California’s Confidential Health Information Act (SB 138)

University of California
San Francisco
Philip R. Lee Institute
for Health Policy Studies
School of Medicine



Suggested citation:
Malvin, J, Daniel, S,
Brindis, CD. California’s
Confidential Health
Information Act:
Implementation Readiness
Among Health Insurers and
Health Plans. Philip R. Lee
Institute for Health Policy
Studies, University of
California, San Francisco.
February 2015.
Available at:
http://bit.ly/PRL‐IHPS‐SB138Brief

http://healthpolicy.ucsf.edu

California’s Confidential Health
Information Act (SB 138)
Implementation Readiness Among Health Insurers and Health Plans
This brief…
 describes legal gaps that led to new legislation and privacy rights for patients
in California;
 reports findings from an exploratory study of insurers and health plans and
their readiness to implement the requirements of SB 138, the Confidential
Health Information Act.
Background

Signed into law in March 2010, the federal Patient Protection and Affordable Care Act
(ACA) expanded the opportunity for many individuals to maintain health insurance as
dependents on a policy registered in someone else’s name.1
For example, the
policyholder may be a spouse, domestic partner, or a parent in the case of a young
adult.2
One of the earliest provisions of the ACA to take effect allowed young adults
ages 19 to 26 to have coverage through their parents’ employer-based plans. In
California, this provision reduced the uninsured rate for these young adults from 28.9%
in 2009 to 26.0% in 2012.3
For private insurance dependents, increased access to health care coverage following
the ACA expansion may also test the limits of medical privacy protection. As the
primary policyholder, an insured individual is the main contact for all communications
related to claims for private insurance benefits. Because of insurance claim processing
requirements and laws designed to protect consumers, confidential information about a
dependent’s diagnosis or treatment may be communicated on at least six types of
communications.2
These include Explanation of Benefits (EOBs) forms, claims denials,
claims acknowledgments, requests for additional information, payment of claims, and in
communications about claims in circumstances of divorce or child custody. Typically,
these types of communications include personal health information that identifies the
dependent, the provider seen, and the services delivered.4,5
Confidentiality is less likely
to be compromised by means of EOBs and other communications for those enrolled in
public insurance programs because state and federal laws do not require them.6
Health Care Utilization and Data Confidentiality
Expanded dependent coverage will not necessarily improve health care access if the
unintended consequence of such expansion is concern about confidentiality. In a recent
survey, 71% of women ages 18 to 25 stated that keeping their health care information
confidential from a parent or spouse is important to them; whereas, only 37% were aware
that insurers send documentation about their use of services to the primary policyholder.7
As one young woman reported, she “took back the insurance card” she had furnished her
health care provider and paid out-of-pocket for her services because she “couldn’t use it
[her private insurance] without my parents finding out. People who are lucky enough to
have private insurance through another person, like a parent or partner, should feel safe
enough to use it”.8
Unfortunately, when an insurance communication to a parent exposes
sensitive services, such as a pregnancy test, relationships can suffer.9

