
HIPAA and DV from CA (Medical)



I was reading an older post and this got me thinking. And in the past I received a collection notice on a medical acct I was not familiar with. They sent me the bill of service from the dr, which included the diagnosis, and treatments, I believe.

Now if you got a collection notice from a CA, and you requested a DV, and they responded with the dr's bill, which included the tests, treatments and diagnosis, wouldn't this be a HIPAA violation? Also would they provide this information to you? And by requesting a DV would that release them of any consequences? Because if the OC did provide the CA with that information the OC (doctor) would be in violation, and it would seem that would be a great bargaining chip to have them delete, settle or what not.


"SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--

"(1) uses or causes to be used a unique health identifier;

"(2) obtains individually identifiable health information relating to an individual; or

"(3) discloses individually identifiable health information to another person,

shall be punished as provided in subsection (b).

"(b) PENALTIES.--A person described in subsection (a) shall--

"(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

"(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

"(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.


Medical providers can share such info with collection agencies they hire. I am not of the opinion that if a CA gives you a bill showing services to you that it is a violation.

What you can do is insist that the CA and OC provide you with the written agreement between them that covers the use of medical information, so you can inform yourself that the info was properly given the CA.


Actually, unless they are 100% POSITIVE that the information is yours, then they WOULD be in violation of HIPAA. All that info is protected information and if they sent it to just anyone, they'd be in deep doo-doo.

Any company doing business with a medical provider MUST have a Business Associate Agreement (BAA) in place where they are agreeing to be bound by the laws just like any doctor's office in protecting your information.

HIPAA and medical collections is a minefield. The penalties for violations are HUGE, not small potatoes at all, so a CA DOES need to be very careful.

If you've ever signed a HIPAA release form, and most providers ask you to now, then you've signed away some of your privacy rights.


As it has been explained in the past, when you DV the CA, you forfeit your rights under HIPAA as by your own writing, you have requested they send you the requested information. BUT, in my opinion, as I understand HIPAA, the Doctor is forbidden to send the "private" information in their original assignment to the CA. Therefore, my argument, after reading what you said, does this place the Doctor in violation for including this same "private" information in their response? It could fall into a gray area. As was also described before, you would protect yourself if you included the verbiage that you retain all rights under HIPAA.

Here are two suggestions.

1. Send a CMRR letter to the Doctor that clearly states your knowledge of HIPAA and that, though you did request proof of debt, it still may be a violation as to their including the forbidden information. To me, if they had simply blanked the respective lines and included only charges, then it would be legit. Then go on to state that you are more than willing to work with them in resolving this matter entirely as long as they recall the debt from their assignee and assure it is deleted from all CRA's. Be sure to include that, in some states, an OC can be held liable for the actions of their assignee, and you would prefer not to take a chance of something happening.

2. Call your health insurance and ask them if they have any regulations in their book as to what a provider who accepts assignment is allowed to do with any claims. What you are looking for is if the OC can assign any claim from a beneficiary. An example is our health insurance has in their book all providers are forbidden to ever send a claim to collection for any reason. Another is to assure that the claim was submitted properly and within the parameters of their agreement. If denied, what part, if any, is the beneficiary's responsibility. Is Balance Billing involved?

If your insurance was involved, get this information first before you send the letter. If there is no insurance, your only choice to maybe get this out of the CA's hand and back to the OC is to do as #1.

By the time I got mine posted, I found that others had already posted. I'm glad to see Lady's post as it is something I was not aware of. No matter, you can still do as I mentioned as it is exactly what I did to get our problem resolved.


Recovering Attorney, as to your question, it is the fact the medical provider placed in full view of a stranger, your personal health, without your permission. In short, would you want anyone with your name and address to be able to tell the world you have Cancer or some nasty disease? As we all know, the provider is to never allow actual treatments or diagnosis to be available to any but the patient or their representative. True, your insurance may know, but, they have to and they don't share your info unless they want to be closed down and broke. This is why when a medical debt is assigned, I have been under the impression that only dates and amounts can be given, but, some have said that assigned numbers can be used, as in the numbers used by carriers to identify what to pay. Others may be able to include something I may have missed.


