SEC. 13409. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES
Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended
by adding at the end the following new sentence:
For purposes of the previous sentence, a person (including an
employee or other individual) shall be considered to have obtained
or disclosed individually identifiable health information in violation
of this part if the information is maintained by a covered entity
(as defined in the HIPAA privacy regulation described in section
1180(b)(3)) and the individual obtained or disclosed such information
HIPAA now has real teeth. Before ARRA, HHS took a soft, voluntary-compliance approach to HIPAA, so the dreaded "HIPAA police" never materialized. That changes under ARRA. The maximum civil penalty for all violations of an identical provision in a calendar year is now $1.5 million (it had been $25,000 pre-ARRA). State attorneys general may now sue a covered entity or business associate that has violated HIPAA, both to enjoin the wrongful practice and to recover damages. HHS now has a statutory duty to investigate complaints, conduct audits and impose penalties. Penalties collected will be used to fund future HIPAA enforcement and to compensate victims of HIPAA violations. These enforcement provisions went into effect on February 17, 2009.
Most provisions of the FCRA are directed at "consumer reporting agencies",
generally defined as persons that regularly assemble or evaluate consumer
credit information on consumers in order to furnish consumer reports to third
parties.
The FCRA, however, also imposes significant obligations on users and
resellers of consumer reports and any person or business that regularly reports
information to a consumer reporting agency. Any information received in the
form of a consumer report is subject to the FCRA.
In addition, the FACTA regulations require CRAs to conduct a REAL investigation
of a consumer dispute and to contact the original creditor for the requested
information. This is why you should use the new CRA dispute letter BEFORE using
any part of the HIPAA letter process.
"Consumer report" generally means any written, oral or other communication
of information by a consumer reporting agency bearing on an individual's
creditworthiness, credit standing, credit capacity, character,
general reputation, personal characteristics or mode of living, which is used
in establishing the consumer's eligibility for credit or insurance.
The term "consumer report," however, does not include any report containing
information solely as to transactions or experiences between the consumer and
the person making the report or certain communications among affiliates.
It is possible for a company to inadvertently become a consumer reporting
agency subject to the obligations of the FCRA by regularly communicating
credit-related consumer information to third parties.
Under the FCRA no person may obtain a consumer report unless it is for a
permissible purpose. A permissible purpose includes use of the report:
with the consumer's written authorization;
in connection with the extension of credit as a result of an application from a consumer;
in connection with the collection of a consumer's account;
in making a decision to hire or promote a consumer who has given written permission for the use;
in connection with the underwriting of insurance as a result of an application from a consumer;
in response to some other legitimate business need arising in connection with a business transaction initiated by the consumer;
to determine whether the consumer continues to meet the terms of an account; and
in a valuation or assessment by a potential investor or servicer, or current insurer, of the credit risks associated with an existing credit obligation.
In addition, creditors and insurers may obtain certain consumer report
information for the purpose of making unsolicited offers of credit or
insurance, provided that, among other conditions, the offer is a "firm offer"
that can be rescinded only in specific circumstances.
Additional restrictions and requirements apply to various specific types
of reports and situations. For example, if information from a consumer reporting
agency is used for employment purposes, the user must inform the prospective
employee of that fact and obtain his or her prior written authorization.
If a user intends to obtain an investigative consumer report (one in which
information is obtained through personal interviews), the user must notify the
consumer in advance and disclose the nature and scope of the investigation.
Users are generally not permitted to obtain consumer reports that contain
medical information of any individual without the specific prior consent of
FACT Act changes through final rules that were effective July 1, 2010.
Health Insurance Portability & Accountability Act of 1996,
Public Law 104-191 ("HIPAA")
HIPAA required the Department of Health and Human Services ("HHS")
to implement safeguards to protect the security and confidentiality of health
information.
The rules issued by HHS (the "Privacy Rule") took effect on April 14, 2001.
Proposed revisions to the Privacy Rule were published on March 27, 2002,
and the comment period on the revisions has now expired.
Most covered entities have until April 14, 2003 to comply with the Rules.
Small health plans (plans with annual receipts of $5 million or less) are not
required to comply until April 14, 2004.