California’s Confidential Health Information Act (SB 138): Implementation Readiness Among Health Insurers and Health Plans| February 2015
Philip R. Lee Institute for Health Policy Studies at the University of California, San Francisco
2
Even if young adults are unaware of these
insurance company billing communications,
research indicates that perceptions about
confidentiality can influence health care behavior.10
The impact of confidentiality concerns can translate
into avoiding care, or not using private insurance
and seeking public care instead. This shifts health
care costs to state and local governments.11
Dependents of all ages may be especially reluctant
to seek care for a specific subset of services, such
as sexual health, mental health, or substance
abuse. Adolescents who avoid health care due to
concerns about confidentiality have been found to
be those in greatest need of services.12
Additionally, adolescents and young adults tend to
have low use of preventive services, including
screenings for sexually transmitted diseases and
emotional health, despite their high prevalence of
medically unsafe behavior.7,13,14
California policy
makers recognized that young dependents and
others on private insurance policies, especially
those who are predisposed to forgo care, should
not have to risk an inadvertent privacy breach
because they want to use their insurance coverage.
Closing the Legal Loophole for Private
Insurers and Health Plans
To address the privacy concerns of individuals
insured as dependents on a parent’s or partner’s
health plan, California enacted the Confidential
Health Information Act (Senate Bill 138) in October,
2013. This law allows patients to suppress
information disclosures about sensitive services.15
For nearly two decades, all insurers and health
plans have been required to follow the federal
Health Insurance Portability and Accountability Act
of 1996 (HIPAA) privacy rules which regulate the
disclosure of protected health information (PHI). By
design, HIPAA grants exceptions to patient privacy
rules for business purposes such as billing, which
makes dependents vulnerable to inadvertent
confidentiality breaches through legitimate
communications with policyholders.16
Although
HIPAA addresses a broad array of privacy issues,
California has operated by more stringent privacy
regulations concerning medical information since
1981, and has some of the strongest minor consent
laws in the nation. Despite its strong standing in
this area, the increasing number of Californians
suddenly receiving health coverage as dependents
intensified the need to fix a privacy loophole with
regard to insurance billing and claims procedures.
Although HIPAA grants patients the right to request
confidential communications be sent to them
directly “by alternative means or at alternative
locations,” the insurer is not obligated to accept the
request and is free to require that the individual use
specific language such as “endanger” to justify the
request. (See Table 1 for comparisons between
HIPAA and SB 138.)
SB 138, effective January 1, 2015, goes beyond
the foundation of rights established by HIPAA as it
requires insurers and health plans to comply with
confidential communications requests in two
contexts: (a) the dependent’s receipt of “sensitive
services,” and (b) when the patient receives any
type of service that, if disclosed, could threaten the
patient with harassment or abuse.15
The law also
defines “sensitive services” to include mental
health, reproductive health, STD testing and care,
sexual assault services, and drug treatment, and
it includes other details to improve compliance.16
Insurers and health plans have at least fifteen
months to prepare for implementation of these new
rules. To the extent that SB 138 may provide a
national model for closing the legal gaps that
prevent dependents from fully utilizing their health
benefits, it would help to understand insurance
transactions within the framework of protecting
confidentiality.
In this 2014 study, we explored preparedness for
the new SB 138 requirements, as well as current
practices regarding confidential communications
requests among health plans and insurance
carriers in the commercial insurance marketplace.
Telephone interviews were conducted with privacy
officers at selected organizations before SB 138
was in effect to close data privacy loopholes. In
addition, we examined the information available on
a wide range of websites that California patients
may access when seeking information about their
plan’s or insurer’s privacy practices.
SB 138 Implementation Study
Overview of Methods

This study was conducted between June and
November, 2014, prior to the effective date of the
new legislation, January 1, 2015. The aim of the
study was to identify common and unique
operational issues and solutions related to the
implementation of SB 138. It included data
collection and analysis from two sources: (1)
telephone interviews with California health
insurance carriers and health plans, and (2)
website content analysis of information related to
privacy practices. The main research questions
were: (a) “How will health insurance companies and

3
health plans be affected by the new law?” (b)
“What preparations are insurers and health plans
undergoing to get ready for implementation of the
law?,” and (c) “Currently, how easy or difficult is
it for consumers to gain information about
confidential communications requests from
insurers and health plans?”
The study was considered by the University of
California, San Francisco (UCSF) Institutional
Review Board to entail no risk to participants.
Hence, we were not required to obtain formal
human subjects approval.
Telephone Interviews
Instrument design. UCSF developed the
interview questions in consultation with key
stakeholders. Proponents of SB 138 as well as
insurance industry opponents (who removed their
objections before the final version of the bill) were
asked to review and comment on the draft
questions because they had been involved in
helping draft the legislation. The proponents were
represented by two non-profit consumer advocacy
organizations; and the insurance industry was
represented by a legislative and regulatory
advocate in California. The final instrument was
based upon the consensus of all stakeholders.
Sample selection. Based upon data from
the California Health Care Foundation17
, we
targeted for recruitment seven commercial health
insurance carriers with the largest enrollment in
employer group and individual policies. In addition,
three regional health plans were invited to
participate based on data from the California
Department of Managed Health Care.18
Procedure. Privacy Officers at insurance
carriers and health plans in California were invited
by email to participate in a telephone interview.
They were told that the University of California, San
Francisco is interested in identifying individuals at
various health insurance carriers and health plans
in California who may be willing to speak about
privacy protection and data confidentiality and
California's new law, the Confidential Health
Information Act (SB 138). Included with the
recruitment email was a Project Information Sheet.
Once they scheduled an interview, we emailed
participants the list of open-ended questions in
advance of the interview and promised to protect
the identities of their organizations and individual
responses.
Response rate. From the sample of seven
top insurers and three health plans recruited to
participate, a total of three top insurers and three
health plans were interviewed. These organizations
represent approximately 60% of California
residents who purchased health insurance
individually or through an employer group in 2011.17
Representativeness and limitations. As this
was an exploratory study, we aimed to identify a
variety of ways organizations go about planning
and adapting to the new privacy legislation.
Although four companies refused to participate,
the majority of privately insured Californians are
represented by those that did participate. In
addition, there were different types of companies
included in the study, such as large national and
state-based, and smaller regional plans
geographically distributed across California. Thus,
our findings characterize a diversity of responses.
Health Plan Website Content Reviews
Tool development. UCSF investigators
examined a sample of health plan websites to
explore the accessibility and content of legally-
required Notices of Privacy Practices (NPP) as well
as to gather information regarding the consumer’s
right to file a confidential communications request
(CCR). A spreadsheet was developed to compile
the information into two main content areas:
accessibility of NPP content and NPP content
details regarding CCRs.
Sample selection. The California
Department of Managed Health Care (DMHC)
regulates more than 90% of the commercial health
plans in the State. The sampling frame for the
website analysis was the population of full service
health plans that submitted a “Health Plan Financial
Summary Report”18
to the DMHC between January,
2013 and January, 2014. Of the 105 health plans
operating in the California marketplace that also
submitted a report to the DMHC, 59 plans provided
full service coverage and 52 of those had more
than one enrollee during the period of interest.
These 52 health plans were eligible for website
analysis; however, three were found to have no
NPP available online. A total of 49 health plans
were included in this analysis.
Procedure. Using a popular search engine,
analysts searched the internet to determine how
readily consumers may locate each health plan’s
NPP as well as specific information about CCRs.
Internet searching began by entering the search

