UNIVERSITY OF CALIFORNIA UC LEGAL

Attorney-Client Privileged. Not for Circulation Outside of The University of California.

Page 1

UNIVERSITY OF CALIFORNIA

UC LEGAL - OFFICE OF THE GENERAL COUNSEL

Health Compliance Alert: Confidential Communication Requests and UC’s Health Plans

February 2023 (Update to March 2022)

Q: Are UC’s self-funded employee health plans, retiree plans and student health insurance plans

required to fulfill confidential communication requests (CCRs) from enrollees, and assure that

communications from the insurer that may disclose certain services received by the enrollee are not

provided to the subscriber?

A: Likely yes. Laws requiring health plans regulated by the Knox-Keene Health Care Plan Act and health

insurers

regulated by the California Insurance Code to fulfill CCRs recently have expanded. UC’s self-funded

health plans are exempt from the Knox-Keene Act, and UC also takes position that its self-funded plans are

not regulated by California Department of Managed Health Care (DMHC) nor the California Department of

Insurance (CDI). However, the California Constitution, other laws applicable to UC, and UC policies support

UC providing the same rights relating to CCRs as explicitly required of plans regulated by the DMHC or CDI.

Background

Many individuals, such as students and dependents of UC employees, are covered by UC health plans but

are not the subscriber or policyholder.

Routine communications sent by health plans, such as

explanation of benefit letters or denial of claims notices, are often sent to the subscriber or policyholder

and may contain personal and sensitive information about enrollees or insureds

who are not the

subscriber or policyholder. California’s Confidential Health Information Act (CHIA), which became

effective in 2015, is intended to provide greater privacy protection to enrollees and insureds. The rights

of enrollees and insureds further expanded in July 2022 and January 2023 with the passage of new laws.

California law prohibits health plans and health insurers from requiring enrollees and insureds to obtain

the policyholder or primary subscriber’s authorization to receive certain “sensitive services.” It also

allows enrollees and insureds to make requests for confidential communications (CCRs) to their health

plan and health insurers, which, when made, would prohibit the health plan or health insurer from

providing certain communications to the subscriber or policyholder. Cal. Civ. Code § 56.107; Cal. Ins.

Code § 791.29. This Alert is intended to raise UC health plan awareness to CCRs.

“Health insurance” means individual or group disability insurance policies that provide coverage for hospital,

medical, or surgical benefits. Cal. Ins. Code § 106.

Note that UC’s fully insured health plans are directly subject to the Knox-Keene Act, and therefore, the California

laws relating to CCRs apply to these plans. However, as these laws apply to health plans’ obligations with respect to

their enrollees and subscribers, they do not apply to health care service plans acting as third-party administrators

(TPAs) to UC’s self-funded health plans.

“Subscriber” means the individual responsible for payment to an insurance plan or whose employment is the

basis for eligibility for membership in the plan. Cal. Health & Safety Code § 1345(p). With respect to group

insurance, “policyholder” means the individual who is the current group certificate holder. Cal. Ins. Code §

791.02(t).

“Enrollee” means a person who is enrolled in an insurance plan and who is a recipient of plan services. Cal. Health

& Safety Code § 1345(c). “Insured” refers to an individual who is covered under an insurance policy. See Cal. Ins.

Code § 791.02.

Attorney-Client Privileged. Not for Circulation Outside of The University of California.

Page 2

CHIA and UC Health Plans

CHIA’s obligations for ensuring the confidentiality of certain communications with enrollees and insureds apply

to “health care service plans” that are regulated by the Knox-Keene Care Service Plan Act (Knox-Keene Act) and

to “health insurers” regulated by the California Insurance Code. Cal. Civ. Code § 56.05(f); Cal. Ins. Code § 791.29.

