Medical Privacy Rule Provokes Lawsuit By Christine Hall CNSNews.com Staff Writer April 14, 2003 http://www.cnsnews.com/Politics/archive/200304/POL20030414a.html (CNSNews.com) - The Bush administration's new regulations governing medical privacy take effect on April 14, but some privacy advocates are so alarmed at the fine print that they've filed a lawsuit in federal court. "What the federal government is doing is giving...blanket permission on behalf of individuals for the use and disclosure of their health information, regardless of the individual's wishes," said Jim Pyles, attorney for the plaintiffs. "The regulations have a rather ominous facet to them in that they not only eliminate the right of the individual to give or withhold consent, but they also confer essentially a federal license on thousands of organizations to go get your information, and they call that 'regulatory permission,'" Pyles added. When patients realize that others can now get access to their medical files, Pyles believes, they will be reluctant to share as much information with their own doctors, thus jeopardizing the nation's health care system. The lawsuit was brought by a coalition of health privacy groups and physicians, including the American Psychoanalytic Association and the National Coalition of Mental Health Professionals. The suit alleges that the privacy rule as written runs contrary to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and that the rule violates the Fifth Amendment protection of liberty. WOW, I never thought of that ! The suit was filed in federal district court in Philadelphia because of the city's historical significance in the nation's founding principles, Pyles said. Critics like Pyles point to provisions of the rule that allow disclosure of personal health information without patient consent for purposes related to treatment, payment and a long list of "health care operations." Rep. Edward Markey (D-Mass.) believes that "health care operations" includes not just treatment and payment, but also a wide range of business planning, underwriting and fundraising activities. Markey has introduced a bill (H.R. 1709) that would require patient consent before disclosure of medical information (with exceptions for filling prescriptions and making referrals), require marketing companies to disclose to consumers their financial ties to drug companies and prohibit disclosures to the FDA for all but a limited list of public health reasons. Rep. Ron Paul (R-Texas) has introduced a bill to repeal the privacy regulations in their entirety. Bill Pierce, spokesman for the Department of Health and Human Services, declined to comment on the lawsuit because agency officials have not seen it. But criticisms of the regulations are misplaced, Pierce believes. "We think we have struck the appropriate balance between protecting patients' privacy and not interfering with the delivery of health care," said Pierce. "And we think that's very important. "What we've done is not interfered with the delivery and the expectation of the health care and at the same time provided first-ever federal protections," said Pierce. "Up to this point, there have never been federal protections in this area." Pyles blames not just the Bush administration, but also the insurance industry lobby for the final regulations. "The insurance industry is pushing hard to eliminate the right of consent for the public because they want unrestricted access to as much health information as they can get," said Pyles. "That helps them reduce their financial risk" and creates a valuable, marketable database of patient information, he said.
"What the federal government is doing is giving...blanket permission on behalf of individuals for the use and disclosure of their health information, regardless of the individual's wishes," said Jim Pyles, attorney for the plaintiffs. I just happened to pull out my HIPAA compliance manual today specifically to look up what it states regarding CA, due to recent posts I've read (here and else where). As I've previously said I am a Medical Billing Specialist and a HIPAA compliance officer. FYI- just as I thought- as long as there is a business associate contract and only demographics pertaining to the debt , name, address, ss#, amount owed, no medical info (which I never gave anyway, no reason to ) then there is no HIPAA violation. Contrary to what I've sen posted on other sites where individuals are being informed a HP is in violation of HIPAA if they use a CA. So, As much as I dislike CAs, being one of the many credit challenged, in my field I have to use them one occasions. I know in our setting we feel more restricted now than ever before. Before we could speak to family members regarding treatment since a lot of out patients need help ( the majority of our patients are retired or elderly). now we can only speak to whoever the patient has designated. What if they're not all there anymore and don't even know who their family members are? We can no longer speak to them in the waiting areas or fear someone else might over hear. We can't ask them about changes in address, insurance, anything in case someone might hear. If they have questions after they see the doctor, they can't ask any of us in the office, someone might hear, talk to them on the phone no can do, someone might hear. Try talking quietly with someone wearing a hearing aid....... OK, OK you get the picture. Sorry, being the industry , this thing has people stressed.