4
terms “[health plan name] notice of privacy
practices” to identify NPP accessibility, and “[health
plan name] confidential communications” to identify
CCR accessibility. “Ease of access” was defined by
whether or not there was a link to appropriate
content within the top two search results.
Secondarily, we explored whether the health plan
websites included a search field, and if the top two
search results within the website resulted in
appropriate content related to “notice of privacy
practices” or “confidential communications.” Once
located, the NPP was examined to ascertain
whether four content areas were covered by the
policy information: (1) instructions on requesting
confidential communications, (2) reasons for
confidential communications requests, (3) ways to
receive communications, and (4) contact
information for further health plan communications.
If the NPP contained a section on confidential
communications, the content was coded into
various subcategories under each content area
above. Frequencies were calculated for each
category of content, and the data were examined
for overall themes and policies regarding
confidential communications.
Representativeness and limitations. This
analysis was based on a sample, not a census of
health plans in California. Furthermore, UCSF
selected the criteria for health plan inclusion, such
as provision of full service coverage, more than one
enrollee, and availability of an online NPP. Other
criteria might have been considered which could
have resulted in a systematically different sample.
Results
Telephone Interviews
Interview participants. Telephone interviews
were conducted with nine individuals representing
six organizations. Two of the interviews were with
more than one representative on the call. The three
larger insurers/health plans report membership in
the range of one million to seven million; the three
smaller insurers/health plans ranged from
approximately 16,000 to 100,000 members.18
Altogether, the participating organizations account
for about 60% of the privately insured in
California.17
Interviewees were employed at their
organizations an average of eight years (range = 2-
19 years). All participants self-identified as having
official titles that included “Compliance,” “Privacy,”
or “Legal Counsel” and are responsible for ensuring
their companies remain compliant with all sources
of compliance rules, including state and federal
policies.
Knowledge of SB 138. With one exception,
all participants were familiar with the concept of
“requests for confidential communications” or
“CCRs.” The individual who had not heard of a
CCR had the impression we were asking about
authorization requests for release of health records
and was therefore ineligible for many follow up
questions. Although five said that they had heard
about SB 138, at least two of those had probably
become aware of the legislation only after being
recruited by UCSF. Among those who were aware
of CCRs, most associated them with the nature of
the communications, such as when mailings
contain any protected health information (PHI),
rather than with medical procedures received or the
patient’s personal circumstances. However, one
person mentioned that CCRs usually relate to a
patient’s receipt of sensitive services; and one
mentioned that a patient would have to indicate that
release of PHI would endanger them for a CCR to
apply.
Quote: “[CCR] covers all information we have
about the member that is personal to them
about their claims for treatment. It does not
apply to policy information like benefit
handbooks, ID cards, evidence of coverage,
privacy notices. That kind of thing would still be
provided to the primary subscriber, but the
individual requesting the CCR, everything else
about them that is PHI related to them, it
covers by the request.”
Reasons for CCR and patient awareness of
rights. Asked to speculate about the reasons
patients may submit a CCR, three mentioned
reproductive health-related reasons and two
mentioned spouse or divorce-related circumstances
that may involve fear for safety or privacy concerns.
Only one person stipulated that the reason for the
request must include a statement about
endangerment. Whereas, another mentioned that
endangerment would expedite the CCR but was not
required. Most organizations do not keep records
specifically related to the number of CCRs
received. One tracks this information, but it is
combined with the numerous requests they receive
for password restrictions to prevent inadvertent
release of PHI online or over the phone. Accounting
for the reported lack of systematic tracking of CCRs
and tendency to approve all requests (with minor

