Confidentiality,
Third-Party Billing,
& the Health Insurance
Claims Process:
Implications for Title X
Abigail English, Robin Summers,
Julie Lewis, and Clare Coleman
Confidentiality,
Third-Party Billing,
& the Health Insurance
Claims Process:
Implications for Title X
Abigail English, Robin Summers,
Julie Lewis, and Clare Coleman
APRIL 2 0 1 5
Funding for this project was provided by the Office of Population Affairs (Grant Number 1 FPRPA006059-01-00). The views
expressed by this project do not necessarily reflect the official policies of the Department of Health and Human Services; nor does
mention of trade names, commercial practices, or organizations imply official endorsement by the US Government.
Contents
Executive Summary ........................................................................ 1
Overview .....................................................................................................1
HIPAA Privacy Rule .......................................................................................1
Title X, Ryan White, and Federally Qualified Health Centers ............................. 1
Medicaid ......................................................................................................2
Commercial Health Insurance .........................................................................2
Evolving Approaches to Protecting Confidentiality ............................................2
Part I: Introduction ........................................................................... 3
Part II: Background .......................................................................... 4
Importance of Confidentiality ......................................................................... 4
Title X Confidentiality Protections ....................................................................4
Changing Health Care Delivery Environment ...................................................4
Emerging Confidentiality Challenges...............................................................5
Part III: Purpose and Methodology ................................................... 6
Part IV: Required Disclosures & Confidentiality
Protections in Current Laws & Policies .............................................. 7
HIPAA Privacy Rule .......................................................................................7
Disclosure of PHI Under the HIPAA Privacy Rule ...................................... 7
Confidentiality Protections Under the HIPAA Privacy Rule ............................. 8
Minors’ Rights ....................................................................................... 8
Requests for Special Confidentiality Protections ......................................... 8
State Medical Privacy and Confidentiality Laws ...............................................8
State Implementation of HIPAA Privacy Rule ............................................ 9
General Medical Privacy and Confidentiality Laws .................................. 9
Confidentiality for Minors ................................................................... 9
Title X ..........................................................................................................9
Title X Confidentiality Protections .......................................................... 9
Risks of Disclosure in Title X ............................................................... 10
Other Federal Funding Programs..................................................................10
Ryan White HIV/AIDS Program ......................................................... 10
Section 330 “Health Centers” ........................................................... 11
Medicaid ....................................................................................................11
Patient Records, Enrollment, and Decision-making ................................. 11
Medicaid Program Communications ................................................... 11
Medicaid Third-Party Liability ............................................................ 12
Commercial Health Insurance .......................................................................13
Federal Disclosure Requirements ........................................................ 13
State Disclosure Requirements ............................................................ 14
Part V: Protections to Limit Confidentiality
Breaches in Third-Party Billing and Insurance Claims ...................... 16
Medicaid’s Good-Cause Exception ...............................................................16
Management of EOBs, Denials, and Other Communications ...........................17
Requests for Confidential Communications ........................................... 18
Redirection of EOBs to the Patient ...................................................... 18
Exclusion of Information about Sensitive Services ................................... 19
Omission of EOBs When No Balance Due ......................................... 19
Suppression of EOBs ....................................................................... 20
Restrictions on Disclosure ............................................................................. 20
Restrictions Based on Endangerment ................................................... 20
Restrictions on Disclosures about Sensitive Services ................................ 21
Requirements to Protect Confidentiality for Adult or Minor Dependents ............21
Implementation ...........................................................................................22
Part VI: Conclusion ......................................................................... 23
Endnotes ........................................................................................ 24
Acknowledgements ........................................................................ 28
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
1
National Family Planning
& Reproductive Health Association
Overview
is white paper provides background
on the importance of confidentiality
in family planning settings, the role of
Title X, and the health care delivery
environment, particularly as a result of
the Health Insurance Portability and
Accountability Act (HIPAA) Privacy
Rule and the Affordable Care Act (ACA).
Federal and state laws also contain
numerous confidentiality protections,
which vary widely in terms of what
information they protect, who can access
that information, when the patient’s
permission is required for disclosure,
and many other factors. However, many
requirements of state and federal law
can lead to the disclosure of confidential
health information. is white paper
discusses disclosure requirements and
confidentiality protections in the HIPAA
Privacy Rule and state medical privacy
laws as well as in the laws related to
the primary sources of revenue for
Title X-funded health centers—the
Ryan White HIV/AIDS Program,
Section 330 Federally Qualified Health
Centers (FQHCs) program, Medicaid,
and commercial health insurance. It
also highlights examples of targeted
approaches that have been adopted in
several states to provide confidentiality
protection in the billing and health
insurance claims process.
HIPAA Privacy Rule
e HIPAA Privacy Rule contains many
provisions that protect individuals’
confidential medical information, which
is referred to as “Protected Health
Information” or “PHI.” However, the
HIPAA Privacy Rule contains a key
provision that can and does lead to the
disclosure of individuals’ PHI, with
or without their permission, but often
without their clear understanding
that the disclosure may occur or of its
implications. e HIPAA Privacy Rule
also contains important confidentiality
protections of particular relevance for
Title X providers. ese include specific
protections for the rights of minors and
two special confidentiality protections
that allow patients to request restrictions
on disclosure of their PHI and to request
that communications of their PHI
occur in a confidential way. While all
states have adopted laws to implement
the HIPAA Privacy Rule, states have
numerous other laws that protect
confidentiality of health information.
Title X, Ryan White,
and Federally
Qualified Health
Centers
Two other federally funded programs,
Ryan White HIV/AIDs and Section
330 FQHCs, share characteristics with
Title X. Title X law contains both
strong confidentiality protections and
a requirement that reimbursement
be sought from potentially liable
third parties, such as Medicaid and
commercial health insurers. Ryan
White is by law a payer of last resort
and also contains strong confidentiality
requirements. e confidentiality
regulation for Section 330 FQHCs is
virtually identical to Title X’s and, as
with Title X health centers, FQHCs are
obligated to seek reimbursement from
third parties who may be financially
liable for services that patients receive.
us Title X, Ryan White providers,
and FQHCs may all potentially benefit
in similar ways from states’ efforts to
reconcile the tension between the need
to provide confidentiality protection
and the necessity of billing public or
commercial insurance.
Executive Summary
The Title X family planning program provides access to confidential family planning services for millions of individuals.
Increasingly, patients seen in Title X-funded settings are gaining health insurance coverage through Medicaid or commercial
health plans, at the same time that insurance coverage for contraceptive services has expanded. An increase in insured
patients presents an opportunity for family planning providers to access new revenue streams for previously uncompensated
care, but also poses challenges for providers seeking to maintain Title X’s strong patient confidentiality protections while
maximizing reimbursement from third-party payers for services and supplies provided in Title X settings.
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
2
National Family Planning
& Reproductive Health Association
Medicaid
Title X serves many low-income patients
who increasingly may be or may
become eligible for Medicaid. erefore,
understanding Medicaid’s protections,
as well as its requirements that can
result in the disclosure of confidential
patient information, is crucial for Title
X providers. ere are three key areas of
federal and state Medicaid law and policy
affecting the disclosure of confidential
patient information: patient records,
enrollment, and decision-making;
Medicaid program communications; and
third-party payment requirements.
e potential release of patient records
to parents, spouses, and others, and the
potential for interference with patient
decision-making, carries a risk of harm
for some patients. Federal Medicaid
law safeguards against disclosure of
confidential information and requires
that enrollees be able to choose freely
among family planning providers.
is allows them to choose providers,
like Title X, offering heightened
confidentiality protection. State Medicaid
laws and policies contain both general
confidentiality protections and ones that
are specific to family planning.
Federal Medicaid law does not require
that explanations of benefits (EOBs)
always be sent, but does require Medicaid
managed care organizations (MCOs) to
send notices when claims are denied in
whole or in part. State Medicaid policies
vary widely in the frequency with which
they require EOBs to be sent and the
mechanisms used to comply with the
federal notice of denial requirement.
Medicaid serves as a payer of last resort
and reimbursement must be sought
from liable third parties before Medicaid
is billed. ere is a significant risk
that confidentiality could be breached
through the Medicaid eligibility and
enrollment process and the billing
of third parties such as commercial
insurers. Federal law provides a good-
cause exception when seeking third-
party payment could cause harm to the
patient. State laws and policies vary in
the ways they implement third-party
liability and the good-cause exception.
Commercial Health
Insurance
Title X health centers are beginning to
see more patients who are covered by
commercial health insurance, particularly
young adults who remain on their
parents’ policies and individuals who have
purchased insurance in the Marketplace.
Myriad requirements of federal and state
law lead to the disclosure of confidential
health information by commercial health
insurers and health plans throughout
the billing and insurance claims process.
Although state law, together with
insurance policies and contracts, contains
most of the communication requirements
that result in confidentiality breaches,
federal law contains a few key provisions.
In particular federal law requires insurers
to send notices when claims are denied.
Virtually all states have incorporated
this requirement into state law, along
with requirements for a range of other
communications and practices related
to claims and payment processing.
Confidentiality breaches are likely
as a result of these communications,
particularly if they are sent to or seen by
a parent, spouse, other family member, or
domestic partner. In addition, other laws
pertain to EOBs, requests for additional
information, notices of payment of
claims, and other communications, all of
which risk breaching confidentiality.
Evolving Approaches
to Protecting
Confidentiality
Awareness of the potential for conflict
between insurance coverage and
confidentiality protections has existed
for decades, particularly with respect
to adolescents. More recently, the
implications of this challenge have come
into sharper focus as more adults—such
as victims of intimate partner violence
covered under a perpetrator’s policy and
young adults remaining on a parent’s
policy—gain access to public and
commercial health insurance coverage
through Medicaid expansions and the
ACA. Consequently, an increasing
number of states are working to find
solutions by exploring approaches
designed to mitigate the problem.
ese state-level efforts began in
conjunction with and following the
promulgation of the HIPAA Privacy Rule
and have accelerated with the advent of
the ACA; some have been in existence for
a decade or more, while others are new
or contained in pending legislation. e
state laws and policies that represent at
least partial solutions include strategies
that implicate both Medicaid and
commercial insurance. ey include:
• Medicaid’s good-cause exception;
• Management of EOBs, denials, and
other communications;
• Restrictions on disclosure;
• Confidentiality protections for minor
or adult dependents; and
• Implementation strategies.
is white paper highlights examples
of each of these strategies. If fully
implemented, they would likely result
in significant progress toward protecting
the confidential information of patients
receiving family planning services from
Title X providers. Ongoing efforts to
promote adoption of similar measures in
other states, as well as monitoring and
evaluation of efforts taking place in all
states, will be key to ensuring that they
achieve maximum effectiveness.
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
3
National Family Planning
& Reproductive Health Association
The Title X family planning program
1
has offered confidential services since it was enacted
more than four decades ago. Title X confidentiality protections support access to essential
family planning services for millions of adults and adolescents, with priority given to low-
income individuals. Increasingly, and especially with the advent of the Affordable Care Act
(ACA), Title X patients have health insurance coverage through Medicaid or commercial health
plans, while insurance coverage for contraceptive services has also expanded. An increase
in insured patients, while presenting an opportunity for family planning providers to access
new revenue streams for previously uncompensated care, also poses challenges for providers
seeking to maintain Title X’s strong patient confidentiality protections while maximizing
reimbursement from third-party payers for services and supplies provided in Title X settings.
This white paper provides background on the importance of confidentiality in family planning
settings; the scope of Title X confidentiality protections; the health care delivery environment
associated with the ACA; and the challenges associated with confidentiality, billing, and the
insurance claims process. It details some of the key federal and state laws relevant for family
planning that can lead to disclosure of confidential information via billing and insurance claims
and that provide confidentiality protections. It also highlights some of the recent legal and
policy developments in several states that provide targeted protections for confidential health
information in the context of billing and health insurance claims.
Part I: Introduction
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
4
National Family Planning
& Reproductive Health Association
Importance of
Confidentiality
Privacy has long been a concern of
patients seeking and receiving medical
care. Dating back to the Hippocratic
Oath, physicians have had the obligation
to maintain the confidentiality of their
patients’ information. More recently, the
protection of confidential information
has been a tenet of ethical principles in
health and medicine, with medical codes
of ethics and the policies of health care
professionals’ organizations incorporating
strong privacy protections.
2
Federal and
state laws also have established detailed
confidentiality requirements.
Privacy requires protection in all health care
settings and for all health services. Certain
populations experience heightened concerns
and certain services require particularly
strong protections. Family planning
services, which address some of the most
sensitive and personal issues in health care,
are among those that require the strongest
protections; other sensitive services include
care related to sexually transmitted diseases
(STD) including HIV, substance use, and
mental health concerns. Patients seeking
family planning services, and therefore
generally requiring strong confidentiality
protections, encompass a broad spectrum
of patient populations: women and men
of reproductive age; individuals who are
married, estranged, or divorced and insured
under a spouse’s policy; and children of
separated and divorced couples.
3
Research
has documented the special privacy
concerns of certain populations, including
adolescents and young adults,
4
and victims
of domestic or intimate partner violence.
5
e extensive research findings about the
importance of patients’ privacy concerns
and the consequences of confidentiality
breaches have provided the foundation for
the confidentiality requirements that have
been established in federal and state laws.
Title X Confidentiality
Protections
e Title X confidentiality regulations
6
are among the strongest in current law,
and these confidentiality protections
are one of the reasons individuals
choose to seek care at Title X sites.
7
Title X-funded health centers must
follow the requirement that all
information concerning the personal
facts and circumstances of a patient
be held confidential and not disclosed
without the documented consent of
the individual. e regulations contain
exceptions that allow health providers
to disclose patient information without
documented consent if necessary
to provide services to the patient or
if the disclosure is required by law;
but even then appropriate safeguards
for confidentiality must be in place.
ese regulatory requirements have
been incorporated into Title X
program guidance.
8
e regulations
and implementing program guidance
can be viewed as a gold standard in
confidentiality protection and have
withstood numerous attempts to alter
or weaken them.
9
Changing Health Care
Delivery Environment
Title X providers are working in a
rapidly changing health care delivery
environment. Key drivers of change
have been the federal Health Insurance
Portability and Accountability Act of
1996 (HIPAA),
10
the privacy regulations
pursuant to HIPAA (the HIPAA Privacy
Rule),
11
and the Affordable Care Act
(ACA).
12
At the same time, Title X
grantees have felt increasing pressure to
identify new revenue streams as federal
funding for the Title X program has been
reduced by 12.3% from 2010 to 2013.
