Elizabeth Nash was 21 and just finishing her junior year at the College of William & Mary when she had a miscarriage. She planned to tell her parents about it in person, but her insurer beat her to it when, as a matter of routine, it mailed them a form that described the medical treatment she’d received.
Nash says the experience “caused a rift that took a while to repair.”
Nash, now 38, recently co-authored an analysis of state laws on health-care confidentiality for insured dependents for the Guttmacher Institute, a reproductive health organization, and was surprised to find that state laws in this area are “so lacking and vague and mushy.”
Under the Affordable Care Act, which allows adult children to stay on their parents’ plans until they reach age 26, breaches of privacy such as the one Nash experienced may become a growing problem. Since the law passed, more than 3 million young adults have gained coverage, according to the Department of Health and Human Services.
Although parents must give consent for most care provided to children younger than 18, many states allow minors to consent on their own to such potentially sensitive services as testing and treatment for sexually transmitted infections, prenatal care and delivery, contraception and outpatient treatment for mental health and substance abuse.
The privacy rule of the federal Health Insurance Portability and Accountability Act (HIPAA), which took effect a decade ago, generally prohibits the unauthorized disclosure of individuals’ medical records and other health information. But there’s a catch. Health-care providers and insurers can generally use such information when trying to secure payment for treatment or other services.
And that can be problematic. Providers submit bills to insurers, which process them and generate a document, often an Explanation of Benefits (EOB) form, that tells the insured or the policyholder how much the insurer paid and what, if anything, is owed on the bill.
These communiques are important to combat fraud and identity theft, and many states require that they be sent, according to Nash.
But the documents do not always go to the person who was treated. “The notice could go to your parents or to you, depending on state law, insurance contracts and insurance policy,” says Abigail English, director of the Center for Adolescent Health and the Law, and lead author of the analysis published by the Guttmacher Institute.
English says it’s “extremely common” for insurers to send EOBs to the policyholder rather than the patient.
Under federal privacy regulations, patients can request that insurers not disclose confidential information or ask that they send it to an address of their choosing. Insurers are required to comply if not doing so would endanger the patient, says English — for example, if disclosure might pose a threat of domestic violence.
“Plans typically do have procedures in place to deal with the disclosure of sensitive information,” says Susan Pisano, a spokeswoman for America’s Health Insurance Plans, a trade group.
Some insurers have made strides in addressing confidentiality issues related to billing and other communications. Cigna, for example, redesigned its EOB forms to strip out specifics about the treatment or services provided, says Joe Mondy, a spokesman for the company. The form, which typically goes to the policyholder, does name the facility and the provider, however.
In addition, unless the law requires it, the insurer sends an EOB only if there’s a balance due.
Policy experts say strategies such as Cigna’s make sense. That’s especially true given the expansion in free preventive services under the Affordable Care Act. Starting in January, for example, many women in new health plans or in those that have changed their benefits enough to lose grandfathered status will be eligible for such services, including contraceptives, counseling and screening for sexually transmitted infections, and screening and counseling for domestic violence.
“With more insurance coverage of contraception, there will be more issues of whether insurers are protecting confidentiality,” says Tina Raine-Bennett, an obstetrician-gynecologist at Kaiser Permanente Medical Center in Oakland, Calif., who is chair of the Committee on Adolescent Health for the American College of Obstetricians and Gynecologists.
Although protecting young women’s privacy poses a challenge for insurers, “I do believe there will be a net gain in having those services,” she says.
This column is produced through a collaboration between The Washington Post and Kaiser Health News. KHN, an editorially independent news service, is a program of the Kaiser Family Foundation, a nonpartisan health-care-policy organization that is not affiliated with Kaiser Permanente.