The Knox-Keene Act applies to health care service plans that undertake or arrange for the provision of health

care services to subscribers or enrollees, or that pay for or reimburse any part of the cost for those services, in

return for a prepaid or periodic charge paid by or on behalf of the subscribers or enrollees. Cal. Health & Safety

Code § 1435(f). However, health plans are exempt from the Knox-Keene Act where they meet a list of

requirements set forth in Section 1349.2(a).

UC’s self-funded plans meet all of these requirements, and

therefore, are exempt from the Knox-Keene Act.

CHIA also applies to health insurers. UC takes the position that its self-funded health plans are also not regulated

by the California Department of Managed Health Care (DMHC) nor the California Department of Insurance (DOI),

and therefore exempt from provisions of the Insurance Code.

Strong Arguments for Accommodating Requests for Confidential Communications

However, other laws and policies applicable to UC provide strong support for compliance with CHIA’s obligations

regarding confidential communications to enrollees:

• Health Insurance Portability and Accountability Act (HIPAA): UC’s self-funded health plans are subject

to HIPAA as a covered entity. UC HIPAA Administrative Requirements Policy. Under HIPAA, covered

entities must allow an individual to make specific privacy requests, including requests to receive

communications by alternative means or at alternative locations. HIPAA specifically requires health

plans to accommodate reasonable requests to receive communications by alternative means or at

alternative locations if the individual clearly states that the disclosure of information could endanger the

Specifically, in order to be exempt from the Knox-Keene Act, all of the following requirements must be satisfied:

(1) the health care service plan pays for or reimburses any part of the cost of the health care services, and is

operated by a public entity (or city, county, city and county, political subdivision, or public joint labor management

trust); (2) provides services or reimbursement only to employees, retirees, and the dependents of those employees

and retirees, of any participating public entity (or city, county, city and county, political subdivision, or public joint

labor management trust), but not to the general public; (3) provides funding for the program; (4) provides that

providers are reimbursed solely on a fee-for-service basis, so that providers are not at risk in contracting

arrangements; (5) Complies with Section 1378 of the Health and Safety Code, and, to the extent that a plan

contracts directly with providers for health care services, complies with Section 1379 of the Health and Safety

Code; (6) does not reduce or change current benefits except in accordance with collective bargaining agreements,

or, with respect to unrepresented employees, except as otherwise authorized by the governing body, and provides,

pays for, or reimburses at least part of the cost of all “basic health care services” as defined in Cal. Health & Safety

Code § 1345(b); (7) Refrains from any conduct that constitutes fraud or dishonest dealing or unfair competition, as

defined in (Cal. Bus & Prof. Code 17200) and notifies enrollees of their right to file complaints with the director

regarding such conduct; (8) maintains a fiscally sound operation and makes adequate provision against the risk of

insolvency so that enrollees are not at risk, individually or collectively; and (9) submits with the annual financial

statements a declaration, executed by a plan official authorized by the governing body of the plan, that the plan

complies with all the requirements set forth here. See Cal. Health & Safety Code § 1349.2(a).

Attorney-Client Privileged. Not for Circulation Outside of The University of California.

Page 3

individual.

45 C.F.R. § 164.522(b)(1)(ii). In other circumstances, health plans are generally not required

to agree to a privacy request.

45 C.F.R. § 164.522.

• Information Practices Act (IPA): UC is subject to the requirements of the IPA, as a result, any health

plans administered by UC are also subject to its requirements. Among other obligations, generally, UC is

prohibited from disclosing personal information about any person in which it maintains records unless:

(i) disclosed to the individual to whom the information pertains; or (ii) with the prior written consent of

the individual.

• California Constitution: Article I, Section 1 of the California Constitution affords individuals the right to

privacy. As a public trust created pursuant to Article IX, Section 9, UC is charged with affording this right

of privacy to individuals receiving services from or through UC.

• UC Mission: Accommodating requests for confidential communications is consistent with UC’s mission

of educating students and providing public services.

