The HIPAA Privacy Regulations and Their Effect on Collection of Health Care Receivables

 

Dateline: August, 2003

 

Overview:

The newly approved modifications to the Standards for Privacy of Individually Identifiable Health Information, or “Privacy Rule” as it is better known, went into effect on April 14, 2003.  The Privacy Rule was issued by the U.S. Department of Health and Human Services (“HHS”) to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  While the purpose of the Privacy Rule, to establish national standards to deal with the important issue of the use and disclosure of individual patients’ health and medical information, is considered commendable by most, there is a growing concern among health care providers that the Privacy Rule will have a detrimental effect on their ability to engage in collection procedures to recover amounts due for services rendered.  Most notably, there are concerns that the Privacy Rule will prevent hospitals and physicians from sending a patient’s medical records, including billing statements, to collection agencies and/or attorneys upon whom they normally rely to engage in collection efforts on their behalf.  However, it appears from a reading of the final regulations that these concerns have not only been addressed by HHS but, for the most part, have been alleviated to allow health care providers to continue in their collection efforts with minimal interruption.

 

Does the Privacy Rule apply to me/us?

The first issue that health care providers should concern themselves with is, “Does the Privacy Rule apply to me/us?” Although it has been widely assumed that the Rule applies to every health care practitioner, such is not the case. Pursuant to the regulations, the Privacy Rule covers health plans (medical insurance companies, HMOs, Medicaid, etc.), health care clearinghouses (billing services, repricing companies, etc.) and any health care provider who transmits health information in electronic form in relation to those transactions for which HHS has adopted standards pursuant to HIPAA. 45 C.F.R. sec. 160.102, 160.103. In essence, this covers the use of computer-based technology to transmit health information, such as the Internet, private networks and magnetic tapes and discs, but does not apply to the use of fax machines to transmit such information. Electronic transmission alone does not bring a provider under the regulation’s umbrella; it does so only in connection with the standard transactions covered by the Rule. Some of the more popular examples of the types of transactions that are covered include referral authorization, insurance claims, and enrollment eligibility in a health care plan. It is important to note that this regulation applies even if the health care provider uses a third party to engage in the electronic submission of health information, such as a billing service. Thus, if an office relies entirely on paper to submit insurance claims and engage in other transactions, it will not be covered by the Rule until such time as it engages in electronic submissions of relevant transactions. The types of health care providers, or “covered entities”, that are subject to the regulation include hospitals, physicians, dentists, pharmacists and any other person or group that furnishes, bills, or is paid for health care. 45 C.F.R. sec. 160.102, 160.103.

 

What type of health information is covered under the Rule?

The next issue of concern is, “What type of health information is covered under the Rule?” The Privacy Rule is designed to protect all forms of “individually identifiable health information” created, held, received or transmitted by a covered entity, be it paper, electronic or oral. Such information is more commonly referred to as “protected health information” (PHI). 45 C.F.R. sec. 160.103. This means that, if the information relates to the past, present or future mental or physical health of a person, the past, present or future payment for health care provided, or the actual provision of health care to a person, it is covered under the regulations so long as the information actually identifies the person or there is a reasonable basis to believe that the information could be used to identify the person. 45 C.F.R. sec. 160.103. Common identifiers would include a person’s name, address, telephone number, social security number and date of birth, but there are many more such identifiers the use of which would bring the health information under the protective scope of the Rule. Therefore, even though the Rule allows a covered entity to “de-identify” the information by removing certain identity indicators and disseminating it in this form, there are many, many identifiers that must first be removed, and even then the covered entity must not have actual knowledge that whatever information is left can still be used to identify the person. Thus, the safer bet appears to be simply to avoid dissemination of PHI to prevent the imposition of sanctions under the Rule.

 

Does the Privacy Rule now require consent from a patient before beginning collection proceedings?