5
exceptions, such as mailing to a foreign address) is
the observation by interviewees that these requests
are rare. One organization estimated that they
received 12-24 CCRs per year, one said 5-6 were
received per year, and one person stated that there
were no CCRs received in the past five years. The
consensus among all interviewees was that
consumers are generally unaware that they have
the right to request a CCR, even though it is
covered in notices of privacy practices.
Quote: “I am not sure how aware patients are
about their ability to make such a request. I
know that we do include that information in our
notice of privacy practices, but your average
patient, I don’t know [if he or she] reviews the
notice of privacy practices so I really don’t know
how aware people are of that right.”
Quote: “It does seem to be minors or ex‐wives
and things, who have a true need for it,
requesting it. But I don’t know if they
necessarily know they have a right to it. I don’t
know if that’s been that well communicated. In
other words, a minor may automatically say I
don’t want my mother or my father to know,
but I don’t think they know that they actually
have a right to protect that information from
being learned by others.”
Communication preferences and forms. To
gauge how easy or difficult it would be for a patient
to express their need for confidential
communications, we asked about organizational
preferences and required formats for submitting
CCRs. Most of our participants indicated that the
starting place for a patient’s CCR is with a phone
call to the member services representative. One
organization prefers to receive the CCR directly
from the patient by mail or fax, and two said they
will accept requests by any communication method.
Written requests were accepted by all, and though
some organizations have a specific form for
members to submit, none required that it be used.
Internal forms completed by employees were used
by two organizations that direct patients to first
contact member services. There was no indication
that new CCR forms were being developed as a
result of the passage of SB 138.
Quote: “The process is designed to be inclusive
not exclusive. We are not trying to hardball
members by saying, “you didn’t apply to the
right office.” So, they have some flexibility
there. Makes it easier for the member.”
Quote: “They can call the member services line.
They could do anything, they could send an
email, they could send a fax, they could send a
letter.”
Quote: “We do have a form that the member
would complete and upon receipt of that form,
we would process that request accordingly.
Mechanics of implementing CCRs. Although
most participants were not information systems
experts within their organizations, we asked about
back-end requirements to implement a member’s
CCR. All reported that IT systems would need to be
updated. In addition, several interviewees stated
that implementing a CCR is a complicated process
that may engage five or six different business units.
The types of business units that need to coordinate
may include member services, utilization
management, appeals, and vendors contracted to
prepare mailings, among others. Under SB 138, the
enhanced confidentiality protections are specifically
designed to prevent unauthorized disclosures when
a patient receives sensitive services or feels the
disclosure about their services would lead to harm
or harassment (Table 1). Most interviewees thought
that once a CCR is in place it would have to apply
to all communications about any services rather
Snapshot: In one organization, customers are
directed to call member services, which
collects the necessary information for the
confidential communications request on a
form that is then processed. The customer
service representative forwards the form to
the “HIPAA Member Rights Team”– this team
administers all of the HIPAA member rights,
CCR being one of them. The Team reviews
the form and updates systems to trigger
compliance with that request. They can key
the request into the different systems that
send out these communications to ensure
that they get directed to the correct address.

