HIPAA LEGAL BASIS

FCRA & HIPAA STATUTES-

HIPAA CHANGES IN STIMULUS PACKAGE STIMULUS PACKAGE

Read from pages 144 on; Here are some excerpts;

SEC. 13409. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES CRIMINAL PENALTIES.

Section 1177(a) of the Social Security Act (42 U.S.C. 1320d– 6(a)) is amended by adding at the end the following new sentence:

‘‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.’’.

Here are some links explaining the changes

Law Firm Overview of Changes

Law Firm Explanation of Changes effective IMMEDIATELY ( Feb. 17) for Collection Agencies

HIPAA now has real teeth. Before ARRA, HHS took a soft, voluntary compliance approach to HIPAA and therefore, the dreaded HIPAA police never materialized. This approach will change under ARRA. The maximum annual civil penalty per violation is now $1.5 million (it had been $25,000 pre-ARRA). State attorneys general now are able to bring suit against a covered entity or business associate who has violated HIPAA to enjoin the wrongful practice and recover damages. HHS now has a statutory duty to investigate complaints, conduct audits and impose penalties. Penalties will be used to fund future HIPAA enforcement initiatives and repay victims of HIPAA violations. These enforcement provisions of HIPAA went into effect on February 17, 2009.

Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. ("FCRA")

Most provisions of the FCRA are directed at "consumer reporting agencies", generally defined as persons that regularly assemble or evaluate consumer credit information on consumers in order to furnish consumer reports to third parties.

The FCRA, however, also imposes significant obligations on users and resellers of consumer reports and any person or business that regularly reports information to a consumer reporting agency. Any information received in the form of a consumer report is subject to the FCRA.

In addition, the new FACTA regulations require the CRA's to do a REAL investigations and contact the Original Creditor for requested information in a CONSUMER DISPUTE. This is why you SHOULD use the NEW "CRA dispute letter BEFORE using any part of the HIPAA letter proccess.

"Consumer report" generally means any written, oral or other communication of information by a consumer reporting agency bearing on an individual's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used in establishing the consumer's eligibility for credit or insurance.

The term "consumer report," however, does not include any report containing information solely as to transactions or experiences between the consumer and the person making the report or certain communications among affiliates.

It is possible for a company to inadvertently become a credit reporting agency subject to the obligations under the FCRA by regularly communicating credit-related consumer information to third parties.

Under the FCRA no person may obtain a consumer report unless it is for a "permissible purpose".

A permissible purpose includes use of the report:

(1)

with the consumer's written authorization;

(2)

in connection with the extension of credit as a result of an application from a consumer;

(3)

in connection with the collection of a consumer's account;

(4)

in making a decision to hire or promote a consumer who has given written permission for the use;

(5)

in connection with the underwriting of insurance as a result of an application from a consumer;

(6)

in response to some other legitimate business need arising in connection with a business transaction initiated by the consumer;

(7)

to determine whether the consumer continues to meet the terms of an account; and

(8)

in a valuation or assessment by a potential investor or servicer, or current insurer, of the credit risks associated with an existing credit obligation.

In addition, creditors and insurers may obtain certain consumer report information for the purpose of making unsolicited offers of credit or insurance, provided that, among other conditions, the unsolicited offer must be a firm offer which can only be rescinded in specific circumstances.

Additional restrictions and requirements apply to various specific types of reports and situations. For example, if information from a credit reporting agency is used for employment purposes, the user must inform the prospective employee of that fact and obtain his or her prior written authorization.

If a user intends to obtain an investigative consumer report (one in which information is obtained through personal interviews), the user must notify the consumer in advance and disclose the nature and scope of the investigation.

Users are generally not permitted to obtain consumer reports that contain medical information of any individual without the specific prior consent of the individual.

Health Insurance Portability & Accountability Act of 1996, Public Law 104-191 ("HIPAA")

HIPAA required the Department of Health and Human Services ("HHS") to implement safeguards to protect the security and confidentiality of health records.

