The health law opened the door for millions of young adults to stay on their parents’ health insurance until they turn 26. But there’s a downside to remaining on the family plan. Chances are that mom or dad, as policyholder, will get a notice from the insurer every time the grown-up kid gets medical care, a breach of privacy that many young people may find unwelcome.
With this in mind, in recent years a handful of states have adopted laws or regulations that make it easier for dependents to keep medical communications confidential.
The privacy issue has long been recognized as important, particularly in the case of a woman who might fear reprisal if, for example, her husband learned she was using birth control against his wishes. But now the needs of adult children are also getting attention.
“There’s a longstanding awareness that disclosures by insurers could create dangers for individuals,” said Abigail English, director of the advocacy group Center for Adolescent Health and the Law, who has examined these laws. “But there was an added impetus to concerns about the confidentiality of insurance information with the dramatic increase in the number of young adults staying on their parents’ plan until age 26” under the health law.
Federal law does offer some protections, but they are incomplete, privacy advocates say. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a key federal privacy law that established rules for when insurers, doctors, hospitals and others may disclose individuals’ personal health information. It contains a privacy rule that allows people to request that their providers or health plan restrict the disclosure of information about their health or treatment. They can ask that their insurer not send the ubiquitous “explanation of benefits” form describing care received or denied to their parents, for example. But an insurer isn’t obligated to honor that request.
In addition, HIPAA’s privacy rule says that people can ask that their health plan communicate with them at an alternate location or using a method other than the one it usually employs. Someone might ask that EOBs be sent by email rather than by mail, for example, or to a different address than that of the policyholder. The insurer has to accommodate those requests if the person says that disclosing the information would endanger them.
A number of states, including California, Colorado, Washington, Oregon and Maryland, have taken steps to clarify and strengthen the health insurance confidentiality protections in HIPAA or ensure their implementation.
In California, for example, all insurers have to honor a request by members that their information not be shared with a policyholder if they are receiving sensitive services such as reproductive health or drug treatment or if the patient believes that sharing the health information could lead to harm or harassment.
“There was concern that the lack of detail in HIPAA inhibited its use,” said Rebecca Gudeman, senior attorney at the National Center for Youth Law, a California nonprofit group that helps provide resources to attorneys and groups representing the legal interests of poor children. She noted that HIPAA doesn’t define endangerment, for example, and doesn’t include details about how to implement confidentiality requests.
Concerns by young people that their parents may find out about their medical care leads some to forgo the care altogether, while others go to free or low-cost clinics for reproductive and sexual health services, for example, and skip using their insurance. In 2014, 14 percent of people who received family planning services funded under the federal government’s Title X program for low-income individuals had private health insurance coverage, according to the National Family Planning and Reproductive Health Association.
Even though most states don’t require it, some insurers may accommodate confidentiality requests, said Dania Palanker, senior counsel for health and reproductive rights at the National Women’s Law Center, a research and advocacy group.
“Inquire whether there will be information sent and whether there’s a way to have it sent elsewhere,” Palanker said. “It may be possible that the insurer has a process even if state doesn’t have a law.”
Insurers’ perspective on these types of rules vary. In California, after some initial concerns about how the law would be administered, insurers in the state worked with advocates on the bill, Gudeman said. “I give them a lot of credit,” she said.
Restricting access to EOBs can be challenging to administer, said Clare Krusing, a spokesperson for America’s Health Insurance Plans, a trade group. A health plan may mask or filter out a diagnosis or service code on the EOB, but provider credentials or pharmacy information may still hint at the services provided.
There’s also good reason in many instances for insurers and policyholders to know the details about when a policy is used, experts say. Policyholders also may have difficulty tracking cost-sharing details such as how much remains on the deductible for their plan.
In addition, “if a consumer receives a filtered or masked EOB, he or she has no way of knowing whether their account has been compromised or used as part of fraudulent activity,” Krusing said.
This story was produced by Kaiser Health News, an editorially independent program of the Kaiser Family Foundation.