• Parity: UC’s fully insured health plans must comply with CHIA, and therefore, must offer and

accommodate CCRs. UC Legal has not identified any legal, policy, or other justification to deny enrollees

of UC’s self-funded plans the same privacy protections as those enrolled in such fully insured plans

particularly where, as here, the plan administrators are required to implement the same rules in other

plans they offer.

Confidential Health Information Act (CHIA)

CHIA gives rights to an adult enrollee and insured (and a minor who has the right to consent to the

relevant medical care

), referred to as a “protected individual”

, where their health plan is regulated by

the Knox-Keene Act or their health insurer is subject to the California Insurance Code. These rights are

summarized below.

The health plan may require the individual to make a request for a confidential communication in writing. The

covered entity may also condition the provision of a reasonable accommodation for confidential communications

on: (i) when appropriate, information as to how payment, if any, will be handled; and (ii) specification of an

alternative address or other method of contact. Health plans may also require that a request contain a statement

that disclosure of all or part of the information to which the request pertains could endanger the individual. 45

C.F.R. 164.522(b)(2).

However, if it does agree to honor the individual’s privacy request, it must comply unless the individual needs

emergency treatment and the restricted protection health information is necessary to provide the treatment. In an

emergency situation where the covered entity must disclose information it agreed to restrict, it must request that

the information not be further disclosed. See 45 C.F.R. § 164.522(a). Note also that a covered entity must agree to

an individual’s request to restrict disclosure of their PHI to a health plan if: (i) the disclosure is for the purpose of

carrying out payment of a health care operations and is not required by law; and (ii) the PHI only pertains to an

item of service for which the individual has paid in full. 45 C.F.R. § 164.522(a)(1)(vi).

In California, individuals age 18 and above, individuals below 18 who are emancipated, individuals on active

military duty, and individuals who are married or previously married may consent to their own care. Cal. Family

Code § 6929(g). In addition, a minor has the right to consent to: (i) pregnancy and contraception (except

sterilization) (Cal. Family Code § 6925); (ii) if at least 12 years old, communicable diseases, including HIV testing

(Cal. Family Code § 6926); (iii) care related to rape and sexual assault (Cal. Family Code §§ 6927, 6928); and (iv) if at

least 12 years old, care related to drug and alcohol abuse (Cal. Family Code §6929(b)).

In order to request confidentiality of communications relating to sensitive services, the individual must be legally

able to consent to the services provided. Under California law, to the extent there is an age requirement to consent

to such services, in most cases, the individual must be at least 12 years old. See Cal. Civ. Code § 56.05(l); Cal. Ins.

Code § 791.02(ab).

Attorney-Client Privileged. Not for Circulation Outside of The University of California.

Page 4

1. Prohibits Authorization to Receive Sensitive Services

Specifically, the law prohibits these health plans and health insurers from requiring a protected

individual to obtain the policyholder or primary subscriber’s authorization to receive “sensitive services”

or to submit a claim for “sensitive services.” “Sensitive services” include birth control, abortion services,

sexual assault services, STD tests, mental and behavioral health care, substance use disorders, gender

affirming care, and intimate partner services.

Further, health plans and insurers are prohibited from

disclosing medical information

related to sensitive services to the policyholder, primary subscriber, or

any other enrollee or insured without authorization from the protected individual receiving sensitive

services.

2. Requires Directing All Communications Regarding Sensitive Services to the Protected Individual

Health plans and health insurers are required to direct all communications regarding a protected

individual’s receipt of sensitive services directly to the protected individual receiving care.

The types

of “communications” that must be directed to the protected individual include:

• bills and attempts to collect payment;

• notices of adverse benefit determinations;

• explanation of benefits notice;

• requests for additional information regarding a claim;

• notices of contested claims;

• the name and address of a provider, description of services provided, and other information

related to a visit; and

• any written, oral, or electronic communication from an insurer that contains protected health

information as defined under the Health Insurance Portability and Accountability Act.

Cal. Civ. Code § 56.107(a); Cal. Ins. Code § 791.29(a).