The rules issued by HHS (the "Privacy Rule") took effect on April 14, 2001. Proposed revisions to the Privacy Rule were published on March 27, 2002, and the comment period to the revisions has now expired.

Most covered entities have until April 14, 2003 to comply with the Rules. Small health plans (plans with annual receipts of $5 million or less) are not required to comply until April 14, 2004.

The Privacy Rule applies to "covered entities," which include health plans, health care providers and health care clearinghouses. A "health plan" is defined broadly to include most employer-sponsored health plans.

However, certain types of plans are not subject to the Privacy Rule, including self-administered health plans with less than 50 participants, and plans that provide accident-only, disability income or workers' compensation coverage.

The term "health care providers" includes any provider of medical or health services, and other persons who furnish, bill or are paid for health care in the normal course of business.

A "health care clearinghouse" is any entity that processes or facilitates the processing of third party health information between standard and nonstandard formats.

The Privacy Rule prohibits a covered entity from using or disclosing an individual's protected health information ("PHI") unless specifically authorized by the individual or otherwise allowed under the Privacy Rule.

In general, PHI encompasses substantially all "individually identifiable health information" that is transmitted or maintained in any medium. "Individually identifiable health information" includes health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that relates to an individual's physical or mental health or condition, including information related to an individual's care or the payment for such care.

In addition, the information must identify the individual or there must be a reasonable basis to believe that the information could be used to identify the individual.

The Privacy Rule allows a covered entity to use or disclose an individual's PHI without the individual's authorization, as necessary for "treatment, payment or health care operations," all of which are broadly defined.

Generally, once it is determined that a covered entity may use or disclose PHI, it must take reasonable measures to limit the use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.

The proposed revisions clarify, however, that certain incidental uses and disclosures of PHI will be permitted. The Privacy Rule recognizes that there are certain instances when a covered entity has a legitimate need to disclose PHI to certain non-covered entities that perform functions on behalf of the entity, including third party administrators, service providers, consultants and attorneys. These outside entities, referred to as "business associates," include a person or organization that

(1)

performs or assists in performing a function or activity on behalf of the covered entity involving the use or disclosure of PHI, or

(2)

provides legal, accounting, actuarial, consulting, management or financial services, where the performance of such services requires the disclosure of PHI to the service provider.

Before disclosing PHI to a business associate, the covered entity must obtain "satisfactory assurances" that the business associate will appropriately safeguard the information. Satisfactory assurances must be in the form of a written agreement which contains certain provisions specified in the Privacy Rule. For example, a business associate contract must describe the permitted and required uses and disclosures of PHI, as well as require the business associate to implement appropriate safeguards to protect against use or disclosure not permitted by the contract.

The proposed revisions to the Privacy Rule include model language that can be used in business associate contracts. If a covered entity knows that its business associate has materially breached the contract, the covered entity must take reasonable steps to cure or end the breach. If the steps are unsuccessful, the covered entity must terminate the contract, or if termination is not feasible, report the breach to the HHS.

The proposed revisions to the Privacy Rule contain a transition period which allows covered entities (other than small health plans which already have an extra year to comply) to operate under existing contracts with business associates for a limited period of time.

To take advantage of the transition period, the covered entity must have an existing written contract with the business associate prior to the effective date of the proposed revisions (which is yet to be determined) and the contract must not be renewed or modified between the effective date and the April 14, 2003 compliance date.

A contract meeting these requirements would be deemed in compliance with the Privacy Rule until the earlier of

(1)

the date the contract is renewed or modified after April 14, 2003 or

(2)

April 14, 2004.

The Privacy Rule establishes substantial rights for individuals with respect to their PHI. These rights include the right of individuals to access their own PHI, to request amendments to their PHI and to request an accounting of the disclosures of their PHI.

The Privacy Rule also requires covered entities to provide notices to each individual whose PHI will be used or maintained by the entity. The notice must contain specific disclosures and other information, including the uses and disclosures that the entity may make of the PHI, and the individual's rights and the covered entity's obligations with respect to the PHI.