Retmar, if I was counselling a medical provider, I would tell them to redact diagnosis codes and SS# and probably even prescription medicines that may be referred to. I think that is common sense if nothing else. But when I ask for medical info "belonging" to me I am not so worried about how it comes to me if it comes by and through the provider. And if I think the bill is not mine or is wrong, I will want as much info as I can get.


I am in total agreement with you. But, where the problem lies, is the OC sends this info to the CA who, in turn, sends it to the consumer. The CA has no right to know your personal medical history. If I was guaranteed the OC would send the proof, you would not hear an argument out of me.


"I am in total agreement with you. But, where the problem lies, is the OC sends this info to the CA who, in turn, sends it to the consumer. The CA has no right to know your personal medical history. If I was guaranteed the OC would send the proof, you would not hear an argument out of me."

Working in the medical field, I can tell you this is incorrect. It is done all the time. HIPAA does not say you cannot release the information, what it says is that you cannot release the information to anyone who doesn't need to know the information without informing the patient and obtaining consent.

I would think that a business partner who is billing for a healthcare provider has that need to know.


"it is the fact the medical provider placed in full view of a stranger, your personal health, without your permission."

What you must understand is that there are legal agreements in place (or should be), between the provider and the CA they hired. The CA MUST follow the law and abide by the terms of the BAA or they are violating HIPAA.

You also must realize that when you sign these release forms in any medical facility now, you are giving them PERMISSION to release certain information. The 'need to know' is a biggie and it includes CA's.

Do you realize that if you have a friend in the hospital and you call to ask how he's doing that legally the hospital is NOT ALLOWED to tell you ??? They would be giving out information they're not allowed to give. You can't even get that info on a family member without first producing ID and proving you ARE a sibling. If you're not immediate family.. you're as good as a stranger under the law.


I should have known about the BAA, as having previously worked for a helpdesk with access to patient records. I would assume that the practice must have anyone they do business with that may involve patient records to have a BAA. However I also know that there were some practices that were stragglers, and had not had their BAA's completed in time, in order to be HIPAA compliant. So I am sure that the odds are that there would be a BAA, which would allow them to convey that information, but it seems that as part of the process, you could ask the OC for a copy of the BAA between them and the CA, and if they fail to produce you could have a way to get the office in trouble.


I agree with everyone on this matter.

BUT, my main concern and gripe is still that a CA, no matter what papers a patient signed with the provider, does not have the right to be able to view anyone's personal medical history.

For example: How does knowing my personal health assist in the collection of an unpaid debt? It serves no purpose. This is over and above their having knowledge of my health. True, my family, friends, and I laugh about my scars and how I still set off very sensitive alarms, and I don't mind as it is one of the ways I deal with this, but, to have someone who I have no idea who they are come up and inquire or ask others, does upset me. Imagine how I am going to feel if a CA says something. Especially today with this country so divided. Here is the perfect example for what I mean. Yes, I am going to say something that has always been a "private joke" since it happened. My Left Long Finger (The Finger) was blown off at the base by that Landmine in Vietnam because I was holding on to the Ring Mount at the front of the Truck. Yes, there is a lot more damage to the hand, and the rest of the body, but, this is enough for now. I opted to not have the stub removed and have a "Three fingered Hand", so have gone on with a noticeable "gap". Being Left Handed, it is not hard to notice there is a problem. In short, use your imagination as to what I go through. Then, to have a total stranger make comments, especially if they want to belittle or intimidate me, I don't think so. As to the funny side, yes, there are some things that have gotten me to laugh about this, but, very few.

To include, as we all know, those who ask us to "sign here", do not explain exactly what we are signing for, and, as in ER's, the person signing is in a hurry due to their emergency. Yes, it is the person's responsibility to read, but, at the same time, as far as I'm concerned, the patient should be properly advised of the fact that their personal history could be viewed by others not in the medical field, if nothing else. Myself, I had always thought in the beginning that HIPAA was created solely to protect all from the chance that someone other than their provider and carrier would have a chance to view, while also protecting the rights of both parties if the possibility of a violation occurred. Since the law does now allow this to happen, I guess my DW and I are now lucky as we do not have to worry about medical bills anymore. To me, it is wrong, no matter what anyone says.


