This is what has all along been a very predictable result from the poor
way in which the HIPAA Privacy Rule was drafted.  In the HIPAA statute,
Congress basically said that if Congress could not agree on privacy
legislation by a certain date, then DHHS should draft a privacy
regulation defining violations of medical privacy.

DHHS didn't do this; instead it approached the problem backwards.  DHHS
made a poor choice by basing the Rule on state professional misconduct
statutes which basically say that it is professional misconduct for a
physician or a medical provider to use or disclose patient information
without a patient's consent.

So, rather than drafting a more straightforward regulation telling CEs
what it would be impermissible for them to do, instead, DHHS made the
general foundation of the Privacy Rule that CEs cannot use or disclose
PHI, to anyone for any reason, unless there is an exception.

That IS the Privacy Rule, folks.  If anyone asked you to sum up the
Privacy Rule in one sentence, the rule is that CEs cannot use or
disclose PHI.  Everything else contained within the regulation is an
attempt to define an exception.  It is what I like to call The Rule of a
Thousand Exceptions.  Defining all of the possible exceptions is an
impossible project.  Health care is just too complex.

The only REQUIRED disclosures under the Privacy Rule are to DHHS, or to
the patient.  As you note, other disclosures MAY be made, but only if
they meet an exception.

Of course I understand your point, that a CE workforce member may be
wrong when they say that the HIPAA Privacy Rule forbids them from
releasing information, when the fact is that such a release may very
well fit within one of the thousands of exceptions.  But I guess I'm a
little more charitable towards the workforce member, who I wouldn't
expect to have absorbed as many of the thousands of exceptions that I
have after several years of HIPAA study.

Let's give credit where it is due, to the poor drafting of a rule which
even NCVHS has characterized as a "mess".  Please direct the "Wrath of
Deborah" accordingly. <smile>

In defense of beleaguered and overly-regulated healthcare workers
everywhere, John

John C. Cody, Esq.
NYS Central HIPAA Coordination Project
NYS Office for Technology
http://www.oft.state.ny.us/hipaa/index.htm
[The opinions expressed herein are my own and do not necessarily reflect
the policies, practices or opinions of my employer or anyone else.
Nothing herein constitutes legal advice - if you need legal advice,
please consult your own attorney.]


-----Original Message-----
From: Deborah Campbell [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2003 11:42 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE:Misusing quoting HIPAA


I know I have, and I'm sure you all have, experienced many providers
using HIPAA as an excuse for not releasing information. (I'm not saying
it was an excuse in this case. There are a lot of misunderstandings
about the regs and certainly a lot of different interpretations.) But I
just got off the phone yesterday with my mother's doctor. She called me
saying her doctor's office wouldn't give her some information (about her
X-rays) saying HIPAA won't allow it. My blood pressure skyrocketed. I
called the woman and asked what exact section she was citing of the
regulations because I have been "doing" HIPAA for 2 years and can't find
anything on that. I then proceeded to quote several other sections that
allow the release. She started stammering and then admitted she didn't
know what regulation it was or where the policy came from. I suggested
she look into it immediately and stop using HIPAA as an excuse. (I
really was furious. There are so many patients out there who will just
accept that excuse because they haven't been reading the regulations for
years.) 

This is not an isolated case. I've had other providers try the same
thing on me. But - don't mess with my mother unless you want the "Wrath
of Deborah" to descend upon you. :-)
Thanks for letting me rant.  
Deborah Campbell
-----Original Message-----
From: Doug Webb [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 11:27 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: Collection Accts.


Leslie,
Thank you for a timely and well-written analysis.

So many bad things happen when HIPAA is misread to restrict information
exchange it really doesn't restrict.
The "may" in the regulations also opens a can of worms, but it has to be
emphasized that if the release that HIPAA says may happen is denied,
HIPAA cannot be used as an excuse for the denial.  The denial is either
based on the prohibitions of some other law, or the CE's paranoia.

The opinions expressed here are my own and not necessarily the opinion
of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential
and/or legally privileged. It is intended only for the use of the
individual(s) and entity(s)  named as recipients in the message. If you
are not an intended recipient of the message, please notify the sender
immediately,  delete the material from any computer, do not deliver,
distribute, or copy this message, and do not disclose its contents or
take action in reliance on the information it contains. Thank you."


 
----- Original Message ----- 
From: Lbender 
To: WEDI SNIP Privacy Workgroup List 
Cc: B BURGESS ; [EMAIL PROTECTED] 
Sent: Thursday, October 30, 2003 10:06 AM
Subject: Re: Collection Accts.


Charles et al.: 

Funny you should raise this issue in light of the terse cover page story
in this morning's Wall Street Journal entitled, "Hospitals Try Extreme
Measures to Collect Their Overdue Debts."  Maybe worth a read if your
blood pressure is lower than you'd like this a.m.

