Maintaining patient confidentiality is a top priority for family physicians and their patients. A common concern is protecting sensitive services—including STI testing and treatment, mental health services, drug treatment, family planning, gender-affirming care and intimate partner violence care—from being disclosed in insurance billing documents such as explanations of benefits (EOBs).
An EOB is a document from an insurer that details treatments and/or services provided, the amount the insurer will pay toward any covered charge and, if applicable, information about any benefit denied.
An EOB includes:
EOBs are mandated under the Employee Retirement Income Security Act (ERISA) Benefit Claims Procedure Regulation (FAQs Section C-12), which governs insurance plans offered via private-sector employers; and the Patient Protection and Affordable Care Act (ACA), which expanded health insurance coverage nationwide and introduced several standards beneficial to patients, including privacy protections.
Both ERISA and the ACA require insurers to communicate to policyholders about benefits received and denied. These requirements are intended to promote greater transparency in the health insurance claims process and provide consumer protection against fraud.
Insurers generally send an EOB to the policyholder, even if the EOB describes a service for a spouse or a dependent. This practice can compromise confidentiality, particularly for patients covered under a parent’s health care plan.
Privacy protections are a key concern for:
Patient safety issues may arise when confidentiality is not maintained. Various rules, state and federal laws and health insurance plan types influence health care privacy and patient privacy.
Some states safeguard confidentiality with allowances for confidential communications, specific protections for minors and, in some cases, specific protections for explanations of benefits.
A few states allow insurers to mail an EOB directly to the patient rather than to the policyholder. Insurance providers in New York and Wisconsin are not required to send an EOB to the policyholder if there is no balance due.
State privacy law supersedes HIPAA when a state law provides greater privacy protections for individually identifiable health information than HIPAA, or when a state law provides individuals with more privacy rights than HIPAA.
HIPAA allows patients, including minors who have consented to their own care, to request two kinds of protection.
First, they may request restrictions on the disclosure of their protected health information (PHI). HIPAA-covered entities (i.e., physicians and other clinicians or health plans) are not required to agree to these requests. However, if they do agree, they must comply, and they must honor requests when the health care has been fully paid for by the patient or anyone other than the health plan.
Second, patients must be allowed to request that they receive communications regarding their PHI “by alternative means or at alternative locations.” Health plans must accommodate reasonable requests, and they may require a statement of endangerment. Physicians and other clinicians also must accommodate reasonable requests, but they may not require patients to claim they would be endangered by disclosure.
For patients who request added privacy protection for their health information, the AMA provides customizable forms that support HIPAA compliance; these forms are included in the AAFP’s privacy toolkit.
For more than half a century, the Title X national family planning program has guaranteed confidentiality for all patients receiving its services, including minors. The program’s privacy regulations also cover family planning services.
To generate revenue and meet grant requirements, Title X facilities may bill health insurers for services covered by their patients’ commercial health plans or Medicaid. When an EOB is generated, confidentiality can be breached.