6
than be limited to specific services. Two
participants guessed that their systems could
accommodate CCRs for restrictions related to
specific services. Only one organization proactively
contacts patients when their CCRs are in place
although most make a note in the patient’s
electronic record. Patients generally need to initiate
communication with customer services or the
privacy office to confirm implementation of their
request. CCRs are rarely disapproved and remain
valid until the patient removes the restriction.
Quote: “Somebody from our team will process it
in the system. They’ll put the specific address in
and mark it as confidential so that it will
override any other address that’s in the system,
any of the systems…[it applies to] everything.
We don’t have a way to spike that [i.e., specific
services] out.”
Preparations for SB 138 requirements. Thus
far, accommodating CCRs has not been a problem
because the volume of requests has been low and
organizations tend to handle them on a case-by-
case basis. In view of the new legislation, insurers
and health plans talked about their preparations
and expectations regarding the organizational
impact of SB 138. Three reported that the
legislation mandates very little change from existing
HIPAA requirements. No one expected to see an
increase in demand for CCRs unless there is a
wide-ranging public education campaign. Only one
organization was actively engaged in preparations
for the implementation of SB 138. Their planning
activities included creating an internal workgroup
on SB 138 to anticipate the demands of the
legislation on existing systems and work flows; and
they developed a Frequently Asked Questions
document for internal use to highlight similarities
and differences between HIPAA and SB 138
requirements, including the list of seven “sensitive
services” to which the new law applies.
Snapshot: First we update the claims system
to automatically send mailings to the
confidential address. We have to update the
customer service system, so that it provides
an alert for anyone trying to access the
member or the subscriber account. We
update our files for transmission to vendors
to assure that they have the confidential
address for the member for any mailings we
have delegated to a third party vendor to
supply. There are lots of internal systems
and networks that we have to ensure get the
data feed. Unfortunately it’s not a
monolithic “enter one address” and all our
systems receive it. There’s quite a bit of
tracking to make sure that we have the
address updated everywhere it needs to be
in our systems and with our vendors. Then
we update our own privacy office tracking
database so that we have the information
about the request and the individual’s
address preference. We have no ability to
segment out specific services or types of
information. Once a member makes a
request, it’s kind of all or nothing.
Snapshot: In order to implement a CCR for a
specific service, rather than have it apply to
all services for that member, we would have
to have some way to identify it. It could
come down to a CPT code or a provider
name, there would have to be some way to
identify it in our records. A CPT code is a
procedure code, so when you go to the
doctor they code your visit as a 99‐
something‐something‐something. If a
member said, “I don’t want you to ever mail
anything to my home about my visits to this
particular doctor when it’s related to
reproductive activity,” for example, we
would have to figure out what they mean
and either apply a code to it or just block
everything about that provider.

7
Quote: “It is really a challenging notion to tell
insurance companies on a blanket basis “For
sensitive diagnoses, if somebody asks you not
to share that information to a particular
address or in a particular way, you know, don’t
follow that instruction, grant that request”
without saying “And here are all of the things
that would fall into that bucket of sensitive
information.” It’s just so nebulous. I think the
only way I would feel comfortable complying
with this [SB 138] is to continue to just say we
are just going to send everything to you at your
requested confidential address, and if you
change your mind and want it sent back to the
subscriber address, let us know.”
Needed support to implement SB 138. To
the extent that SB 138 implementation will make
new demands on insurers and health plans,
informants were asked to describe their need for
resources and support. One organization was
completely unfamiliar with the legislation and would
not speculate. The others were unconcerned about
the new requirements of the legislation because
they expected their HIPAA-related procedures to
cover their needs and the volume of requests to
date has been low.
Quote: “If you had asked me before we adopted
the law I would have said it’s a solution in
search of a problem…given the relative
infrequency of these sorts of requests, I’d be
hard pressed to say there is some pressing
social need that this is going to be addressing.”
One spokesperson requested guidelines on how to
help policyholders of family coverage reconcile their
deductibles without breaching the confidentiality of
other family members. Another suggestion was to
provide health plans with educational materials on
minor consent services – acknowledging that the
bigger part of compliance with the laws falls on the
shoulders of providers.
Quote: “It’s very challenging to help members
keep track of their deductibles and sort of
reconcile whether they should pay or not pay a
particular bill if we can’t share with them
information about other family members. Do
we say, “Here’s another charge, I’m not sure
what it is”? or do we say, “Here’s a charge
that’s for a sensitive service, but we can’t tell
you what it is?””
To understand health plan members’ access to
information about their rights, we conducted
systematic searches of the internet and health plan
websites, and a review of Notices of Privacy
Practices (NPPs), including instructions about
requesting confidential communications (Table 2).
Accessibility of NPPs and information on
CCRs. Although health plan NPPs are easily
located through internet searches or searching
within the health plan’s website, content related to
confidential communications is less transparent.
For the 49 health plans in our sample, the internet
search using health plan name and “confidential
communications” yielded 29 links to NPPs. Eight
links were to other pages that were not related to
CCRs or NPPs; 6 links were to an internet privacy
page; and 6 links were to CCR forms or a general
forms page. Similar results were found using the
search field on the health plan website. In addition,
almost two in five health plan websites did not have
a search field, potentially limiting a member’s ability
to find pertinent information regarding their right to
request confidential communications.
Snapshot: Under existing protocols, an insurer offers password restriction to protect the unauthorized
release of information. Even if someone called customer service he or she would have to give a
personal password before any records would be released. The customer service agent would see a
specific tab highlighted on the computer screen if the case is associated with a restriction, such as a
confidential address or password. A front‐end pop up screen would be reviewed and verified by the
customer service agent before proceeding with the inquiry. Usually, if there is a confidential address
for a member there will also be a password restriction. If the insurer notices one type of protection
without the other, they contact members to make sure they have both.

