Data Insider: Digital Guardian's Blog

Massachusetts Law Strengthens Patient Privacy Protections

by Chris Brook on Wednesday April 18, 2018


The law closes a loophole that could allow sensitive health data to be shared with the primary subscriber of a health plan.

Massachusetts lawmakers recently passed legislation designed to protect patients' access to confidential health care. The bill, signed into law earlier this month, ensures that patients covered as dependents on another person's insurance policy can receive their medical information directly rather than through the policyholder.

The law, S. 2296, also known as the Protecting Access to Confidential Health Care (PATCH) Act, requires the Massachusetts Division of Insurance to create a standard form for the state's health insurance carriers that describes the charges on a patient's bill in less specific terms, so that the form itself reveals less about the care a patient received.

One of the law's main goals is to address how health plans send out explanations of benefits, or EOBs. Currently, many health insurers send the EOB to the primary subscriber regardless of whether it details care received by the subscriber or by one of his or her dependents, a practice that many privacy advocates argue violates HIPAA.

Under the new PATCH law:
• Insurers must allow patients to choose their preferred method of receiving EOBs, including at an alternate address or through HIPAA-compliant electronic means
• EOBs will provide generic information only, such as “office visit” or “medical care,” rather than more explicit descriptions that could violate confidentiality
• Patients can opt out of receiving an EOB when no remaining balance exists on a claim
• Patients must be informed of their options to request confidential means of receiving EOBs
• The state Division of Insurance and Department of Public Health are required to educate providers and patients on these protections

As Michael Bertoncini, a labor and employment attorney with Jackson Lewis, a Boston law firm, notes, the PATCH law grants individuals greater protections than HIPAA does.

“Insurance carriers will be required to communicate the members’ rights to request that medical information be sent to them rather than the policyholder and to suppress the common summary of payments form in plain language and in a clear and conspicuous manner in evidence of coverage documents, member privacy communications and on every common summary of payments form,” Bertoncini wrote in an analysis of the law this week. “This information also must be conspicuously displayed on the carrier’s member website and online portals for individual members.”

The bill was spearheaded by Sen. Karen Spilka, D-Ashland, and moved fairly quickly through the state's legislature after it was reported out of the Senate Committee on Ways and Means. It passed the Senate on Feb. 14 and was signed into law on April 1 at a ceremonial bill signing hosted by Gov. Charlie Baker at the State House.

The news came just a few days after a Boston-area healthcare provider, the Cambridge Health Alliance, notified 2,500 patients that their private billing information had been accessed by a third party, and as a Massachusetts state agency, the Department of Revenue, grapples with a data breach of its own. That breach stemmed from a mailing error: about 6,100 individuals who owe child support had their private data exposed after letters containing that information were mistakenly mailed to companies that do not employ them.

An earlier data breach at the DOR this year made private information from about 39,000 business taxpayers, including names, tax identification numbers and their payroll processors' banking information, visible to other companies. That breach was twice as large as initially thought and lasted from early August through Jan. 23.

Tags: Healthcare, Industry Insights

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.