13
e HIPAA Privacy Rule has both
strengthened confidentiality protections
and created some opportunities for
private information to be disclosed. e
Rule imposes detailed obligations on
health care providers and confers new
rights on patients, including the right to
request special confidentiality protections
that could limit disclosures,
14
especially
when the disclosures would place patients
in danger. e Rule also allows for certain
disclosures in connection with billing and
payment in ways that have the potential
to undermine confidentiality.
15
e ACA has enabled millions of
uninsured individuals to gain coverage
and sets standards for the services
they must be able to receive with that
coverage.
16
Significantly, the ACA
allows young adults to remain on a
parent’s health insurance plan until the
age of 26.
17
e increased number of
young adults and victims of intimate
partner violence with insurance has
raised the visibility and urgency of the
confidentiality challenges associated
with insurance claims.
18
Also of critical
importance, the ACA requires most
commercial health insurance plans to
provide coverage for certain preventive
services without cost-sharing.
19
e
scope of services covered under this
requirement include many that are
provided at Title X sites, such as all
FDA-approved contraceptive methods,
20
associated counseling and well-woman
visits; screening and counseling for
STDs including HIV, and intimate
partner violence; and some vaccines
(such as HPV).
21
Part II: Background
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
5
National Family Planning
& Reproductive Health Association
Emerging
Confidentiality
Challenges
Protecting confidentiality is complex
and has long been challenging in the
health insurance arena.
22
Some federal
standards have been established to
safeguard patient privacy, but apart from
the HIPAA Privacy Rule there is no single
overarching standard for confidentiality
protections that applies across payer
sources, which creates apparent conflicts
between state and federal laws and even
among federal laws. e landscape is
replete with opportunities for disclosure
of private information, some of which are
the result of explicit legal requirements,
such as the sending of explanations
of benefits (EOBs). Meanwhile,
others are inadvertent or unintended
consequences of systems, such as web
portals and electronic health records
(EHRs), established to benefit health care
providers and patients.
23
While Title X
has strong confidentiality protections,
the expansion of insurance coverage to
previously uninsured populations has
complicated the system.
24
Historically,
Title X has served very few patients with
commercial insurance, and Medicaid
eligibility has been largely limited outside
of family planning expansion programs,
so providers have had little need to bill
third-party payers. Now, however, a
growing number of Title X patients have
coverage, which means there are third
parties from whom payment can and
should be sought. Although other health
care sectors are also grappling with similar
confidentiality issues, the challenge is
particularly acute in Title X settings
because of both the heightened risk of
harm from disclosure associated with the
sensitivity of the services and the pressure
to maximize revenue sources in a time of
declining Title X and other public family
planning dollars.
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
6
National Family Planning
& Reproductive Health Association
e purpose of this white paper is to shed
light on the challenges that currently exist
with respect to confidentiality, third-party
billing, and insurance claims. First, the
paper identifies the federal and state laws
and policies that can result in breaches
of confidential information in the billing
and insurance claims process as well as
those that protect the confidentiality
of health information. e paper offers
analysis of the implications of both
sets of laws and policies for Title X and
family planning providers. Second, the
paper highlights examples of some of
the approaches that have been adopted
in a small but growing number of states
to resolve the existing conflict between
protecting confidentiality and using
health insurance coverage.
To identify relevant laws and policies,
a search was conducted of sources
related to the HIPAA Privacy Rule;
state confidentiality requirements; Title
X; Ryan White HIV/AIDS Program;
Section 330 Federally Qualified Health
Centers; Medicaid; and commercial
health insurance. Relevant sources were
identified using LexisNexis and the
Internet. A literature review of secondary
sources included journal articles,
monographs and reports, websites, and
other electronic databases. Primary
sources identified and analyzed included
statutes, regulations, sub-regulatory
guidance, and court decisions.
Extensive searches were conducted to
identify primary sources in federal law.
Searches also were conducted for state
laws and policies in eight states. e
criteria used to select states included:
whether a state had laws requiring
commercial health insurers to disclose
confidential information as part of the
claims process, e.g. via EOBs; whether a
state had new or specific laws providing
confidentiality protection for dependents
insured on a family member’s health
insurance policy; the state’s status with
respect to Medicaid expansion under the
ACA; the state’s status with respect to
the expansion of Medicaid eligibility for
family planning services via waiver or a
state plan amendment; other Medicaid
factors, including Medicaid managed
care implementation and any known
Medicaid policies with respect to the
“good-cause” exception;
25
geographic
distribution; and the family planning
policy environment in the state.
rough the application of these criteria,
a non-representative but diverse group of
states was selected, including Alabama,
California, Colorado, Illinois, Iowa,
New York, Texas, and Washington. e
research conducted in these states was not
designed to create a complete legal profile
of each state but rather to identify some
examples of different legal and policy
approaches to disclosure requirements
and confidentiality protections in the
billing and insurance claims process.
Part III: Purpose and Methodology
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
7
National Family Planning
& Reproductive Health Association
Many requirements of state and federal
law can lead, directly or indirectly, to
the disclosure of confidential health
information that an individual would
prefer remain private, sometimes for
urgent and compelling reasons. Federal
and state laws also contain numerous
confidentiality protections for health care
information. ese laws vary widely in
terms of what information they protect,
who can access the information, when
the patient’s permission is required for
disclosure, and many other factors.
Although electronic health records
(EHRs) constitute an extremely important
component of the management of
patients’ health information, including
the degree of confidentiality protection,
a detailed exploration of the laws and
policies that are specifically related
to EHRs is beyond the scope of this
white paper. e following discussion
addresses disclosure requirements and
confidentiality protections in the HIPAA
Privacy Rule, state medical privacy laws,
Title X, the Ryan White HIV/AIDS
Program, Section 330 Federally Qualified
Health Centers (FQHCs), Medicaid, and
commercial health insurance.
HIPAA Privacy Rule
e HIPAA Privacy Rule contains many
provisions that protect individuals’
confidential medical information,
which is referred to as “Protected Health
Information” or “PHI.” However, the
HIPAA Privacy Rule also contains a key
provision that leads to the disclosure of
individuals’ PHI, often with their permission
but without their clear understanding that
the disclosure may occur.
Disclosure of PHI Under
the HIPAA Privacy Rule
Although an individual’s authorization is
generally required in order for “covered
entities”—which include health plans
and insurers as well as health care
providers—to disclose PHI, there are
exceptions, such as when disclosures
are required by law, as in child abuse
reporting, or for certain public health
purposes. Also, there is one overarching
exception to the authorization
requirement,
26
which is that health care
providers, health plans, and insurers
are permitted to disclose otherwise
protected confidential information
for “treatment, payment, or health
care operations” without the express
authorization of the individual.
27
is
covers a broad range of communications
that occur within the billing and health
insurance claims process.
Most covered entities do obtain
authorization from individuals to disclose
their PHI even when those disclosures
will occur for treatment, payment, or
health care operations purposes. For
example, when seeking care from a
health care provider in an inpatient or
outpatient setting, individuals are almost
always asked—and, in effect, required—
to sign a document authorizing the
provider to disclose whatever confidential
health information is necessary to
submit claims and receive payment
from their health insurer. e signing
of these documents is routine, and
patients may not understand the full
implications of what they are signing.
28
Even without that authorization from
the individual, however, the health care
provider would likely be able to disclose
the information under the rubric of
the “treatment, payment, or health care
operations” regulation. e reach of the
HIPAA Privacy Rule is so broad, and
the implementation of its requirements
in virtually all health care settings has
become so routine, that the implications
of the disclosures that may occur are
rarely made clear to patients.
Some states have statutory provisions
authorizing these disclosures without the
patient’s authorization. In other states,
the policy may be embodied in insurance
contracts or plan documents. For example,
in California, the “Confidentiality of
Medical Information Act” provides:
A provider of health care or a
health care service plan may
disclose [without authorization of
the patient] medical information as
follows:… to an insurer, employer,
health care service plan, hospital
service plan, employee benefit
plan, governmental authority,
contractor, or other person or
entity responsible for paying for
health care services rendered to the
patient, to the extent necessary to
allow responsibility for payment to
be determined and payment to be
made [emphasis added].
29
Another example of the way in which
insured individuals may have authorized
disclosure of their confidential information
without realizing it is contained in the
standard “Summary Description” of one
group health insurance plan in Alabama:
Part IV: Required Disclosures &
Confidentiality Protections in Current
Laws & Policies
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
8
National Family Planning
& Reproductive Health Association
To administer this plan we need
your medical information from
physicians, hospitals and others. To
decide if your claim should be paid
or denied or whether other parties
are legally responsible for some or
all of your expenses, we need records
from health care providers and other
plan administrators. By applying
for coverage and participating
in this plan, you agree that we
may obtain, use and release all
records about you and your minor
dependents that we need [emphasis
added] in order to administer this
plan or to perform any function
authorized or permitted by law. You
further direct all other persons to
release all records to us about your
minor dependents that we need to
administer this plan. If you or any
provider refuses to provide records,
information or evidence we request
within reason, we may deny your
benefit payments… . Additionally,
we may use or disclose your personal
health information for treatment,
payment or health care operations,
or as permitted or authorized by law
pursuant to the privacy regulations
under the Health Insurance
Portability and Accountability Act of
1996 (HIPAA) [emphasis added].
30
Confidentiality Protections
Under the HIPAA Privacy Rule
In addition to the provision that can
lead to disclosures of patients’ PHI,
the HIPAA Privacy Rule also contains
important confidentiality protections
of particular relevance for Title X
providers. ese include specific
protections for the rights of minors and
two special confidentiality protections
that allow patients to request
restrictions on disclosure of their
PHI and request that communications
of their PHI be confidential.
Minors’ Rights
e HIPAA Privacy Rule contains specific
protections for minors and provides them
with important rights.
31
Generally, the
parent of an unemancipated minor is
considered the authorized representative
of the minor. However, in specific
circumstances the Rule treats minors as
individuals who can exercise rights for
themselves. In particular, this occurs when
minors are authorized to give consent for
their own health care,
32
or when parents
accede to a confidentiality agreement
between a minor and a health care
provider. Parents’ access to their minor
child’s PHI in these circumstances depends
on “state or other law, including applicable
case law.”
33
Title X provides minors with
confidentiality protection that also allows
them to obtain services based on their
own consent.
34
erefore, in the Title X
setting, parents should not have access to a
minor’s PHI unless the minor agrees, and
the minor would provide authorization
for disclosure whenever authorization is
required or sought.
Requests for Special Confidentiality
Protections
Two critically important provisions of the
HIPAA Privacy Rule allow individuals to
request special confidentiality protections
for their PHI and the way in which it
is handled by health care providers and
health insurers. ese provisions have
provided the basis for the efforts of
several states to provide confidentiality
protections in the context of billing and
health insurance claims.
First, health care providers and insurers
must allow individuals to request
restrictions on the disclosure of their PHI
that would otherwise be permitted for the
purpose of treatment, payment, or health
care operations.
35
Health care providers
and health plans (“covered entities”) are
not generally required to agree to such
restrictions, but if they agree to comply
they must do so, except in emergencies.
However, a covered entity must agree to a
request not to disclose an individual’s PHI
without the individual’s authorization
if the disclosure is for the purpose of
treatment, payment, or health care
operations and is not otherwise required
by law and if the health care item or service
has been paid for in full by the patient or
someone other than the health plan.
36
Second, individuals must be allowed
to make requests to both health care
providers and health plans that they
“receive communications of protected
health information… by alternative
means or at alternative locations.”
37
Health care providers are required to
accommodate reasonable requests
and may not require patients to make
a statement that that they would be
endangered by disclosure. Health plans
are required to accommodate reasonable
requests, but only “if the individual
clearly states that the disclosure of
all or part of [the] information could
endanger the individual [emphasis
added].”
38
Health care providers and
health plans may require an individual
to put the request in writing; provide
information about how payment, if any,
will be handled; and specify an alternative
address or other method of contact.
Both of these provisions of the HIPAA
Privacy Rule have been key elements in
the efforts states are making to address
the confidentiality challenges that are
part of the billing and health insurance
claims process. e right to request
communications about confidential
information by alternative means or at
alternate locations has had particular
prominence in these efforts.
State Medical Privacy
and Confidentiality
Laws
States have many laws and policies
that protect the privacy of patients
and the confidentiality of their health
care information. ese protections
are found in state laws implementing
the HIPAA Privacy Rule; general
medical confidentiality laws; laws
providing patients with access to their
medical records; general patients’ rights
laws requiring privacy protections
in outpatient and inpatient settings;
protections for information related to
specific health issues such as substance
use, mental health problems, and
HIV; professional licensing laws and
evidentiary privileges; state funding
programs; and minor consent laws. Most
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
9
National Family Planning
& Reproductive Health Association
of these laws are relevant in the Title X
setting and many of them are relevant
to the intersection of confidentiality
laws with laws governing the health care
billing and insurance claims process.
A few examples of these state medical
privacy and confidentiality laws are
included here.
State Implementation of
HIPAA Privacy Rule
e requirements of the federal HIPAA
Privacy Rule are applicable to health care
providers and health insurers in every
state. e Rule sets the floor for privacy
protections, but states are free to provide
more stringent protections if they so
choose. Most states have enacted statutes
or promulgated rules to incorporate at
least some of the provisions of the HIPAA
Privacy Rule into state law; some have
adopted comprehensive statutory or
regulatory schemes to reflect or go beyond
the HIPAA requirements. Examples of
states with detailed laws implementing
HIPAA include California, Colorado,
New York, Texas, and Washington. Four
of these states—California, Colorado,
New York, and Washington—have relied
on the HIPAA privacy framework to
begin to limit confidentiality breaches
in the insurance claims process. ese
approaches are discussed in detail in the
last section of this white paper. Texas
has numerous statutory and regulatory
protections for confidentiality and
medical privacy. In particular, the Texas
Medical Records Privacy Act contains
several provisions that are more stringent
than the HIPAA Privacy Rule.
39
General Medical Privacy
and Confidentiality Laws
Although a comprehensive survey of
the full range of medical privacy and
confidentiality laws adopted by the eight
states examined for this white paper is
beyond this paper’s scope, some salient
examples of the various types of laws
found in these states are highlighted
here. California has long-standing and
particularly detailed laws that pre-dated
HIPAA but have been updated and
amended since the HIPAA Privacy
Rule was promulgated—such as the
Confidentiality of Medical Information
Act
40
and the Patient Access to Health
Records Act,
41
both of which contain
detailed provisions specifying when a
patient’s consent is required to release or
access his or her medical records. Some
state confidentiality laws pertain to the
handling of medical information and
records by specific types of health care
providers or insurers. For example, laws
in Alabama and Colorado obligate health
maintenance organizations (HMOs) to
protect from unauthorized disclosure any
information or data about the “diagnosis,
treatment, or health” of any enrollee or
applicant.
