
HIPAA GUIDELINES
Q: Does the HIPAA Privacy Rule permit a covered entity or its collection
agency to communicate with parties other than the patient
(e.g., spouses or guardians) regarding payment of a bill?
A: Yes. The Privacy Rule permits a covered entity, or a business associate
acting on behalf of a covered entity (e.g., a collection agency), to disclose
protected health information as necessary to obtain payment for health
care, and does not limit to whom such a disclosure may be made.
Therefore, a covered entity, or its business associate, may contact persons
other than the individual as necessary to obtain payment for health care
services. See 45 CFR 164.506(c) and the definition of “payment” at
45 CFR 164.501.
However, the Privacy Rule requires a covered entity, or its business
associate, to reasonably limit the amount of information disclosed for such
purposes to the minimum necessary, as well as to abide by any reasonable
requests for confidential communications and any agreed-to restrictions on
the use or disclosure of protected health information.
See 45 CFR 164.502(b), 164.514(d), and 164.522.
Q: Does the HIPAA Privacy Rule prevent reporting to consumer credit
reporting agencies or otherwise create any conflict with the Fair Credit
Reporting Act (FCRA)?
A: No. The Privacy Rule’s definition of “payment” includes disclosures to
consumer reporting agencies. These disclosures, however, are limited to
the following protected health information about the individual: name and
address; date of birth; social security number; payment history; and
account number.
In addition, disclosure of the name and address of the health care provider
or health plan making the report is allowed. The covered entity may
perform this payment activity directly, or may carry out this function
through a third party, such as a collection agency, under a business
associate arrangement.
The Privacy Rule permits uses and disclosures by the covered entity or its
business associate as may be required by the Fair Credit Reporting Act
(FCRA) or other law.
Therefore, the Department does not believe there is a conflict between the
Privacy Rule and legal duties imposed on data furnishers by FCRA.
Q: Does the HIPAA Privacy Rule prevent health plans and providers from
using debt collection agencies? Does the Privacy Rule conflict with the
Fair Debt Collection Practices Act?
A: The Privacy Rule permits covered entities to continue to use the
services of debt collection agencies. Debt collection is recognized as a
payment activity within the “payment” definition. See the definition of
“payment” at 45 CFR 164.501.
Through a business associate arrangement, the covered entity may engage
a debt collection agency to perform this function on its behalf.
Disclosures to collection agencies are governed by other provisions of the
Privacy Rule, such as the business associate and minimum necessary
requirements. The Department is not aware of any conflict between the
Privacy Rule and the Fair Debt Collection Practices Act.
Where a use or disclosure of protected health information is necessary for
the covered entity to fulfill a legal duty, the Privacy Rule would permit such
use or disclosure as required by law.
Q: Are location information services of collection agencies, which are
required under the Fair Debt Collection Practices Act, permitted under the
HIPAA Privacy Rule?
A: “Payment” is broadly defined as activities by health plans or health care
providers to obtain premiums or obtain or provide reimbursements for the
provision of health care. The activities specified are by way of example
and are not intended to be an exclusive listing. Billing, claims management,
collection activities and related data processing are expressly included in
the definition of “payment.” See the definition of “payment” at
45 CFR 164.501. Obtaining information about the location of the
individual is a routine activity to facilitate the collection of amounts owed
and the management of accounts receivable, and, therefore, would
constitute a payment activity. See 45 CFR 164.501.
The covered entity and its business associate would also have to comply
with any limitations placed on location information services by the
Fair Debt Collection Practices Act.
The minimum necessary requirements (standard), outlined above, are interesting
though.
This standard states that only the MINIMUM amount of information needed to
effect the payment for services is ALL that can be released. Once I had a CA
(on a medical) to which I requested validation. They sent me a copy of the claim
form which was submitted to my insurance co. On the claim form
(HICFAA 1500) were the CPT Codes, the codes the medical industry uses to
describe the exact procedure that took place. This, I believe, violates. Had I not
gotten to the quick resolution I wanted I would have used it. Suppose the
CPT Code indicated a Rectal Exam, for example. I hardly think a CA needs to
know that much. Quite often you can ... well ... "induce" the CA AND the MP into
violating for a medical just by demanding validation, here's how;
INCIDENTAL USES AND DISCLOSURES [45 CFR 164.502(a)(1)(iii)]
How the Rule Works
General Provision. The Privacy Rule permits certain
incidental uses and disclosures that occur as a by-product of another permissible
or required use or disclosure, as long as the covered entity has applied reasonable
safeguards and implemented the minimum necessary standard, where applicable,
with respect to the primary use or disclosure.
See 45 CFR 164.502(a)(1)(iii). Interestingly the medical provider is REQUIRED
to have implemented safeguards to assure that your info. is protected. Much like
the CRAs are required to implement procedures to assure maximum possible
accuracy. We see lawsuits all the time where this is the only count. "Failure to
implement procedures to assure maximum possible accuracy" § 607.
Compliance procedures [15 U.S.C. § 1681e] (b) Accuracy of report.
Whenever a consumer reporting agency prepares a consumer report it shall follow
reasonable procedures to assure maximum possible accuracy of the information
concerning the individual about whom the report relates. Do take note, the MP
(medical provider) is required to achieve precisely the same standard.
To further clarify; An incidental use or disclosure is a secondary use or disclosure
that cannot reasonably be prevented, is limited in nature, and that occurs as a result
of another use or disclosure that is permitted by the Rule.
