Comments from the OCR 12/03/02 Guidelines concerning collection agencies (key points underlined):
 Q: Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
 A: No.  The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies.  These disclosures, however, are limited to the following protected health information about the individual: name and address; date of birth; social security number; payment history; and account number.  In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed.  The covered entity may perform this payment activity directly, or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.
 The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by the Fair Credit Reporting Act (FCRA) or other law.  Therefore, the Department does not believe there is a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.
 Q: Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies?  Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?
 A: The Privacy Rule permits covered entities to continue to use the services of debt collection agencies.  Debt collection is recognized as a payment activity within the "payment" definition.  See the definition of "payment" at 45 CFR 164.501.  Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf.  Disclosures to collection agencies are governed by other provisions of the Privacy Rule, such as the business associate and minimum necessary requirements.
 The Department is not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act.  Where a use or disclosure of protected health information is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.
 Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?
 A: "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care.  The activities specified are by way of example and are not intended to be an exclusive listing.  Billing, claims management, collection activities and related data processing are expressly included in the definition of "payment."  See the definition of "payment" at 45 CFR 164.501.  Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity.  See 45 CFR 164.501.  The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.

Ron Moore
State HIPAA Coordinator
1201 Main Street, Suite 850
Columbia, SC   29201
Phone:   803-737-0627

>>> "Noel Chang" <[EMAIL PROTECTED]> 03/04/03 12:23AM >>>

I disagree with your conclusion that your collection agency is not a BA, even if all you give them is a name and an amount.

The definition of PHI draws on the definition of Individually Identifiable Health Information which is defined in section 160.103.  That definition says that IIHI is information that is "created or received by a health care provider" and relates to the "past, present, or future payment for the provision of health care to an individual" and that "identifies the individual".

Whether your collection agency realizes it or not, you (the covered entity) clearly know that you are releasing information that you 1) created or received, 2) pertains to the past payment for the provision of health care to an individual, and 3) it identifies the individual by giving their name. 
Thus YOU are releasing PHI to your BA, even if your BA doesn't realize it is PHI. Although one could reasonably argue that the BA ought to assume the data you are giving them pertains to payment for health care services because you are a health care provider and they are a collection agency.  You don't need much more information than that to fill in the blanks.  And HIPAA does require that the blanks be filled in!  HIPAA does say the PHI has to specify exactly what procedure the payment was for, or when the payment was due.
Just that it pertains to payment for services.

Noel Chang

---------- Original Message -----------
From: "Clay, Roy III (NO)" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Mon, 3 Mar 2003 08:42:10 -0600
Subject: RE: Another thread on Security/Privacy question

> The name and the credit card number are not PHI under HIPAA. It does not become PHI until some health information is added. If the information contains CPT codes, for example, then you would either need to include that information in the Notice of Privacy Practices or
> obtain an authorization at the time of swiping the card.
> One of the questions we had to answer was if the collection agency
> we used to collect bad debt was a business associate. We found that
> all they needed was the guarantor's contact information and an
> amount. No health information was needed for them to perform their
> task. Therefore they were not a business associate.

> Roy G. Clay III
> Interim Compliance Officer
> Louisiana State University Health Sciences Center
> New Orleans Campus
> Phone:    (504) 568-4367
> Fax:        (504) 568-6378
> -----Original Message-----
> From: Christine Hudnall [
> Sent: Friday, February 28, 2003 2:36 PM
> To: WEDI SNIP Privacy Workgroup List
> Subject: Another thread on Security/Privacy question
> I'm sending this out again, if someone could please help us.  Thanks.
> Christine
> What about the card swipes that we use when a patient makes a
> payment on their account using their credit card.  Yes, we only
> swipe the card and put in the last four digits of the number, but
> the patient name (or whoever owns the card) prints out on the
> receipt.
> Is that considered PHI, even though we are not sending them the
> name, but they print it from their records?
> If so, do we need to have an agreement with the company that we use
> the card swipe from?
> And as for eligibility, i.e., Medicaid.  We use ROVR, which is
> through Consultec (if I remember correctly).  Is an agreement needed
> with them?
> And how would I check for security for their program?  Is that
> something they would need to do and put in writing?
> Sorry for all the questions, just, my co-worker and I are trying to
> go down list of all possibilities that we need to check on.
> Thanks,
> Christin