42
Many states also have laws that
address the confidentiality of information
related to a particular health condition,
such as HIV infection, or a specific type
of care, such as substance abuse or mental
health treatment. e George Washington
University’s Hirsh Health Law & Policy
Program and the Robert Wood Johnson
Foundation have created an online legal
database that contains summaries and
citations of many of these laws.
43
Confidentiality for Minors
Every state has laws that allow minors
to consent for their own health care
in certain situations, based either on
the status of the minor or services they
are seeking.
44
Some states explicitly
prohibit disclosure of information or
records pertaining to the services for
which minors may consent unless the
minor gives permission for disclosure.
45
Some states explicitly grant discretion
to health care professionals to disclose
information to parents in specific
circumstances, even when the minor has
consented to care and may be objecting
to the disclosure.
46
When neither state
nor federal laws address the question of
whether or when a minor’s confidential
information can be released to parents,
the HIPAA Privacy Rule grants discretion
to a health care provider (which includes
a health insurance plan) exercising
medical judgment to determine whether
to grant access to parents. Many states’
minor consent laws are partially or mostly
silent on this issue of parents’ access.
47
However, federal Title X law is not. Title
X providers may not disclose minors’
confidential information without their
permission unless required to do so by
some other federal law or a state law such
as a child abuse reporting requirement.
48
Beyond the confidentiality protections
contained in minor consent laws, some
states include specific protections for
minors in their general medical privacy
and confidentiality laws.
49
Protections
for minors may also be included in the
contract language for health insurance
policies and managed care organizations
(MCOs), but this varies widely by plan.
Title X
e Title X statute and regulations not
only protect confidentiality, they also
contain requirements that could create
confidentiality challenges. Specifically, the
regulations require that efforts be made
to collect payments from third parties,
including government agencies such as
Medicaid, when those third parties are
authorized or obligated to pay for the
services a patient is receiving from a Title
X-funded provider.
50
Title X Confidentiality
Protections
e Title X confidentiality regulations
are exceptionally strong. e regulations
provide that:
All information as to personal facts
and circumstances obtained by
the project staff about individuals
receiving services must be held
confidential and must not be
disclosed without the individual’s
documented consent, except as may
be necessary to provide services
to the patient or as required by
law, with appropriate safeguards
for confidentiality. Otherwise,
information may be disclosed only
in summary, statistical, or other
form which does not identify
particular individuals.
51
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
10
National Family Planning
& Reproductive Health Association
ese regulatory requirements have been
incorporated into the guidance for the
Title X program.
52
Of major current and historical
significance, the Title X confidentiality
regulations protect adolescents as well as
adults;
53
this protection is supported by
the requirement to determine a minor’s
financial eligibility for discounts based
on his or her own resources rather than
those of his or her families.
54
When
documented consent is not obtained
because disclosure is necessary to
provide services to the patient or is
required by law, appropriate safeguards
for confidentiality must still be in
place. Examples of disclosures that are
required by law include mandatory
reporting of child abuse,
55
intimate
partner violence,
56
and STDs.
57
For a
more detailed discussion of the history
and current status of the Title X
confidentiality regulations see “Adolescent
Confidentiality Protections in Title X.”
58
Risks of Disclosure in Title X
Generally, Title X law provides that
individuals from low-income families—
defined as having incomes at or below
100% of the federal poverty level (FPL) or
a family with a higher income but unable
to pay for family planning services—
must not be charged for services unless
the charges will be paid by a third party,
including a government agency such as
Medicaid that is authorized or legally
obligated to pay.
59
Unemancipated minors
who wish to receive confidential services
must have their ability to pay considered
on the basis of their own resources.
60
Individuals from families who do not
meet the definition of “low-income” but
whose income is at or below 250% FPL
are to be charged according to a schedule
of discounts, often referred to as a sliding
fee scale.
61
Title X providers are required to engage
in reasonable efforts to secure third-
party payment without application of
discounts for low-income individuals.
62
ird-party sources from which
payments should be sought might
include public or commercial health
insurance coverage through Medicaid,
the Children’s Health Insurance
Program (CHIP), employer-based
plans, the Federal Employee Benefit
Program, TRICARE coverage for
military personnel and families, and
ACA Marketplace plans. Other publicly
funded third-party sources that are
important in the Title X context include
FQHCs
63
and the Ryan White HIV/
AIDS Program.
64
For Title X patients
who are insured and who are subject
to charges for Title X services, the
copayments and other cost sharing for
individuals with family incomes under
250% FPL cannot exceed what they
would pay if Title X discounts were
applied.
65
Although billing Medicaid or commercial
health insurers and the steps involved in
the insurance claims and payment process
can result in breaches of confidentiality,
especially if a patient is a dependent on
a family member’s policy, it is essential
to identify approaches that allow Title
X providers to secure revenues from
third parties while honoring patient
confidentiality. Some possibilities for
doing this are highlighted in the last
section of this paper. Ultimately, the Title
X program requirements specify that
reasonable efforts are required to collect
charges without jeopardizing patient
confidentiality.
66
is is an important
failsafe for Title X patients that providers
have used to not seek third-party
reimbursement when the provider has
ascertained that seeking reimbursement
would jeopardize patient confidentiality
and the patient has indicated a need for
confidentiality protection.
Other Federal
Funding Programs
Title X health centers often rely on
funds from other federal programs to
pay for services, and other federally
funded health care service delivery
sites sometimes receive Title X funds
to subsidize family planning services.
erefore, it is important for Title X
providers to understand whether any
of the requirements for these programs,
such as the Ryan White HIV/AIDS
Program or Section 330 Federally
Qualified Health Centers, could lead
to disclosures of patients’ information
in ways that are inconsistent with Title
X confidentiality regulations and what
specific confidentiality protections are
part of these programs.
Ryan White HIV/AIDS
Program
Some Title X health centers receive
funds from the Ryan White HIV/
AIDS program (Ryan White) to support
medical services they provide for patients
with HIV. By statute, Ryan White is a
payer of last resort and Ryan White funds
cannot be used if payment has been
made, or can reasonably be expected to be
made, by any other payer.
67
Ryan White
fills the gaps for individuals with HIV
who have no other source of coverage or
face coverage limits.
68
Ryan White grantees and their
contractors are expected to vigorously
pursue Medicaid enrollment as well
as other funding sources such as
state-funded HIV/AIDS Programs,
employer-sponsored health plans, and
other public and commercial health
insurance coverage.
69
ey also should
conduct eligibility determinations,
perform insurance verification, make
every effort to identify primary payers,
and coordinate their services with other
payers.
70
us the payer of last resort
status of Ryan White and the obligation
for recipients of Ryan White funds to
seek other sources of payment available
for individuals to whom services are
being provided raises the possibility of
disclosure similar to that which exists in
the Title X setting. As in Title X, Ryan
White service providers and patients have
significant concerns about confidentiality
that can complicate the process of sharing
data to secure third-party payments,
71
but also like Title X, the Ryan White
law includes strong and explicit
confidentiality protections.
72
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
11
National Family Planning
& Reproductive Health Association
Section 330 “Health
Centers”
Federally qualified health centers
(FQHCs) funded under Section 330
of the Public Health Service Act, also
frequently referred to as community health
centers, are required to provide voluntary
family planning services and supplies.
73
Some FQHCs receive Title X funds to
help provide family planning services.
FQHCs are required to maintain the
confidentiality of patient records
74
but they
are also required to make every reasonable
effort to collect reimbursement for costs
of providing health services to patients
who are entitled to medical assistance
under Medicaid or under any other public
assistance program or commercial health
insurance program.
75
Centers are required
to maintain a schedule of fees, with
discounts applicable to patients based on
their ability to pay, but are not allowed to
deny services to anyone based on inability
to pay.
76
e confidentiality regulation for
FQHCs contains language almost identical
to the Title X confidentiality regulations.
77
us Title X providers and FQHCs
are in similar positions, with strong
confidentiality requirements in place but
also clear obligations to seek revenues
from third-party payers. Consequently, the
evolving approaches discussed later in this
white paper would likely benefit both Title
X providers and FQHCs in similar ways.
Medicaid
Title X serves many low-income
patients who increasingly may be
eligible for Medicaid. erefore,
understanding Medicaid’s protections,
and its requirements that can result in
the disclosure of confidential patient
information, is crucial for Title X
providers. ere are three key areas of
federal and state Medicaid law and policy
affecting the disclosure of confidential
patient information: patient records,
enrollment, and decision-making;
Medicaid program communications; and
third-party payment requirements.
Patient Records, Enrollment,
and Decision-making
e potential release of patient records
to parents, spouses, and others, and the
subsequent interference with patient
decision-making, carries a risk of harm
for some patients. Federal Medicaid
law safeguards against disclosure of
confidential information.
78
It also requires
that Medicaid cover family planning
“services and supplies” for all Medicaid
enrollees of childbearing age, including
“minors who can be considered to
be sexually active.
79
Combined with
federal requirements that states ensure
beneficiaries eligible for family planning
services are “free from coercion or mental
pressure and free to choose the method
of family planning to be used,”
80
these
protections have been interpreted to
provide significant protection for patient
records and decision-making, including
for minors.
81
In addition to confidentiality protections
for Medicaid services, federal Medicaid
law requires that enrollees be able to
choose freely among family planning
providers.
82
is “freedom of choice”
protection enables them to choose to
receive services from providers, such
as Title X sites, that adhere to a high
standard of confidentiality protection,
even if those providers are outside of the
patient’s managed care network.
State laws and policies contain varied
provisions that help to protect the privacy
of Medicaid applicants and enrollees and
their confidential health information.
83
ese methods include both general
confidentiality requirements
84
and specific
confidentiality protections for information
related to family planning services.
85
Additionally, the release of information
about a patient’s enrollment in a
Medicaid family planning expansion
could cause harm. Some states have
taken steps to protect this information,
particularly as states have invested in
technology to better use enrollment
data and diverse databases containing
information about patients become
more linked, increasing the risk that
confidential information will be released.
For example, in an analysis of state
Medicaid family planning expansions, the
Guttmacher Institute found that:
As data for many different state
programs are linked together (with
the advantage of easing enrollment
and renewal, and improving
customer service), situations may
occur in which another family
member may inadvertently be
informed that a woman is enrolled
in the family planning expansion
program. Some states (six of
the 19) have responded to this
potential problem by creating
electronic “flags” for client records,
such as messages reminding
state caseworkers and health care
providers when a woman has
requested confidentiality or when
changes to the client’s record
may affect her privacy [emphasis
added].
86
Medicaid Program
Communications
A significant concern for providers
seeking to protect patient confidentiality
arises from the use of EOBs and other
forms of communication to convey
information on Medicaid payment for
services to enrollees. When information
concerning Medicaid claims is
communicated to patients, particularly
through EOBs or similar notices, such
communications may inadvertently
reveal to parents, spouses, or other family
members that a patient has sought or
received family planning services, putting
the patient at risk of harm.
Federal law does not explicitly require
that state Medicaid programs always
send EOBs when services are provided
to beneficiaries or paid for by Medicaid.
Instead, federal regulations require that,
in order to combat fraud, state Medicaid
agencies “have a method for verifying with
beneficiaries [emphasis added] whether
services billed by providers were received.”
87
Federal regulations, adopted pursuant
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
12
National Family Planning
& Reproductive Health Association
to the Balanced Budget Act of 1997,
also specify that state Medicaid program
contracts with Medicaid managed care
organizations (MCOs) must require them
to “give the enrollee written notice of any
decision by the MCO … to deny a service
authorization request, or to authorize
a service in an amount, duration, or
scope that is less than requested.”
88
us
some form of written notice to Medicaid
enrollees is required by federal law when
services are denied in whole or in part by
a Medicaid MCO.
89
e extent to which
an EOB is the specific mechanism used
to comply with this requirement is not
clear, although even if the written notice is
not an EOB it nevertheless can result in a
breach of confidentiality.
State policies vary widely when it comes
to the use of EOBs and, within states,
between fee-for-service Medicaid and
Medicaid MCOs. Some states do not
send EOBs at all, others send them only
when a claim is denied, and others send
them on a monthly or quarterly basis
as opposed to on a per-service basis.
90
Research by the National Alliance to
Advance Adolescent Health indicates
that for patients not enrolled in MCOs
the majority of state Medicaid agencies
do utilize EOBs in some form—EOB,
REOMB (Recipient Explanation of
Medical Benefits), or Medical Service
Verification letter.
91
Interviews with 12
of the largest Medicaid MCOs serving
the Medicaid population indicated that
EOBs are viewed by states as a simple and
inexpensive method of verifying services.
92
In contrast, Medicaid MCOs typically
have broad discretion in setting their
policies regarding the use of EOBs, and
most MCOs do not send EOBs except as
required by states.
93
Notably, CMS, the
federal agency that oversees Medicaid,
recently posted a sample EOB online to
explain to beneficiaries that they might
receive an EOB and what it would
contain,
94
suggesting that use of EOBs in
the Medicaid context is continuing, even
if not federally mandated.
Beyond how frequently and for what
reason EOBs are sent, other state policies
regarding EOBs—such as whether the
patient can designate an alternate address
for EOBs to be sent, or whether EOBs
are sent to a minor receiving services or
their parent or head of household—can
impact confidentiality. In an effort to
mitigate the problems that EOBs and
other Medicaid communications can
cause with regard to confidentiality,
some states exclude information about
family planning and other sensitive
services when they send EOBs.
95
Also, to protect adolescents who need
confidential Medicaid services, some
states that do send EOBs, REOMBs,
or Medical Service Verification Letters
send them directly to the adolescent.
e National Alliance to Advance
Adolescent Health’s analysis showed
that among 42 states that send EOBs
or verification letters in Medicaid,
“while about half…reported sending the
statements directly to the adolescent, the
other half reported sending them to the
parent or head of household.”
96
Specific
protective language related to Medicaid
program communications in state laws
or policies include some that are based
on HIPAA
97
and others that pertain to
communications in the state’s family
planning waiver.
98
Medicaid Third-Party
Liability
Medicaid is a payer of last resort,
meaning that states are obligated to
implement practices to secure payments
from any liable third parties.
99
State
Medicaid agencies are required to “take
reasonable measures to determine the
legal liability of the third parties who are
obligated to pay for services furnished
under the [Medicaid state] plan.”
