Are Healthcare EOBs Covered by HIPAA? Rules, Privacy, and Compliance Explained
HIPAA Coverage of EOBs
An Explanation of Benefits (EOB) summarizes how a health plan processed a claim—what was billed, what the plan allowed, amounts paid, and what you may owe. Because an EOB ties these details to an identifiable person, it contains Protected Health Information and is therefore subject to HIPAA’s Privacy and Security Rules.
HIPAA permits covered entities to use and disclose PHI for treatment, payment, and healthcare operations without patient authorization. EOBs fall squarely under “payment,” so health plans may send them to the address of record for the plan member. Even so, plans must apply the “minimum necessary” standard and reasonable safeguards to limit incidental disclosure.
While HIPAA allows EOBs, you retain the right to request additional privacy protections. If you are concerned that an EOB could reveal sensitive services to others in your household, you can ask the plan to communicate through alternate means or to a different address.
Covered Entities Under HIPAA
HIPAA applies to covered entities and their business associates that handle PHI. For EOBs, the primary covered entity is the health plan (insurer, HMO, employer-sponsored plan, or government plan) that adjudicates claims and issues the statements.
Healthcare providers and clearinghouses are also covered entities. Providers transmit claims to plans for payment, which triggers EOB creation by the plan. Vendors that print, package, email, store, or otherwise process EOBs are Business Associates and must have Business Associate Agreements that require appropriate security safeguards and limit use of PHI.
Disclosure of EOBs Without Authorization
Patient authorization is not required for disclosures necessary for payment. A provider may submit claim PHI to a health plan, and the plan may disclose claim outcomes via an EOB to the plan member as part of standard payment operations.
Authorization may become relevant if a disclosure goes beyond payment or operations (for example, marketing) or if you direct the plan to share EOB details with a third party. Also note a special restriction right: when you pay a provider out of pocket in full and request that the provider not disclose the related PHI to your health plan, the provider must honor that restriction—no claim is sent and no EOB is generated for that service.
For dependents, plans typically send EOBs to the subscriber on the policy. If that would compromise privacy, request confidential communications so EOBs are redirected to you rather than the subscriber, consistent with HIPAA and any stronger state protections.
Patient Rights to EOBs
You have a right of access to PHI in a designated record set, which for health plans includes claim and benefit information. You may request copies of past EOBs from your plan, usually within HIPAA’s access timelines (generally 30 days, with a limited extension). Plans may charge reasonable, cost-based fees for copies.
You can also request confidential communications—asking the plan to send EOBs to another mailing address, to a secure email address, or to an online portal. Plans must accommodate reasonable requests and must grant them if disclosure could endanger you. If you believe an EOB contains an error, you may request an amendment or file a complaint with the plan’s privacy office.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
State Laws on EOB Privacy
HIPAA sets a national floor for privacy. Many states add protections, especially for dependents and sensitive services (for example, reproductive health, mental health, substance use, or sexual health). Depending on the state, you may be able to suppress, delay, or redirect EOBs, or require more generic service descriptions.
When state law is more protective of privacy than HIPAA, the state rule controls. Practical options you can ask your plan about include:
- Redirecting EOBs to an alternate address or secure electronic channel you control.
- Using generic descriptions on EOBs where permitted by state law.
- Suppressing EOBs for zero-balance claims or fully paid services, if allowed.
- Setting portal-only delivery with password protection, when offered.
HIPAA Compliance in Mailing EOBs
Mailing EOBs is allowed under HIPAA if covered entities and business associates implement reasonable safeguards to prevent unauthorized viewing or disclosure. For paper EOBs, that means sealed envelopes, accurate addressing, and processes that prevent PHI from appearing in address windows.
For electronic EOBs, HIPAA’s Security Rule requires administrative, physical, and technical security safeguards based on risk analysis. Common controls include encryption in transit and at rest, access controls, multi-factor authentication for portals, and audit logs.
If an EOB is misdirected or exposed (for example, mailed to the wrong person), the organization must perform a breach risk assessment. When there is more than a low probability that the PHI was compromised, the Breach Notification Rule requires notifying affected individuals and, in some cases, regulators and the media. Practical safeguards for EOB delivery include:
- Use “minimum necessary” data on envelopes and inserts.
- Validate addresses and suppress duplicate mailings.
- Train workforce and monitor vendors handling EOBs.
- Maintain incident response procedures for potential breaches.
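The practical options listed under state law (redirect, generic descriptions, zero-balance suppression, portal-only delivery) and the mailing safeguards above (minimum necessary on the envelope, address validation, duplicate suppression, auditable decisions) can be encoded as a pre-send routing check. The following Python module is an added example, not code from the page or from any plan's claims system; the member and claim records, the sensitive-service categories, the generic description text, and the simple ZIP-code address check are all constructed assumptions standing in for a plan's real data and address-verification service.

```python
"""Pre-send privacy routing for an EOB (added example; all data is constructed)."""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical category labels; a real plan would derive these from claim coding.
SENSITIVE_CATEGORIES = {"mental_health", "substance_use",
                        "reproductive_health", "sexual_health"}
GENERIC_DESCRIPTION = "Office visit / professional services"


@dataclass
class Member:
    member_id: str
    name: str
    address_of_record: str
    subscriber_id: str                      # policyholder; dependents differ
    confidential_address: Optional[str] = None  # set when a request is on file
    portal_only: bool = False


@dataclass
class Claim:
    claim_id: str
    member_id: str
    service_description: str
    category: str
    patient_responsibility: float


@dataclass
class Delivery:
    channel: str            # "mail", "portal", "suppressed", or "held"
    address: Optional[str]
    envelope_lines: list    # minimum necessary: name and address only
    body_description: str
    reason: str


_ZIP_RE = re.compile(r"\b\d{5}(-\d{4})?$")


def validate_address(address: str) -> bool:
    """Minimal sanity check (non-empty, has a street line and a US ZIP).
    Stands in for a real address-verification service."""
    if not address or "," not in address:
        return False
    return bool(_ZIP_RE.search(address.strip()))


def route_eob(member: Member, claim: Claim, already_sent: set, *,
              state_allows_generic: bool = True,
              state_allows_zero_balance_suppression: bool = True,
              audit_log: Optional[list] = None) -> Delivery:
    """Decide where and how one EOB goes, and record why."""
    audit_log = audit_log if audit_log is not None else []

    def decide(channel, address, description, reason):
        # The envelope never carries service lines, only name and address.
        envelope = [member.name, address] if channel == "mail" else []
        audit_log.append({"claim_id": claim.claim_id,
                          "member_id": member.member_id,
                          "channel": channel, "reason": reason})
        return Delivery(channel, address, envelope, description, reason)

    # Generic wording for sensitive services where state law permits it.
    description = claim.service_description
    if claim.category in SENSITIVE_CATEGORIES and state_allows_generic:
        description = GENERIC_DESCRIPTION

    # Duplicate suppression, then zero-balance suppression.
    if claim.claim_id in already_sent:
        return decide("suppressed", None, description, "duplicate of prior mailing")
    if claim.patient_responsibility == 0 and state_allows_zero_balance_suppression:
        return decide("suppressed", None, description, "zero-balance claim")

    if member.portal_only:
        already_sent.add(claim.claim_id)
        return decide("portal", None, description, "member elected portal-only delivery")

    # Confidential-communications request overrides the address of record.
    address = member.confidential_address or member.address_of_record
    reason = ("confidential-communications request on file"
              if member.confidential_address else "address of record")
    if not validate_address(address):
        return decide("held", None, description, "address failed validation")
    already_sent.add(claim.claim_id)
    return decide("mail", address, description, reason)


if __name__ == "__main__":
    log = []
    m = Member("M1", "Pat Example", "1 Main St, Springfield, IL 62701", "S1",
               confidential_address="PO Box 9, Springfield, IL 62702")
    c = Claim("C100", "M1", "Psychotherapy, 45 min", "mental_health", 25.0)
    print(route_eob(m, c, set(), audit_log=log))
    print(log)
```

Each decision is appended to the audit log with its reason, so a later breach risk assessment or vendor review can show why a given EOB went to a given address; the `already_sent` set is the dedup state a real system would keep in a database rather than in memory.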
Retention Periods for EOBs
HIPAA does not set a universal medical record retention period for EOBs. It requires covered entities and business associates to retain required HIPAA-related documentation (such as policies, procedures, notices, and logs) for six years from the date of creation or last effective date. That rule is about compliance records, not the medical or claim records themselves.
How long EOBs are kept is driven by broader record retention requirements: state insurance statutes, federal program rules, ERISA, tax and audit needs, and contractual obligations. Many organizations retain claim and EOB records for six to ten years to meet audit and litigation-hold expectations, with longer periods possible for government programs or special cases.
Conclusion: Key Takeaways
- EOBs contain Protected Health Information and are covered by HIPAA.
- Health plans may issue EOBs without patient authorization as part of payment.
- You can request confidential communications to protect your privacy.
- State laws may add extra EOB privacy rights—ask your plan about options.
- Apply security safeguards to mailed and electronic EOBs and follow the Breach Notification Rule if something goes wrong.
- Set retention based on HIPAA documentation rules plus applicable record retention requirements from other laws and contracts.
FAQs
Are EOBs considered protected health information under HIPAA?
Yes. EOBs identify an individual and relate to healthcare services and payment, so they contain Protected Health Information and are subject to HIPAA’s Privacy and Security Rules.
Can healthcare providers disclose EOBs without patient authorization?
EOBs are generated by health plans, but providers may disclose PHI to plans for payment without patient authorization. That claim information enables the plan to issue an EOB. If you pay a provider in full out of pocket and request a restriction, the provider must not disclose that PHI to the plan, and no EOB should result.
What privacy protections exist for mailed EOBs?
Covered entities and business associates must use reasonable safeguards for paper mail (sealed envelopes, correct addressing, minimal visible data) and apply security safeguards for electronic delivery. If an EOB is misdirected or exposed, the Breach Notification Rule may require notifications.
How long must EOBs be retained under HIPAA?
HIPAA requires retention of compliance documentation for six years but does not set a specific retention period for EOBs themselves. EOB retention is typically determined by broader record retention requirements—such as state insurance laws, ERISA, and program or contractual rules—often ranging from six to ten years.