
DV response included personal medical records


Thanks in advance to anyone who takes a swing at this pitch :)

Back in 2001 I was living in Chicago, IL and due to an accident was taken to a local hospital for emergency services. Not having insurance at the time the enormous bill wound up in collection. I have worked out a payment arrangement with the CA representing the hospital and this issue is being taken care of.

Related, but separate, a completely different CA in Minnesota is claiming they are owed $435 on behalf of a doctor who provided consultation services while I was in the hospital. Since the hospital bill included an itemized list of everything down to the last cotton swab I assume that this demand for payment is bogus; otherwise it would be on the hospital bill with everything else. Anyway, I sent the second CA a DV letter.

In response the CA sent a nasty little letter which included two pages which appear to have been faxed from the doctor's office to the CA: 1) A statement for $435 for consultation services 2) a medical consultation sheet with hand written notes from the doctor which describes the injuries I suffered, the symptoms I displayed, treatment recommendations and even medications to be prescribed.

Thanks to this site I am all over the computer printout of the statement issue. I live in Indiana now, so I have the whole Spears v. Brennan thing going for me as well. What I haven't been able to figure out though is the medical record issue.

Can a doctor release personal medical records to a CA?

If they cannot; what laws should I be looking at?

Can a CA utilize personal medical records as part of their debt collection attempts?

If they cannot; what laws should I be looking at?

Any help would be greatly appreciated!


...after reading the post fully, (heh) the doctor is also liable in this. (Malpractice also?) If the office sent those to the CA, that makes them liable for releasing your medical records without your permission. Which most of the time, it has to be written permission.

I don't know about you, but I would be filing suit right away against the doctor and hospital/office that you went to.

Releasing medical records without your permission. Big No-No! Releasing your personal medical records to a third party. Very Big No-No!!!

Go get 'em!


Well the Dr releasing the statement to the CA is a non issue as far as HIPAA is concerned because the CA would need that to conduct the business, but the medical consultation sheet is a big no-no. That makes him liable for $100,000 in a private cause of action.

Send an ITS to the Dr now! Tell him he has violated HIPAA in the release of your private medical records to a third party without consent. Then tell him he can settle this quickly by recalling the debt and writing you a BIG FAT check. Is he associated with the hospital or just someone they called in to consult? His violation may have produced liability for the hospital. Send them a letter advising of the action his office took.


I just thought I would point this out to clarify something in the original question. The consulting MD would bill separately from the hospital so his/her bill is not bogus, i.e. it is correct that it would not show up on the hospital itemization. Consulting MDs bill separately from the hospital.

Aside from that though, it's a moot point now as this MD, or most likely his/her minimum wage level staff really blew it by releasing your information. Everyone is correct, you have every right to sue them for doing so. Serves them right for being too cheap to pay a decent wage in order to get their office run correctly.


Before I forget - thanks to each of you who have posted so far.

I've now started to root through the HIPAA information. I had no idea this Act was in existence. The accident I noted was the last time I ever had anything medical happen to me; and since HIPAA is post-accident it just sailed right on past my focus.

For KentWA regarding the hospital liability issue: the consultation sheet the doctor filled out was a standard form supplied by the hospital with their info & logo right at the top :)

For reno2360: Excellent point on the separate billing. I hadn't thought of that. I took another look at the consultation sheet used to see if I could determine who at the hospital called this doctor in for a consult. The REASON FOR CONSULTATION section is empty and the SIGNATURE OF ATTENDING PHYSICIAN (hospital staff doc) section has no signature. Maybe I caught a break there.

It's not that I am trying to weasel out of a $435 bill. The hospital bill is equal to new car prices and I'm paying that. My beef is that I was never given any notice by the hospital, or this consulting doctor, or the debt CA. I found out when I pulled my credit report.

Anyway, thanks again for the help everyone and any additional comments are welcome.

BTW - I got a lawyer referral from the county bar association :)


Alright Josh, I'll be sure to keep the group posted. I'm not one to flood the board with posts relating to every tiny development, but I will be sure to include pertinent facts now and again.

One exception though. I just have to throw this out here. Spoke to the lawyer that the county bar association referred me to today. I was bringing her up to speed on what has happened thus far.

I was telling the lawyer that the CA mailed me two pages with their response letter which were obviously faxed from the doctor's office to the CA. The first being the statement printout and I started saying "The second page is a Consultation Record"...

I didn't get a chance to finish. The lawyer interrupted and her voice actually cracked as she raised the pitch one too many octaves hurriedly asking...


I was able to keep from laughing, but the grin on my face stretched from ear to ear :D


I hope your HIPAA research can enlighten me. If the MD responds to your DV of his CA by giving you copies of records that show he treated you in the hospital, how is that a violation? I.e., how can it be a violation when they ended up in your hands at your request?

