HIPAA Compliance For Medical Bills And New Technology
February 22, 2022 | 4 minutes read
Medical debt is an all but inevitable reality given the complex dynamics of the U.S. healthcare system, and many collection agencies around the country will handle such debt at some point in their operations. Healthcare providers who work with debt collectors must nevertheless comply with federal privacy regulations, the most notable of which is the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Under the original provisions of HIPAA, the law's requirements applied directly only to covered entities such as healthcare providers and their workforce. Business associates, the third parties to which providers outsourced functions such as billing and collections, were bound only by contract, and many providers treated outsourcing as a way to move work outside the reach of HIPAA compliance.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 closed that gap. Under the HITECH Act, business associates that handle protected health information (PHI) are directly obliged to protect it, on the terms set out in a HIPAA Business Associate Agreement (BAA). In the context of medical debt collection, this change placed further responsibilities on healthcare providers, who remain accountable for unauthorized disclosures of PHI whether the disclosure happens inside the provider's own systems or at a business associate. In effect, healthcare providers are responsible for ensuring that the PHI of the patients they serve is secure and protected at all times, including after it leaves their hands.
What personal information can healthcare providers legally disclose under HIPAA and the HITECH Act?
Under HIPAA and the HITECH Act, a healthcare provider may disclose PHI to a medical debt collector only as part of its own payment activity, and only the minimum necessary for the collector to do its job; a patient's medical records, diagnoses and treatment details are not necessary for collection and must not be shared. Consequently, healthcare providers are generally limited to disclosing the following forms of personal information when working with debt collectors:
- The name of the debtor.
- Social Security numbers.
- Dates of birth.
- Account numbers and payment history.
- The name and address of a healthcare provider or facility.
How can healthcare providers maintain HIPAA compliance when working with debt collectors?
In line with the provisions of HIPAA and the HITECH Act, healthcare providers must not disclose PHI about a particular patient to debt collectors beyond what collection requires. Some forms of PHI are easy to overlook, however. Under HIPAA, any identifier that is tied to a patient's condition or health, or to payment for healthcare, counts as PHI, and the regulation lists a specific set of such identifiers (the same list used by its "safe harbor" de-identification standard). Among them, the following categories of personal information are also PHI when they appear in a patient's record:
- Email address.
- Device identifiers and serial numbers.
- IP address.
- Photographic images.
- Biometrics such as finger or voiceprints.
- Web URLs.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Certificate or license numbers.
Healthcare providers can stay compliant with the applicable legislation by redacting such data before a record is handed over. Effective redaction removes the PHI from the file itself rather than merely hiding it: a black box drawn over text in a PDF whose underlying text layer is left intact is not a redaction, because anyone who copies the text or removes the overlay recovers the data. Properly redacted data cannot be exposed by the collector, which mitigates the risk both of non-compliance and of exposure in a later data breach.
Redaction has historically been arduous and labor-intensive. The advent of automatic redaction software has made it far more accessible: such programs let users automatically redact (black out) specific forms of personal information, such as medical details and contact information about a patient, so healthcare providers save time and effort when maintaining compliance with HIPAA and the HITECH Act. More importantly, patients gain some assurance that their privacy will not be compromised when they incur medical debt. Automated tools still need to be checked, though: a pattern-based redactor will catch an email address or an IP address, but a diagnosis written in plain prose matches no pattern, so the output should be reviewed, or the disclosed fields chosen from an allow-list in the first place, rather than trusting the software blindly.
Now that information can be shared around the globe within seconds, protecting individual privacy is growing increasingly difficult. In healthcare debt collection the difficulty is greater still, as these businesses are trying to operate as effectively and efficiently as possible while also complying with the relevant legislation. Redaction is a useful tool for meeting both goals. Proper redaction (blacking out) methods ensure that the PHI of U.S. healthcare patients is not disclosed to, or accessible by, a collector beyond what the law permits or the patient has authorized.
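The following Python script is an added example, not code from the original article or from any redaction product. It shows the two-layer approach described above: the collector export is built from an allow-list of the fields the article says may be disclosed, so that fields such as a diagnosis or email address never reach the output, and the one free-text field that does go out is then scrubbed for the identifier types the article lists (URLs, email addresses, IP addresses, device serial numbers). The record, its field names, the "collector_note" field and the "SN-" serial-number convention are all constructed assumptions for the example; the patient data is invented.

```python
"""Allow-list export plus pattern scrub for a medical debt referral (added example)."""
from __future__ import annotations

import json
import re
from typing import Any

# Top-level fields the article lists as disclosable to a collector. The field
# names are assumptions for this example; "collector_note" is an assumed
# free-text instruction field that must be scrubbed before release.
ALLOWED_FIELDS = (
    "name", "ssn", "date_of_birth", "account_number",
    "provider_name", "provider_address", "collector_note",
)
# Within payment history keep only transactional columns. The memo column
# typically names the service rendered, so it is dropped rather than scrubbed.
ALLOWED_PAYMENT_FIELDS = ("date", "amount", "balance")

# Identifier types from the article's PHI list that can hide in free text.
# Applied in order so a URL is consumed before its host could match as an email.
REDACTION_PATTERNS = (
    ("URL", re.compile(r"https?://\S+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # Assumed device-serial convention: "SN-" followed by six or more alphanumerics.
    ("SERIAL", re.compile(r"\bSN-[A-Z0-9]{6,}\b")),
)


def redact_free_text(text: str) -> str:
    """Replace every identifier match with a labelled placeholder."""
    for label, pattern in REDACTION_PATTERNS:
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return text


def build_collector_export(record: dict[str, Any]) -> dict[str, Any]:
    """Copy only allow-listed fields, then scrub the free-text note."""
    export = {key: record[key] for key in ALLOWED_FIELDS if key in record}
    export["payment_history"] = [
        {key: entry[key] for key in ALLOWED_PAYMENT_FIELDS if key in entry}
        for entry in record.get("payment_history", [])
    ]
    if "collector_note" in export:
        export["collector_note"] = redact_free_text(export["collector_note"])
    return export


def verify_export(export: dict[str, Any]) -> list[str]:
    """Independent check before release: return problems found, empty list if clean."""
    problems: list[str] = []
    for key, value in export.items():
        if key not in ALLOWED_FIELDS and key != "payment_history":
            problems.append(f"disallowed field: {key}")
        if isinstance(value, str):
            for label, pattern in REDACTION_PATTERNS:
                if pattern.search(value):
                    problems.append(f"{label} identifier left in field {key}")
    return problems


# Constructed sample record; not real patient data. 203.0.113.0/24 is a
# documentation range and example.org is a reserved domain.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "date_of_birth": "1980-01-02",
    "account_number": "ACCT-0042",
    "provider_name": "Example Medical Center",
    "provider_address": "1 Example Way, Springfield",
    "diagnosis": "Type 2 diabetes",            # PHI: never exported
    "email": "jane.doe@example.com",           # listed identifier: not allow-listed
    "portal_ip": "203.0.113.7",                # listed identifier: not allow-listed
    "collector_note": (
        "Contact by mail only; portal login from 203.0.113.7, "
        "see https://portal.example.org/acct/42 or jane.doe@example.com"
    ),
    "payment_history": [
        {"date": "2021-11-03", "amount": 150.00, "balance": 850.00,
         "memo": "Endocrinology visit, insulin pump SN-ABC123456"},
    ],
}

if __name__ == "__main__":
    export = build_collector_export(SAMPLE_RECORD)
    print(json.dumps(export, indent=2))
    print("problems:", verify_export(export))
```

The allow-list does the real work: the diagnosis, the email field and the payment memo never reach the export, so nothing depends on a regex recognising them. The pattern scrub is a backstop for the one field that legitimately carries free text, and `verify_export` is run as a separate step so that a future change to the export logic cannot silently reintroduce a field.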