HIPAA and your credit report

Discussion in 'Credit Talk' started by Fuba, Jan 10, 2003.

  1. Fuba

    Fuba Well-Known Member

    I found this on this web page: http://www.calcollectors.net/financialpriv.htm


    Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
     
    A: No. The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.
    We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.
     
  2. lyttlemac

    lyttlemac Well-Known Member

    I followed a link from the AMA website, to HHS, Office of Civil Rights, where they offer detailed 'guidance' re: HIPAA. This appears to be a very recent interpretation of HIPAA, from the government's POV:

    http://www.hhs.gov/ocr/hipaa/privacy.html
     
  3. Butch

    Butch Well-Known Member

    Just reaffirms what we have already discovered.

    http://www.hhs.gov/ocr/hipaa/guidelines/sharingfortpo.rtf


    Q: Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?

    A: Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of "payment" at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.

    Q: Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?

    A: No. The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following protected health information about the individual: name and address; date of birth; social security number; payment history; and account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly, or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.

    The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by the Fair Credit Reporting Act (FCRA) or other law. Therefore, the Department does not believe there is a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

    Q: Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?

    A: The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. See the definition of "payment" at 45 CFR 164.501. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies are governed by other provisions of the Privacy Rule, such as the business associate and minimum necessary requirements.

    The Department is not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of protected health information is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.

    Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?

    A: "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of "payment." See the definition of "payment" at 45 CFR 164.501. Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. See 45 CFR 164.501. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.
     
  4. Butch

    Butch Well-Known Member

    The minimum necessary requirements (standard), outlined above are interesting tho.

    This standard states that only the MINIMUM amount of information needed to effect the payment for services is ALL that can be released.

    Once I had a CA (on a medical) to which I requested validation.

    They sent me a copy of the claim form which was submitted to my insurance co. On the claim form, (HICFAA 1500) were the CPT Codes. The codes the medical industry uses to describe the exact procedure that took place.

    This, I believe violates. Had I not gotten to the quick resolution I wanted I would have used it.

    Suppose the CPT Code indicated a Rectal Exam, for example. I hardly think a CA needs to know that much.

    LOL


    Quite often you can ... well ... "induce" the CA AND the MP into violating for a medical just by demanding validation, here's how;

    Continued;
     
  5. Butch

    Butch Well-Known Member

    INCIDENTAL USES AND DISCLOSURES
    [45 CFR 164.502(a)(1)(iii)]





    How the Rule Works

    General Provision. The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR 164.502(a)(1)(iii).

    Interestingly the medical provider is REQUIRED to have implemented safeguards to assure that your info. is protected. Much like the CRA's are required to implement procedures to assure maximum possible accuracy. We see lawsuits all the time where this is the only count.

    "Failure to implement procedures to assure maximum possible accuracy"


    § 607. Compliance procedures [15 U.S.C. § 1681e]

    (b) Accuracy of report. Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.



    Do take note, the MP (medical provider) is required to achieve precisely the same standard.



    To further clarify;

    An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.

    In the scenario I outlined above, (that of the Rectal Exam) it would be impossible to conclude that the disclosure was "incidental", meaning it could not have been reasonably avoided. Indeed, to purposely send ALL my medical info. to the CA is in direct violation, because of their outright failure to implement safeguards to assure that your info. is protected.


    However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

    A disclosure is permitted as long as it does not violate the rest of the rule, INCLUDING THE REQUIREMENT to implement safeguards to assure that your info. is protected.


    Reasonable Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 CFR 164.530(c). It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business.

    Didn't this just say that failure to implement is not necessarily always a violation? YES - it did. So it depends on each individual case. It depends on numerous mitigating components; "such as the size of the covered entity and the nature of its business."


    In other words you and your MP may have a disagreement, and here's where the courts come in.

    Isn't the purpose of our Civil Litigation System to resolve disputes such as those mentioned?

    ANYTIME there's a disagreement as to matters of material fact, you have a right to file suit.

    Now - Here's How To Get Your Deletion:

    Since MP's are very concerned about being sued, the mere filing of it should get you a resolution to your satisfaction. You may have to pay the bill, but you don't have to live with lousy credit for 7 years.

    If I filed a suit and offered to settle by paying the bill, (or some portion of it) and dropping the suit in exchange for my deletion, they'd be hard pressed to say no.


    Also keep in mind, I'm not advocating that one use these tactics on a legitimate debt. Merely pointing out what some might do if they have "less than perfect" scruples.

    :)
     
  6. keepmine

    keepmine Well-Known Member

    Butch,

    Here is what is happening with medical debt in my county. Doctors, dentists, and these day surgery centers have jammed small claims court. We've got 3 SC Court judges and it is taking 4 months to get a trial date. What happens is the doctor's lawyer or a rep from the CA shows the judge the healthcare provider's printout with reason code and all other info. They then present a sworn statement from the Doctor or billing administrator that the defendant has a complete patient file that corresponds to treatment dates and diagnosis that are on the printout and are available for the court's inspection upon request. The judges here are granting the judgment based on the reasonable and customary billing practices in the health care industry.
    Any time a defendant complains, the judge offers to stay the ruling for a brief time and says they will instruct the doctor or health care provider to produce the records. Lawyers tell me the couple of times defendants requested this, the records supported the original evidence.
    Times are changing. These younger doctors are really getting squeezed with rising costs and many have massive student loan debt. They're demanding to be paid and are willing to make a fight out of it.
     
  7. lyttlemac

    lyttlemac Well-Known Member

    Butch, you are amazing. When I read the guidance last night, I went to bed thinking, "yeah, right, this is supposed to protect our privacy?"

