Actually, if the patient requests non-release of PHI to the provider for its own TPO then the provider is well within its rights to determine how it will be paid for the services to be rendered. If the patient cannot provide adequate assurance to the provider that it will be paid for services rendered such that there would not be any disclosure of PHI in order to collect payment, the provider is not obligated to treat....unless there might be an EMTALA issue.
Rachel Rachel Foerster Rachel Foerster & Associates, Ltd. Voice: 847-872-8070 email: [EMAIL PROTECTED] -----Original Message----- From: Wellons, David L [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2003 4:19 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Collection Accts. then all I as a scoundrel patient need to do (particularly if self pay) is to request non-release of information without my permission and then just refuse to pay my bill. Sounds like the provider's only recourse would be to contact me directly - use of a collection agency would violate HIPAA since I haven't given my permission, as would posting a bad debt on my credit record. Sounds like a winner to me! As to my example about the parking lot accident - agreed that police are not HIPAA bound, but with the DOJ conclusion that anyone (not just CEs) who release PHI can be prosecuted (q.e.d.), it makes sense should they list my name and the physician office name publicly, someone could 'interpret' HIPAA as being applicable. (I know this won't happen, but just saying that under the current interpretations I've seen in these threads, there is merit to the example). Also, the issue of the CA having a BAA with the CE and thus can use PHI. >From other threads (the one about overseas transcriptions), someone said that HIPAA only applies to CEs, and that if BAAs are used, the non-CE who gets the data is not bound by HIPAA, their only exposure would be breach of contract issues with the CE. As the CA and CRAs are not CEs, then any collection data they have, even the PHI you list (name, amount) is not covered under HIPAA once they have it in their hands (EVEN with BAAs in place). While this may be circular logic, that is what I come up with when combining a couple of issues into one. Don't read my comments as argumentative, not meant that way, just a bit frustrated that even professional (as you and the others are) who are well-versed as anyone in HIPAA can't seem to find common agreement on some key points. Not your fault, just the way it was all written. The views expressed are mine personally and do not necessarily represent the views of my employer. -----Original Message----- From: Sherriann Hamilton [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2003 4:13 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Collection Accts. David ~ PHI includes much more information than just "specifics as to the treatment" - it also includes information that "Relates to ... the past, present, or future payment for the provision of health care to an individual..." So, a name, an amount, and the creditor/provider/CE = PHI; and I would assume that debt collection would involve at least that much information. The reason that collection by, or on behalf of, a creditor/provider/CE is (potentially) handled differently is that the creditor/provider/CE is bound by HIPAA and the debt information is PHI. The creditor/provider/CE would need to have a BA agreement with the collection agency so that the CA can use/disclose the PHI on behalf of the creditor/provider/CE. The BA's disclosure of the information to the CRA is permitted because it's related to payment. As for the auto accident in the parking lot of the physician's office... the police are not bound by HIPAA. I don't know the rules about police reports being made public, but if they can't be made public... it's not because of HIPAA. Just my 2c. Sherriann Hamilton, Privacy Officer/Training Director The Christian Church Homes of KY 12700 Shelbyville Road, Ste. 1000 Louisville, KY 40243 (502) 254-4254 - phone (502) 396-4217 - cell (502) 254-5117 - fax Please check out our web site at www.cchk.org -----Original Message----- From: Wellons, David L [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2003 2:06 PM To: WEDI SNIP Privacy Workgroup List Subject: RE: Collection Accts. One more though on Leslie's last paragraph. Debt collection would not have specifics as to the treatment, so there should not be any PHI in the issue. Now a problem could arise, if for example an oncologist is trying to collect a bill from a guarantor (note I didn't say patient), and someone else sees that information, they can surmise the guarantor has cancer (apply this to any other medical situation). However, in collection activities, they are trying to collect money from a guarantor, who may or may not be a patient. I don't see where the fact you owe a debt to anyone BESIDES a healthcare provider would be treated one way, and the collection for a health provider would be handled differently (or not permitted). Too many scoundrels will hide behind that loophole. So, the question/point is - Collection activities are between creditor and guarantor. HIPAA therefore shouldn't apply. One cannot accurately assume the guarantor is the patient. And except for (possibly) the fact that the name of the service provider MAY indicate the type of diagnosis the patient had, there is not necessarily a direct correlation. Following the original logic, if I were involved in a parking lot auto accident at a physician office, the police report could not be made public under HIPAA since it may indicate that I have a certain medical condition. -----Original Message----- From: Doug Webb [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2003 11:27 AM To: WEDI SNIP Privacy Workgroup List Subject: Re: Collection Accts. Leslie, Thank you for a timely and well-written analysis. So many bad things happen when HIPAA is mis-read to restrict information exchange it really isn't restrict. The "may" in the regulations also opens a can of worms, but it has to be emphasized that if the release that HIPAA says may happen is denied, HIPAA cannot be used as an excuse for the denial. The denial is either based on the prohibitions of some other law, or the CE's paranoia. