Medical Collection/hipaa

[donp]

What is the name of your state? New York

Hi I just recently received notice that i owe money to a psychological provider for office visits. With that said I have recieved from the collection company all the dates of service with the diagnosis codes as well as the procedure codes, furthermore after checking my credit report it states under collection accounts the name of the provider!!! The name of the provider is something like NY Psycological center. Can they do this? Now everybody knows my business, no wonder i did'nt get the job i recently interviewed for. Please help!

Thanks

[ecmst12]

I highly doubt you wouldn't get a job just because you're seeing a psychologist. Was it a job that they pulled your credit report for (financial industry)? If so it's more likely that they wouldn't hire you because of bad credit than that.

Anyway, I don't believe the name of the provider is protected under hipaa (but my current job isn't regulated by hipaa so I'm a little rusty). The diagnosis and procedure codes are, but there is a provision in Hipaa that states that health information can be shared in order to get a bill paid. I'm not sure if that covers sending your information to a collection agency (it's meant to allow for information to be sent to your insurance company so they can pay your bill, without you having to sign a release for it every time) but it might.

[Chien]

This is one of those subjects on which reasonable minds can differ. I appreciate the point made by ecmst12. HIPAA is newer and has been interpreted by a much smaller body of case law than, for example, the FDCPA.

I have compliance responsibilities for one client that is directly affected by HIPAA, and I would caution against providing or a CA disseminating the kind of information that you describe. But that caveat would be limited to procedure and diagnostic codes and it would be given in an abundance of caution - a very conservative position - err on the side of safety. I would find nothing wrong with a CA identifying the creditor and the dates and charges for services.

So, in my opinion, the problems, if any, would be related to the coded information. I don't know, and I don't know if you know if that information could be readily "de-coded" and, therefore, be considred proscribed. I do know that I believe disclosure is unnecessary for dunning purposes.

HIPAA still continues to pose compliance questions for healthcare providers. You must realize that, for the CA to have the data, the creditor did not see a problem with providing it. Do you want to caution the CA to stop giving it out on pain of litigation, or do you really want to be a test case?

(And I'm inclined to agree with ecmst12 on how relevant it was to the "hire - non-hire decision.)

[debtcollector`]

I am not going to address the HIPAA question. Chien is far better qualified with his experience and I don't do medical collections.

I concur with both previous posters that if you didn't get the job solely on the basis of the credit report, it was because of the bad credit -- not the medical.

Most HR people don't even look at the credit report unless you are on the line and they really want you for the job. Their job is to exclude people, not hire them. A low credit score is an easy "no".

DC

[Chien]

OP - I re-read my prior response, because I felt it was a bit ambivalent - less than the clear advice that you come here seeking.

I note that the post says only that the CRA had the name of the provider. I think that I read into that that it had all data. If the CA simply reported a creditor to the CRA and only gave ALL data to you (perhaps in response to a verification request), I would still advise my own client to give out less, even to the consumer, but I don't see a HIPAA violation.

(That's still just a personal opinion, and that doesn't mean that you still aren't free to caution the CA, and that might not be a bad idea - this is a slippery area.)

[donp]

Thanks for your help and responses. sticking with the hipaa subject. My main concern is has anything been violated. Putting aside the credit report. The provider in my case submitted account information to their CA, the CA in turn has forwared this information on to me. The account information submitted to the CA clearly states the dates of service, procedure code, diagnosis code and a description of the service performed on each date, in this case the descriptions given for each date of service is Psychotherapy and Medication management. After reading a little on Hipaa from what i read the only information a provider can submit to a collection agency is name, dob, ss#, payment history, and account number. WHat the provider is after is unpaid copays, should they have submitted medical condition information to the CA?

[Chien]

I was tempted to leave the response to someone else, because I don't have a definitive answer.

Q. has anything been violated?

A. I honestly don't know, because new regulations and opinions are being promulgated all the time. Your own state's Psychiatric Association once encouraged it's members to seek an extension for compliance because of the vagaries concerning who/what had a HIPAA-compliant plan for the electronic submission of data as opposed to those who, by virtue of size, were allowed to make paper-based submissions.

I have familiarity with the Act, but don't purport to be am expert, which is the reason that I would always err on the side of caution. Put another way, I would not want my client to receive more information than it absolutely needs to fulfill it's function, and would choose not to receive the type of data that this CA got.

But I also recognize that it sometimes gets it because providers have not "re-tooled" their computers systems to exclude it. For this reason, my client also has a HIPAA compliance plan. So I put a question to you: If you make a written request to a collection agency for verification of a claim and the CA sends you the information that you received, can it be argued that your request is also the written authorization required by HIPAA? I'll take either side of the question, but I'd prefer the CA's position that the answer is yes and there has been no violation. (And I'd still tell the CA to redact future responses "just in case" - win or lose, I don't want to be the test case.)

Also recognize that HIPAA draws distinctions between "information" and "code sets" and included the right to promulgate "further regulations" about both after HIPAA was enacted. I don't know what, if anything, has been promulgated about psychiatric/psychoanalytical code sets since that time.

Also recognize that the penalty for a single violation is $100, unless it's the product of "willful neglect".