8
We also found that most of the content about CCRs
is embedded in the NPPs rather than freestanding.
Thus, a member seeking information about how to
receive confidential communications would need to
read through a lengthy document with unrelated
information to find the details regarding confidential
communications requests.
NPP content related to confidential
communications. While NPPs were readily
available for most health plans, 4 of 49 NPPs
analyzed did not contain any language regarding
the right to receive confidential communications.
Instructions on submitting a CCR. About
half of the health plan NPPs stated that a member
may submit a CCR request in writing; whereas,
thirteen NPPs required a written request. Nearly a
quarter of health plans asked members to call
member or customer services to initiate a CCR;
and eight cited the availability of a CCR form. Eight
NPPs mentioned that a member may call, write, or
submit a form to get the process started; whereas,
about half stipulated a preferred means of
requesting confidential communications, such as
written (16), telephone (6), or a specific form (4).
Most health plans did not require additional
documentation to support a CCR request, although
information on “how or where the member wishes
to be contacted” was specifically mentioned in 13
NPPs. Although the majority of NPPs contained
contact information for the health plan privacy office
or member services department, nine health plan
NPPs did not contain any information about whom
to contact for further information, contrary to federal
HIPAA privacy rules.
Endangerment as a reason for CCRs.
Nearly half of the NPPs mentioned endangerment,
danger or safety as reasons why a member may
seek confidential communications. Six health plans
required “a clear statement that all or part of the
communication could endanger” the member. Only
one NPP specifically directed the member to
explain “why you would be in danger if we did not
follow your request.” However, seven health plans
explicitly state that the member does not need to
provide a reason for the request.
Examples of ways to receive confidential
communications. The majority of NPPs (n=42)
list examples of how to receive confidential
communications, such as an alternate address,
location, or P.O. Box that is different from what is
on file for the policyholder. While six health plan
NPPs did not contain examples of alternative
means of communication, more than half offered
examples of two or more means of communication,
including email or fax.

9
Conclusions
 California enacted model legislation (SB 138) that incorporates and goes beyond HIPAA
privacy protections to empower dependents on a private health insurance policy to ensure that
they, not the policyholder, receive confidential communications about their medical care.
 Private insurance dependents who may be reluctant to seek care for sensitive or other services
that they fear will expose them to harm if discovered have one less barrier to health care and
preventive screening, if they are proactive about exercising their rights to confidential
insurance transactions.
 Privacy Officers at insurance companies and health plans have not been burdened with frequent
member requests for insurance communications to be sent to alternative locations. They were
generally uninformed about the details of SB 138, how it differs from HIPAA, and how
SB138 might impact the volume of requests.
 Insurers and health plans described complex systems changes required and departmental
handoffs generated following a member’s initiation of a confidential communications request
(CCR).The tendency has been to honor all requests and to not require much explanation. However,
a member’s request will turn off all insurance communications to the policyholder rather than just
those related to sensitive services or safety concerns.
 CCRs are generally referenced in the insurer’s pre-SB 138 Notices of Privacy Practices
required by federal law. However, the details and health literacy required to understand how to
initiate a request are not standardized. Nearly one-third of NPPs do not provide any instructions.
Young people are generally less familiar with health insurance terms and concepts than adults over
age 3019
; these gaps in knowledge could interfere with their ability to exercise their rights.
 Patients who are dependents on someone else’s health plan, as well as the providers they
see, need to become informed about patient rights regarding confidential health care, including
the affirmative steps they can take to prevent inadvertent disclosures of private information.
Targeted social marketing for those prone to avoiding care and public education at clinics,
community colleges, and universities should be supported.
 Motivated by the expected flood of new insurance dependents under ACA, legislators and
advocates crafted SB 138 to resolve a long-standing loophole in health privacy laws. However,
insurers and health plans are in an awkward position with respect to policyholders’ questions about
specific charges when they try to reconcile their deductibles with billing departments. Insurers
and health plans would benefit from the development of guidelines for having these difficult
conversations in keeping with privacy laws, and from education – along with health care
providers – about confidentiality rights and minor consent laws.
Acknowledgements
This project was funded by a grant from The California Wellness Foundation (TCWF). Created
in 1992 as a private independent foundation, TCWF’s mission is to improve the health of the
people of California by making grants for health promotion, wellness education and disease
prevention. We thank all of the individuals who shared their views with us.

