“The enforcement of HIPAA was like the enforcement of the FDCPA,” someone recently posted on our message board. “Everyone ran scared for awhile until it stopped being new.”
HIPAA, or the Health Insurance Portability and Accountability Act, was enacted by Congress in 1996 as a way to protect patients’ accounts in an age of healthcare portability. More and more employees are spending less time at one job; job changes often involve transferring medical records from one insurance carrier to another. Congress saw a need for protective legislation, especially with information as private as medical records and conditions.
HIPAA is divided into two parts: Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II – and the part that is more germane to collection agencies and debt buyers – requires the establishment of national standards for electronic health care transactions, in addition to national identifiers for providers, health insurance plans, and employers.
In 2003 the Department of Health and Human Services, per HIPAA standards, enacted a Privacy Rule which established regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual.
And it’s true – in the wake of the Privacy Rule, many debt collection agencies and debt buyers were concerned that HIPAA would make collecting medical debt too difficult, if not impossible, to collect. This could also spell bad news for hospital administrators looking to recoup lost business expenses through collection agencies.
However, that hasn’t necessarily been the case. “If anything,” a source shared with insideARM.com, “it’s made my job easier, much the way the FDCPA made our jobs easier. That doesn’t make me too popular – I think a lot of my colleagues aren’t happy with too many rules. But both [the Privacy Rule] and the FDCPA puts me on solid ground, I feel.”
As medical debt continues in popularity in the debt purchasing realm, questions about HIPAA and third-party disclosures frequently come up. Also, thanks, in part, to recent FDCPA cases involving third-party disclosures, agencies have to put more energy into compliance training in order to remain on the right side of HIPAA.
Business compliance agreements, according to many medical debt collection agencies and debt buyers, are a necessity. The agreements establish “partner” arrangements between collection agencies and, for example, hospitals. Once in place, these agreements can ensure that both HIPAA and third-party violations do not occur, since the collection agency is ostensibly considered an extension of the hospital.
For agencies considering jumping in to medical collections, it is important to be as HIPAA-knowledgeable as possible – possibly more so than the clients you are seeking to add to your roster. Two sites that might prove helpful: http://www.hipaadvisory.com/regs/ and http://www.hhs.gov/ocr/hipaa/.
We would like to hear from any agencies with insights of their own into HIPAA compliance and medical collections. You can send an email to firstname.lastname@example.org or visit our message board and share your experiences with other posters: HIPAA and collections.