[Ladynred]

The FACTA amendment to the FCRA DOES cover the reporting of medical information:

Quote:

§ 604. Permissible purposes of consumer reports [15 U.S.C. § 1681b]

(g) Protection of Medical Information
(1) Limitation on consumer reporting agencies. A consumer reporting agency shall not
furnish for employment purposes, or in connection with a credit or insurance
transaction, a consumer report that contains medical information (other than
medical contact information treated in the manner required under section
605(a)(6)) about a consumer, unless--
(A) if furnished in connection with an insurance transaction, the consumer
affirmatively consents to the furnishing of the report;
December 23, 2003 21
(B) if furnished for employment purposes or in connection with a credit
transaction--
(i) the information to be furnished is relevant to process or effect the
employment or credit transaction; and
(ii) the consumer provides specific written consent for the furnishing of the
report that describes in clear and conspicuous language the use for
which the information will be furnished; or

(C) the information to be furnished pertains solely to transactions, accounts, or
balances relating to debts arising from the receipt of medical services,
products, or devises, where such information, other than account status or
amounts, is restricted or reported using codes that do not identify, or do
not provide information sufficient to infer, the specific provider or the
nature of such services, products, or devices, as provided in section
605(a)(6).

Quote:

§ 605. Requirements relating to information contained in consumer reports [15 U.S.C. §1681c]
(a) Information excluded from consumer reports. Except as authorized under subsection
(b) of this section, no consumer reporting agency may make any consumer report
containing any of the following items of information:

(6) The name, address, and telephone number of any medical information furnisher that has notified the agency of its status, unless--
(A) such name, address, and telephone number are restricted or reported using
codes that do not identify, or provide information sufficient to infer, the
specific provider or the nature of such services, products, or devices to a
person other than the consumer; or
(B) the report is being provided to an insurance company for a purpose
relating to engaging in the business of insurance other than property and
casualty insurance.

I believe this part of FACTA was included BECAUSE of HIPAA.
I think that what you've got on your report is a pretty clear violation of the FCRA.

[Chien]

LNR -
As I read the post, the OP got the code set from the CA and only got the creditor's name from the CRA. I don't see that as a FCRA or HIPAA violation.

I was unclear at the outset too. Maybe he'll clarify.

[Chien]

LNR -
Throughout, I was responding to the OP's questions about HIPAA and the CA, but I double checked and cross-referenced legislative intent and opinions re: FACTA

With regard to medical information, legislative intent was:
Medical Information Protections: Any medical information in a consumer report must be coded to obscure the specific healthcare provider and the nature of medical services provided. Creditors are prohibited from obtaining or using medical information in credit decisions. (Final regulations for limitation on creditors due within six months, effective 90 days thereafter.) Prohibits the sharing among affiliates of medical information, including individual or aggregate lists based on payments for products or services. (The remainder of the medical privacy section is effective 180 days after enactment.) Medical providers must identify themselves as such within 15 months.

Not necessarily disagreeing with your conclusions (except perhaps the "pretty clear"), because I don't know how "coded to obscure the specific healthcare provider" has been interpreted (yet). Do you say "Some healthcare provider"? Or do you provide a code number for each one that anyone could decipher anyway? Or do you only disclose the name to the consumer himself and everyone else gets something more "obscure"? To me, it would seem like only the last option would fully satisfy both HIPAA and the FCRA, and maybe that's what's happening.

[Chien]

LNR - My focus was where it was because the OP said he was "Putting aside the credit report", but I've continued to wonder about the point that you made about the FCRA after FACTA.

I still don't see how a CRA could completely obscure the identity of a healthcare provider (creditor) and still adequately satisfy it's disclosure obligations. Do you?

I know some folks at one of the "Big Three" and am going to try to find out how this is handled, but you could save some time, if you know.

[ecmst12]

OP does have the option of contacting the doctor's office and speaking to the office manager or HIPAA compliance person about their policies when sending patients to collection agencies. At least he could get an explanation of the reasons why they think it's ok to send diagnosis/procedure code information to them, and maybe get them to revise their policy. I don't think it's NECESSARY for the CA to have that information, even if it isn't a flat violation, the dates of service would certainly be sufficient for their purposes.

[Chien]

On that point I agree with you but, from personal experience, I expect that the likely answer is that, since it isn't a violation, they're unwilling to incur the cost to make the change.

Remember, "service providers" and "contractors" for healthcare providers are bound by HIPAA too to the extent that they receive information to perform their function. That shifts the liability from the healthcare provider. You can think of it as callous, but why should the healthcare provider care or incur the cost. The expense would just have to be passed on, and there are enough complaints about the cost of healthcare and who must bear that burden now.

[ecmst12]

And a complaint from a patient who didn't pay their bills will probably not have as much weight as one from a patient in good standing, but still, if they get enough complaints they might do something about it.

[Chien]

I'm not arguing with either of you and I don't want to be repetitious. And this thread is getting far off the original post.

HIPAA compliance is a pain in the a**. But, while there's merit to the ideas, there are pragmatic reasons why they are unlikely to be implemented.

Because of the paperwork incidental to the practice of medicine today, almost nobody and no entity can handle the paper and still handle their primary function. For that reason, an entire industry has come into existence to do it for them. Huge billing organizations handle workers comp., Medicare, Medicaid, insurance and direct pay paperwork for thousands and sometimes tens of thousands of doctors, therapists, hospitals, labs etc. Complaints from every patient at a single hospital or in an entire city are not likely to make a change. (And no one wishes it would change more than the healthcare providers themselves.)

If there's going to be a change, it will have to come from new legislation, and that's the problem that started this discussion. Bottom line: we have a very flawed and inefficient healthcare system operating at the moment.