10
Table 1
Comparison of HIPAA and California Senate Bill 138 Requirements
Adapted from Gudeman, R., Confidential Communications Requests: Comparing the Requirements under HIPAA and
California Senate Bill 138. Oakland, CA: National Center for Youth Law. September 2014.
Characteristics HIPAA California Senate Bill 138
Individual’s right
to submit confidential
communications requests to
their Insurer/Health Plan
 
Insurer’s/Plan’s
duty to respond to requests
regarding “endangerment”
“Reasonable” request for confidential
communications accommodated if an
individual states that disclosure of
information could endanger them.
Request accommodated if an individual
states that disclosure could “endanger”
them; no conditional language, such as
“reasonable.”
duty to respond to requests
regarding “sensitive
services”
HIPAA does not address this. Request accommodated if an individual
states that disclosure of information
pertains to receipt of “sensitive services.”
Insurer/Plan free to
require specific format
for request
Insurers and plans may require the
individual to make request in
writing.
Insurers and plans may require the
individual to make request in writing or
by electronic transmission.
require specific content
in request
Insurers and plans may require that a
request contains a statement that
disclosure could endanger the
individual.
Insurers and plans may require that a
request contains a statement that disclosure
would pertain to either sensitive services
or it could endanger the individual.
Insurers and plans shall not require an
explanation as to the basis for an
individual’s statement.
provide contingent
accommodation
Insurers and plans only required to
grant “reasonable” requests;
accommodation contingent on:
(a) information about how payment
will be handled; and (b) receipt of
alternative address, method of contact.
Insurers and plans required to
accommodate requests to receive
communication in a specific form or
format but only if the requested form or
format is readily producible.
duty to fulfill request
by specific deadline
HIPAA does not address this. Insurers and plans must implement an
individual’s request within seven
calendar days if received by phone or
electronic transmission; 14 calendar
days if received by first-class mail.
duty to respond
to inquiries
HIPAA does not address this. Insurers and plans must acknowledge the
request and provide the status of
implementation if the requester asks.
Duration of Request HIPAA does not address this. Request remains in effect until an
individual expressly revokes/revises it.
Definitions No definition of “endanger” or
“reasonable request” in HIPAA.
Various terms defined by SB 138
including: Sensitive Services, Endanger,
Enrollee, Insured, Confidential
Communications Request, Subscriber.
Implementation Date HIPAA privacy rule since 2003/2004. Effective January 1, 2015.

11
Table 2
NPP Content Related to Confidential Communications Request (CCR)
Health Plan Websites
reviewed (total n=49)
Does NPP mention patient’s right to request confidential communications?
NPP did contain language regarding CCRs 92% (45)
NPPs did not contain language regarding CCRs 8% (4)
Does NPP provide instructions on how to request confidential communications?
Mentions writing 49% (24)
Requires written request 27% (13)
Verbal requests accepted but may also require written confirmation 4% (2)
No instructions on how to make a request 31% (15)
Call member services or customer service 22% (11)
Asks member to complete a form 16% (8)
Requires member to specify how or where the member wishes to be contacted 27% (13)
May require legal documentation for requests involving a minor child 2% (1)
Does NPP require statements or explanations to be included in the CCR?
NPP mentions endangerment, danger, or safety reasons 47% (23)
Required “a clear statement that all or part of the communication could endanger”
the member
12% (6)
“Why you would be in danger if we did not follow your request” 2% (1)
Explicitly states that the member does not need to provide a reason for CCR 14% (7)
Does NPP list alternative means of receiving confidential communications?
Alternate address, location, P.O. Box or “in a certain way/method” 86% (42)
Work or office contact information 33% (16)
Phone number 28% (14)
Fax 6% (3)
Email 4% (2)
Via 3 means of communication 18% (9)
No example of how communications could be received 12% (6)
Does the NPP describe how the health plan will follow up?
Health plan will accommodate reasonable requests 65% (32)
“If your request has a cost that you will have to pay for, we will let you know.” 2% (1)
Does the NPP provide information on how to contact health plan?
Address or P.O. Box 76% (37)
Phone numbers to either member services or privacy officer 74% (36)
Email address to privacy or compliance officer 22% (11)
Fax number 16% (8)
No contact information listed 18% (9)