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. Webb Computer System Engineer Little Company of Mary Hospital & Health Care Centers [EMAIL PROTECTED] "This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you." ----- Original Message ----- From: Lbender To: WEDI SNIP Privacy Workgroup List Cc: B BURGESS ; [EMAIL PROTECTED] Sent: Thursday, October 30, 2003 10:06 AM Subject: Re: Collection Accts. Charles et al.: Funny you should raise this issue in light of the terse cover page story in this morning's Wall Street Journal entitled, "Hospitals Try Extreme Measures to Collect Their Overdue Debts." Maybe worth a read if your blood pressure is lower than you'd like this a.m. Your issue underscores the intersection of the federal Fair Debt Collection Practices Act ("FDCPA"), the Fair Credit Reporting Act ("FCRA"), and HIPAA. A quick trek to the preamble of the HIPAA privacy rule and its modifications reveals that the Office for Civil Rights has indicated in no uncertain terms (despite what the so called "credit repair" websites reveal) that debt collections, locational activities (skip tracing), and credit reporting consistent with the FCRA (which data elements HIPAA tracks in describing what can be credit reported) all fall within the "P" in TPO (treatment, payment and health care operations) -- whether undertaken directly by a covered entity or by its collection agency business associate. OCR's position on this is also in a number of the FAQs on their website. Marcallee is correct - if a debtor contacts a credit reporting agency ("CRA") and states that they dispute a debt reported either by a healthcare provider or its collection agency because it has been paid, the CRA must, under the FCRA, have the data furnisher ("data furnisher" is either the provider or collection agency who reported the delinquent account to the CRA), research it and respond within thirty (30) days (15 U.S.C. Section 1681i). The CRA must also mark the account as "disputed" on any credit reports released before the verification is complete. If the CRA makes a business decision not to investigate the consumer's dispute, or alternatively investigates but the "data furnisher" does not respond, the CRA must remove the reported delinquency from the patient's credit report within that same 30 day period. Section 611 of the FCRA (15 U.S.C. Section 1681i) is rather detailed on the specifics of how information is to flow in response to a consumer's dispute. Of course if the CRA determines that the dispute is frivolous or irrelevant it need not undertake an investigation. A data furnisher has an obligation under the FCRA to furnish accurate and complete information as well as to correct and update information from time to time as new information becomes available to it (certainly such as payment in full of a delinquent account). See, FCRA at Section 623. The use and disclosure of "payment" information between CRA, provider, collection agency, and debtor/patient is potentially governed by each of these three federal consumer information protection oriented laws (i.e., FDCPA, FCRA, and HIPAA -- as well as potentially Section 5 of the Federal Trade Commission Act) -- in fact it may be mandated. If a CRA received a consumer dispute, contacted a hospital or collection agency for verification, and the hospital or collection agency refused to respond (remember that 164.512(a) "permits" a covered entity to make "disclosures required by law" -- but HIPAA itself would not mandate the disclosure) - the refusal would be at odds with their legal requirement under the FCRA to report accurate and complete information. It would not seem then that Judith's debtor or the credit repair helpsite are accurately interpreting HIPAA -- or the FCRA. HIPAA does not require a hospital to obtain a debtor's written permission to use a business associate to either credit report, skiptrace, or collect his/her delinquent account -- or even to handle insurance billing and follow up on his/her account. A quick word of caution, if upon admission a patient seeks to "opt out" and restrict communications about his/her PHI to anyone but for a specified list of people and a provider agrees to that -- under those very limited circumstances a debtor/patient may indeed have somewhat of an argument that his HIPAA rights were violated when he is turned over to a collection agency if the provider agreed to harsh restrictions on communications per that patient's request. Leslie Leslie Bender roiWebEd Company [EMAIL PROTECTED] ----- Original Message ----- From: Bentz-Miller, Judith To: WEDI SNIP Privacy Workgroup List Sent: Thursday, October 30, 2003 9:04 AM Subject: RE: Collection Accts. A few months ago, I had a patient send me a certified letter that had much of this exact wording in it. I complied with the timeframe of the 10 days, but refused his request, sitting the payment language and the BA information. (He also stated that using a collection agency could only be done with his written permission, therefore, we had violated his HIPAA rights.) I have not heard from him or his attorney again. If anyone would like to see my response, email me and I will be happy to forward it (minus the PHI, of course!!!!) Judith Judith Bentz-Miller Privacy Officer Arnett Clinic 765-448-8843 -----Original Message----- From: Charles Whitaker [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 29, 2003 5:57 PM To: WEDI SNIP Privacy Workgroup List Subject: Collection Accts. I recently came across some information that some credit repair websites are giving out in relation to medical collections being reported to the Credit Reporting Agencies (CRA). If a person disputes a listing on a credit report, the CRA must request a validation from the Collection Agency (CA), which must get a validation from the Original Creditor (Health Care Provider). These credit repair websites are saying that if the bill is paid in full the Health Care Provider has no "business purpose" to send the information to the CA (no payment due). See this Link http://community-2.webtv.net/YCHANGE/STORAGE/page14.html Has anyone seen this? Any thoughts or opinions? Charles Whitaker HIPAA Coordinator/IT Madison Parish Hospital Tallulah, LA (318)574-2374 Fax (318)574-2396 [EMAIL PROTECTED] --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org ***** "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers.60" --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org ***** "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers.61" --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org