Cal. Civ. Code § 56.05(n); Cal. Ins. Code § 791.02(ac).

Medical information” includes any individually identifiable information, in electronic or physical form, in possession

of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor

regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means

that the medical information includes or contains any element of personal identifying information sufficient to allow

identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or

social security number, or other information that, alone or in combination with other publicly available information,

reveals the identity of the individual. Cal. Civ. Code § 56.05(i).

The law previously required that a protected individual request confidential communications related to these

“sensitive services. AB 1184 and AB 2091 removed this requirement and made confidential communications a

standing obligation of health insurers and health care service plans. The law directs that if the protected individual

has a designated alternative mailing address, email address or telephone number, the health plan or health insurer

must send or make all communications related to the protected individual’s receipt of sensitive services to the

alternative contact information designated. If the protected individual has not designated an alternative mailing

address, email address, or telephone number, the health plan or health insurer must send or make all

communications related to the protected individual’s receipt of sensitive services at the address or telephone

number on file.

Attorney-Client Privileged. Not for Circulation Outside of The University of California.

Page 5

3. Right of Protected Individuals to Request CCRs for All Medical Services

Health plans and health insurers are required, upon request by a protected individual, to accommodate

any request for confidential communications.

The protected individual may request that the

communications be in any form and format, so long as readily producible.

Health plans and health

insurers must implement a CCR within 7 calendar days of receiving an electronic or telephonic request,

and within 14 calendar days of receiving a request via first-class mail.

Thereafter, health plans and health insurers must apply the CCR to all communications that disclose

medical information of the protected individual, as well as to all communications that disclose the

provider’s name and address related to the protected individual’s receipt of medical services. Health

plans and health insurers must abide by the CCR until the subscriber or enrollee submits a revocation of

the CCR, or submits a new CCR. Cal. Civ. Code § 56.107(b); Cal. Ins. Code § 791.29(b).

Health plans and health insurers are prohibited from conditioning enrollment or coverage on an enrollee

or insured waiving their rights to receive confidential communications. Cal. Civ. Code § 56.107(e); Cal.

Ins. Code § 791.29(e).

4. Requires Notification to Enrollees and Insureds Regarding CCRs

Health plans and health insurers must notify their enrollees and insureds that they may request a

confidential communication in a specified format and how to make that request.

Specifically, the

information must be provided to subscribers/policyholders and enrollees/insureds upon initial

enrollment and annually thereafter upon renewal. It must be provided:

• In a conspicuously visible location in the evidence of coverage; and

• On the health plan or health insurer’s website, accessible through a hyperlink and in a manner

that allows subscribers, policyholders, enrollees, insureds, and members of the public to easily

locate the information.

Cal. Civ. Code § 56.107(c); Cal. Ins. Code § 791.29(c).

Conclusion

Though California requirements to provide confidential communications to enrollees and insureds

explicitly apply only to health plans regulated by the Knox-Keene Act and health insurers regulated by

the DMHC and DOI, the constitutional right to privacy, other state laws applicable to UC, and UC’s

mission itself provide support for UC’s self-funded health plans to comply with the CHIA. UC’s self-

funded health plans therefore are encouraged to develop appropriate notifications and circulate them to

all enrollees.

Contact: Hillary Kalay, UC Legal, (510) 987-0355; Margia Corner, UC Legal, (510) 987-0828

Prior to enactment of AB 1184 and AB 2091, the law only permitted confidential communications where the

medical service related to a more narrow scope of “sensitive services” or where disclosure would endanger the

individual.

If not readily producible in the form and format requested by the protected individual, it may be produced in an

alternative manner. The health plan and health insurer may require the protected individual to make a request for

a confidential communication in writing or electronically. Cal. Civ. Code § 56.107(b); Cal. Ins. Code § 791.29(b).

However, insurers are required to accommodate requests for confidential communications in any form and

format requested by the individual, so long as it is readily producible.