David,
Even if it were covered by HIPAA (I don't
think the info the collector gets is truly PHI), it would still be a permitted
release of PHI, since it's for Payment.
I think even OCR has said that derivable
"releases" are not really releases of PHI, any more than seeing the patient's
car in the doctor's parking lot really releases anything.
As for that bill from the Oncologist that
implies a cancer diagnosis -- the true diagnosis could be just the opposite
(people will consult a specialist to verify that they don't have a condition, in
addition to seeking treatment for the condition).
The opinions expressed here are my own and not necessarily the opinion of
LCMH.
Douglas M. Webb Computer System Engineer Little Company of Mary
Hospital & Health Care Centers [EMAIL PROTECTED]
"This electronic message may contain information that is confidential
and/or legally privileged. It is intended only for the use of the individual(s)
and entity(s) named as recipients in the message. If you are not an
intended recipient of the message, please notify the sender immediately,
delete the material from any computer, do not deliver, distribute, or copy this
message, and do not disclose its contents or take action in reliance on the
information it contains. Thank you."
----- Original Message -----
Sent: Thursday, October 30, 2003 01:05
PM
Subject: RE: Collection Accts.
One more though on Leslie's last
paragraph.
Debt collection would not have specifics
as to the treatment, so there should not be any PHI in the issue. Now a
problem could arise, if for example an oncologist is trying to collect a bill
from a guarantor (note I didn't say patient), and someone else sees that
information, they can surmise the guarantor has cancer (apply this to any
other medical situation).
However, in collection activities, they are trying to collect money
from a guarantor, who may or may not be a patient. I don't see where the
fact you owe a debt to anyone BESIDES a healthcare provider would be treated
one way, and the collection for a health provider would be handled differently
(or not permitted). Too many scoundrels will hide behind that
loophole.
So, the question/point is -
Collection activities are between creditor and guarantor. HIPAA
therefore shouldn't apply. One cannot accurately assume the guarantor is
the patient. And except for (possibly) the fact that the name of
the service provider MAY indicate the type of diagnosis the patient had, there
is not necessarily a direct correlation. Following the original logic,
if I were involved in a parking lot auto accident at a physician office, the
police report could not be made public under HIPAA since it may indicate that
I have a certain medical condition.
Leslie,
Thank you for a timely and
well-written analysis.
So many bad things happen when
HIPAA is mis-read to restrict information exchange it really isn't
restrict.
The "may" in the regulations
also opens a can of worms, but it has to be emphasized that if the release
that HIPAA says may happen is denied, HIPAA cannot be used as an excuse
for the denial. The denial is either based on the prohibitions of
some other law, or the CE's paranoia.
The opinions expressed here are my own and not
necessarily the opinion of LCMH.
Douglas M. Webb Computer System Engineer Little
Company of Mary Hospital & Health Care Centers [EMAIL PROTECTED]
"This electronic message may contain information that
is confidential and/or legally privileged. It is intended only for the use of
the individual(s) and entity(s) named as recipients in the message. If
you are not an intended recipient of the message, please notify the sender
immediately, delete the material from any computer, do not deliver,
distribute, or copy this message, and do not disclose its contents or take
action in reliance on the information it contains. Thank you."
----- Original Message -----
Sent: Thursday, October 30, 2003 10:06
AM
Subject: Re: Collection Accts.
Charles et al.:
Funny you should raise this issue in light of the terse cover page
story in this morning's Wall Street Journal entitled, "Hospitals Try Extreme
Measures to Collect Their Overdue Debts." Maybe worth a read if your
blood pressure is lower than you'd like this a.m.
Your issue underscores the intersection of the federal Fair Debt
Collection Practices Act ("FDCPA"), the Fair Credit Reporting Act ("FCRA"),
and HIPAA. A quick trek to the preamble of the HIPAA privacy
rule and its modifications reveals that the Office for Civil Rights has
indicated in no uncertain terms (despite what the so called "credit repair"
websites reveal) that debt collections, locational activities (skip
tracing), and credit reporting consistent with the FCRA (which data elements
HIPAA tracks in describing what can be credit reported) all fall within the
"P" in TPO (treatment, payment and health care operations) -- whether
undertaken directly by a covered entity or by its collection agency business
associate. OCR's position on this is also in a number of the FAQs on
their website.
Marcallee is correct - if a debtor contacts a credit reporting agency
("CRA") and states that they dispute a debt reported either by a healthcare
provider or its collection agency because it has been paid, the CRA must,
under the FCRA, have the data furnisher ("data furnisher" is either the
provider or collection agency who reported the delinquent account to the
CRA), research it and respond within thirty (30) days (15 U.S.C. Section
1681i). The CRA must also mark the account as "disputed" on any credit
reports released before the verification is complete. If the CRA makes
a business decision not to investigate the consumer's dispute, or
alternatively investigates but the "data furnisher" does not respond, the
CRA must remove the reported delinquency from the patient's credit report
within that same 30 day period. Section 611 of the FCRA (15 U.S.C.
Section 1681i) is rather detailed on the specifics of how information is to
flow in response to a consumer's dispute. Of course if the CRA
determines that the dispute is frivolous or irrelevant it need not undertake
an investigation. A data furnisher has an obligation under the FCRA to
furnish accurate and complete information as well as to correct and update
information from time to time as new information becomes available to it
(certainly such as payment in full of a delinquent account). See, FCRA
at Section 623.