    Then I wake up this morning, turn on my computer, and what do I see? You've taken HIPAA apart and put it back together -- in OUR favor.

    If we plan to file suit, citing a HIPAA violation, it seems like we would have to wait until the Act's effective date in April, right?

    Thank You!
     
  8. Fuba

    Fuba Well-Known Member

     
  9. Butch

    Butch Well-Known Member

    Excellent!

    Sounds like a hell of a lot of work to me.

    Wouldn't it be easier to just delete the derog/retract the collection account in exchange for payment? (which is precisely my point).

    You're right, all these guys want is to get paid. They're not that motivated to screw your credit. All we are looking for is some leverage.

    :)
     
  10. Butch

    Butch Well-Known Member

    I'm not sure. I think the minimum info. standard has been effective since 2000.

    The only thing that happens in April is the "Final Rule".

    Breeze would probably know.

    :)
     
  11. Fuba

    Fuba Well-Known Member

     
  12. Butch

    Butch Well-Known Member

    Fuba,

    Did you get your question resolved?

    ???
     
  13. Pandora

    Pandora Well-Known Member

    Butch/Fuba,
    Sorry, I would have said something sooner, but I've been offline a couple of days. The problem with the CPT codes is that those codes, along with Procedure codes, APC codes and DRGs (Diagnostic Related Grouping) are all used to *calculate* the bill based on fees assigned to those particular codes.
    If you request validation, wouldn't they then be required to send those codes explaining how they got to the amount of the bill?? Unfortunately, that is not in violation of HIPAA.
     
  14. Butch

    Butch Well-Known Member

    Excellent point Pandora, and you're right on.

    My point was to figure out some way to file suit. You're talking about winning the suit ... :)

    I believe the mere filing, in most cases, will get you your deletion. All you have to do is figure the grounds upon which to file without a frivolous harassment sanction.

    Lizardking is good with this. He believes, as do I, sometimes you may want to just file and hope like hell that you'll get your resolution and NEVER have to actually go to court. Especially effective when dropping a case number off, via the Sheriff, to a Medical Provider. They'll be on the phone right smartly trying to figure out what you want to settle. Naturally you'll drop your case in exchange for deletion.

    Sure this idea is very iffy and I wouldn't even try it but only as a last resort.

    There are a few intrinsic violations in the law that seem to contradict each other, like the one you mention.

    For example, it's a requirement to put the mini miranda ("This is an attempt to collect a debt, any information will be used for that purpose".) on ALL correspondence. On the other hand, some feel the mini miranda can be construed as continued collection activity, which must be frozen in the face of a demand for validation. Presents a weird catch 22 doesn't it?

    If you ever sued for the continued collection activity a judge would probably tell you to go fly a kite, but at least it APPEARS you filed in good faith. The net result is that you've increased, to a high degree of probability, that you'll get resolution PRIOR to a court date.

    I'm just trying to figure out HOW to get an MP to delete a derog, not win a lawsuit.

    :)
     
  15. Pandora

    Pandora Well-Known Member

    Hi Butch, I gotcha now. Beautifully explained. I'm not sure I'd ever have the cojones to do it though. I'm a wuss when it comes to authority. More power to you if you can get the deletions!
     
  16. QUEEN_BEE

    QUEEN_BEE Well-Known Member

    Question for Butch and Breeze

    Can either of you point me to where the HIPAA references this?
     
  17. islandboy

    islandboy Well-Known Member

  18. Why Chat

    Why Chat Well-Known Member

    Question for Butch and Breeze

    You need to remember there is NO private cause of action for violations of HIPAA.

    In the letter designed to allow people who either wish to PAY a HC provider, or who are victims of billing errors or other incorrect procedures, the references are to violations of the FCRA (where there IS a private cause of action) as well as the HIPAA.

    There is a "catch 22" between the requirements of the FCRA and HIPAA, it ONLY applies if the debt is either PAID or inaccurate, AND is being reported by a CA to the CRA's.

    Here is a link to the legal basis of the letter (preceding page from letter) on my site.

    http://community-2.webtv.net/YChallenge/storage/page17.html

    Any attempt, IMO to use HIPAA provisions for "cleaning credit reports" on legitimate health provider debts, is doomed to failure as the HIPAA provisions CLEARLY allow legitimate collection activities.
     
  19. Butch

    Butch Well-Known Member

    Re: Question for Butch and Breeze

    The primary thesis of this entire thread is NOT that HIPAA fails to allow for legitimate collection activity.

    It has only to do with "Minimum Requirement Standards."


    :)
     
  20. Why Chat

    Why Chat Well-Known Member

    Re: Re: Question for Butch and Breeze

    I understand Butch, and I agree, however, what I am trying to point out is that a violation of HIPAA "privacy standards" in either validation or reporting is not actionable.

    Let me give you an example: you request validation on a medical bill (that is valid). They fulfil the requirements of the FDCPA and give you COMPLETE validation in all the gory and private and embarrassing detail. You cannot take action against them on the FDCPA, because they have complied with full validation, and there is NO WAY to "get them" on HIPAA violations because there is NO private cause of action and you can't report them to the HIPAA administration for violations because they have a legitimate reason to give you and the world your health history since your service was pre-HIPAA. You can't file a complaint against the OC, because there was no violation on their part either.

    Now, I suppose that the threat of some action MIGHT make an OC withdraw the account from the CA, but I don't see how, because IF the account is legit, then the very act of removing it from the CA WOULD "trigger" a HIPAA violation, since this would be a "new" business relationship.
     
