If you ask HR to override a denial, they have to know what they’re approving. It’s like requesting FMLA—you don’t have to give every detail, but they need enough info to validate the request.
Since Aetna told you to ask HR, that pretty much confirms your plan is self-funded. HIPAA still applies, but self-funded employers can access some medical records for benefits decisions.
If you’re concerned, you should ask HR how they handle confidentiality and who has access to this information.
This setup feels weird, right? It’s legal, but that doesn’t mean it’s not unsettling. Employers having access to your medical info—even if limited—is uncomfortable for a lot of people.