Policy Forum
Mar 2016

Privacy Protection in Billing and Health Insurance Communications

Abigail English, JD and Julie Lewis, MPH
AMA J Ethics. 2016;18(3):279-287. doi: 10.1001/journalofethics.2016.18.3.pfor4-1603.


Protecting patients’ privacy and the confidentiality of their health information is a fundamental ethical requirement for health care professionals. Because our health insurance landscape currently requires disclosure of a great deal of confidential health information for processing of claims and other administrative purposes, meeting this ethical obligation presents a major challenge, requiring policy solutions that are emerging but not yet fully defined. Finding effective policy solutions has become more pressing as an increasing number of people have acquired health insurance and because it has become clear that solutions implemented at the health care provider level cannot effectively address this challenge. To address this, states are beginning to adopt a variety of statutory and regulatory approaches to protect patients’ privacy, even as a wide array of communications continue to occur among health care providers, insurers, policyholders, and patients in billing and health insurance claims processes. Some of these approaches build on protections that already exist in the Health Insurance Portability and Accountability Act (HIPAA) privacy rule but have not been fully implemented. Whatever form they take, these policy-level solutions must remain consistent with long-standing confidentiality requirements; examples of such solutions are found in the statutes and regulations of a growing number of states.

Confidentiality Obligation

Ethical obligation. The obligation of health care professionals to protect the privacy of their patients has a long history dating back to the Hippocratic Oath. More recently, the confidentiality obligation has been enshrined in the codes of ethics and policy pronouncements of the medical profession, including those of the American Medical Association, the American Academy of Pediatrics, the Society for Adolescent Medicine, and numerous other organizations [1].

Legal requirements to protect confidentiality. The confidentiality obligation of health care professionals has found expression in an extensive array of state and federal laws [2], many of which have implications for third-party billing and health insurance claims processes [2]. Federal and state laws are replete with requirements to protect the confidentiality of patients’ health information. The federal HIPAA privacy rule, which defines patient-specific health information as “protected health information” (PHI), contains detailed regulations that require health care providers and health plans to guard against privacy breaches [2]. Other important federal protections are contained in the statutes and regulations governing the Title X Family Planning Program, the Ryan White HIV/AIDS Program, the Federally Qualified Health Centers (FQHCs) Program, and Medicaid [2]. At the state level, a wide array of statutory and regulatory provisions protects the confidentiality of medical information [2]. Examples in state law include general medical confidentiality laws, those implementing the HIPAA privacy rule, and minor consent laws, along with many others [2].

The HIPAA privacy rule, the Title X confidentiality regulations, and the confidentiality protections that flow from state minor consent laws are particularly noteworthy. Of special relevance in health insurance billing and claims, the HIPAA privacy rule allows patients, including minors who have consented to their own care, to request two different kinds of protections. First, they may request restrictions on the disclosure of their PHI [3]. Health care providers and health plans are not required to agree to these requests, but if they do agree they must comply; and they must honor a request to restrict disclosures to a health plan when the care in question has been paid for in full, out of pocket, by the patient or by someone other than the health plan [3]. Second, patients must be allowed to request that they receive communications regarding their PHI “by alternative means or at alternative locations” [4]. Health care providers must accommodate reasonable requests and may not insist that patients claim they would be endangered by disclosure; health plans must accommodate reasonable requests but may require a statement that disclosure could endanger the patient [5]. These two protections are not well understood or frequently used by patients but have provided the foundation for some of the policy approaches emerging at the state level.

The federal Title X Family Planning Program [6] stands out as a leading example of legal support for the ethical obligation of health care professionals to protect confidentiality. The Title X confidentiality regulations [7] have been on the books for more than four decades and are among the strongest in federal or state law. These regulations are broader in their scope than the HIPAA privacy rule; they protect the information of patients of all ages who seek family planning services and prohibit disclosure without the patient’s permission unless otherwise required by law or to provide services to the patient [7]. Thus Title X has been a significant source of confidentiality protection in family planning services for low-income vulnerable patients, including adolescents.

Key protections for adolescents can be found at the state level in minor consent laws, which exist in every state. These laws vary among states but allow minors to consent to their own care in a variety of circumstances based on their age, their status (e.g., homeless or a parent), or the services they seek (e.g., contraceptive services or mental health care) [8]. Some of these minor consent laws also contain or are associated with confidentiality protections for minors’ information when they are authorized to give consent [8].

