The health law opened the door for millions of young adults to stay on their parents' health insurance until they turn 26. But there's a downside to remaining on the family plan: Chances are that Mom or Dad, as policyholder, will get a notice from the insurer every time the grown-up kid gets medical care, a breach of privacy that many young people may find unwelcome.

With this in mind, a handful of states have adopted laws or regulations in recent years that make it easier for dependents to keep medical communications confidential.

The privacy issue has long been recognized as important, particularly in the case of a woman who might fear reprisal if, for example, her husband learned she was using birth control against his wishes. But now the needs of adult children are also getting attention.

"There's a longstanding awareness that disclosures by insurers could create dangers for individuals," said Abigail English, director of the advocacy group Center for Adolescent Health and the Law, who has examined these laws. "But there was an added impetus to concerns about the confidentiality of insurance information with the dramatic increase in the number of young adults staying on their parents' plan until age 26" under the health law.


Advertisement

Federal law does offer some protections, but they are incomplete, privacy advocates say. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a key federal privacy law that established rules for when insurers, doctors, hospitals and others may disclose individuals' personal health information. It allows people to request that their providers or health plan restrict the disclosure of information. Young adults can ask that their insurer not send the ubiquitous "explanation of benefits" form — the EOB, which describes care received or denied — to their parents, for example. But an insurer isn't obligated to honor that request.

In addition, people can ask that their health plan communicate with them at an alternate location or using a method other than the one it usually employs. Someone might ask that EOBs be sent by email rather than by mail, for example, or to a different address than that of the policyholder. The insurer must accommodate those requests if the patient says that disclosing the information would endanger them.

A number of states, including California, Colorado, Washington, Oregon and Maryland, are passing laws that have the effect of clarifying and strengthening the confidentiality protections in HIPAA or ensuring their implementation.

In California, for example, all insurers must honor a request by members that their information not be shared with a policyholder if they are receiving "sensitive" care such as reproductive health services or drug treatment, or if the patient believes that sharing the health information could lead to harm or harassment.

"There was concern that the lack of detail in HIPAA inhibited its use," said Rebecca Gudeman, senior attorney at the National Center for Youth Law, a California nonprofit that helps provide resources to attorneys and groups representing poor children. She noted that HIPAA doesn't define endangerment, for example, and doesn't include details about how to implement confidentiality requests.

Concerns that their parents may find out about their treatment leads some young people to forgo the care altogether, while others go to free or low-cost clinics for reproductive and sexual health services, for example, and skip using their insurance. In 2014, 14 percent of people who received federal Title X family planning for low-income individuals had private health insurance coverage, according to the National Family Planning and Reproductive Health Association.

Even though most states don't require it, some insurers may accommodate confidentiality requests, said Dania Palanker, senior counsel for health and reproductive rights at the National Women's Law Center, a research and advocacy group.

Young adults covered under a parent's plan can "inquire whether there will be information sent and whether there's a way to have it sent elsewhere," Palanker said. "It may be possible that the insurer has a process even if a state doesn't have a law."

Insurers' perspective on these types of rules vary. In California, after some initial concerns about how the law would be administered, insurers worked with advocates on the bill, Gudeman said. "I give them a lot of credit," she said.

Restricting access to EOB details can be challenging, said Clare Krusing, a spokeswoman for America's Health Insurance Plans, a trade group. A plan may mask or filter out a diagnosis or service code on the EOB, but provider credentials or pharmacy information may still hint at the services provided.

There's also good reason in many instances for insurers and policyholders to know the details about when a policy is used, experts say. If some information is withheld, policyholders may have difficulty tracking cost-sharing details such as how much remains on their deductible.

In addition, "if a consumer receives a filtered or masked EOB, he or she has no way of knowing whether their account has been compromised or used as part of fraudulent activity," Krusing said.