The use and disclosure of "payment" information between CRA,
provider, collection agency, and debtor/patient is potentially governed by
each of these three federal consumer information protection oriented laws
(i.e., FDCPA, FCRA, and HIPAA -- as well as potentially Section 5 of the
Federal Trade Commission Act) -- in fact it may be mandated. If a CRA
received a consumer dispute, contacted a hospital or collection agency for
verification, and the hospital or collection agency refused to respond
(remember that 164.512(a) "permits" a covered entity to make "disclosures
required by law" -- but HIPAA itself would not mandate the disclosure)
- the refusal would be at odds with their legal requirement under the FCRA
to report accurate and complete information.
It would not seem then that Judith's debtor or the credit repair
helpsite are accurately interpreting HIPAA -- or the FCRA. HIPAA does
not require a hospital to obtain a debtor's written permission to use a
business associate to either credit report, skiptrace, or collect his/her
delinquent account -- or even to handle insurance billing and follow up on
his/her account. A quick word of caution, if upon admission a patient
seeks to "opt out" and restrict communications about his/her PHI to anyone
but for a specified list of people and a provider agrees to that -- under
those very limited circumstances a debtor/patient may indeed have somewhat
of an argument that his HIPAA rights were violated when he is turned over to
a collection agency if the provider agreed to harsh restrictions on
communications per that patient's request.
Leslie
Leslie Bender
----- Original Message -----
Sent: Thursday, October 30, 2003 9:04
AM
Subject: RE: Collection Accts.
A few months ago, I had a patient send
me a certified letter that had much of this exact wording in it. I
complied with the timeframe of the 10 days, but refused his request,
sitting the payment language and the BA information. (He also stated
that using a collection agency could only be done with his written
permission, therefore, we had violated his HIPAA rights.) I have not
heard from him or his attorney again.
If anyone would like to see my
response, email me and I will be happy to forward it (minus the PHI,
of course!!!!)
Judith
Judith Bentz-Miller
Privacy Officer
Arnett Clinic
765-448-8843
I recently came across some information that some credit
repair websites are giving out in relation to medical collections being
reported to the Credit Reporting Agencies (CRA). If a person disputes a
listing on a credit report, the CRA must request a validation from the
Collection Agency (CA), which must get a validation from the Original
Creditor (Health Care Provider). These credit repair websites are saying
that if the bill is paid in full the Health Care Provider has no
"business purpose" to send the information to the CA (no payment due).
See this Link
Has anyone seen this?
Any thoughts or opinions?
Charles Whitaker HIPAA Coordinator/IT Madison Parish
Hospital Tallulah, LA (318)574-2374 Fax (318)574-2396 [EMAIL PROTECTED]
--- The WEDI SNIP listserv to which you are subscribed is not
moderated. The discussions on this listserv therefore represent the
views of the individual participants, and do not necessarily represent
the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to
receive an official opinion, post your question to the WEDI SNIP Issues
Database at http://snip.wedi.org/tracking/. These listservs should not
be used for commercial marketing purposes or discussion of specific
vendor products and services. They also are not intended to be used as a
forum for personal disagreements or unprofessional communication at any
time.
You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] To unsubscribe from this list, go to the
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank
email to [EMAIL PROTECTED] If you need to
unsubscribe but your current email address is not the same as the
address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org --- The WEDI SNIP
listserv to which you are subscribed is not moderated. The discussions on
this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board
of Directors nor WEDI SNIP. If you wish to receive an official opinion,
post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services. They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any
time.
You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] To unsubscribe from this list, go to the
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank
email to [EMAIL PROTECTED] If you need to
unsubscribe but your current email address is not the same as the address
subscribed to the list, please use the Subscribe/Unsubscribe form at
http://subscribe.wedi.org --- The WEDI SNIP listserv to
which you are subscribed is not moderated. The discussions on this listserv
therefore represent the views of the individual participants, and do not
necessarily represent the views of the WEDI Board of Directors nor WEDI
SNIP. If you wish to receive an official opinion, post your question to the
WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs
should not be used for commercial marketing purposes or discussion of
specific vendor products and services. They also are not intended to be used
as a forum for personal disagreements or unprofessional communication at any
time.
You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED] To unsubscribe from this list, go to the
Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank
email to [EMAIL PROTECTED] If you need to
unsubscribe but your current email address is not the same as the address
subscribed to the list, please use the Subscribe/Unsubscribe form at
http://subscribe.wedi.org --- The WEDI SNIP listserv to which
you are subscribed is not moderated. The discussions on this listserv
therefore represent the views of the individual participants, and do not
necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP.
If you wish to receive an official opinion, post your question to the WEDI
SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should
not be used for commercial marketing purposes or discussion of specific vendor
products and services. They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.
You
are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To
unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED] If you need to unsubscribe but
your current email address is not the same as the address subscribed to the
list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
*****
"The information transmitted is intended only
for the person or entity to which it is addressed and may contain
confidential, proprietary, and/or privileged material. Any review,
retransmission, dissemination or other use of, or taking of any action in
reliance upon, this information by persons or entities other than the intended
recipient is prohibited. If you received this in error, please contact the
sender and delete the material from all
computers.60"
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
|