A Threat to Confidentiality: Legal Requirements to Disclose Information

The conflict. In tandem, and sometimes in conflict, with the myriad confidentiality requirements, federal and state laws contain many provisions that require, or at least permit, disclosure of confidential health information, sometimes without the permission of the patients to whom the information pertains. The juxtaposition of confidentiality obligations and disclosure requirements causes a conflict for providers and concern for patients. All persons have privacy interests, and when they seek care they expect health care professionals to protect their health information from confidentiality breaches. As documented in decades of research findings [9, 10], fear of such breaches can deter people from seeking health care, with potentially severe consequences for their health and public health.

Patients who may have the greatest fear of breaches of confidentiality include those seeking sensitive services such as sexual and reproductive health care, mental health services, or substance abuse treatment [11]; adolescents; those affected by domestic or intimate partner violence [9, 12]; and those covered as dependents on a family member’s health insurance policy. When a patient is covered on a policy of someone else—a parent or a spouse—communications about claims often go to the policyholder, thereby disclosing the patient’s confidential health information.

Leading examples of these disclosure requirements can be found in the HIPAA privacy rule and federal and state laws governing health insurance communications. For example, although health care providers generally seek patients’ permission to disclose their information for the purpose of submitting health insurance claims, the HIPAA privacy rule allows disclosure of PHI without authorization for “treatment, payment, or health care operations” [13]. This provision creates significant risk of confidentiality breaches.

Most significant are the laws that require insurers to send policyholders explanations of benefits (EOBs), which detail the services rendered, the amounts the insurer paid, and any balance the patient still owes, and to send notices when health insurance claims are denied in whole or in part [2, 11, 14-16]. The Employee Retirement Income Security Act (ERISA) and the Patient Protection and Affordable Care Act (ACA) both require insurers to communicate to policyholders about the benefits received and denied. These communications are commonly referred to collectively as EOBs.

Although intended to promote consumer protection and greater transparency in the health insurance claims process, these requirements have an unintended effect when the patient and the policyholder are two different people: they often result in the disclosure of patients’ sensitive information to the holders of the policies through which they are insured as dependents, which can expose the patients to danger or deter them from seeking health care [11].

These communications from health insurers to policyholders are ubiquitous. The requirements in both federal and state law for the sending of notices when claims are denied in whole or in part, and the way in which the partial denial of a claim is defined (under the federal rules, any failure to pay a claim in full counts as a partial denial), mean that virtually all claims result in the sending of a notice, which usually goes to the policyholder [2, 11, 14-16]. The potential for loss of privacy exists in both public and commercial insurance, but it is most acute in the private sector and is especially associated with the sending of EOBs to policyholders. While this risk is lessened within the Medicaid program because EOBs are not sent to beneficiaries in many states and because people enrolled in Medicaid are their own policyholders, the challenge of protecting information can still surface under Medicaid managed care plans [2, 11].

The HIPAA privacy rule does not protect against the sending of EOBs and other claim-related notices. In fact, HIPAA allows for such disclosures for the purposes of payment without authorization, and it also allows broadly for disclosures with authorization, which patients are usually required to grant to their insurers as a condition of coverage and to their providers to facilitate submission of claims.

With the passage of the ACA, many more people have Medicaid or commercial health insurance and millions of young adults ages 18-25 are now able to remain on their parents’ plans [17]. These young adults have no way to ensure their privacy while using their parents’ health insurance even though, as adults, they may rightfully assume they are entitled to the same confidentiality protections as other adults; the limitation on their privacy results from their coverage on a plan for which their parent, who is the policyholder, is likely to receive most communications [18]. As a result, patients insured as dependents sometimes still choose to act as though they were uninsured, thus undermining the personal and social benefit of insurance and burdening safety-net providers.

Example: Title X-funded family planning health centers. The ethical dilemma posed by the juxtaposition of the confidentiality obligation and the disclosure requirements for billing and health insurance claims processing is starkly illustrated by the quandary confronting Title X-funded family planning health centers. On the one hand, Title X confidentiality regulations, as described above, are very strong, and the ethical commitment to protecting patient privacy is firmly embedded in the policies and practices of providers of Title X-funded family planning services [7]. On the other hand, Title X providers’ generation of needed revenue, by billing health insurers for services covered by their patients’ commercial health plans or Medicaid, risks confidentiality breaches.

Although Title X providers may receive reimbursement for care through grant funding or other limited sources even when the patient has access to insurance, the financial pressures on Title X providers are profound, with funding levels flat and patients’ needs increasing. Title X regulations also require grantees to bill financially liable third parties when it is possible to do so while still protecting confidentiality [19]. Thus arises the quandary: providers are reluctant to bill insurers unless they can assure their patients that confidentiality breaches can be avoided, and patients who are unable to pay out of pocket continue to express a desire to receive confidential services without their insurance being billed.

