Are Medical Bills Private? It would seem to me that if they were on your credit report, someone could have knowledge of your medical history, sure not everything, but the question could always come up, "Hey, why did you go to that doctor?" Could this be used in a fight? I for one don't care to have everyone see what doctor or dentist I go to, it's private!
I don't know for sure, others on the board have had questions regarding this for sure, maybe someone else will chime in?
http://www.ftc.gov/speeches/varney/priv&ame.htm C. Privacy of Medical Records Presently, there is no federal legislation which directly protects the privacy of medical records. Most observers agree that traditional doctor/patient confidentiality concepts will not adequately protect health related data in the information age. Increasingly, medical care is provided in a networked environment, and information is readily available -- oftentimes appropriately -- to a large number of health care professionals.(17) Secondly, doctor/patient confidentiality does not protect medical product purchase data or information provided by patients to third parties. Finally, the pharmaceutical industry relies heavily on medical data to evaluate drug efficacy and to promote new product development. Schools, justice systems, employers and the media have access to individual medical information. As a result, a number of private organizations in the health care industry have promulgated model health information codes that apply beyond physicians. Large physician networks, for example, have established security policies and provided for audits to ensure confidentiality. At the behest of the FTC, the Medical Information Bureau (MIB), which collects medical and other consumer information on 15 million Americans for life and disability insurance companies, voluntarily agreed to provide free copies of reports to consumers who are denied insurance coverage on the basis of an MIB report. On the regulatory front, members of Congress have introduced and gained considerable support for legislation to protect personally identifiable medical information without limiting legitimate access to aggregate data.(18) The Clinton Administration has endorsed a medical privacy bill although it appears unlikely to come up for a vote before the elections. Meanwhile, a number of states, including Massachusetts and Wisconsin, have adopted medical records privacy acts. 
A number of model codes and model statutes have also been promulgated
Here's the law that LKH's post mentions, 1996, it was passed. I don't think it got much media attention or if it did it was buried under all the cigar smoke ;-). Health Insurance Portability and Accountability Act of 1996 Final Rule Published in the Federal Register (65 FR 82462): December 28, 2000 Rule Effective Date: April 14, 2001 Rule Compliance Date: April 14, 2003 (April 14, 2004, for small health plans) I think those effective and compliance dates are REALLY important for us to take note of. Here's what is required for consent: Consent: http://www.hhs.gov/ocr/hipaa/consent.html This is like our opt-out rights that are usually buried in fine print from the financial institutions. Just no one wants us to know :-( -- If you have more protection under your State's privacy laws you're in even a better place for keeping your information private. HHS fact sheet: http://www.hhs.gov/news/press/2002pres/20020321.html Background The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient's written consent before using or disclosing the patient's personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient's consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients' consent for uses and disclosures of health information about the patient to carry out TPO. General Provisions Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO. Exceptions to this standard are shown in the next bullet.
Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers. Health care providers that have indirect treatment relationships with patients (such as laboratories that only interact with physicians and not patients), health plans, and health care clearinghouses may use and disclose PHI for purposes of TPO without obtaining a patient's consent. The rule permits such entities to obtain consent, if they choose. If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient. A patient's written consent need only be obtained by a provider one time. The consent document may be brief and may be written in general terms. It must be written in plain language, inform the individual that information may be used and disclosed for TPO, state the patient's rights to review the provider's privacy notice, to request restrictions and to revoke consent, and be dated and signed by the individual (or his or her representative). Individual Rights An individual may revoke consent in writing, except to the extent that the covered entity has taken action in reliance on the consent. An individual may request restrictions on uses or disclosures of health information for TPO. The covered entity need not agree to the restriction requested, but is bound by any restriction to which it agrees. An individual must be given a notice of the covered entity's privacy practices and may review that notice prior to signing a consent. Administrative Issues A covered entity must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by the covered entity. Certain integrated covered entities may obtain one joint consent for multiple entities. 
