HIPAA Compliance, Medical Collections, New Technology

As medical debts are an all but inevitable reality due to the complex dynamics of the U.S. healthcare system, many collection agencies around the country will work to collect such debt at some point during their respective operations. Nevertheless, healthcare providers that work with debt collectors must still comply with federal privacy regulations, the most notable of which is the Health Insurance Portability and Accountability Act of 1996, or HIPAA. Under the initial provisions of HIPAA, the requirements of the law applied solely to healthcare providers and other associated staff members and employees within a particular medical setting. Because of this, many healthcare providers would circumvent HIPAA compliance by outsourcing certain job functions to business associates or third parties, as these parties were not subject to HIPAA compliance.

However, such practices were outlawed with the enactment of the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, in 2009. Under the HITECH Act, all professionals that collect or make use of protected health information, or PHI, are legally obliged to protect said information, in accordance with a HIPAA Business Associate Agreement, or BAA. In the context of medical debt collection, this legislative change placed even further responsibilities on healthcare providers, as said providers became responsible for all unauthorized disclosures of PHI, irrespective of how this information was disclosed. As such, healthcare providers are effectively responsible for ensuring that the PHI of the patients they serve is secure and protected at all times.

What personal information can healthcare providers legally disclose under HIPAA and the HITECH Act?

Under both HIPAA and the HITECH Act, healthcare providers are prohibited from disclosing a U.S. citizen's medical records or PHI when working with medical debt collectors. Consequently, healthcare providers are generally limited to disclosing the following forms of personal information when working with debt collectors:

  • The name of the debtor.
  • Social security numbers.
  • Dates of birth.
  • Account numbers and payment history.
  • The name and address of a healthcare provider or facility.

How can healthcare providers maintain HIPAA compliance when working with debt collectors?

In conjunction with the provisions set forth in HIPAA and the HITECH Act, healthcare providers are forbidden from disclosing PHI pertaining to a particular patient when working with debt collectors. While certain examples of PHI may seem rather obvious, such as information relating to a diagnosis or treatment, other forms of PHI may be less apparent. To illustrate this point further, under HIPAA and the HITECH Act, identifiers that are used in connection with a given patient's condition or health, as well as payments that have been made in regards to healthcare, are also considered PHI. To this end, the following categories of personal information can also be considered PHI under HIPAA and the HITECH Act:

  • Email address.
  • Device identifiers and serial numbers.
  • IP address.
  • Photographic images.
  • Biometrics such as finger or voiceprints.
  • Web URLs.
  • Vehicle identifiers and serial numbers, including license plate numbers.
  • Certificate or license numbers.

In terms of maintaining compliance with HIPAA and the HITECH Act, healthcare providers can remain compliant with all applicable legislation through the process of redaction. By redacting PHI and identifiers, industries that come into contact with PHI can ensure that they do not violate the personal rights of others when looking to perform their business functions. As effective redaction renders personally identifiable information unusable or unreadable, a healthcare provider working with a debt collector will not need to worry about violating HIPAA or the HITECH Act, regardless of whether the disclosure of PHI involved a data breach or negligence on the part of a medical or business professional.

What’s more, while the process of redaction has historically been arduous and labor-intensive, the advent of automatic redaction software programs has made redaction easy and accessible to a wide range of consumers around the world. As such software programs allow users to automatically redact specific forms of personal information, such as medical records and contact information pertaining to a medical patient, healthcare providers can save time and effort when looking to maintain compliance with laws and regulations such as HIPAA and the HITECH Act. More importantly, however, American citizens can ensure that their privacy won’t be compromised when they incur medical debts.
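As an added illustration of the approach described above, a collections referral can be built from an allowlist of the fields the article says may be disclosed, with the PHI categories it lists (diagnosis, treatment, e-mail address, IP address, web URL) dropped or redacted from free text. This is example code, not from the original article or any redaction product; the field names, the sample record and the three regular expressions are assumptions, and the patterns cover only a few of the identifier categories listed.

```python
import re

# Fields the article says a provider may generally pass to a collector.
# The field names are assumed for this example.
PERMITTED_FIELDS = (
    "debtor_name", "ssn", "date_of_birth", "account_number",
    "payment_history", "provider_name", "provider_address",
)

# Identifier categories from the article's PHI list that can hide in free text.
# Order matters: a URL is redacted before the e-mail or IP it may contain.
PHI_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def redact_text(text):
    """Replace each matched identifier with a labelled placeholder."""
    for label, pattern in PHI_PATTERNS:
        text = pattern.sub(f"[REDACTED {label}]", text)
    return text


def build_referral(record):
    """Return (referral, dropped_fields): only permitted fields survive,
    free-text notes are redacted, and everything else (e.g. diagnosis) is dropped."""
    referral = {k: record[k] for k in PERMITTED_FIELDS if k in record}
    if "notes" in record:
        referral["notes"] = redact_text(record["notes"])
    dropped = sorted(set(record) - set(referral))
    return referral, dropped


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "debtor_name": "Jane Doe",
    "date_of_birth": "1980-01-01",
    "account_number": "ACCT-0001",
    "payment_history": "2 of 6 installments paid",
    "provider_name": "Example Clinic",
    "diagnosis": "Type 2 diabetes",          # PHI: must never reach the collector
    "treatment": "Metformin",                # PHI: must never reach the collector
    "email": "jane@example.com",             # PHI category listed in the article
    "notes": "Patient emailed from j.doe@example.com; portal login from 203.0.113.7",
}

if __name__ == "__main__":
    referral, dropped = build_referral(SAMPLE_RECORD)
    print("referral:", referral)
    print("dropped :", dropped)
```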

As information can now be shared with individuals around the globe within seconds at the simple click of a button, ensuring the privacy of individuals is growing increasingly difficult. In the context of healthcare and debt collection, this level of difficulty is only increased further, as these businesses are looking to function in the most effective and efficient manner possible while also maintaining compliance with relevant legislation. Due to these challenges, redaction can prove to be a very useful tool and solution, as proper redaction methods ensure that the PHI of U.S. healthcare patients will never be disclosed or accessed without the express consent of said patients.