This scenario results in Title X providers forgoing revenues from their patients’ health insurance coverage in order to honor their ethical—and legal—obligation to protect the confidentiality of patients’ information. In a recent survey, 62 percent of Title X-funded family planning providers said that they do not send bills at all for patients who request confidentiality, and 74 percent stated they use grant funds and charge based on income by using a sliding fee scale for patients in need of confidentiality [20].

This quandary exists not only for Title X providers and other health care professionals and health care delivery sites, but also for patients themselves. Patients may forgo needed services if they can afford them only through their health insurance; unwilling to risk a breach, they are forced to choose among necessary services because they cannot pay out of pocket for all of them. Or patients are put in a bind because they are uncertain whether use of their coverage will result in a confidentiality breach in spite of the provider’s assurances.

Evolving Protections in State Laws

Recognizing the extent of this dilemma, states have begun to address the problem with a variety of approaches, particularly in the commercial health insurance sector. These approaches include the management of EOBs, denials of claims, and other communications; enabling patients to request restrictions on disclosure of their health information; explicit confidentiality protections for minor and/or adult dependents; and varied strategies for implementing these protections [2, 11]. So far several states—including California, Colorado, Maryland, Massachusetts, Oregon, New York, Texas, and Washington—have adopted or proposed one or more statutes, regulations, or policies related to payment and billing or the health insurance claims process—either in Medicaid or in commercial health insurance—that are designed to increase confidentiality protections in some way [2, 11].

Several states have employed the communications management strategy. California’s Confidentiality of Health Information Act (CHIA) of 2013 contains detailed clarifications of and requirements for implementing HIPAA standards [21]. CHIA allows minors and adults to request “confidential communications” when they are seeking any of a group of “sensitive services” or believe they would be endangered—which, under the California law, also means harassed or abused [22]—if their request were not honored. Insurers must honor requests related to sensitive services without any claim of endangerment, and must honor requests based on an endangerment claim without requiring an explanation. Another significant example is a 2015 Oregon law that defines insurance communications broadly; it explicitly allows “enrollees” (i.e., patients) to request that communications be redirected and sent to them rather than to the policyholder, and it requires insurance carriers to honor such requests [23]. Other strategies include excluding information about sensitive services from EOBs, as in a proposed Massachusetts law [24], and not sending EOBs when there is no “balance due” or residual financial liability on the part of the policyholder, as New York State law allows [25].

An example of the strategy that allows restrictions on disclosure is a Washington State regulation, promulgated at about the same time as the HIPAA privacy rule, that requires insurers to restrict disclosure of health information about patients if they state in writing that disclosure could jeopardize their safety [26]. Washington, like California, also requires insurers to restrict disclosures about sensitive services regardless of whether the patient claims endangerment. However, while the California statute specifically addresses the handling of communications, the Washington regulation speaks more generally about restrictions on disclosure for particular groups of patients.

Adopting a more general approach, Colorado issued a regulation in 2013 that requires insurers to “take reasonable steps” to protect the information of any adult dependent covered by a family member’s policy and to ensure that communications between the insurance company and the adult dependent remain “confidential and private” [27]. Unlike the California and Washington laws, Colorado’s is limited to adults and does not include minors, even though Colorado law does allow minors to consent to a range of health care services and receive them confidentially.


As states take preliminary steps to enable patients to use their health insurance coverage and health care providers to bill insurers without breaches of confidentiality, the ethical dilemmas and the policy challenges loom equally large. Continued refinement of policy is essential, as is implementation to test its effectiveness. With each new approach, two outstanding challenges must be addressed. First, when communications are redirected or restricted to protect patients’ privacy, policyholders might not learn whether and how claims are affecting their deductibles and other financial liabilities. Second, the burden of electing to redirect or restrict communications lies entirely with the patient. This may be burdensome for patients who are unfamiliar with navigating health insurance choices, younger patients, or those in dangerous situations. Creative solutions to these and other questions are needed in order to allow health care providers to both protect patient privacy and receive payments from health insurers and to allow patients to access services they need using the health insurance coverage to which they are entitled.


  1. Morreale MC, Stinnett AJ, Dowling EC, eds. Policy Compendium on Confidential Health Services for Adolescents. 2nd ed. Chapel Hill, NC: Center for Adolescent Health and the Law; 2005. http://www.cahl.org/policy-compendium-2nd-2005/. Accessed December 20, 2015.