The Privacy Rule applies to "covered entities," which include health plans,
health care providers and health care clearinghouses. A "health plan" is
defined broadly to include most employer-sponsored health plans.
However, certain types of plans are not subject to the Privacy Rule,
including self-administered health plans with fewer than 50 participants,
and plans that provide accident-only, disability income or workers'
The term "health care providers" includes any provider of medical or health
services, and other persons who furnish, bill or are paid for health
care in the normal course of business.
A "health care clearinghouse" is any entity that processes or facilitates
the processing of third party health information between standard and
The Privacy Rule prohibits a covered entity from using or disclosing an
individual's protected health information ("PHI") unless specifically authorized
by the individual or otherwise allowed under the Privacy Rule.
In general, PHI encompasses substantially all "individually identifiable
health information" that is transmitted or maintained in any medium.
"Individually identifiable health information" includes health information
that is created or received by a health care provider, health plan, employer,
or health care clearinghouse, and that relates to an individual's physical or
mental health or condition, including information related to an individual's
care or the payment for such care.
In addition, the information must identify the individual or there must be
a reasonable basis to believe that the information could be used to identify
the individual.
The Privacy Rule allows a covered entity to use or disclose an individual's
PHI without the individual's authorization, as necessary for "treatment,
payment or health care operations," all of which are broadly defined.
Generally, once it is determined that a covered entity may use or disclose
PHI, it must take reasonable measures to limit the use or disclosure to the
minimum amount necessary to accomplish the intended purpose of the use or
disclosure.
The proposed revisions clarify, however, that certain incidental uses and
disclosures of PHI will be permitted. The Privacy Rule recognizes that there
are certain instances when a covered entity has a legitimate need to disclose
PHI to certain non-covered entities that perform functions on behalf of the
entity, including third party administrators, service providers, consultants
and attorneys. These outside entities, referred to as "business associates,"
include a person or organization that
performs or assists in performing a function or activity on behalf
of the covered entity involving the use or disclosure of PHI, or
provides legal, accounting, actuarial, consulting, management or
financial services, where the performance of such services requires the
disclosure of PHI to the service provider.
Before disclosing PHI to a business associate, the covered entity must
obtain "satisfactory assurances" that the business associate will appropriately
safeguard the information. Satisfactory assurances must be in the form of a
written agreement which contains certain provisions specified in the Privacy
Rule. For example, a business associate contract must describe the permitted
and required uses and disclosures of PHI, as well as require the business
associate to implement appropriate safeguards to protect against use or
disclosure not permitted by the contract.
The proposed revisions to the Privacy Rule include model language that can
be used in business associate contracts. If a covered entity knows that its
business associate has materially breached the contract, the covered entity
must take reasonable steps to cure or end the breach. If the steps are
unsuccessful, the covered entity must terminate the contract, or if termination
is not feasible, report the breach to HHS.
The proposed revisions to the Privacy Rule contain a transition period
which allows covered entities (other than small health plans which already have
an extra year to comply) to operate under existing contracts with business
associates for a limited period of time.
To take advantage of the transition period, the covered entity must have an
existing written contract with the business associate prior to the effective
date of the proposed revisions (which is yet to be determined) and the contract
must not be renewed or modified between the effective date and the April 14,
2003 compliance date.
A contract meeting these requirements would be deemed in compliance with the
Privacy Rule until the earlier of (a) the date the contract is renewed or
modified after April 14, 2003, or (b) April 14, 2004.
The Privacy Rule establishes substantial rights for
individuals with respect to their PHI. These rights include the right of
individuals to access their own PHI, to request amendments to their PHI and
to request an accounting of the disclosures of their PHI.
The Privacy Rule also requires covered entities to provide notices to each
individual whose PHI will be used or maintained by the entity. The notice must
contain specific disclosures and other information, including the uses and
disclosures that the entity may make of the PHI, and the individual's rights
and the covered entity's obligations with respect to the PHI.
The Privacy Rule includes specific delivery requirements of the notice,
depending on the type of covered entity. The proposed revisions also require
that a covered health care provider make a good faith effort to obtain an
individual's written acknowledgment of receipt of the notice. Covered entities
are required to adopt policies and procedures to safeguard the privacy of PHI.