100
e
steps to determine the liability of third
parties include obtaining health insurance
information during the Medicaid
initial application and redetermination
processes.
101
e type of information
that is obtained from applicants for
Medicaid “may include, but is not limited
to, the name of the policy holder, his
or her relationship to the applicant or
beneficiary, the social security number
(SSN) of the policy holder, and the name
and address of insurance company and
policy number.”
102
Medicaid regulations
specify detailed procedures for ensuring
that payment from liable third parties is
collected, usually before Medicaid can
issue payment on a claim.
103
ey also
require applicants to assign any rights
they may have for medical support to the
state Medicaid agency and to cooperate
with collection efforts.
104
is is affirmed
on the Medicaid website, which states:
“By law, all other available third-party
resources must meet their legal obligation
to pay claims before the Medicaid
program pays for the care of an individual
eligible for Medicaid.”
105
Most states have adopted statutes,
regulations, or state Medicaid agency
policies to implement the third-party
liability requirements of federal Medicaid
law, although variations exist among the
states. Alabama, for example, requires
all providers to file claims and receive
responses from liable third parties before
seeking payment from Medicaid.
106
Colorado requires Medicaid enrollees
to use “primary” third-party coverage
before using Medicaid services, and
requires counties to obtain information
about that third-party coverage when the
individual applies for or is predetermined
to be eligible for Medicaid.
107
Illinois
requires Medicaid beneficiaries to tell
the Medicaid agency about medical
benefits they receive or should receive.
108
New York requires recipients of services
from the state’s Family Planning Benefit
Program to assign their rights to medical
support or insurance coverage for family
planning services to the Medicaid agency
unless “good cause” exists for them not
to do so.
109
Federal statutes and regulations provide a
good-cause exception to the requirement
that individuals identify and provide
information to assist in the pursuit of
third parties who may be liable to pay
for care and services under the plan
when “it is anticipated that cooperation
will result in reprisal against, and cause
physical or emotional harm to, the
individual or other person.”
110
is
exception, which has allowed patients to
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
13
National Family Planning
& Reproductive Health Association
seek health services without jeopardizing
the confidentaility of their information,
has been critical to protecting a patient’s
safety and ensuring access to family
planning services.
In spite of its importance, the good-
cause exception was written at a
time when the primary means for a
state Medicaid program to identify
potentially liable third-party payers
was through information provided by
the patient; if a patient claimed the
exemption and did not turn over their
health insurance information, they
could be reasonably assured that other
payers—which may send EOBs or other
communications that could breach the
patients’ confidentiality—would not
be billed, and therefore their privacy
would be protected. However, in today’s
age of electronic records and databases,
and with the expansion of commercial
health insurance coverage through the
ACA marketplaces, many states now
have alternate ways to identify and bill
potential third-party payers. According to
the Medicaid website:
States conduct data matches to
identify third-party resources.
States must have laws in place
that require health insurers to
provide their plan eligibility and
coverage information to Medicaid
programs. For example, states
conduct data matches with public
entities, such as the Department
of Defense, to identify Medicaid
enrollees and/or their dependents
that have coverage through the
Military Health Services system
and the TRICARE program.
111
Further, there is significant variance from
state to state about how the good-cause
exception is operationalized, if at all. A
number of states do not appear to have
any statute or regulations pertaining to
the good-cause exception, so it is unclear
how it is operationalized in those states.
is has led patients and providers
in some states to be concerned about
“losing control” of the process once
Medicaid is billed, putting patients at
potential risk of harm. Such providers
may therefore be choosing to forgo billing
Medicaid to assure that the patient’s
confidentiality is fully protected, even
when the state’s Medicaid EOB and other
communications policies would not put
the patient’s confidentiality at risk.
Other states have language regulating
the use of the good-cause exception,
but operationalize it differently.
For example, Iowa provides that:
“A woman eligible under the Iowa
Family Planning Network coverage
group can claim good cause for not
cooperating with the ird-Party
Liability Unit due to confidentiality if
she is fearful of the consequences of a
parent or spouse discovering that she is
receiving family planning services.”
112
Texas Medicaid policy states: “Federal
and state regulations mandate that
family planning client information
be kept confidential. Because seeking
information from third-party
insurance may jeopardize the client’s
confidentiality, prior insurance billing
is not a requirement for billing family
planning for [Medicaid].”
113
Some states,
such as Louisiana, make clear that the
Medicaid agency has the right to pursue
third-party benefits even when good
cause exists for the Medicaid applicant
or enrollee not to cooperate in doing
so,
114
potentially limiting the protection
provided by the good-cause exception.
Commercial Health
Insurance
Myriad requirements of federal and state
law lead to the disclosure of confidential
health information by commercial health
insurers and health plans throughout
the billing and insurance claims
process. Although state law, together
with insurance policies and contracts,
contains most of the communication
requirements that result in confidentiality
breaches, federal law contains a few key
provisions as well. In particular, federal
law requires insurers to send notices
when claims are denied. Virtually all
states have incorporated this requirement
into state law, along with requirements
for a range of other communications and
practices related to claims and payment
processing. Confidentiality breaches are
likely a result of these communications,
particularly if they are sent to or seen by
a parent, spouse, other family member,
or domestic partner.
Federal Disclosure
Requirements
A key provision of the Employee
Retirement Insurance Security Act
(ERISA) requires most commercial health
insurance plans
115
to “provide adequate
notice in writing to any participant or
beneficiary whose claim for benefits
under the plan has been denied, setting
forth the specific reasons for such
denial, written in a manner calculated
to be understood by the participant,”
and to provide an opportunity for a
“full and fair review” of the denial.
116
e federal regulations issued by the
Department of Labor require ERISA
plans to “establish and maintain
reasonable procedures governing the
filing of benefit claims, notification of
benefit determinations, and appeal of
adverse benefit determinations….”
117
e
ERISA definitions of “participant” and
“beneficiary” suggest that these notices
could be sent either to the employee/
policyholder or to another individual
who is covered and entitled to benefits
under the plan.
118
e regulations also
state that the denial—or “adverse benefit
determination”—may be sent either in
writing or electronically.
119
Regulations issued to implement ACA
requirements related to group health
plans and health insurers include
procedures for claims and appeals.
Pertinent requirements relating to denial
of claims were issued jointly by the US
Treasury Department, the Department
of Labor, and the Department of Health
and Human Services.
120
ese regulations
require most commercial health plans
and insurers to comply with the same
requirements regarding notices when
claims are denied and added greater
specificity to the content of the notices
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
14
National Family Planning
& Reproductive Health Association
required by the previous Department of
Labor regulation.
As explained in the Preamble to the
joint regulations:
Plans and issuers must comply with
the requirements of paragraphs
(g) and (j) of the DOL claims
procedure regulation, which
detail requirements regarding the
issuance of a notice of adverse
benefit determination. Moreover,
for purposes of these interim final
regulations, additional content
requirements apply for these
notices. A plan or issuer must
ensure that any notice of adverse
benefit determination… includes
information sufficient to identify
the claim involved. is includes
the date of service, the health care
provider, and the claim amount (if
applicable), as well as the diagnosis
code (such as an ICD–9 code,
ICD–10 code, or DSM–IV code),
the treatment code (such as a CPT
code), and the corresponding
meanings of these codes. A plan
or issuer must also ensure that
the reason or reasons for the
adverse benefit determination
or final internal adverse benefit
determination includes the denial
code (such as a CARC and RARC)
and its corresponding meaning.
It must also include a description
of the plan or issuer’s standard, if
any, that was used in denying the
claim (for example, if a plan applies
a medical necessity standard in
denying a claim, the notice must
include a description of the medical
necessity standard).
121
e Preamble to the regulations also states:
A denial, reduction, or termination
of, or a failure to provide or make
a payment (in whole or in part) for
a benefit can include both pre-
service claims (for example, a claim
resulting from the application of
any utilization review), as well as
post-service claims. Failure to make
a payment in whole or in part
includes any instance where a plan
pays less than the total amount of
expenses submitted with regard to
a claim, including a denial of part
of the claim due to the terms of a
plan or health insurance coverage
regarding copayments, deductibles,
or other costsharing [sic]
requirements [emphasis added].
122
is means that virtually all benefit
determinations made by health insurers
are likely to be considered a denial,
because the full amount of the charges
submitted by health care providers
is rarely paid by insurers due to a
combination of the contractual discounts
negotiated between the insurer and the
provider and the terms of the covered
individual’s health insurance policy with
respect to deductibles, copayments, and
coinsurance. us Title X providers need
to be aware that whether the notice is
specifically titled an EOB or not, when
claims are filed with their patients’
commercial insurers or health plans, a
notice regarding determination of benefits
claimed and paid or not paid will almost
certainly be sent in compliance with the
requirements of federal law.
State Disclosure
Requirements
Every state has numerous laws that
explicitly require or indirectly result
in disclosure of confidential health
information as part of the health
care billing and health insurance
claims process. Two leading types of
communications that are addressed in
these statutes, regulations, and policies
are EOBs and denials of claims; others
include communications related to
acknowledgment of claims, requests for
additional information, and payment of
claims. e Guttmacher Institute and the
Center for Adolescent Health & the Law
conducted a detailed review and analysis
of these laws in all 50 states and the
District of Columbia in 2012.
123
In addition to the requirements contained
in laws and policies, various practices
that are part of the insurance claims
process may result in the disclosure of
confidential health information to people
other than the patient. For example, a
policyholder may be able to view the
claims history under the policy online, so
that even if an EOB has been suppressed
or sent to the patient rather than the
policyholder, the policyholder may learn
confidential information when reviewing
the claims history.
Although not every state has a statute
or regulation that explicitly requires the
sending of an EOB for all insurance
claims, the use of EOBs is ubiquitous
in the health system. ere are several
possible reasons for this. First, about
half of states do have laws specifically
addressing EOBs.
124
Second, the sending
of EOBs may be required in insurance
contracts and policies rather than in state
statutes and regulations.
125
ird, states
without an explicit requirement to send
a communication titled EOB almost
certainly have a law requiring that a
notice be sent when a claim is denied in
whole or in part.
126
In light of the broad
scope of how denials are understood in
federal law—as described in the Preamble
to the regulations regarding “adverse
benefit determinations”
127
—it is likely
that laws requiring notices of denial
are resulting in the issuance of EOBs,
regardless of the specific terminology used
to identify them.
Variations appear in the specific
provisions of EOB laws in different
states. For example, some laws specify
the recipient or the content of the EOB
or require information about specific
services, but others do not. Detailed
review of the laws in eight specific states
yielded examples of these variations.
For example, Alabama requires that
an EOB be sent to the “insured” or
“beneficiary;”
128
California requires
that an EOB be sent to the “claimant
and assignee;”
129
New York requires
that an EOB be sent to the “insured”
or “subscriber.”
130
Other states, such as
Illinois,
131
and Texas
132
do not appear to
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
15
National Family Planning
& Reproductive Health Association
have an explicit requirement for sending
EOBs but related language appears to
presume that one will be sent. According
to the state insurance commissioner,
Washington requires that an EOB be
sent upon the request of an enrollee of a
health plan.
133
ose laws that specify the content of
an EOB illustrate how confidentiality
could be breached. For example, a New
York statute requires HMOs and health
insurers to:
…provide the insured or
subscriber with an explanation of
benefits form…e explanation
of benefits form must include
at least the following:(1) the
name of the provider of service
and the admission or financial
control number, if applicable;
(2) the date of service; (3) an
identification of the service for
which the claim is made; (4) the
provider’s charge or rate; (5) the
amount or percentage payable
under the policy or certificate after
deductibles, co-payments, and any
other reduction of the amount
claimed; (6) a specific explanation
of any denial, reduction, or other
reason, including any other third-
party payor [sic] coverage, for not
providing full reimbursement for
the amount claimed…
134
Similarly, in Colorado, a regulation
requires that an EOB include the
following information:
A. Name of member. B.
Relationship of member to
subscriber. C. Subscriber/member’s
claim number. D. Name of
subscriber. E. Provider name and
whether the provider is in or out
of network. F. Date of service.
G. Type of service (emergency,
inpatient, outpatient, etc.).
135
e degree to which these requirements
result in confidentiality breaches depends
in part on the degree of detail included
on an EOB with respect to such issues
as the name of the provider and the
description of the service. However,
vague or general descriptions cannot
be relied on as the means of protecting
sensitive confidential information when
the possibility exists of greater specificity
resulting in breach.
Every state has a statute or regulation
requiring that a notice be sent when a
claim is denied partially or completely
by a health plan or insurer, as mandated
by federal law—ERISA and the ACA.
136
e specific information to be included
in these notices of denial—or adverse
benefit determinations—as set forth
explicitly in both federal law and the
laws of many states could easily breach
confidentiality for the person receiving
the services. As with EOBs, there is
variation among states with respect to
the recipient of the notice, and whether
one is specified. e recipient is variously
designated as the insured, beneficiary,
legal representative, designated adult
family member, enrollee, covered person,
subscriber, or certificate holder.
137
ere
are not always clear definitions of these
terms and it is not always discernable
whether the denial could be sent to the
patient rather than to the family member
on whose policy the patient is insured.
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
16
National Family Planning
& Reproductive Health Association
Awareness of the potential for conflict
between insurance coverage and
confidentiality protections has existed
for decades, particularly with respect
to adolescents.
138
More recently, the
implications of this challenge have come
into sharper focus as more adults—such
as victims of intimate partner violence
covered under a perpetrator’s policy and
young adults remaining on a parent’s
policy into their mid-20s—gain access to
public and commercial health insurance
coverage through Medicaid expansions
and the ACA.
139
Consequently,
an increasing number of states are
working to find solutions by exploring
approaches designed to mitigate the
problem. ese state-level efforts began
in conjunction with and following the
promulgation of the HIPAA Privacy
Rule and have accelerated with the
advent of the ACA. Some protections
have been in existence for a decade or
more, while others are brand new or
contained in pending legislation.
e state laws and policies that represent
at least partial solutions include strategies
that implicate both Medicaid and
commercial insurance. ey include:
• Medicaid’s good-cause exception;
• Management of EOBs, denials, and
other communications;
• Restrictions on disclosure;
• Confidentiality protections for minor
or adult dependents; and
• Implementation strategies.
e following section includes examples
of strategies contained in statutes,
regulations, and pending legislation
from California, Colorado, Maryland,
Massachusetts, Oregon, New York,
Texas, and Washington.
140
Ultimately,
these strategies are linked in ways
that underscore the need for seamless
insurance protections. If, for example,
commercial insurance protected
patient confidentiality more effectively,
avoiding breaches via EOBs and other
mechanisms, then Medicaid’s third-
party liability requirement would be
less problematic and Medicaid’s good-
cause exception would be less necessary.
