PLEASE NOTE THAT THE HIPAA LETTER PROGRAM WAS DESIGNED TO OBTAIN DELETIONS AND TO PAY
VALID MEDICAL BILLS TO THE ORIGINAL HEALTH CARE PROVIDER. USING PORTIONS OF THE PROGRAM OUT OF ORDER WILL PREVENT
IT FROM WORKING AS DESIGNED AND WILL PREVENT YOU FROM TAKING A TAX DEDUCTION FOR MEDICAL PAYMENTS OR OBTAINING
A TOTAL DELETION FROM YOUR REPORTS.
This letter should ONLY be used AFTER the initial dispute letter has provided you with a
documented current relationship between the Health Care Provider and the reporting CA.
It will ONLY work if the claim is either INACCURATE, or you remit the
valid correct amount due with the letter, and ONLY if you have confirmed a CURRENT relationship between the OC and the CA.
Please make sure that your payment is in the form of a bank cashier's check or bank
money order (do not use a postal money order). THIS IS CONSIDERED THE SAME AS A CASH PAYMENT.
Also make sure that you make a photocopy of the front and back of the remittance,
that your name and address are CLEARLY printed on the remittance, that it is
made to the order of THE ORIGINAL HEALTH CARE PROVIDER, and that you print or
type clearly in the endorsement section "For Deposit Only to the Account of
(name of H.C. provider)". (This of course allows your IRS deduction as a medical
expense.) MAKE SURE that you put the account # if available (not the CA account # but from your
original billing) in the "for" section on the front of the money order.
If you do NOT have the original account # OR if you have several accounts with the SAME OC under
ONE account #, put the name of the patient, date of service and patient's SS # in the "for" area.
Send ALL correspondence to the HIPAA COMPLIANCE OFFICE of the HC provider, CMRR.
(If the OC has changed ownership or moved or gone BK, send it certified WITHOUT the return receipt requested.)
Do NOT "fax" or "e-mail" anything.
FORM LETTER TO ORIGINAL HEALTH CARE PROVIDER
s.s.# (social security #)
HIPAA Compliance Office
( health care provider creditor)
This letter is in reference to (account #) for services provided to
(name of patient) on (date of service).
In regard to the bill on this account in the amount of ($___):
Insert correct insert here (see inserts): (a), (b) or (c)
Please be advised that under Federal Statutes, the Fair Credit Reporting
Act (15 U.S.C. § 1681 et seq.), and (name of your State)'s Consumer Credit Statutes, and subtitle D of the ARRA, SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES
TO BUSINESS ASSOCIATES OF COVERED ENTITIES; and SEC. 13407(1) BREACH OF SECURITY.—The term “breach of security”
means, with respect to unsecured PHR identifiable health
information of an individual in a personal health record,
acquisition of such information without the authorization of
you may be held liable for the actions of
(collection agency name).
Please note that these liabilities
are under the penalty rules of the Omnibus Final Rule effective 09/23/2013
interpreting and implementing various provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)
as issued 11/30/2009
(a) Duty of furnishers of information to provide accurate information.
(A) Reporting information with actual knowledge of errors.
A person shall not furnish any information relating to a consumer to any
consumer reporting agency if the person knows or consciously avoids knowing
that the information is inaccurate.
In addition, the HIPAA and (name of your State)'s Medical Privacy Statutes and the penalty provisions of the ARRA section D,
privacy provisions, the penalty rules of the HITECH Act as issued 11/30/2009 and the Omnibus Final Rule effective 09/23/2013
and the FACT Act final rules effective July 1, 2010, are in effect in this situation.
The Privacy Rules prohibit a covered entity from using or disclosing an
individual's protected health information ("PHI") unless specifically
authorized by the individual or otherwise allowed under the Privacy Rules.
In general, PHI encompasses substantially all "individually identifiable
health information" that is transmitted or maintained in any medium.
"Individually identifiable health information" includes health information
that is created or received by a health care provider, health plan, employer,
or health care clearinghouse, and that relates to an individual's physical or
mental health or condition, including information related to an individual's
care or the PAYMENT for such care.