The Privacy Rule establishes standards that covered entities must meet,
but allows them to design their own policies and procedures to meet those
standards. The requirements are scalable to account for the size and resources
of the covered entity. Each covered entity generally must
protected information, how the information will be used within the entity,
and when the information may be disclosed;
take steps to ensure that its business associates protect the
privacy of the covered entity's PHI;
designate a privacy officer who will be responsible for ensuring
Please check your own State's Statutes for additional applicable Consumer Credit
and Medical Privacy statutes.
THIS IS NOT TO BE USED FRIVOLOUSLY.
THIS IS A GOVERNMENTAL AGENCY COMPLAINT.
THERE IS NO POSSIBLE FINANCIAL BENEFIT TO THE COMPLAINANT.
THERE IS NO "PRIVATE CAUSE OF ACTION." HOWEVER, UNDER THE NEW ARRA LEGISLATION THERE CAN BE STATE ACTION TO ENFORCE THE PRIVACY RULES, JUST
AS THERE IS WITH FCRA AND FDCPA VIOLATIONS. SEND THE COURTESY LETTER BEFORE FILING.
Basic Privacy Rule Covering Collection Agency and Credit Reporting
Limits on Use of Personal Medical Information.
The privacy rule sets limits on how health plans and covered providers may
use individually identifiable health information.
To promote the best quality care for patients, the rule does not restrict
the ability of doctors, nurses and other providers to share information needed
to treat their patients.
In other situations, though, personal health information generally may not
be used for purposes not related to health care, and covered entities may use
or share only the minimum amount of protected information needed for a
In addition, patients would have to sign a specific authorization before a
covered entity could release their medical information to a life insurer,
a bank, a marketing firm or another outside business for purposes not related
to their health care.
PLEASE NOTE THAT UNDER THE NEWLY ENACTED ARRA, COLLECTION AGENCIES ARE NOW SUBJECT TO THE SAME RULES AS THE OC HEALTH CARE PROVIDER.
Get the actual form from the link above
HIPAA HEALTH INFORMATION PRIVACY COMPLAINT FORM
Your full name
Name: Name of Original Health Care Provider or name of Collection Agency
Date of violation: the date your CRA entry was changed, or the date of the letter
from the CRA advising that the OC or CA verified the entry
On (date) , I (or name of patient) was provided health services by
(name of OC).
On or about (date of violation), and subsequent to 04/13/2003, (OC)/(CA)
communicated private health care information to one or more unauthorized
parties without any permissible purpose under the HIPAA privacy rules, and absent
my signed authorization.
Since there is NO balance due on this account, there is NO permitted business
purpose under the HIPAA privacy rules.
This unauthorized dissemination of private health care information has been,
and continues to be of great detriment to my welfare, and is a violation of
the HIPAA privacy rules.
I have entered this complaint after exhausting all possible means of
prevailing upon (OC)/(CA) to cease and desist the continued dissemination of
private health information to unauthorized parties, and after (OC)/(CA) has refused
my requests to comply with the privacy rules of HIPAA.
I am including with this complaint copies of the return receipts from (OC)/(CA)
acknowledging receipt of my letters requesting compliance (copies enclosed).
Enclosed please find the dated proof of the continued illegal dissemination
of this private health information.
Include a copy of the letter from the CRA stating that they have verified, investigated or changed the
entry in ANY WAY.
Send the following letter to the HIPAA compliance office of the HC provider or CA before filing the HIPAA complaint.
Dear HC provider
I am sending this to you as a courtesy prior to filing a complaint with the OCR regarding your HIPAA violations.
Please note that the penalty provisions of the new privacy rules in the ARRA are in full effect, as are the penalty rules of the HITECH Act as issued 11/30/2009 and in full effect 09/23/2013, including
penalties for violation of the Omnibus Final Rule, which includes:
2. Under the final rule, when patients pay out of pocket in full, they
can instruct their provider to refrain from sharing information
about their treatment with their health plan.
4. The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits
the sale of an individual's health information without their permission.
I have sent the following letters and/or payments:
( List ALL correspondence to them and to the CRA)
I will be filing the complaint 10 days after your receipt of this letter.