The following is the EXACT verbiage required on the "Authorization for Release of Protected Health Information (PHI)"

I acknowledge, and hereby consent to such, that the released information may contain alcohol, drug abuse, psychiatric, HIV testing, HIV results or AIDS information. _______________ (Initial). If not applicable, check here.

I understand that:

1. I may refuse to sign this authorization and my treatment will not be conditioned upon signature of this authorization (except for non-health related services such as pre-employment testing, life insurance exams, or drug screenings).

2. I may revoke this authorization at any time in writing, but if I do, it will not have any effect on any actions taken prior to receiving the revocation. Further details may be found in the Notice of Privacy Practices.

3. If the requester or receiver is not a health plan or health care provider, the released information may no longer be protected by federal privacy regulations and may be re-disclosed.

4. I understand that I may see and obtain a copy of the information described on this form, for a reasonable copy fee, if I ask for it.

5. I will receive a copy of this form after I sign it.

The "NOTICE OF PRIVACY PRACTICES" also required by law, is a very long document or I'd post the whole thing here. EVERY facility where you receive medical treatment is required to give you this notice.

The notice includes the following:

We are required by law to maintain the privacy of your health information and provide you a description of our privacy practices. We will abide by the terms of this notice.

Uses and Disclosures:

How we may use and disclose Health Information about you.

The following categories describe examples of the way we use and disclose health information:

For Treatment: We may use health information about you to provide you treatment or services. We may disclose health information about you to doctors, nurses, technicians, health students, or other hospital/medical office personnel who are involved in taking care of you at the hospital / medical office.

For example: a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. Different departments of the hospital medical office also may share health information about you in order to coordinate the different things you may need, such as prescriptions, lab work, meals, and x-rays.

We may also provide your physician or a subsequent healthcare provider with copies of various reports that should assist him or her in treating you once you're discharged from this hospital.

For Payment: We may use and disclose health information about your treatment and services to bill and collect payment from you, your insurance company or a third party payer. For example, we may need to give your insurance company information about your surgery so they will pay us or reimburse you for the treatment. We may also tell your health plan about treatment you are going to receive to determine whether your plan will cover it.

We may also use and disclose health information:

• To business associates we have contracted with to perform the agreed upon service and billing for it;

Business Associates: There are some services provided in our organization through contracts with business associates. Examples include physician services in the emergency department and radiology, certain laboratory tests, billing services, transcriptionists, and a copy service we use when making copies of your health record. When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we've asked them to do and bill you or your third-party payer for services rendered. To protect your health information, however, we require the business associate to appropriately safeguard your information.

An Accounting of Disclosures: You have the right to request an accounting of disclosures.

This is a list of certain disclosures we make of your health information for purposes other than treatment, payment or healthcare operations where an authorization was not required.

Request Restrictions: You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had.

We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment.

There's more, but that's a large part of it.


You better believe I wouldn't sign that, without notes made. I can see the patient can limit, but, it also appears they could refuse treatment if you did, according to what you have noted. I have no problem of any personnel who is caring for me to have this information, my whole complaint is that no one other than those "fixing" me, should be allowed to view.

I understand this is not complete, and something may already be in there, but, to me, there should be wording that those not in the medical field, such as a CA, will not be afforded the privilege of viewing the records. Or some type of limitations placed.


  • 4 months later...

I don't know why this was bumped, but for anyone still interested that has medical collections with a CA try this:

1.) Send notice CMRRR to the OC that you revoke all consent to release information regarding the accounts in question without an authorized signature by you.

2.) DV the CA with those accounts CMRRR.

3.) Wait awhile and dispute the CA listings to force the DV

4.) If the CA goes fishing for info on the DV from the OC, the OC should refuse them as a result of your revocation of consent, and if not you have grounds to initiate an HIPAA infraction investigation against the OC