HIPAA I thought the idea about using HIPAA after April 14 for deletion of a paid medical collection is that the hc provider could only share your info with a CA to collect on an unpaid bill -- and that even the existence of a paid medical collection account on your credit report is a violation of HIPAA.
I'm not quite sure what your questioning. There are no HIPAA violatons for a HP as long as they have a business contract w/ the CA and they only give the CA your basic info. If they give them any personal , private, medical info (which the CA doesn't need ) then they violated HIPAA, contract or no contract. As far as an unpaid bill vs a paid bill, the HP should only be sending someone who has a legitimate balance due. If you have a paid bill on your CR then that is a matter to be handled the same as any other paid collection on your CR, that doesn't make it a violation.
If a medical bill is completely paid, and the patient is no longer being treated by the hc provider, then they have no relationship. So, the hc provider no longer has a legitimate reason to communicate any info about that bill or that patient to a collection agency. ...Taken a step further, this bill that was paid to the hc provider (insurance company finally paid hc provider directly), had previously been turned over to a collection agency. Now, not only is the collection agency reporting this paid bill as an unpaid collection account on the patient's credit report, the CA continually verifies with the CRA's when consumer disputes the collection account. If the CA verifies this account with the CRA after 4/14, then the CA has 'communicated' information about the patient without the patient's written consent, and the CA has violated HIPAA. And so has the hc provider, since the hc provider is responsible for the actions of it's collection agency, who is acting on behalf of the hc provider. Please feel free to disagree with this approach, and/or to comment further with explanations as to why anyone feels this wouldn't be a viable course of action.
This is completely correct, as it relates to health care account information provided to collection agencies prior to the privacy requirements of HIPAA. As long as there is no ongoing communication between the HC provider and the CA post 4/14, regarding this information, there IS no violation. However, the FCRA MANDATES that an OC creditor provide validation to a CA upon request. So, if they DO provide the requested validation of the account they will be violating the HIPAA privacy rules, and if the DON'T provide it they will be violating the FCRA. This ONLY is workable for a legitimate dispute. EITHER a paid account, OR an account that is in error.It CANNOT work for a legitimate unpaid account as tha would not bear up under the legal "justifiable excuse" provisions of HIPAA or the FCRA. It is also obviously NOT for anyone who has signed a waiver of their privacy rights under the new HIPAA rules.So, this is a limited strategy for "old" health provider accounts that are either paid or not valid.
Re: Re: Re: HIPAA Hiya Vaz. As it so happens, 4 days before you joined us we beat this issue rather brutally on the following thread: http://consumers.creditnet.com/straighttalk/board/showthread.php?s=&threadid=40803&highlight=hipaa You may want to study that one. The Foxy Mrs. Butch is also a medical billing specialist and Hipaa Guru. We still need to formulate a strategy tho, to see if we can use this to our advantage when it comes to collections. I'd be delighted to work with you on that. )
Re: Re: Re: HIPAA Oh well, a day late and a dollar short. Sorry to hear about the foxy Mrs. Butchs profession. Unless she really enjoys it of course. I read the previous threads, very interesting. Personally I think it is going to be based a lot on what type of record keeping or programs the HP uses. My program has a function for each account that if needed to be printed out would only show dos, charge, date of payments if any, adjustments, if any, if sent to the patient I can note the reason- no coverage, deductible etc. That is all that is needed to validate the debt. So if more than that is given to the CA then yes screaming violation. I don't know about your spouse, but I have been in contact with other offices , just to see what they're doing and I'm shocked to see how many aren't doing much. Even where I work there are still a few old timers who think we are the only office doing this. Well I'll keep quiet for now until I have something new to contribute.