Also, the effectiveness of these strategies
in protecting the confidentiality of
individuals with health insurance,
particularly dependents insured on a
family member’s policy, depends on
whether and how they are implemented;
an assessment of this is beyond the scope
of the legal analysis in this white paper
and will require further research.
141
Medicaid’s Good-
Cause Exception
Some states have implemented the
Medicaid good-cause exception in
ways that are particularly beneficial to
enrollees. For example, New York has
operationalized the good-cause exception
across its Medicaid program. Questions
concerning whether patients have a
good-cause reason third-party payers
should not be billed appear on a number
of checklists and application forms, such
as the application for the state’s family
planning state planning amendment
(SPA).
142
Anecdotal information
indicates that New York utilizes a 1-800
number providers can call to denote
a patient’s need for confidentiality,
which then flags that patient in the state
Medicaid agency’s system so the state
does not bill any third-party payers.
143
Texas requires compliance with federal
third-party liability requirements, but
has also incorporated language into its
Medicaid Provider Procedures Manual
directing providers to protect patient
confidentiality in family planning:
Federal and state regulations
mandate that family planning
client information be kept
confidential. Because seeking
information from third party
insurance may jeopardize the
client’s confidentiality, prior
insurance billing is not a
requirement for billing family
planning for any [Medicaid
program] [emphasis added].
144
Washington implements the good-cause
exception in Take Charge, its Medicaid
family planning waiver program, with
particularly detailed protections that
explicitly apply to adolescents and victims
of intimate partner violence:
“Two groups of clients may request
an exemption from the Medicaid
requirement to bill third-party
insurance due to ‘good cause.’ e
two groups are:…applicants who
meet all the following criteria:
are 18 years of age or younger;
Part V: Protections to Limit
Confidentiality Breaches in Third-Party
Billing and Insurance Claims
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
17
National Family Planning
& Reproductive Health Association
are covered under their parent’s
health insurance; do not want
their parents to know that they are
seeking and/or receiving family
planning services” and “individuals
who are domestic violence victims
and are covered under their
perpetrator’s health insurance”…
‘Good cause’ means that use of the
third-party coverage would violate
a client’s confidentiality because
the third party: routinely sends
verification of services to the third-
party subscriber and that subscriber
is someone other than the
applicant; requires the applicant to
use a primary care provider who
is likely to report the applicant’s
request for family planning services
to another subscriber. If either
of these conditions apply, the
applicant is considered…without
regard to the available third-party
family planning coverage. At the
time of application, providers must
make a determination about ‘good
cause’ on a case-by-case basis.”
145
is provision does not appear to apply
to young adults who, under the ACA,
may be covered on a parent’s health
insurance until the age of 26 and whose
need for confidentiality may be equal
to that of adolescents. It also does not
mention other adults who are not
intimate partner violence victims but
are covered under a subscriber’s coverage
when the subscriber is someone other
than the Medicaid applicant; many of
these adults also might have a compelling
need for confidentiality protection.
Management of EOBs,
Denials, and Other
Communications
One of the strategies that states
are beginning to use to protect
confidentiality in the health insurance
context involves policies that apply to
the sending of EOBs, denials, and other
related communications. Barriers do exist
to limiting the use of EOBs. To the extent
that they serve the purpose of providing
enrollees and policyholders with the
“adverse benefit determination” or service
denial notices required by federal law,
some mechanism must be found to
ensure compliance with that federal law
and the corresponding requirements
incorporated into state laws. Additionally,
EOBs have been designed at least in part
to further benign purposes: deterring
fraud and providing transparency in
the claims process.
146
So, for example,
informing policyholders of the degree to
which they have met their cost-sharing
obligations—copayments, deductibles,
and coinsurance—as well as the amount
of any remaining financial liability, is an
important function of EOBs that must be
served in some way.
In spite of these barriers, states have
begun to put in place some tools for
the management of EOBs and other
communications that can enhance
confidentiality for patients, particularly
those who are insured as dependents on a
family member’s policy.
147
Some of these
approaches include honoring requests for
confidential communications; redirecting
EOBs to the patient rather than the
policyholder; controlling the level of
detail in EOBs when sensitive services are
involved; and suppressing or waiving the
necessity for EOBs when the policyholder
has no residual financial liability.
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
18
National Family Planning
& Reproductive Health Association
Requests for Confidential
Communications
One of the leading strategies that is
being adopted by states and discussed by
health care professionals and advocates
to reconcile the need for confidentiality
with legal requirements, policies, and
practices for insurance communications
is to implement the HIPAA requirement
of allowing individuals to request
“confidential communications,” the
phrase that is used to refer to requests
that communications be sent to an
alternative location or by alternate
means.
148
Health care providers are
required to accommodate reasonable
requests of this type and may not require
patients to state the basis of their request.
Health insurers must accommodate
reasonable requests but may require
a statement of endangerment. is
requirement is widely reflected in state
Medicaid agency policies and insurance
contracts, as well as notices of privacy
practices issued to patients in compliance
with HIPAA.
For example, California tells Medi-Cal
enrollees: “You can ask us to contact you
in a specific way (for example, home
or office phone) or to send mail to a
different address. We will consider all
reasonable requests, and must say “yes”
if you tell us you would be in danger if
we do not.”
149
California also has created
a form for Medi-Cal enrollees to use in
making such requests.
150
A leading state law to address the problem
of confidentiality breaches in the health
insurance claims process is California’s
SB 138, which was enacted in late 2013
and went into effect in January of 2015.
is legislation was enacted with the
following explicit purpose: “erefore, it
is the intent of the Legislature in enacting
this act to incorporate HIPAA standards
[emphasis added] into state law and to
clarify the standards for protecting the
confidentiality of medical information in
insurance transactions.”
151
SB 138 contains both a detailed set of
findings about the importance of privacy
and confidentiality
152
and a series of
definitions of key terms. “Endanger” is
defined to mean that a “subscriber or
enrollee fears that disclosure of his or
her medical information could subject
the subscriber or enrollee to harassment
or abuse.”
153
A similar provision in
pending legislation in Oregon defines
endangerment to include fear that
disclosure would lead to harassment or
abuse or undermine access to health care.
154
California’s SB 138 defines “sensitive
services” to include those that minors
are able to consent for independently
under state law—including among
other services, mental health counseling,
reproductive health services, STD testing
and care, sexual assault services, and drug
treatment.
155
Oregon’s pending legislation
contains a similar definition of sensitive
services.
156
Based upon these findings and
definitions, SB 138 requires that:
A health care service plan shall
permit subscribers and enrollees
to request, and shall accommodate
requests for, communication in
the form and format requested by
the individual, …or at alternative
locations [emphasis added], if the
subscriber or enrollee clearly states
either that the communication
discloses medical information or
provider name and address relating
to receipt of sensitive services
[emphasis added] or that disclosure
of all or part of the medical
information or provider name and
address could endanger [emphasis
added] the subscriber or enrollee.
157
is provision goes beyond the
requirements of HIPAA in requiring
insurers to accommodate requests for
confidential communications related
to sensitive services even if the enrollee
does not claim endangerment. e law
also makes clear that when an enrollee
does claim endangerment,” the health
care service plan shall not require
an explanation as to the basis for a
subscriber’s or enrollee’s statement that
disclosure could endanger the subscriber
or enrollee [emphasis added].”
158
California’s SB 138 is being looked
to as a possible model for other states
to consider as they move forward
with efforts to address the problem of
confidentiality and insurance. SB 138
contains some excellent elements that are
protective of patients’ privacy interests.
It also was enacted in the context of
pre-existing California law, which already
contained comprehensive protections for
patients’ medical records and detailed
minor consent laws that provided the
foundation for the new protections
contained in SB 138.
Maryland, Massachusetts, and Oregon
appear to be following California’s
lead with respect to confidential
communications. Maryland recently
enacted a law that requires the
development of a form to use for requests
for confidential communications in
compliance with the HIPAA Privacy
Rule.
159
e legislation pending in
Massachusetts and Oregon would not
allow insurers to require an explanation as
to the basis for an insured’s confidential
communications request.
160
Redirection of EOBs
to the Patient
A similar strategy to the HIPAA-based
request for confidential communications
approach embodied in California’s SB
138 is redirection of EOBs, in which the
EOB is sent directly to the patient or to
a location the patient designates. Such
redirection does sometimes occur, at least
in the Medicaid context.
161
However,
few, if any, current laws and policies
appear to explicitly require this approach
in commercial insurance, although
anecdotal reports suggest that some
commercial insurers have adopted the
practice, at least for adult patients who
are insured as dependents. Redirection
has the advantage of avoiding the same
problems with respect to providing notice
of certain rights, such as grievances and
appeals, that would be associated with
complete suppression of EOBs; however,
it does remain potentially problematic
when there is residual financial liability,
which is ultimately the responsibility of
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
19
National Family Planning
& Reproductive Health Association
the policyholder rather than the patient.
Redirection policies are evolving, so it
is unclear at this time how, or even if,
financial liability concerns conflict with
redirection policies.
Legislation proposed in Oregon would
require that most communications from
insurers, including EOBs and benefit
denials, be sent directly to the patient,
regardless of whether she or he had
submitted a confidential communications
request.
162
e proposed Massachusetts
legislation, if enacted, would require an
EOB (referred to in Massachusetts as a
“common summary of payment” form)
to be sent to the patient if the insured
patient requested it:
Carriers shall issue common
summary of payments forms at
the member level for all insureds.
Carriers shall permit an insured
who is legally authorized to consent
to care, or a party legally authorized
to consent to care for the insured,
to choose his or her preferred
method of receiving the common
summary of payments form, which
shall include, but not be limited to,
the following: (1) sending the form
to the address of the subscriber; (2)
sending the form to the address of
the insured dependent; (3) sending
the form to an alternate address
upon request of the insured; or
(4) sending the form through
electronic means when available.
e preferred method of receipt
shall be valid until the insured
submits a new preferred method.
163
is is similar to the requirement in
the HIPAA Privacy Rule that allows
individuals to request confidential
communications, as previously discussed.
However, HIPAA allows an insurer to
condition compliance on the individual
stating that she or he would be
endangered otherwise; the Massachusetts
proposed bill does not appear to permit
the insurer to require such a statement.
A provision in legislation recently
introduced in Oregon also would not
allow insurers to require the insured
to provide the basis of their fear of
harassment, abuse, or limitations in their
access to health care that would result
from disclosure.
164
Exclusion of Information
about Sensitive Services
One strategy for providing confidentiality
protection for a patient insured as a
dependent, even if the EOB or similar
communication were to reach the
policyholder, is to limit the level of detail
about sensitive services that is included in
the EOB. Legislation recently proposed
in Massachusetts would do that in
the following way with respect to the
common summary of payments form:
Carriers shall not identify the
descriptions for sensitive health
care services in a common
summary of payments form. e
division shall define by regulation
sensitive health care services for
purposes of this section. e
division shall refer to the National
Committee on Vital and Health
Statistics and similar regulations
in other states, and shall consult
with experts in fields including,
but not limited to, infectious
disease, reproductive and sexual
health, domestic violence and
sexual assault, and mental health
and substance use disorders, in
promulgating the regulation.
165
Massachusetts law currently requires
the Division of Insurance to develop
a common summary of payments
form and consult with stakeholders
in so doing.
166
A broad coalition of
stakeholders in Massachusetts submitted
recommendations for the content and
management of the common summary
of payments form.
167
is strategy offers some clear advantages
but also has inherent limitations. For
example, limiting the level of detail
about services is only effective if the
policyholder already knows that the
patient was going to a provider, but less
so if either the name of the provider is
disclosed and reveals the type of services
provided (e.g., family planning), or
the policyholder did not know that the
patient was seeking services. e mere
fact of the EOB, rather than what it
contains, triggers problematic questions.
Omission of EOBs When No
Balance Due
Taking into consideration the
important role of the EOB in informing
policyholders of their residual financial
liability, some states have adopted or are
considering laws and policies that either
suppress EOBs or remove the mandate
to send them. For example, a New York
statute provides:
Except on demand by the insured
or subscriber, insurers, including
health maintenance organizations
…shall not be required to provide
the insured or subscriber with
an explanation of benefits form
in any case where the service is
provided by a facility or provider
participating in the insurer’s
program and full reimbursement
for the claim, other than a co-
payment that is ordinarily paid
directly to the provider at the
time the service is rendered, is
paid by the insurer directly to the
participating facility or provider
[emphasis added].
168
us, if a patient has paid any
copayments owed to the health care
provider and the balance of any amount
due to the provider will be paid directly
by the insurer, it is not required under
New York law for the insurer to send an
EOB to the insured or subscriber unless
one is demanded. is policy contains at
least two potential gaps: the policyholder
(insured or subscriber) can demand an
EOB (if they have become aware by some
means that the care has been obtained by
an insured dependent); and the statute,
while eliminating any requirement
that an EOB be sent when no financial
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
20
National Family Planning
& Reproductive Health Association
liability remains for the policyholder, still
permits insurers to send EOBs.
e legislation recently proposed in
Massachusetts employs a similar approach.
e Massachusetts bill provides that:
Unless specifically requested by the
insured, a carrier shall not provide
a common summary of payments
form if the insured has no liability
for payment for any procedure or
service, including, but not limited
to, the United States Preventive
Services Taskforce recommended A
and B preventive services.
169
“Insured” is defined in Massachusetts
health insurance law as “an enrollee,
covered person, insured, member,
policyholder or subscriber of a carrier.”
170
us, as in New York, if the proposed
legislation were enacted in Massachusetts,
a policyholder would be able to request
an EOB; but, unlike in New York, if no
request were made, the insurer would
not be permitted to send an EOB if there
were no residual financial liability. e
proposed Massachusetts bill also makes
clear that the intention is to encompass
preventive services that have no cost-
sharing pursuant to the ACA.
Suppression of EOBs
Health care professionals, advocates,
and researchers who have considered the
challenge of aligning the insurance claims
process with the need for confidentiality
protection often have suggested the
suppression of EOBs to protect patients
from the disclosure to family members
of information about sensitive services.
171
To date, current laws and policies do
not appear to have adopted this strategy,
possibly because doing so might impact
the requirement of notification of denials
and appeal rights under federal law, a
requirement that EOBs often fulfill.
However, the legislation pending in
Massachusetts would apparently make
suppression possible, by providing:
Carriers shall permit all insureds
who are legally authorized to
consent to care, or parties legally
authorized to consent to care for
the insured, to request suppression
of summary of payments forms, in
which case summary of payments
forms shall not be issued unless
and until the insured submits a
revocation of the request.