Once a health care provider has determined that it is a “covered entity”, and that it has been transmitting PHI while engaging in collection activity, the most crucial question that will likely arise is, “Does the Privacy Rule now require consent from a patient before beginning collection proceedings?” Thankfully for the health care receivables industry, the general answer appears to be “no”. Under the Rule, a covered entity may not use or disclose PHI except 1) with the consent of the individual, or 2) as expressly permitted or required by the Privacy Rule. 45 C.F.R. sec. 164.502(a). To this extent, the Rule specifically permits a covered entity to use and disclose PHI for the purpose of “treatment, payment and health care operations”, including the payment operations of other covered entities, without requiring prior consent of the individual. 45 C.F.R. sec. 164.502(a)(1), 164.506(a). The term “payment” includes actions taken by health care providers to obtain payment or reimbursement after providing health care to the individual, thus leaving little doubt that HHS had collection of receivables in mind when it finalized the Rule. It is important to note, however, that the Rule requires a covered entity, when utilizing PHI for payment purposes, to make a reasonable effort to use and disclose only the minimum amount of PHI necessary to accomplish the purpose of obtaining payment or reimbursement. 45 C.F.R. sec. 164.502(b), 164.514(d). Thus, covered providers must still be cautious when utilizing PHI for collection purposes in determining just how much PHI is needed to accomplish the specific goal of satisfying their accounts receivable.

 

Can we release PHI to our agents who assist us in collection efforts?

Once they have determined that they can engage in their own collection efforts to obtain payment on outstanding medical bills, health care providers may still be asking, “What about those who we normally employ to assist us in our efforts, like billing companies, collection agencies and attorneys? Can we release PHI to them or do we have to do everything ourselves?” Once again, to the delight of health care providers everywhere, the Rule has made provisions which will continue to permit outside sources to be employed in the collection procedure. The Rule addresses the concept of “business associates” who act on behalf of, or provide services to, the covered providers themselves and whose work will involve the use or disclosure of PHI. The services are limited to such things as legal, accounting, management and financial, but it appears that collection agencies and attorneys would fall into this class. The Rule permits covered entities to transmit PHI to these business associates, and even allows the associates to use and disclose PHI in their efforts, on behalf of the covered provider, to obtain payment of outstanding receivables. 45 C.F.R. sec. 160.103. In addition, since the Rule does not limit to whom the disclosures may be made, collection agencies and attorneys can apparently continue to speak to such people as spouses and parents of minor children as is currently permitted under the Fair Debt Collection Practices Act (“FDCPA”), a major concern of those involved in every aspect of collection since communications to persons other than the debtor often result in payment being obtained on outstanding medical bills.

 

There is, however, one caveat to the relationship of covered entities and business associates under the Privacy Rule. The Rule does require that a covered entity, before releasing PHI to a business associate, get assurances from the associate that such information will not be used for any purpose other than those permitted or required by the Privacy Rule and that the associate has an appropriate “safety net” in place to ensure compliance with the Rule. These requirements must be in the form of a written contract or agreement between the covered entity and its business associates encompassing the concerns recited above. 45 C.F.R. sec. 164.502(e), 164.504(e). Those covered providers that already have agreements in place with their associates which were entered into prior to October 15th, 2002, and not changed or renewed prior to April 14th, 2003, may continue to use those agreements until April 14th, 2004, at which time they must be changed to ensure compliance with the Rule. 45 C.F.R. sec. 164.532. For everyone else, however, immediate compliance appears to be required. Therefore, covered providers need to act swiftly to create such a contract so that the ability provided to them by HHS to continue to engage in collection of unpaid medical bills through the use of agencies and attorneys is not compromised.

 

Summary:

The area of health care collection is one of great concern to those health care practitioners who are attempting to maintain a high standard of care in the services they provide while at the same time remaining profitable, as well as to those who are employed by them to assist in the collection of accounts receivable. It is of the utmost importance to review and answer the questions previously discussed prior to beginning collection activity on behalf of any health care provider. While it is recommended that all those involved read the Privacy Rule thoroughly to ensure absolute compliance, it does appear that HIPAA will continue to allow health care collection to flourish as it has without interfering with the ultimate goal of patient privacy protection. After all is said and done, it seems that both sides will get what they want.

   

This Article is a service of the Collections Practice Area of Fein, Such, Kahn & Shepard, P.C., 7 Century Drive, Suite 201, Parsippany, NJ 07960.  Phone: 973-538-4700. Website: www.feinsuch.com.  It does not constitute legal advice nor create an attorney-client relationship.  For more information contact Shareholder Philip A. Kahn at pkahn@feinsuch.com

 

© 2003, Fein, Such, Kahn & Shepard, P.C., all rights reserved.  Permission is granted to reproduce and redistribute this article so long as (i) the entire article, including all headings and the copyright notice are included in the reproduction, and (ii) no fee or other charge is imposed.