12
References
1. U.S. Dept. of Health and Human Services. Key Features of the Affordable Care Act By Year.
<http://www.hhs.gov/healthcare/facts/timeline/timeline-text.html>
2. English A. Confidentiality for Individuals Insured as Dependents: A Review of State Laws and
Policies. 2012. <http://tinyurl.com/mnkpbd4>
3. Charles SA, Jacobs K, Roby DH, Pourat N, Snyder S, Kominski GF. The State of Health
Insurance in California: Findings from the 2011/2012 California Health Interview Survey. Los
Angeles, CA: UCLA Center for Health Policy Research. 2014. <http://tinyurl.com/pc9smuo>
4. Tebb KP, et al. Protecting Adolescent Confidentiality Under Health Care Reform: The Special
Case Regarding Explanation of Benefits (EOBs). 2014. <http://bit.ly/EOB-PolicyBrief>
5. Gold RB. Unintended Consequences: How Insurance Processes Inadvertently Abrogate Patient
Confidentiality. Guttmacher Policy Review, vol.12:4. 2009. <http://tinyurl.com/q8msf3g>
6. Fox H, Limb, SJ. Fact Sheet No. 5: State Policies Affecting the Assurance of Confidential Care
for Adolescents. 2008. <http://www.thenationalalliance.org/jan07/factsheet5.pdf>
7. Salganicoff A, et al. Women and Health Care in the Early Years of the Affordable Care Act: Key
Findings from the 2013 Kaiser Women's Health Survey. Kaiser Family Foundation Report. 2014.
<http://tinyurl.com/qygzdko>
8. Sherman R. What's the Use of Private Insurance If You Don't Feel Safe Using It? RH
RealityCheck. 2013. <http://rhrealitycheck.org/article/2013/07/29/whats-the-use-of-private-
insurance-if-you-dont-feel-safe-usingit/>
9. Nguyen V. SB 138 Keeps Young California's Health Information Safe. Young Invincibles Blog:
Guest Post. November 14, 2013. <http://tinyurl.com/qy3sasm>
10. Frerich E. Health Care Reform and Young Adults' Access to Sexual Health Care: An Exploration
of Potential Confidentiality Implications of the Affordable Care Act. American Journal of Public
Health. 2012. 102(10):1818-1821.
11. Slive L. Health Reform and the Preservation of Confidential Health Care for Young Adults.
Journal of Law, Medicine & Ethics. 2012(Summer):383-390.
12. Lehrer JA, Pantell R, Tebb K, Shafer MA. Forgone Health Care among U.S. Adolescents:
Associations between Risk Characteristics and Confidentiality Concern. Journal of Adolescent
Health. 2007. 40:218-226.
13. Berlan, ED, Bravender,T. Confidentiality, consent, and caring for the adolescent patient. Current
Opinion in Pediatrics. 2009. 21(4): 450-456.
14. Lau JS, Adams SH, Irwin CE, Jr., Ozer EM. Receipt of preventive health services in young
adults. Journal of Adolescent Health. 2013. 52(1):42-49.
15. California Senate Bill 138, Confidentiality of Medical Information (2013).
<http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB1382013>
16. Gudeman R. The Affordable Care Act and Adolescent Health: Closing confidentiality loopholes
so that adolescents nationwide can benefit fully from newly available health benefits and
insurance. Youth Law News. 2013. XXXII(3). <http://tinyurl.com/m7ylcg7>
17. California Health Care Foundation. California Health Plans and Insurers: A Shifting Landscape.
2013. California Health Care Almanac. <http://tinyurl.com/p2l8u9n>
18. California Department of Managed Health Care. Enrollment Summary Report-2013.
<http://www.dmhc.ca.gov/DataResearch/FinancialSummaryData.aspx#.VIYOcXt-4ts>
19. Norton, M., Hamel L, Brodie M. Assessing Americans' Familiarity With Health Insurance Terms
and Concepts. Kaiser Family Foundation Report. 2014. <http://tinyurl.com/oj6f7mt>
University of California
San Francisco

California’s Confidential Health Information Act (SB 138)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (8)

Ähnlich wie California’s Confidential Health Information Act (SB 138)

Ähnlich wie California’s Confidential Health Information Act (SB 138) (20)

Mehr von Philip R. Lee Institute for Health Policy Studies

Mehr von Philip R. Lee Institute for Health Policy Studies (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

California’s Confidential Health Information Act (SB 138)