172
is provision is unusual in its use of
the term “suppression” with respect to a
summary of payments form or EOB. It
is, however, effectively the equivalent of
the type of request to limit disclosure of
PHI that is permitted under the HIPAA
Privacy Rule, discussed below. It differs in
one important respect. e Massachusetts
bill would require the insurer to suppress
the summary of payment form/EOB
upon request, as long as the insured is
legally authorized to consent to care and
states that disclosure would endanger the
insured.
173
Under the HIPAA Privacy Rule,
the insurer would be permitted but not
required to accede to such a request.
174
Restrictions on
Disclosure
Apart from the specific management
of EOBs and other communications,
an important strategy is for insurers
to restrict disclosure of information
about sensitive services to anyone
other than the patient. Once again,
this is something that the HIPAA
Privacy Rule allows individuals (i.e.
patients) to request.
175
However,
health insurers are not obligated to
grant such requests, unless the care to
which the information pertains has
been paid for in full.
176
is HIPAA
requirement, which is applicable in
Medicaid, Medicaid managed care,
and the commercial insurance context,
has been widely implemented in
statutes, regulations, policies, and
insurance contracts. e details of
implementation vary.
For example, California informs its
Medicaid (known as Medi-Cal) enrollees
that: “You can ask us not to use or share
certain health information for treatment,
payment, or our operations. We are not
required to agree to your request, and
we may say “no” if it would affect your
care.”
177
California also informs Medi-Cal
enrollees that:
You have the right to request
the Department of Health Care
Services (DHCS) to restrict the
use and disclosure of your Medi-
Cal information to carry out
treatment, payment or operations.
You also have the right to request
DHCS not to disclose Medi-Cal
information to a family member,
relative, or friend involved with
your care or payment for your
health care. DHCS may not be
able to agree with your request.
is form must be accompanied
by a photocopy of a form of
identification and documentation
of your address.
178
us the confidentiality protection
afforded the patient is conditional rather
than within the control of the patient.
Restrictions Based on
Endangerment
e HIPAA Privacy Rule requirement to
allow individuals to request restrictions
on their PHI provides a floor of privacy
protections below which states are not
permitted to go. However, states are
free to adopt more protective measures.
One example of a state doing so is
Washington’s regulation that requires
insurers to grant individuals’ requests to
limit disclosure, by providing that:
Notwithstanding other provisions
of this chapter, a licensee shall limit
disclosure of any information,
including health information,
about an individual who is the
subject of the information if
the individual clearly states in
writing that disclosure to specified
individuals of all or part of that
information could jeopardize
the safety of the individual
[emphasis added]. Disclosure of
information under this subsection
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
21
National Family Planning
& Reproductive Health Association
shall be limited consistent with
the individual’s request, such as
a request for the licensee to not
release any information to a spouse
to prevent domestic violence
[emphasis added].
179
us, Washington has allowed insurers
to require individuals to state that they
would be endangered by disclosure and,
if that occurs, requires the insurer to limit
disclosure as requested by the patient.
Restrictions on Disclosures
about Sensitive Services
Washington goes further in its regulations
pertaining to restrictions on disclosure
by requiring that insurers—and other
“licensees” including health care providers
restrict disclosures about sensitive services
based on a written request by the patient,
regardless of whether the individual has
made a statement of endangerment:
Notwithstanding any insurance
law requiring the disclosure of
information, a licensee shall not
disclose nonpublic personal health
information concerning health
services related to reproductive
health, sexually transmitted
diseases, chemical dependency
and mental health, including
mailing appointment notices,
calling the home to confirm
appointments, or mailing a bill
or explanation of benefits to a
policyholder or certificateholder,
if the individual who is the subject
of the information makes a written
request. In addition, a licensee shall
not require an adult individual to
obtain the policyholder’s or other
covered person’s authorization to
receive health care services or to
submit a claim.
180
Washington further makes clear what
the individual must include in a request
for nondisclosure and what it is that the
insurer must protect:
When requesting nondisclosure,
the individual shall include in
the request: (a) eir name and
address; (b) Description of the
type of information that should
not be disclosed; (c) In the case of
reproductive health information,
the type of services subject to
nondisclosure; (d) e identity or
description of the types of persons
from whom information should
be withheld; (e) Information as to
how payment will be made for any
benefit cost sharing; (f) A phone
number or e-mail address where
the individual may be reached
if additional information or
clarification is necessary to satisfy
the request.
181
ese Washington regulations, if fully
implemented, would go a long way
toward alleviating the conflict between
the need to protect confidentiality
without sacrificing insurance coverage.
Requirements to
Protect Confidentiality
for Adult or Minor
Dependents
Some states have adopted statutes or
regulations that contain specific provisions
to protect confidentiality either for adults
or minors who are insured as dependents.
Although these approaches are similar to
strategies discussed above, they are not
identical and are highlighted here.
For example, a Colorado regulation
requires that insurers:
Must take reasonable steps to
ensure that the protected health
information (PHI) of any adult
child or adult dependent who
is covered under the policy is
protected [emphasis added]. is
protection includes ensuring that
any communications between the
carrier and covered adult child
remain confidential and private,
[emphasis added] as required under
the Health Insurance Portability
and Accountability Act (HIPAA).
is protection of personal health
information would include, but is
not limited to, developing a means
of communicating exclusively
[emphasis added] with the covered
adult child or adult dependent such
that PHI would not be sent to the
policyholder without prior consent
of the covered adult child or adult
dependent.
182
is regulation contains key protections,
incorporating HIPAA Privacy Rule
standards, but also making clear that
communications must not be sent to the
policyholder without the permission of
the adult child or adult dependent. is
would protect young adults who remain
on their parents’ plans as allowed by the
ACA and victims of intimate partner
violence who are insured as dependents
on a perpetrator’s policy.
Washington, which has regulations
that restrict disclosure of sensitive
information, extends to minors “who
may obtain health care without the
consent of a parent or legal guardian
pursuant to state or federal law” the
same rights it grants to adults, described
above, and allows minors to exclusively
exercise those rights.
183
Because minors
are able to obtain Title X-funded family
planning services without parental
consent, the Washington regulation
extends to them. Washington also makes
clear that insurers “shall not require
the minor to obtain the policyholder’s
or other covered person’s authorization
to receive health care services or to
submit a claim as to health care which
the minor may obtain without parental
consent under state or federal law.”
184
e legislation pending in Massachusetts
would similarly extend its protections to
minors insured as dependents.
185
Another example of language
protecting minors is contained in a
New York Medicaid MCO contract:
“e Contractor must ensure that any
Enrollee’s, including a minor’s [emphasis
added], use of Family Planning and
Reproductive Health services remains
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
22
National Family Planning
& Reproductive Health Association
confidential and is not disclosed to family
members or other unauthorized parties,
without the Enrollee’s consent to the
disclosure.”
186
Colorado also provides
protection for minors receiving family
planning services in one county service
site, stating: “All services are confidential.
Although we encourage open
communication between parents and
teens, by law, [emphasis added] parental
permission is not required for teens to use
our services. All of the clinic’s services are
completely confidential.”
187
Implementation
None of the state protections will be of
value unless they are implemented in
ways that effectively shield individuals
with insurance, particularly those
insured as dependents. e status of
implementation for these laws is far from
clear, and anecdotal reports suggest that
in most places it is in the early stages or
has not yet begun.
For example, California’s SB 138 took
effect in January 2015, so it is too soon to
assess its effect. Nevertheless, health care
providers and advocates in California have
worked hard with insurers to establish
mechanisms for compliance, including
the development of forms and the
establishment of a website to communicate
with patients and providers.
188
If the legislation pending in Massachusetts
is enacted, it requires:
e division, in collaboration with
the department of public health,
shall develop and implement a plan
to educate providers and consumers
regarding the rights of insureds
to promote compliance with this
section. e plan shall include,
but not be limited to, staff training
and other education for hospitals,
community health centers, school-
based health centers, physicians,
nurses and other licensed health
care professionals, as well as
administrative staff, which shall
include all staff involved in
patient registration and education
about confidentiality, and billing
staff involved in processing of
insurance claims. e plan shall
be developed in consultation with
groups representing health care
insurers, providers, and consumers,
including consumer organizations
concerned with the provision of
sensitive health services.
189
If carried out, these detailed
specifications of an implementation
strategy would likely result in significant
progress toward protecting patients
receiving sensitive services, including
family planning services from Title X
providers. Ongoing monitoring and
evaluation of efforts taking place in all
states will be key to ensuring that they
achieve maximum effectiveness.
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
23
National Family Planning
& Reproductive Health Association
Part VI: Conclusion
For many years, even decades, awareness
has been growing of the tension
that exists between protecting the
confidentiality of health information
and receiving reimbursement from
public and commercial health insurance.
Title X providers are in the vanguard of
addressing this challenge and seeking
ways to resolve the tension. Recently,
largely due to the ACA, increasing
numbers of Title X patients are enrolled
in Medicaid or have coverage through
commercial health insurance plans, and
insurance coverage of family planning
services has expanded. erefore, Title
X providers have the opportunity to
bill insurance when their patients
have coverage, which they are also
required to do by statute. Committed
to safeguarding the confidentiality of
their patients’ sensitive information, and
obligated to do so by the stringent Title
X confidentiality rules, Title X providers
have been seeking ways to reconcile their
ostensibly conflicting requirements—to
protect confidentiality while maximizing
revenues from third parties.
A growing number of states are adopting
numerous strategies to address the
challenge, and Title X providers have
played a key role in these evolving
efforts. e research conducted for
this white paper uncovered examples
of promising approaches in five of
the eight states targeted for in-depth
research—California, Colorado, New
York, Texas, and Washington—as
well as in three other states that
have recently enacted or proposed
legislation—Massachusetts, Maryland,
and Oregon. e state strategies have
relied heavily on the HIPAA Privacy
Rule, particularly the provisions that
allow individuals to request special
confidentiality protections: to restrict
disclosure of their information or
redirect communications to a different
location or send it by alternative means.
Each of the evolving strategies in these
states has been highlighted and discussed
in this white paper. Although they do
not provide complete solutions, their
full implementation could result in
significant progress toward enabling
patients to receive sensitive services on
a confidential basis while allowing their
health care providers to bill and receive
payment from the patients’ public or
commercial health insurance. A policy
guide developed to complement this
white paper explores ways in which
existing state laws and policies can be
implemented robustly or modified,
and new ones can be adopted, to
move toward reconciliation of the
confidentiality challenges associated with
health insurance billing and claims.
190
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
24
National Family Planning
& Reproductive Health Association
1 42 U.S.C. §§ 300 et seq.
2 See, e.g., Madlyn C. Morreale, Amy J. Stinnett, and Emily C. Dowling, eds.,
Policy Compendium on Confidential Health Services for Adolescents, 2nd Ed.
(Chapel Hill, NC: Center for Adolescent Health & the Law, 2005). http://
www.cahl.org/policy-compendium-2nd-2005/.
3 Rachel B. Gold, “A New Frontier in the Era of Health Reform: Protecting
Confidentiality for Individuals Insured as Dependents,” Guttmacher Policy
Review 16, no. 4 (2013): 2. https://www.guttmacher.org/pubs/gpr/16/4/
gpr160402.pdf. According to the Kaiser Family Foundation, more women of
reproductive age (27%) than men (20%) are insured as dependents. Ibid.
4 Research findings have shown that privacy concerns influence the behavior of
adolescents and young adults with respect to whether they seek care, where
they do so, which services they accept, and how candid they are with their
health care providers. Carol A. Ford, Abigail English, and Garry Sigman,
“Confidential Health Care for Adolescents: Position Paper of the Society for
Adolescent Medicine,” Journal of Adolescent Health 35, no. 2 (2004): 160-167.
http://www.jahonline.org/article/S1054-139X%2804%2900086-2/fulltext;
Alina Salganicoff, Usha Ranji, Adara Beamesderfer, and Nisha Kuran, Women
and Health Care in the Early Years of the ACA: Key Findings from the 2013 Kaiser
Women’s Health Survey (Menlo Park, CA: Henry J. Kaiser Family Foundation,
May 2014): 28, 38-39. https://kaiserfamilyfoundation.files.wordpress.
com/2014/05/8590-women-and-health-care-in-the-early-years-of-the-
affordable-care-act.pdf. Adolescents are especially concerned about disclosures
to their parents of their use of family planning services, but young adults have
similar concerns. Diane M. Reddy, Raymond Fleming, and Carolyne Swain,
“Effect of Mandatory Parental Notification on Adolescent Girls’ Use of Sexual
Health Care Services,” JAMA 288, no. 6 (2002): 710–714; Rachel K. Jones, et
al., “Adolescents’ Reports of Parental Knowledge of Adolescents’ Use of Sexual
Health Services and eir Reactions to Mandated Parental Notification for
Prescription Contraception,” JAMA 293, no. 3 (2005): 340–348; Carol A.
Ford, et al., “Young Adults’ Attitudes, Beliefs, and Feelings About Testing for
Curable STDs Outside of Clinic Settings,” Journal of Adolescent Health 34, no.4
(2004): 266-269.
5 Victims of intimate partner violence have heightened concerns about
protecting their confidential information due to fears of serious physical
and psychological danger from spouses or domestic partners as a
result of disclosure. National Consensus Guidelines on Identifying and
Responding to Domestic Violence Victimization in Health Care Settings.
(San Francisco: Family Violence Prevention Fund, 2004). http://www.
futureswithoutviolence.org/userfiles/file/HealthCare/consensus.pdf.
6 42 C.F.R. § 59.11.
7 Jennifer J. Frost, Rachel Benson Gold, and Amelia Bucek, “Specialized
Family Planning Clinics in the United States: Why Women Choose em
and eir Role in Meeting Women’s Health Care Needs,” Women’s Health
Issues 22 (November 2012): e519-e525.
8 Office of Population Affairs, Program Requirements for Title X Funded
Family Planning Projects, (April 2014), Sec. 10. http://www.hhs.gov/opa/
pdfs/ogc-cleared-final-april.pdf.
9 Abigail English, Center for Adolescent Health & the Law, and National
Family Planning & Reproductive Health Association, Adolescent
Confidentiality Protections in Title X, June 5, 2014. http://www.
nationalfamilyplanning.org/document.doc?id=1559.
10 Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of
titles 18, 26, 29, and 42 of the U.S. Code).
11 45 C.F.R. Part 160 and Part 164, Subparts A and E.