I would write the OC directly, tell him you think he has violated HIPAA, but you will send him $100 to settle so long as he calls off the dogs and assures the CA doesn't ruin your credit.


RA: Since we all value your opinion so much, I'm hoping you missed something in the OP. The doctor's office not only sent proof of the bill...he also sent a copy of his "...medical consultation sheet with hand written notes from the doctor which describes the injuries I suffered, the symptoms I displayed, treatment recommendations and even medications to be prescribed".

What he sent was clearly "medical records" not "proof of debt". So I guess the question is...does a DV letter give a doctor authorization to release that info?


Here is what I have learned thus far concerning this question:

An example:

If I ask a CA to validate how they reached the amount of a medical bill it is fair game for the doctor to inform the CA that the bill includes say 4 X-Rays at $100 a pop. Thus validating $400 worth of billing.

If the doctor forwards the actual X-rays to the CA as proof then the doctor has released medical records without patient authorization. A HIPAA violation.

The CA, having received actual X-rays, should have immediately shredded them. The CA is allowed to have payment data in their files, not medical records.

This CA did me the favor of mailing the medical records to me as part of their proof of debt. Now the CA is also in violation of HIPAA as well.

The HIPAA Law is bulky and has opposing rules tangled up throughout. My case narrows down to the rules governing "payment" activity and "minimum necessary information" that a third party associate is allowed to have.

Hope this has helped. I'm sure I'll know more specifics as I go through this little adventure.


Oh yeah, and as to the $100 to settle suggestion, the type of HIPAA violation here carries a minimum fine of $50,000 for each party in violation. That's 50K out of pocket from the doctor, the CA and the hospital (since the medical record used was issued by them).

These clowns may very well wish to settle the issue before a HIPAA violation complaint is made. So $150,000 if they lose the HIPAA complaint investigation or $100 to me? There is plenty of room to ask for more :)


I suggest you ask the CA for its HIPAA agreement with the provider. If it has none, then you are talking violation.

Here is what the California Collectors Assn said 3 years ago:

The California Association of Collectors is in the process of developing a HIPAA educational program focused on how HIPAA impacts the California debt collector, underlying business and contracting issues, and how a California agency can best document many of the existing protections for consumer information under its existing practices.

In July 2001, the Department of Health and Human Services (HHS) issued a question and answer overview addressing a number of issues arising under the HIPAA regulations. Though not "controlling authority," these guidelines and interpretations provide a good sense of how to constructively approach the HIPAA regulations. The last two of these questions related to debt collection, as follows:

Q: Does the Privacy Rule [HIPAA] prevent health plans and providers from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act?

A: The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements.

We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.

Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the Privacy Rule?

A: "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of "payment." Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.

The guidelines also address the question of credit reporting a medical debt under HIPAA, stating,

Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?

A: No. The Privacy Rule’s definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.

We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

In developing its program on HIPAA and the California debt collector, CAC will be following these general guidelines that reasonable and necessary debt collection activities are allowed under the rules. Since unreasonable restrictions on collecting the payment of bona fide medical debts would have the effect of further burdening the medical system, the HIPAA rules cannot be intended to prevent recovery of these monies. However, the debt collector will need to make sure that it has properly structured its practice so not only does it protect the consumer’s information from improper third party disclosure (as already required by the FDCPA), but that it does so in the form and terminology required under HIPAA.


See 45 CFR 164.506(c). Comments to the reg:

“[T]he Privacy Rule permits a collection agency, as a business associate of a covered health care provider, to use and disclose protected health information as necessary to obtain reimbursement for health care services, which could include disclosures of certain protected health information to a credit reporting agency, or as part of collection litigation. See the definition of “payment” in §164.501. “The Department notes, however, that a covered entity, and its business associate through its contract, is required to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, where applicable, as well as abide by any reasonable requests for confidential communications and any agreed-to restrictions as required by the Privacy Rule.” August 14, 2002 Revisions, 67 Fed. Reg. 53219

The key is to see what the provider calls his privacy policy. Then, see if the CA has a contract with the provider that covers HIPAA-protected info. Compare from there.


  • 3 weeks later...

I guess my question would be how is it that the doctor would have the legal ability to release information on his treatment and injuries?

He simply asked for debt validation, the doctor in turn RELEASED confidential medical information to a third party.

Either way you look at it, it would be a violation right?

I mean he never at any time signed a consent form to the doctor's office releasing the information to the collection agency.

I know I am not the smartest person, but I do know that medical institutions can not release medical records without consent.

The debt validation was to the collection agency not to the doctor's office.

Someone correct me if I am wrong.