In the scenario I outlined above, (that of the Rectal Exam) it would be impossible
to conclude that the disclosure was "incidental", meaning it could not have been
reasonably avoided. Indeed, to purposely send ALL my medical info. to the CA is
in direct violation, because of their outright failure to implement safeguards to
assure that your info. is protected.
However, an incidental use or disclosure is not permitted if it is a by-product of an
underlying use or disclosure which violates the Privacy Rule. A disclosure is
permitted as long as it does not violate the rest of the rule, INCLUDING THE
REQUIREMENT to implement safeguards to assure that your info. is protected.
Reasonable Safeguards.
A covered entity must have in place appropriate administrative, technical, and
physical safeguards that protect against uses and disclosures not permitted by the
Privacy Rule, as well as that limit incidental uses or disclosures.
See 45 CFR 164.530(c).
It is not expected that a covered entity’s safeguards guarantee the privacy of
protected health information from any and all potential risks.
Reasonable safeguards will vary from covered entity to covered entity depending
on factors, such as the size of the covered entity and the nature of its business.
Didn't this just say that failure to implement is not necessarily always a violation?
YES - it did. So it depends on each individual case. It depends on numerous
mitigating components; "such as the size of the covered entity and the nature of its
business." In other words you and your MP may have a disagreement, and here's
where the courts come in. Isn't the purpose of our Civil Litigation System to
resolve disputes such as those mentioned?
ANYTIME there's a disagreement as to matters of material fact, you have a
right to file suit.
Now - Here's How To Get Your Deletion: Since MPs are very concerned about
being sued, the mere filing of it should get you a resolution to your satisfaction.
You may have to pay the bill, but you don't have to live with lousy credit for
7 years.
If I filed a suit and offered to settle by paying the bill (or some portion of it) and
dropping the suit in exchange for my deletion, they'd be hard pressed to say no.
The problem with the CPT codes is that those codes, along with Procedure codes,
APC codes and DRGs (Diagnostic Related Grouping) are all used to *calculate*
the bill based on fees assigned to those particular codes. If you request validation,
wouldn't they then be required to send those codes explaining how they got to the
amount of the bill? Unfortunately, that is not in violation of HIPAA.
I believe the mere filing, in most cases, will get you your deletion. All you have to
do is figure the grounds upon which to file without a frivolous harassment sanction.
Sometimes you may want to just file and hope like hell that you'll get your
resolution and NEVER have to actually go to court.
Especially effective when dropping a case number off, via the Sheriff, to a Medical
Provider. They'll be on the phone right smartly trying to figure out what you want to
settle. Naturally you'll drop your case in exchange for deletion.
Sure, this idea is very iffy, and I wouldn't even try it except as a last resort.
There are a few intrinsic violations in the law that seem to contradict each other.
For example, it's a requirement to put the mini miranda ("This is an attempt to
collect a debt, any information will be used for that purpose".) on ALL
correspondence.
On the other hand, some feel the mini miranda can be construed as continued
collection activity, which must be frozen in the face of a demand for validation.
Presents a weird catch 22 doesn't it? If you ever sued for the continued collection
activity a judge would probably tell you to go fly a kite, but at least it APPEARS
you filed in good faith. The net result is that you've increased, to a high degree of
probability, that you'll get resolution PRIOR to a court date.
The new regulations for HIPAA took effect on April 14, 2003.
What is HIPAA?
Federal HIPAA Regulation Mandates
Final privacy regulations were issued by the US Department of Health and Human Services for the HIPAA (Health Insurance Portability and Accountability Act of 1996) on August 14, 2002. HIPAA is the law right now. On April 14, 2003 penalties will be imposed to enforce compliance with the law.
The HIPAA laws affect almost every healthcare provider. HIPAA will change the way all these practices do business. It defines that the information in client files belongs to the client, not the practice and MUST be protected. HIPAA will cause sweeping changes in the way that information is handled and protected.
The HIPAA Privacy Rules require certain specific methods of handling the protected health information (PHI) of clients. On April 14, 2003, these changes must be implemented. Fines, penalties and possible jail time can be imposed for non-compliance. To be compliant, a practice must:
- Provide a Notice of Privacy Practices to all patients.
- Obtain HIPAA-compliant agreements with all business associates
- Get a signed Authorization every time patient information is released per request of a client
HIPAA doesn't stop there. It also requires new procedures regarding patient access to their information: New procedures must be implemented to provide patients:
- Access to their medical information including providing copies at their request
- Ability to make amendments to their records
- Accountings of any and all disclosures made of their medical information for any use other than treatment, payment and firm operations
And the practice must notify each patient of these rights with a "Notice of Privacy Practices." This notice must include the patient’s rights, the practice's HIPAA policies and the address of where to complain.
Statement from HIPAA REGULATION:
April 14, 2003, the penalties will be imposed. The fines are large enough to put a practice out of business. For a simple violation, such as not documenting release of protected health information in every client file affected, the fine is $100 per standard violated, per client per year. The maximum fine per standard violated is $25,000 per year. Suppose your firm had 3,000 clients and an employee neglected to put a copy of the transaction in half the files of your practice. The fine could be 1,500 patients times $100, or $150,000. And that is for ONE violation. What would the fine be for NOT being compliant at all? And for misuse of patient data the fine could be $250,000 plus jail time.
HIPAA compliance is not an option. HIPAA is the law right now. All covered entities must be compliant by April 14, 2003 or face the penalties imposed.
So Yes!....You may fine these suckers for disclosing your HIPAA rights...
Good Luck!
Creditwrench has lots and lots of resources available for you to learn how to
deal with your debt problems and re-establish your credit.
Our website is at http://www.creditwrench.com and we have a message board at
http://consumers.creditwench.com as well.