12 Patient Protection and Affordable Care Act (H.R. 3590), Pub. L. No. 111-
148, 124 Stat. 119 (signed into law March 23, 2010), and amended by the
Health Care and Education Affordability Reconciliation Act of 2010 (H.R.
4872), Pub. L. No. 111-1522 (signed into law March 30, 2010).
13 “Title X Funding History,” Office of Population Affairs, accessed April 2,
2015, http://www.hhs.gov/opa/about-opa-and-initiatives/funding-history/.
14 45 C.F.R. § 164.522(a) and (b).
15 45 C.F.R. §§ 164.502(a)(1)(ii) and 164.506.
16 Centers for Medicare and Medicaid Services, US Department of Health
and Human Services. Medicaid & CHIP: December 2014 Monthly
Applications, Eligibility Determinations and Enrollment Report. Feb. 23,
2015. http://www.medicaid.gov/medicaid-chip-program-information/
program-information/downloads/december-2014-enrollment-report.pdf.
HHS.gov/HealthCare, US Department Health and Human Services. Open
Enrollment Week 13: February 7, 2015 – February 15, 2015. http://www.
hhs.gov/healthcare/facts/blog/2015/02/open-enrollment-week-thirteen.html.
17 Abigail English and M. Jane Park, Access to Health Care for Young Adults:
e Affordable Care Act is Making a Difference (Chapel Hill, NC: Center for
Adolescent Health & the Law; and San Francisco: CA: National Adolescent
Health Information and Innovation Center, 2012). http://nahic.ucsf.edu/
download/access-to-health-care-for-young-adults-the-affordable-care-act-
of-2010-is-making-a-difference/; Benjamin D. Sommers, Office of the
Assistant Secretary for Planning and Evaluation, U.S. Dept. of Health &
Human Services, Number of Young Adults Gaining Insurance Due to the
Affordable Care Act Now Tops 3 Million, June 2012. http://aspe.hhs.gov/
aspe/gaininginsurance/rb.cfm.
18 Salganicoff et al., Women and Health Care [see note 4, above]; Lauren Slive
and Ryan Cramer, “Health Reform and the Preservation of Confidential
Health Care for Young Adults” Journal of Law, Medicine & Ethics 40, no. 2
(2012): 383-390.
19 42 U.S.C. § 300gg-13; 45 C.F.R. § 147.130.
20 An exemption to the contraceptive coverage requirement has been made
available for religious institutions, together with associated requirements
for accommodations. Coverage for Certain Preventive Services Under
the Affordable Care Act; Final Rules, 78 Fed. Reg. 39870-39899, July 2,
2013, http://www.gpo.gov/fdsys/pkg/FR-2013-07-02/pdf/2013-15866.
pdf; Centers for Medicare and Medicaid Services, Center for Consumer
Information and Oversight, US Department of Health and Human
Services, Women’s Preventive Services Coverage and Nonprofit Religious
Organizations, accessed March 29, 2015, http://www.cms.gov/CCIIO/
Resources/Fact-Sheets-and-FAQs/womens-preven-02012013.html. e
requirement and the exemption have been extensively litigated and are the
subject of numerous ongoing court cases. Kelsey Miller, A Guide to the
Lawsuits Challenging Obamacare’s Contraceptive Coverage Requirements,
Kaiser Health News, Sept. 17, 2013, http://kaiserhealthnews.org/news/
contraception-mandate-challenges/.
21 Health Resources and Services Administration, US Department of Health
and Human Services, Women’s Preventive Services Guidelines, accessed
March 29, 2015, http://www.hrsa.gov/womensguidelines/.
22 Abigail English, Rachel B. Gold, and Elizabeth Nash, Confidentiality
for Individuals Insured as Dependents: A Review of State Laws and Policies
(Washington, DC: Guttmacher Institute, and New York: Public Health
Solutions, 2012). http://www.guttmacher.org/pubs/confidentiality-review.
pdf; AMA Council on Scientific Affairs, “Confidential Health Services for
Adolescents,” JAMA 269, no. 11 (1993): 1420-1424.
23 Society for Adolescent Health and Medicine, et al., “Recommendations
for Electronic Health Record Use for Delivery of Adolescent Health Care:
Position Paper,” Journal of Adolescent Health 54, no. 4 (2014): 487-490.
http://www.adolescenthealth.org/SAHM_Main/media/Advocacy/Positions/
Apr-14-Elec-Health-Records.pdf; Committee on Adolescence, American
Academy of Pediatrics, et al., “Standards for Health Information Technology
to Ensure Adolescent Privacy,” Pediatrics 130, no. 5 (2012): 987-990. http://
pediatrics.aappublications.org/content/130/5/987.long; Arash Anoshiravani,
et al., “Special Requirements for Electronic Medical Records in Adolescent
Medicine. Journal of Adolescent Health 51, no.5 (2012): 409-414. http://
www.jahonline.org/article/S1054-139X%2812%2900335-7/pdf.
24 Slive and Cramer, “Health Reform.” [see note 18, above]
25 42 U.S.C. § 1396k; 42 C.F.R. § 433.147.
26 Rebecca Gudeman, “e Affordable Care Act and Adolescent Health:
Closing Confidentiality Loopholes so that Adolescents Can Benefit Fully
From Newly Available Health Benefits and Insurance,” Youth Law News
Endnotes
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
25
National Family Planning
& Reproductive Health Association
32, No. 3 (2013). http://www.youthlaw.org/publications/yln/2013/jul_
sep_2013/affordable_care_act_adolescent_health/.
27 45 C.F.R. § 164.502(a)(1)(ii).
28 Salganicoff, et al., Women and Health Care, 38. [see note 4, above]
29 Cal. Civil Code § 56.10(c)(2).
30 Blue Cross and Blue Shield of Alabama, Insert for 320 Plan, MKT-320 ((7-
2008), amending Group Health Summary Plan Description, effective July
1, 2011 (emphasis added), http://www.aldoi.gov/PDF/Consumers/320%20
Plan%20%20policy.pdf.
31 Abigail English and Carol A. Ford, “e HIPAA Privacy Rule and
Adolescents: Legal Questions and Clinical Challenges,” Perspectives on Sexual
and Reproductive Health 36, no. 2 (2004): 80-86. http://www.guttmacher.
org/pubs/journals/3608004.pdf.
32 Minors are authorized to give their own consent for contraceptive
services in a large majority of states and for STD services in all states.
See, e.g., Guttmacher Institute, State Policies in Brief: Minors’ Access to
Contraceptive Services, April 2015. http://www.guttmacher.org/statecenter/
spibs/spib_MACS.pdf; Guttmacher Institute, State Policies in Brief: Minors’
Access to STI Services, April 2015. http://www.guttmacher.org/statecenter/
spibs/spib_MASS.pdf.
33 45 C.F.R. § 164.502(g)(3).
34 Rebecca Gudeman and Sarah Madge, “e Federal Title X Program and
Family Planning: Privacy and Access Rules for Adolescents,” Youth Law
News 30, no. 1, 2011. http://www.youthlaw.org/publications/yln/2011/
jan_mar_2011/the_federal_title_x_family_planning_program_privacy_and_
access_rules_for_adolescents/.
35 45 C.F.R. § 164.522(a)(1).
36 45 C.F.R. § 164.522(a)(1); see also Slive and Cramer, “Health Reform.” [see
note 18, above]
37 45 C.F.R. §§ 164.502(h); 164.522(b)(1).
38 Ibid.
39 Tex. Health & Safety Code §§ 181,001-181.250.
40 Cal. Civil Code §§ 56.10-56.16.
41 Cal. Health & Safety Code §§ 123100-123149.5.
42 Ala. Admin. Code § 27-21A-25; Colo.Rev.Stat. § 10-16-423
43 Health Information & the Law, accessed March 29, 2015, www.
healthinfolaw.org.
44 Abigail English, Lindsay Bass, Alison Dame Boyle, and Felicia Eshragh, State
Minor Consent Laws: A Summary, 3rd Ed. (Chapel Hill, NC: Center for
Adolescent Health & the Law, 2010).
45 E.g., Cal. Civ. Code § 56.11; Cal. Health & Safety Code § 123115; Iowa
Code §§ 141A.7; N.Y. Pub. Health Law § 17; Wash. Admin. Code § 284-
04-510.
46 E.g., Cal. Fam. Code § 6922; 410 Ill. Comp. Stat. §§ 210/4, 210/5; N.Y.
Pub. Health Law §§ 18(2)(c), 18(3)(c); Tex. Fam. Code Ann. § 32.003.
47 English, et al., State Minor Consent Laws. [see note 44, above]
48 Gudeman and Madge, “e Federal Title X Family Planning Program.” [see
note 34, above]
49 E.g., Cal. Civ. Code § 56.11; Cal. Health & Safety Code § 123115; Wash.
Admin. Code § 284-04-510.
50 42 C.F.R. § 59.5(a)(9).
51 42 C.F.R. § 59.11.
52 Program Requirements for Title X Funded Family Planning Projects, Sec.
10. [see note 8, above]
53 Federal Title X confidentiality protections take precedence over state
requirements for parental consent or notification, allowing minors to receive
family planning services at Title X sites without parental involvement.
English, Adolescent Confidentiality Protections in Title X. [see note 9, above]
54 42 C.F.R. § 59.2.
55 All states have mandatory child abuse reporting laws. For a database of these
laws established by the federal Department of Health and Human Services,
see Child Welfare Information Gateway, State Statutes Search, accessed
March 29, 2015, https://www.childwelfare.gov/systemwide/laws_policies/
state.
56 See Futures Without Violence, Mandatory Reporting of Domestic Violence
to Law Enforcement by Health Care Providers: A Guide for Advocates
Working to Respond to or Amend Reporting Laws Related to Domestic
Violence, accessed March 13, 2015, http://www.futureswithoutviolence.org/
userfiles/Mandatory_Reporting_of_DV_to_Law%20Enforcement_by_HCP.
pdf.
57 See Public Health Law Research, Temple University, State Statutes Explicitly
Related to Sexually Transmitted Diseases in the United States, 2013, June
5, 2014, http://www.cdc.gov/std/program/final-std-statutesall-states-
5june-2014.pdf.
58 English, Adolescent Confidentiality Protections. [see note 53, above]
59 42 U.S.C. § 300a(4)(c)(2); 42 C.F.R. § 59.5(a)(7).
60 42 C.F.R. § 59.2.
61 42 C.F.R. § 59.5(a)(8).
62 42 C.F.R. § 59.5(a)(9); Program Requirements for Title X Funded Family
Planning Projects, Sec. 8.4.6. [see note 8, above]
63 Public Health Service Act Sec. 330; 42 U.S.C. §254b.
64 Ryan White HIV/AIDS Treatment Extension Act of 2009, Pub. Law
No. 111-87, October 30, 2009, http://www.gpo.gov/fdsys/pkg/PLAW-
111publ87/html/PLAW-111publ87.htm.
65 Program Requirements for Title X Funded Family Planning Projects, Sec.
8.4.6. [see note 8, above]
66 Program Requirements for Title X Funded Family Planning Projects, Sec.
8.4.8. [see note 8, above]
67 HIV/AIDS Bureau, Health Resources and Services Administration,
US Department of Health and Human Services, Ryan White HIV/
AIDS Program Part A Manual—Revised 2013, 1, http://hab.hrsa.gov/
manageyourgrant/files/happartamanual2013.pdf.
68 HIV/AIDS Bureau, Part A Manual 10. [see note 67, above]
69 HIV/AIDS Bureau, Part A Manual 34. [see note 67, above]
70 HIV/AIDS Bureau, Part A Manual 33-34, 273. [see note 67, above]
71 HIV/AIDS Bureau, Part A Manual 186-187. [see note 67, above]
72 E.g., Public Health Service Act, § 2661, 42 U.S.C. §300 ff-61.
73 42 U.S.C. § 254b(a) and (b).
74 42 U.S.C. § 254b(k)(3)(C).
75 42 U.S.C. § 254b(k)(3)(F).
76 42 U.S.C. § 254b(k)(3)(G).
77 42 C.F.R. § 51c.110.
78 42 U.S.C. § 1396a(a)(7).
79 42 U.S.C. § 1396d(a)(4)(C).
80 42 C.F.R. § 441.20.
81 E.g., Doe v. Pickett, 480 F. Supp. 1218 (S.D.W.Va. 1979); Planned
Parenthood Association v. Matheson, 582 F. Supp. 1001 (D.C. Utah 1983);
County of St. Charles v. Missouri Family Health Council, 107 F.3d 682
(8th Cir. 1997), rehearing denied (8th Cir. 1997), cert. denied 522 U.S. 859
(1997). See also English, Adolescent Confidentiality Protections. [see note
53, above]
82 42 C.F.R. § 441.20.
83 Elsewhere, in the context of the HIPAA Privacy Rule, this white paper refers
to confidential health information as protected health information or PHI.
84 E.g., Alabama Medicaid Management Information System: Provider
Manual, January 2011, 148, http://medicaid.alabama.gov/documents/6.0_
Providers/6.7_Manuals/6.7.1_Provider_Manuals_2011/6.7.1.1_
January_2011/6.7.1.1_Provman.pdf;
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
26
National Family Planning
& Reproductive Health Association
85 E.g., Alabama Medicaid Provider Manual: Plan First, April 2014, http://
www.medicaid.alabama.gov/documents/6.0_Providers/6.7_Manuals/6.7.8_
Provider_Manuals_2014/6.7.8.2_April_2014/Apr14_C.pdf; California
Family PACT Program Provider Agreement, DHCS 4669, March 2014,
2, http://www.dhcs.ca.gov/formsandpubs/forms/Forms/Office%20of%20
Family%20Planning/DHCS_4469_FINAL_3-14_ADA.pdf; Larimer
County, Colorado, Department of Health and Environment, Community
Health Services, Family Planning, accessed March 29, 2015, http://www.
co.larimer.co.us/health/chs/familyplanning.asp; Texas Department of State
Health Services, Family Planning Rules and Legislation, Confidentiality,
accessed March 29, 2015, http://www.dshs.state.tx.us/famplan/rules.shtm.
86 Adam Sonfield and Rachel B. Gold, Medicaid Family Planning Expansions:
Lessons Learned and Implications for the Future (New York: Guttmacher
Institute, 2011), www.guttmacher.org/pubs/Medicaid-Expansions.pdf.
87 42 C.F.R. § 455.20.
88 42 C.F.R. § 455.20.
89 For a more detailed discussion of the implications of requiring a notice when
benefits are denied in whole or in part, see the section on commercial health
insurance at pp.13-14.