If a covered entity obtains consent and also receives an authorization to disclose PHI for TPO, the covered entity may disclose information only in accordance with the more restrictive document, unless the covered entity resolves the conflict with the individual. Transition provisions allow providers to rely on consents received prior to April 14, 2003 (the compliance date of the Privacy Rule for most covered entities), for uses and disclosures of health information obtained prior to that date. CLICK on the above link for the Q and A, it was too large to post and I lost track of myself when trying to get it to fit. Our medical information is private and we do have the right to control its release and distribution, but, like all rights we should know, no one's willing to tell us because of the liability it creates and the lack of control that gives someone else over our medical information. One of the Q and A's even speaks to blanket waivers that only refer to the privacy rights, the medical community is counting on us just signing them without reading, let's prove them wrong! We have the right to revoke consent as well or you could make it good for one visit only if you wanted to or you can limit specifically for which uses the information will be released and no other. Here's the table of contents-ISH link: http://www.hhs.gov/ocr/hipaa/assist.html for the whole thing. American Medical Association articles on the subject and requirements and changes being made to comply: http://www.ama-assn.org/cgi-bin/sea...blic&collection=members&collection=publishing Sassy
FOR THE RECORD: DECLARATION OF MEDICAL PRIVACY INTENT For Healthcare Services & Information To: -------------------------------------------------------------------------------- Fill in name of institution/person (Physician/Health care practitioner/Health plan/Hospital/Clinic/School/Pharmacy/Other) I reject the government's claim that citizens have a public responsibility to disclose private and personal medical information as stated in the medical privacy recommendations written by the U.S. Department of Health and Human Services (9/11/97). I also find the federally permitted use and disclosure of personal, medical and health data by various institutions, corporations, and individuals under the Health Insurance Portability and Accountability Act (Public Law 104-191-August 21 1996) and the subsequent federal medical privacy rule (Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164) to be detrimental to medical privacy and the confidentiality of medical records and individually-identifiable health data. The federal medical privacy rule took effect April 14, 2001 with implementation and enforcement set for April 14, 2003. Only stricter state medical privacy laws can supersede the requirements of the federal rule. For the record, I therefore and hereby declare my express wish and intent for the truly confidential treatment of medical records, health information, psychological testing, genetic testing, and all other information received, heard, said, written, or stored in the course of interactions with the above named person/corporation/agency. Please keep this form on file.
To be specific, without written, specific, informed and voluntary consent, I ask you (the above) not to disclose, sell, or otherwise release, to the following agencies/groups or for the following purposes (as checked below), the personal, medical, psychological, financial, genetic, demographic, or health data, or body parts and tissues of ________________________________________ (Name of self, child, or guardian responsibility). Payment and Treatment Health care operations Hospital and facility patient directories Public safety Environmental Protection Agency Central Intelligence Agency National Transportation Safety Board Food and Drug Administration Occupational Safety & Health Admin. State departments of health Medical or other review boards Federal Bureau of Investigation Departments of agriculture Mine Safety and Health Administration Government oversight agencies Community agencies/groups Government welfare departments Government education agencies Government human services departments Government contractors Any government agency/department Foreign governments/organizations. Fundraising Newborn metabolic testing data collection Birth defect registries/data collection Immunization registries/data collection Cancer registries/data collection Public health surveillance Workforce/Injury data collection Indian health registries Minority, race, or health disparities databases Newborn hearing screening database Genetic testing/DNA databases Medical error reporting systems Private registries/data collections Health status databases OASIS - home health database/collection Computerized smart cards Disease-specific organizations Centers for Disease Control & Prevention U.S. Dept. of Health and Human Services Pharmaceutical benefit management co. 
Disease management companies Tissue or organ donation organizations Public health agencies/officials Any government database/data collection Law enforcement officers/agencies Public policy researchers National security Medical/Scientific researchers Peer review organizations Certification processes Marketing of services or products Accreditation and licensing Clinical guideline development Training programs Social service agencies Pharmaceutical companies Litigation/Lawyers Judges/Administrative law staff Members of the clergy Coroners/Medical examiners State fire marshals Health boards State or other ombudsman Workman's Compensation Banks/credit card payments Media/Press/News Services Other___________________ This restriction on data disclosure, use and access shall be valid until otherwise removed by written authorization of the subject (or parent or guardian of subject if subject is a minor or under guardianship) of the information. -------------------- Signature -------------------- Relationship to Above Person -------------------- Date -------------------- Printed Full Name -------------------- Address -------------------- City / State -------------------- Zip code -------------------------------------------------------------------------------- CCHC DISCLAIMER: CCHC is a non-profit 501(c)3 organization. CCHC provides this form only as information to assist individuals in restricting access to or use of their individually identifiable medical or financial information. CCHC specifically does not warrant the effectiveness of said form in restricting access to or use of personal information by government agencies or private organizations. CCHC is not liable for any injury, either in whole or in part, caused, directly or indirectly, by use of this form. With the advice to the user that under the law this form may not be binding, it does however express your desire for medical, financial and personal privacy.