The Privacy Rule includes specific delivery requirements of the notice, depending on the type of covered entity. The proposed revisions also require that a covered health care provider make a good faith effort to obtain an individual's written acknowledgment of receipt of the notice. Covered entities are required to adopt policies and procedures to safeguard the privacy of PHI.

The Privacy Rule establishes standards that covered entities must meet, but allows them to design their own policies and procedures to meet those standards. The requirements are scalable to account for the size and resources of the covered entity. Each covered entity generally must

(1)

adopt a written privacy policy designating who has access to protected information, how the information will be used within the entity, and when the information may be disclosed;

(2)

take steps to ensure that its business associates protect the privacy of the covered entity's PHI;

(3)

train employees with respect to the privacy policy; and

(4)

designate a privacy officer who will be responsible for ensuring the privacy policy is followed.

MEDICAL BILLING ADVOCATES

----------------------------------------------------------------------------------------------

HIPAA COMPLAINT PROCESS

THIS IS NOT TO BE USED FRIVOLOUSLY. THIS IS A GOVERNMENTAL AGENCY COMPLAINT. THERE IS NO POSSIBLE FINANCIAL BENEFIT TO THE COMPLAINANT. THERE IS NO "PRIVATE CAUSE OF ACTION" HOWEVER, UNDER THE NEW ARRA LEGISLATION THERE MAY BE STATE ACTION TO ENFORCE THE PRIVACY RULES JUST AS THERE IS WITH FCRA AND FDCPA VIOLATIONS. SEND THE COURTESY LETTER BEFORE FILING

--------------------------------------------------------

Basic Privacy Rule Covering Collection Agency and Credit Reporting Limits on Use of Personal Medical Information.

The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information.

To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients.

In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose.

In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.

Check your Medical Information Bureau File

Tel:1-866-692-6901

The MIB is a private medical-information agency which has files on most Americans. You can check your records once a year free.

-------------------------------------------------------

HIPAA MAIN SITE

The main page with all links

HOW TO FILE A COMPLAINT

Instructions and addresses

---------------------------------------------------------

Sample Complaint

PLEASE NOTE THAT UNDER THE NEWLY ENACTED ARRA COLLECTION AGENCIES ARE NOW SUBJECT TO THE SAME RULES AS THE OC HEALTH CARE PROVIDER

Get the actual form from the link above

HIPAA HEALTH INFORMATION PRIVACY COMPLAINT FORM

Your full name

Address

City

State

Zip

Phone number

Fax number

Email address

Date

----------------------------------------------

Name: Name of Original Health Care Provider or name of Collection Agency

Address

Phone number

Date of violation; Date of change of your CRA entry or Date of letter from CRA advising of verification from OC or CA

----------------------------------------------

On (date) , I (or name of patient) was provided health services by (name of OC).

On or about (date of violation) and subsequent to 04/13/2003 (OC) ( CA) communicated private health care information to one or more unauthorized parties without any permissible purpose under HIPAA privacy rules, and absent my signed authorization.

Since there is NO balance due on this account, there is NO permitted business purpose under the HIPAA privacy rules.

This unauthorized dissemination of private health care information has been, and continues to be of great detriment to my welfare, and is a violation of the HIPAA privacy rules.

I have entered this complaint after exhausting all possible means of prevailing upon (OC)( CA) to cease and desist the continued dissemination of private health information to unauthorized parties and after (OC)(CA) has refused my requests to comply with the privacy rules of HIPAA.

I am including with this complaint, copies of the return receipts from (OC) (CA) acknowledging receipt of these letters requesting compliance (copies enclosed)

Enclosed please find the dated proof of the continued illegal dissemination of this private health information.

Include copy of letter from CRA stating they have verified or have investigated or have changed the entry in ANY WAY

--------------------------------------------------------

Why Chat's Credit Confusion Home