Your issue underscores the intersection of the federal Fair Debt
Collection Practices Act ("FDCPA"), the Fair Credit Reporting Act
("FCRA"),  and HIPAA.  A quick trek to the preamble of the HIPAA privacy
rule and its modifications reveals that the Office for Civil Rights has
indicated in no uncertain terms (despite what the so-called "credit
repair" websites reveal) that debt collections, locational activities
(skip tracing), and credit reporting consistent with the FCRA (which
data elements HIPAA tracks in describing what can be credit reported)
all fall within the "P" in TPO (treatment, payment and health care
operations) -- whether undertaken directly by a covered entity or by its
collection agency business associate.  OCR's position on this is also in
a number of the FAQs on their website.

Marcallee is correct - if a debtor contacts a credit reporting agency
("CRA") and states that they dispute a debt reported either by a
healthcare provider or its collection agency because it has been paid,
the CRA must, under the FCRA, have the data furnisher ("data furnisher"
is either the provider or collection agency who reported the delinquent
account to the CRA), research it and respond within thirty (30) days (15
U.S.C. Section 1681i).  The CRA must also mark the account as "disputed"
on any credit reports released before the verification is complete.  If
the CRA makes a business decision not to investigate the consumer's
dispute, or alternatively investigates but the "data furnisher" does not
respond, the CRA must remove the reported delinquency from the patient's
credit report within that same 30 day period.  Section 611 of the FCRA
(15 U.S.C. Section 1681i) is rather detailed on the specifics of how
information is to flow in response to a consumer's dispute.  Of course
if the CRA determines that the dispute is frivolous or irrelevant it
need not undertake an investigation.  A data furnisher has an obligation
under the FCRA to furnish accurate and complete information as well as
to correct and update information from time to time as new information
becomes available to it (certainly such as payment in full of a
delinquent account).  See, FCRA at Section 623.

The use and disclosure of "payment" information between CRA, provider,
collection agency, and debtor/patient is potentially governed by each of
these three federal consumer information protection oriented laws (i.e.,
FDCPA, FCRA, and HIPAA -- as well as potentially Section 5 of the
Federal Trade Commission Act) -- in fact it may be mandated.  If a CRA
received a consumer dispute, contacted a hospital or collection agency
for verification, and the hospital or collection agency refused to
respond (remember that 164.512(a) "permits" a covered entity to make
"disclosures required by law"  -- but HIPAA itself would not mandate the
disclosure) - the refusal would be at odds with their legal requirement
under the FCRA to report accurate and complete information.

It would not seem then that Judith's debtor or the credit repair
helpsite are accurately interpreting HIPAA -- or the FCRA.  HIPAA does
not require a hospital to obtain a debtor's written permission to use a
business associate to either credit report, skiptrace, or collect
his/her delinquent account -- or even to handle insurance billing and
follow up on his/her account.  A quick word of caution, if upon
admission a patient seeks to "opt out" and restrict communications about
his/her PHI to anyone but for a specified list of people and a provider
agrees to that -- under those very limited circumstances a
debtor/patient may indeed have somewhat of an argument that his HIPAA
rights were violated when he is turned over to a collection agency if
the provider agreed to harsh restrictions on communications per that
patient's request.

Leslie


Leslie Bender
roiWebEd Company
[EMAIL PROTECTED]
----- Original Message ----- 
From: Bentz-Miller, Judith 
To: WEDI SNIP Privacy Workgroup List 
Sent: Thursday, October 30, 2003 9:04 AM
Subject: RE: Collection Accts.



A few months ago, I had a patient send me a certified letter that had
much of this exact wording in it.  I complied with the timeframe of the
10 days, but refused his request, citing the payment language and the
BA information.  (He also stated that using a collection agency could
only be done with his written permission, therefore, we had violated his
HIPAA rights.)  I have not heard from him or his attorney again.

If anyone would like to see my response, email me and I will be happy to
forward it (minus the PHI, of course!!!!)

Judith

Judith Bentz-Miller 
Privacy Officer 
Arnett Clinic 
765-448-8843 
-----Original Message-----
From: Charles Whitaker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 5:57 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Collection Accts.


 
I recently came across some information that some credit repair websites
are giving out in relation to medical collections being reported to the
Credit Reporting Agencies (CRA). If a person disputes a listing on a
credit report, the CRA must request a validation from the Collection
Agency (CA), which must get a validation from the Original Creditor
(Health Care Provider). These credit repair websites are saying that if
the bill is paid in full the Health Care Provider has no "business
purpose" to send the information to the CA (no payment due). 

See this Link
 http://community-2.webtv.net/YCHANGE/STORAGE/page14.html

Has anyone seen this?
Any thoughts or opinions?


Charles Whitaker
HIPAA Coordinator/IT
Madison Parish Hospital
Tallulah, LA
(318)574-2374
Fax (318)574-2396
[EMAIL PROTECTED]
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services. They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org 