k young:
OH BOY! Asking for that specific 'law' is a tall order. The regulations are contained in HIPAA (Health Insurance Portability and Accountability Act) which is an amendment of ERISA (Employee Retirement Income Security Act of 1974). We are not talking about a simple "law" stating "you have to give her the information". These laws are huge and require much interpretation. I suspect that the reason you are having trouble is that new privacy regulations under HIPAA went into effect on April 14, 2003. Many insurors and providers are really "freaked out" by those regs and are being over diligent in the protection of that information--to the point of protecting it from those who own it (ie you, in your case). In fact, the new regs provide for not much new in the way of protection of PHI (personal health information). Most reputable business entities covered in the new regs were already observing these same guidelines.
I could explain further particulars such as the definition of PHI--quite lengthy itself and open to interpretation. Anything that can identify you as an individual and related to a health record is PHI--even down to the year of your birth in some cases. If over age 79, for example, the "pool" of indentifying informatioin is too small and therefore 'privileged'. Even your zip code could be considered identifying. I give these examples so that you may research on your own until I or someone else can quote the regs that pertain most to your situation. A visit to Dept. of Labor web site (
www.dol.gov) is your best bet. To slightly narrow the search, ERISA is in Title 29 of the Code of Federal Regulations.
I will find the most relevant statutes / definitions and post back. But, beware, I visit the forum fairly infrequently. If you are in a hurry, search the Department of Labor, Medicare, your State Department of Insurance etc. for regs regarding HIPAA and ERISA. (Heck, a Google search of HIPAA will astound you.) Again, be warned, BIG topics and most are open to interpretation and then actionable only on a complaint by complaint basis. Nevertheless, you are the owner of your personal health information--most providers do / should know this. Keep looking in the meantime, and I will get back (with pages & pages!) of HIPAA regulations.
Also, in the meantime, you can't make them give you the info. But, be sure to acknowledge collectors in writing--make them validate their claim of debt. Then, keep after the insurer, only way is to familiarize yourself with HIPAA law. If you read much, you will soon be more educated than they. The internet has a huge wealth of info on HIPAA. I suggest a search of "HIPAA + privacy" and even that will be a huge return.
In a nutshell, I think your insurance provider is being over diligent. One thing I left out of the above is this: claims payment history IS NOT NECESSARILY personal health information (PHI). So, for the insurer to give you info re: who was paid what when, is not privileged information as it contains no PHI (diagnoses, symptoms, etc etc etc) Even if your father is the primary policy holder and you are a dependent!. Perhaps you could remind / inform them of this small fact.
Again, I will look for relevant statutes, but from an experience point of view, when I have an 18 year old dependent on a plan, I ask for authorization only from the 18 year old. The parents need a signature from the 18 year old dependent in order to have access to his / her PHI.
And, lastly, my own personal opinion....Daddy isn't going to be in a favorable light by any interested party...if / when he is found to be profiting from an insurance payment (DOL & DOI to name a couple).
best to you, lkc15507