90 Harriette B. Fox and Stephanie J. Limb, State Policies Affecting the Assurance
of Confidential Care for Adolescents (Washington, DC: e National Alliance
to Advance Adolescent Health, April 2009). http://www.thenationalalliance.
org/pdfs/FS5.%20State%20Policies%20Affecting%20the%20Assurance%20
of%20Confidential%20Care.pdf.
91 Ibid; see also Rachel Benson Gold, “Unintended Consequences: How
Insurance Processes Inadvertently Abrogate Patient Confidentiality,”
Guttmacher Policy Review 12, no. 4 2009: 12-16. https://www.guttmacher.
org/pubs/gpr/12/4/gpr120412.pdf.
92 Fox and Limb, State Policies. [see note 90, above]
93 Fox and Limb, State Policies. [see note 90, above]
94 Centers for Medicare & Medicaid Services, US Department of Health and
Human Services, Reading Your Explanation of Benefits, CMS Product No.
11819, June 2014, https://marketplace.cms.gov/outreach-and-education/
downloads/c2c-sample-explanation-of-benefits.pdf.
95 Fox and Limb, State Policies. [see note 90, above]
96 Ibid; see also Gold, “Unintended Consequences.” [see note 91, above]
97 E.g., California Department of Health Care Services, Your Information,
Your Rights, Our Responsibilities, accessed March 30, 2015, http://www.
dhcs.ca.gov/formsandpubs/laws/priv/Documents/Notice-of-Privacy-
Practices-English.pdf; California Department of Health Care Services,
Confidential Communication Request, accessed March 30, 2105, http://
www.dhcs.ca.gov/formsandpubs/forms/Forms/privacyoffice/DHCS%20
6235.pdf; Colorado Medical Assistance Program, Notice of Privacy Practices,
accessed March 31, 2015, https://www.colorado.gov/pacific/sites/default/
files/Colorado%20Medicaid%20Notice%20of%20Privacy%20Practices.pdf.
98 E.g., New York State Department of Health, Medicaid Reference Guide,
C-5, accessed March 31, 2015, http://www.health.ny.gov/health_care/
medicaid/reference/mrg/mrg.pdf.
99 See 42 C.F.R. §§ 433.135-433.154.
100 42 C.F.R. § 433.138.
101 Centers for Medicaid and Medicaid Services, US Department of Health
and Human Services, Medicaid ird Party Liability and Coordination of
Benefits, accessed March 29, 2015, http://www.medicaid.gov/Medicaid-
CHIP-Program-Information/By-Topics/Eligibility/TPL-COB-Page.html.
102 42 C.F.R. § 433.138(b).
103 42 C.F.R. § 433.139.
104 42 C.F.R. §§ 433.145-433.148.
105 Centers for Medicare and Medicaid Services, Medicaid ird Party Liability.
[see note 101, above]
106 Ala. Admin. Code r. 560-X-20-.02. http://medicaid.alabama.gov/
documents/5.0_Resources/5.2_Administrative_Code/Chapters_11_20/5.2_
Adm_Code_Chap_20_ird_Party_2-13-15.pdf.
107 Colorado Department of Health Care Policy and Financing, Rule 8.061,
Use of Other Resources in the Provision of Medical Assistance Benefits, Rule
8.061.2, accessed March 29, 2015, https://www.colorado.gov/pacific/hcpf/
department-program-rules-and-regulations; 10 Colo. Code Reg. 2505-10
8.061.
108 Illinois Department of Healthcare and Family Services, HFS 2875: Medical
Assistance and ird Party Liability, accessed March 29, 2015, http://www2.
illinois.gov/hfs/MedicalPrograms/Brochures/Pages/HFS2875.aspx.
109 New York State Department of Health, Office of Health Insurance
Programs, Family Benefit Program Application, accessed March 29, 2015,
http://www.health.ny.gov/forms/doh-4282.pdf.
110 42 U.S.C. § 1396k; 42 C.F.R. § 433.147.
111 Centers for Medicare and Medicaid Services, Medicaid ird Party Liability.
112 Iowa Department of Human Services, Employees’ Manual, Medicaid
Nonfinancial Eligibility, revised January 13, 2012, http://dhs.iowa.gov/sites/
default/files/8-c.pdf.
113 Texas Medicaid Provider Procedures Manual, Gynecological and
Reproductive Health and Family Planning Services Handbook, Sec.
2.4.1.1 Family Planning and ird Party Liability, http://www.tmhp.com/
HTMLmanuals/TMPPM/Current/Vol2_Gynecological_and_Reproductive_
Health_Services_Handbook.27.038.html.
114 Louisiana Medicaid Eligibility Manual, “Assignment of ird Party Rights,”
I-200, February 6, 2007, http://new.dhh.louisiana.gov/assets/medicaid/
MedicaidEligibilityPolicy/I-200.pdf.
115 For an explanation of which health insurance plans are covered by ERISA,
see US Department of Labor, Health Plans and Benefits: Employee
Retirement Security Act—ERISA, accessed March 30, 2015, http://www.
dol.gov/dol/topic/health-plans/erisa.htm.
116 29 U.S.C. § 1133.
117 29 C.F.R. § 2560.503-1(b).
118 29 U.S.C. § 1002(7) and (8).
119 29 C.F.R. § 2560.503-1(g).
120 Interim Final Rules for Group Health Plans and Health Insurance Issuers
Relating to Internal Claims and Appeals and External Review Processes
Under the Patient Protection and Affordable Care Act. 75 Fed. Reg. 43330,
Jul. 23, 2010.
121 75 Fed. Reg. 43333.
122 75 Fed. Reg. 43332.
123 English, Gold, and Nash, Confidentiality for Individuals Insured as
Dependents. [see note 22, above]
124 Ibid.
125 Ibid.
126 Ibid.
127 75 Fed. Reg. 43332.
128 Ala. Admin. Code, §482-1-124-.04(5).
129 Cal. Code Reg. 2695.11(b); see also Cal. Insurance Code §§10123.13,
10123.135.
130 N.Y. Insurance Law § 3234(a) and (b).
131 215 ILCS 5/143.31(c).
132 Tex. Admin. Code tit. 28, § 21.5020.
133 English, Gold, and Nash, Confidentiality for Individuals Insured as
Dependents. [see note 22, above]
134 N.Y. Insurance Law § 3234(a) and (b). See also 215 ILCS 5/143.31(c) for
similar language in Illinois.
135 3 Colo. Code Regs. 702-4:4-2-35, Sec. 5. See also Cal. Health & Safety
Code § 1395.6(c)(1).
136 English, Gold, and Nash, Confidentiality for Individuals Insured as
Dependents. [See note 22, above]
Confidentiality, Third-Party Billing, & the Health Insurance Claims Process:
Implications for Title X
27
National Family Planning
& Reproductive Health Association
137 Ibid; see also, e.g., Cal. Insurance Code §10123.13 (“insured”); Texas
Insurance Code §541.060 (“policyholder”).
138 AMA Council on Scientific Affairs “Confidential Health Services for
Adolescents.”
139 Kathleen P. Tebb, Erica Sedlander, Gingi Pica, Angela Diaz, Ken Peake, and
Claire D. Brindis, Protecting Adolescent Confidentiality Under Health Care
Reform: e Special Case Regarding Explanation of Benefits (San Francisco:
Philip R. Lee Institute for Health Policy Studies and Division of Adolescent
and Young Adults Medicine, Department of Pediatrics, University of
California, 2014). http://healthpolicy.ucsf.edu/Protecting-Adolescent-
Confidentiality.
140 Examples from other states—Connecticut, Delaware, Hawaii, Maine,
and Wisconsin—were highlighted in a 2012 report from the Guttmacher
Institute and the Center for Adolescent Health & the Law and are not
discussed here. See English, Gold, and Nash, Confidentiality for Individuals
Insured as Dependents. [see note 22, above]
141 Ibid.
142 New York State Department of Health, Office of Health Insurance
Programs, Family Benefit Program Application, accessed March 29, 2015,
http://www.health.ny.gov/forms/doh-4282.pdf.
143 NFPRHA conversation with Alice Berger, Vice President for Health Care
Planning, Planned Parenthood of New York City, August 2014.
144 Texas Medicaid Provider Procedures Manual (April 2015), Gynecological
and Reproductive Health and Family Planning Services Handbook, Sec.
2.4.1.1. http://www.tmhp.com/HTMLmanuals/TMPPM/Current/Vol2_
Gynecological_and_Reproductive_Health_Services_Handbook.27.038.html.
145 Washington State Health Care Authority, Washington Apple Health Family
Planning Provider Guide, 60-61, July 2014, http://www.hca.wa.gov/
medicaid/billing/documents/guides/familyplanningprovider_bi.pdf.
146 English, Gold, and Nash, Confidentiality for Individuals Insured as Dependents
[see note 22 above]; Tebb, Protecting Adolescent Confidentiality. [see note 139,
above]
147 English, Gold, and Nash, Confidentiality for Individuals Insured as
Dependents. [see note 22 above]
148 45 C.F.R. § 164.522(b).
149 California Department of Health Care Services, Your Information. [see note
97, above]
150 California Department of Health Care Services, Confidential
Communication Request. [see note 97, above]
151 Cal. S.B. 138, Ch. 444 (Oct. 1, 2013), Sec. 1(d).
152 Cal. S.B. 138, Sec. 1(a)-(c).
153 Cal. S.B. 138, Sec. 2(e).
154 Or. H.B. 2758, 78th Leg., Reg. Sess. (Or. 2015), Sec. 2(2)(d).
155 Cal. S.B. 138, Sec. 2(n).
156 Or. H.B. 2758, Sec. 2(1)(f).
157 Cal. S.B. 138, Sec. 4(a)(1).
158 Cal. S.B. 138, Sec. 4(a)(3).
159 Md. S.B. 790, Ch. 72 (2014); 45 C.F.R. § 164.522(b).
160 Mass. H. 871, 189th Gen. Court, H.D. 595, filed Jan. 13, 2015, Sec. 1; Or.
H.B. 2758, Sec. 2(3)(b).
161 Fox and Limb, State Policies. [see note 90, above]
162 Or. H.B. 2758, Sec. 2(2)(b).
163 Mass. H. 871, Sec.1.
164 Or. H.B. 2758, Sec. 2(2)(d) and (3)(b).
165 Mass. H 871, Sec. 1.
166 Mass. Gen. Law. ch. 176O § 27.
167 Action for Boston Community Development, et al., Letter to Kevin
Beagan, Deputy Commissioner, Massachusetts Division of Insurance, Re:
Recommendations for Division of Insurance Regulations or Guidance
Governing Common Summary of Payments Forms Pursuant to M.G.L. c.
176O, § 27 (Section 207A of Chapter 224 of the Acts of 2012), Oct. 10, 2013;
see also Explanation of Benefits and Confidentiality in Massachusetts: Fact Sheet.
http://www.brighamandwomens.org/Departments_and_Services/womenshealth/
ConnorsCenter/EOB%20Confidentiality%20fact%20sheet.pdf.
168 N.Y. Insurance Code § 3234(c) (emphasis added).
169 Mass. H. 871, Sec.1.
170 Mass. Gen. Laws ch. 176O § 1.
171 Tebb et al., Protecting Adolescent Confidentiality Under Health Care Reform.
172 Mass. H. 871, Sec.1.
173 Ibid.
174 45 C.F.R. § 164.522(a).
175 45 C.F.R. § 164.522(a).
176 45 C.F.R. § 164.522(a)(1)(vi). See also Slive and Cramer, “Health Reform.”
177 California Department of Health Care Services, Your Rights. [see note 97, above]
178 California Department of Health Care Services, Confidential
Communication Request. [see note 97, above]
179 Wash. Admin. Code 284-04-510(1).
180 Wash. Admin. Code 284-04-510(2). Oregon has followed Washington’s lead
by including a comparable provision in its recently introduced legislation.
Or. H.B. 2758, Sec. 2(2)(a).
181 Wash. Admin. Code § 284-04-510(4).
182 3 Colo. Code Reg. § 702-4, Sec. 6.
183 Wash. Admin. Code 284-04-510(3).
184 Wash. Admin. Code § 284-04-510(3).
185 Mass. H. 871, Sec.1.
186 N.Y. Medicaid Managed Care/Family Health Plus/HIV Special Needs Plan
Model Contract, March 1, 2014, www.health.ny.gov/health_care/managed_
care/docs/medicaid_managed_care_fhp_hiv-snp_model_contract.pdf.
187 Larimer County Colorado, Family Planning. [see note 187, above]
188 Keep It Confidential: My Health My Info, accessed March 30, 2015, http://
myhealthmyinfo.org/.
189 Mass. H. 871 Sec 1.
190 Julie Lewis, Robin Summers, Abigail English, and Clare Coleman,
Proactive Policies to Protect Patients in the Health Insurance Claims Process
(Washington, DC: National Family Planning & Reproductive Health
Association, 2015).
Acknowledgements
This white paper was prepared by Abigail English of the Center for Adolescent Health
& the Law and Clare Coleman, Julie Lewis, and Robin Summers of the National Family
Planning and Reproductive Health Association (NFPRHA).
The authors wish to thank Jeffrey Eaton, Daryn Eikner, Mindy McGrath, Monique Morales,
and Audrey Sandusky of NFPRHA. The authors also wish to thank Rebecca Gudeman of
the National Center for Youth Law and Tasmeen Weik of the Office of Population Affairs.
Suggested citation:
Abigail English, Robin Summers, Julie Lewis, and Clare Coleman, Confidentiality, Third-
Party Billing, & the Health Insurance Claims Process Implications for Title X (Washington,
DC: National Family Planning & Reproductive Health Association, 2015).
Funding for this project was provided by the Office of Population Affairs (Grant Number
1 FPRPA006059-01-00). The views expressed by this project do not necessarily reflect
the official policies of the Department of Health and Human Services; nor does mention of
trade names, commercial practices, or organizations imply official endorsement by the US
Government.
About Confidential & Covered
Confidential & Covered is a multi-year research project designed to understand the factors
that may make it difficult for Title X-funded family planning providers to seek reimbursement
due to patient privacy concerns. Learn more at www.confidentialandcovered.com.
About NFPRHA
NFPRHA represents the broad spectrum of family planning administrators and clinicians
serving the nation’s low-income and uninsured. NFPRHA serves its members by providing
advocacy, education, and training to those in the family planning and reproductive health
care fields.For over 40 years, NFPRHA members have shared a commitment to providing
high-quality, federally funded family planning care - making them a critical component of
the nation’s public health safety net.
www.nationalfamilyplanning.org
www.confidentialandcovered.com