  2. English A, Summers R, Lewis J, Coleman C. Confidentiality, third-party billing, and the health insurance claims process: implications for Title X. National Family Planning and Reproductive Health Association. April 2015. http://www.confidentialandcovered.com/file/ConfidentialandCovered_WhitePaper.pdf. Accessed December 20, 2015.

  3. 45 CFR sec 164.522(a)(1) (2016).

  4. 45 CFR sec 164.522(b)(1) (2016).

  5. 45 CFR sec 164.522(b)(1)(ii) (2016).

  6. Population Research and Voluntary Family Planning Programs, 42 USC sec 300-300a-8 (2016).

  7. 42 CFR sec 59.11 (2016).

  8. English A, Bass L, Boyle AD, Eshragh F. State Minor Consent Laws: A Summary. 3rd ed. Chapel Hill, NC: Center for Adolescent Health and the Law; 2010.

  9. Ford C, English A, Sigman G. Confidential health care for adolescents: position paper of the Society for Adolescent Medicine. J Adolesc Health. 2004;35(2):160-167.

  10. English A, Ford CA. The HIPAA privacy rule and adolescents: legal questions and clinical challenges. Perspect Sex Reprod Health. 2004;36(2):80-86.

  11. English A, Gold RB, Nash E, Levine J. Confidentiality for individuals insured as dependents: a review of state laws and policies. New York, NY: Guttmacher Institute, Public Health Solutions; 2012. http://www.guttmacher.org/pubs/confidentiality-review.pdf. Accessed December 20, 2015.

  12. Family Violence Prevention Fund. National consensus guidelines on identifying and responding to domestic violence victimization in health care settings. February 2004. http://www.futureswithoutviolence.org/userfiles/file/Health care/consensus.pdf. Accessed December 20, 2015.

  13. 45 CFR sec 164.502(a)(1)(ii) (2016).

  14. Claims Procedure, 29 USC sec 1133 (2016).

  15. 29 CFR sec 2560.503-1(b) (2016).

  16. Interim final rules for group health plans and health insurance issuers relating to internal claims and appeals and external review processes under the Patient Protection and Affordable Care Act; interim final rule. Fed Regist. 2010;75(141):43330-43364. To be codified at 26 CFR sec 54, 602; 29 CFR sec 2590; 45 CFR sec 147.

  17. English A, Park MJ. Access to health care for young adults: the Affordable Care Act is making a difference. Center for Adolescent Health and the Law and National Adolescent and Young Adult Health Information Center. March 2012. http://nahic.ucsf.edu/download/access-to-health-care-for-young-adults-the-affordable-care-act-of-2010-is-making-a-difference/. Accessed December 20, 2015.

  18. Slive L, Cramer R. Health reform and the preservation of confidential health care for young adults. J Law Med Ethics. 2012;40(2):383-390.

  19. 42 CFR sec 59.5(a)(9) (2016).

  20. Masselink L, Lewis J, Morales M, Borkowski L, Beeson T, Wood SF, Coleman C. Title X network perspectives on confidentiality and insurance billing. National Family Planning and Reproductive Health Association. January 2016. http://www.confidentialandcovered.com/file/ConfidentialandCovered_ResearchReport.pdf. Accessed February 4, 2016.

  21. Confidentiality of Health Information Act S 138, Reg Sess (Ca 2013).

  22. Confidentiality of Health Information Act, S 138 sec 2(e), Reg Sess (Ca 2013).

  23. HR 2758, 78th Leg, Reg Sess (Or 2015). https://olis.leg.state.or.us/liz/2015R1/Downloads/MeasureDocument/HB2758. Accessed February 4, 2016.

  24. An Act to protect access to confidential healthcare. HR 871, 189th Gen Ct, HD 595. (Mass 2015). https://malegislature.gov/Bills/BillHtml/141584?generalCourtId=12. Accessed February 5, 2016.

  25. Explanation of benefits forms relating to claims under certain accident and health insurance policies, NY Ins Law sec 3234(c). http://codes.findlaw.com/ny/insurance-law/isc-sect-3234-nr3.html. Accessed February 5, 2016.

  26. Wash Admin Code sec 284-04-510(1).

  27. Life, Accident, and Health, 3 Colo Code Regs 702-4-6. https://www.sos.state.co.us/CCR/GenerateRulePdf.do?ruleVersionId=5853&fileName=3%20CCR%20702-4. Accessed February 5, 2016.





The viewpoints expressed in this article are those of the author(s) and do not necessarily reflect the views and policies of the AMA.