It also expresses your protest if your medical records and other personal information are accessed, used or disclosed without your written, informed and voluntary consent. Form created and distributed for CCHC's: "For the Record" Medical Privacy Project Citizens' Council on Health Care 1954 University Ave. W., Suite 8 St. Paul, MN 55104, 651-646-8935 info@cchconline.org, Website: www.cchconline.org Copyright © Citizens' Council on Health Care 2001
These forms and the background information are too important for cutting and pasting, go read them for yourself: http://www.cchconline.org/fortherecord.php3 There's one for medical, medical and financial, and HOME care even, god forbid. How come all the consumer protection laws are such a double-edged sword? Sassy
Hi Gang, I'm glad to see this issue addressed again. Here's a link that appears to specifically permit the transmission of medical data for the purpose of collections. http://www.hhs.gov/ocr/hipaa/payment.html It states: OCR HIPAA Privacy TA 164.501.002 Payment [45 CFR 164.501] General Requirements As provided for by the Privacy Rule, a covered entity may use and disclose protected health information (PHI) for payment purposes. "Payment" is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to: Determining eligibility or coverage under a plan and adjudicating claims; Risk adjustments; Billing and collection activities; Reviewing health care services for medical necessity, coverage, justification of charges, and the like; Utilization review activities; and Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity). Frequently Asked Questions Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)? A: No. The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed.
The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement. We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA. Q: Does the Privacy Rule prevent health plans and providers from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act? A: The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements. We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law. Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the Privacy Rule? A: "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. 
Billing, claims management, collection activities and related data processing are expressly included in the definition of "payment." Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.
So, can anyone explain this all in plain English? Would a CA remove an account if they received a medical privacy form?
Well, I'm gonna give that form a shot, can't hurt. It's the kind of thing that can shake things up, kind of like the nutcase letter idea.
Fuba, I'm thinking it would be a good thing to ask for as part of validation. The article that Butch posted as well as my own makes it clear to me anyway, that the new laws aren't supposed to impact the ability to report to CRA's; however, what it says and what it does are two different things. Further, in my state, you should check this too before deciding whether or not to ask for it, medical records are private, period, the end. I suppose it ultimately all depends what you signed when you were a patient being seen for the first time, and I'm hard pressed to remember any of the wording, but I don't think it included disclosure of information for collection, maybe so, that's the difficulty who knows. You can however, revoke your consent, which I think is a good idea or make it date specific. I won't be signing any of those blanket waivers anymore, that's for sure. The new law requires specific business associate agreements for third party services outside of the doctor's office and further than that chain of trust agreements -- they are supposed to ensure privacy of personal information at every stop in the processing chain. The problem with the new law is that beyond the consent and authorization compliances, the law is 1,500 pages long, compliance doesn't kick in until 2003, and it's doubtful whether the doctors, hospitals whoever can comply because it is so burdensome. Which gets us back to, what are the requirements now. I think, and it is my opinion only, as one who lives in a state where medical records are declared confidential, that I could ask for a copy of the agreement I signed agreeing to disclosure of my confidential information to anyone other than the doctor or his office itself. I think you could say without an agreement your privacy is being all kinds of trampled on. The problem is, with places like the Medical Information Bureau and if you use insurance as a method of payment. 
Further, even if I did consent to release of my information for payment or collection or anything related, unless there is specific wording including credit reporting agencies, that really isn't an informed consent. If I agreed to its release for collection, then how can the release go beyond the collection agency itself, that is, reporting to the credit bureaus where it is available to god and everybody. Or, what if the collection agency transferred or sold to another collection agency, and onward the chain goes -- under the new laws, each of those require a new agreement. The laws seek to cover anyone in the chain, from billing services who use your information for coding and submission to your insurance company, your insurance company itself, from the doctor to collection agencies, labs and x-rays and everyone else in between. I think a copy of your authorization, there's a big difference between consent and authorization in the new laws, btw, is a valid thing to ask for and I think you could probably make some noise that without your express authorization and further without something specifically assuring the confidentiality and sensitivity of the information between all the organizations it passes through, your rights to confidentiality and privacy have been violated, whether you can hang your hat on that, I don't know. Sassy
Also, just thought of this, requesting a copy of the privacy policy and documentation showing you were advised of the policy and agreed to its terms. Ok, I'm done thinking now. Sassy
ok, found this when I was doing something else, gotta love the synchronicity in it popping up too, LOL. Sec. 1681a. - Definitions; rules of construction (i) The term ''medical information'' means information or records obtained, with the consent of the individual to whom it relates, from licensed physicians or medical practitioners, hospitals, clinics, or other medical or medically related facilities. ...WITH THE CONSENT of the individual to whom it relates... One day I'll figure out how to use the bold function. Sassy
See also; Sec 604 (f) (g) Furnishing Reports Containing Medical Information; Last paragraph just before section 605 in FCRA
Sassy, I really think this topic deserves exhaustive study because most of the collection accounts we see on here are probably due to medical reasons. Think of all those that could be helped. I think you mentioned Sharon Kay Foundation. I actually bought his package which he sells for $30. HUGE disappointment. 90% of the package is a hard copy of the FCRA. I HATE it when someone takes law, reprints and then resells it. His package is very superficially researched with NO legal sites other than the 2 you and I just mentioned. You also mentioned that the consent agreement runs all the way to the end user, which I think it does too. Therein may lie the problem. From the medical provider to the CA to the CRA to the new creditor, the consent may run all the way through....