Your furnishing of my account information to (collection agency name)
is not in compliance with HIPAA or (name of your State)'s Privacy Act, and any subsequent reporting of this account
on my credit reports to (credit reporting bureaus) is a clear violation of
Public Law 104-191 ("HIPAA") since there can be no permissible business
purpose in divulging protected health information to anyone on an account once there is no longer any
payment due. In addition, the new Omnibus Final Rule states: when patients pay out of pocket in full,
they can instruct their provider to refrain from sharing information. This letter serves as that instruction.
You are required under the FCRA and FACTA to accurately report the status of any
account to the credit bureaus, and you are prohibited under the HIPAA and State privacy
regulations from doing so on a PAID account, as there is no longer any permitted business
Therefore I am requesting you promptly rescind all such account information
furnished to (collection agency) and require them to purge their records of
all reference to this account, and that you ensure that any and all reporting
of this account is immediately deleted from my credit reports.
This simple procedure to request the deletion of ALL reference to this
account from the records of (collection agency name) and to require them to
have this account information deleted in its entirety from my credit reports
will resolve this problem completely.
Please respond, in writing within 10 days that you are processing this
I am reserving the right to take appropriate legal and civil action
including reporting to any applicable regulatory authorities any lack of
cooperation or compliance with this request.
I hereby waive my rights under HIPAA and any State Privacy Act for the single purpose of your
transmission of this request and accompanying documentation in any required
report you must make to your E&O insurance carrier.
Please note, my remittance is payable ONLY to (hc provider) and may not be
signed over or transferred to any third party collection agency, as this would
constitute an additional violation of HIPAA, State Privacy Act rules and the Omnibus Final Rules.
Copies of this correspondence and a copy of the remittance check may be used
for any further actions with State or Federal agencies.
INSTRUCTIONS FOR FOLLOW UP TO "HIPAA" LETTER TO ORIGINAL CREDITOR HEALTH
ALL FURTHER CORRESPONDENCE SHOULD BE SENT CMRR
Make sure any money order has been deposited, or you have received a
return receipt from your letter if insert "b" or "c" were used.
Send the follow up letter posted below.
Send a copy of the follow up letter to the OC (legal dept) with the
cover letter (follows letter to CRA).
If the CRA responds with verification from the CA or the OC,
file a complaint with the HIPAA administration for the OC's, the CA's and the CRA's violation of the
privacy rules of HIPAA, and with any available State's Medical Privacy Act administration.
If they do NOT respond with any verification and the account is NOT deleted, file a civil suit against
the OC and the CA for their liability for violations of the FCRA and FACTA.
DO NOT, under any circumstances, write or correspond with the CA
regarding this matter. Any correspondence or communication that YOU instigate,
while not a waiver of your privacy rights under HIPAA, will
impede any cause of action you might have, as the non-permitted "communication" would
have come from YOU.
Please understand that any CA or CRA now has FULL liability under HIPAA, even if they are NOT the
health provider and/or have no business relationship with them. They are NOW covered under the provisions of the act
for all medical accounts; they are now also subject to the penalty rules of the HITECH Act as issued 11/30/2009.
if THEY violate, they can also be named in ALL your
Letter to CRA After HIPAA Letter, send CMRR
Use this AFTER you have received the green card back and received
verification that any money order has been deposited
(if using insert "a")
This is a dispute of account information on my credit report.
Please re-investigate (or investigate if you have not previously disputed)
the following disputed account on my credit report.
(give CA name and acct. #)
Please furnish me with verification that (CA name) is reporting this
account from (OC name) for ($ amount) in my name.
I require the identification of the reporting party and the date of their
I require documentation of the authorized HIPAA business relationship between (CA name) and (OC name) and documentation of your
authorized HIPAA business relationship between yourself and either (name of CA) or (name of OC).
Please be advised that this request is being made in accordance with the
requirements of the FCRA and FACTA
and the privacy rules of the HIPAA and (your State)'s Medical Privacy Act.
Please be advised that you are subject to the penalty rules of the HITECH Act as issued 11/30/2009 and Omnibus Final Rules effective 09/23/2013.
Please note that your Credit Reporting Agency is now subject to Federal consumer financial laws, including, among others,
the FCRA and Title X of the Dodd-Frank Act, and related regulations including a ban on “Abusive” Acts or Practices (Section 1031 of the Dodd-Frank Act).
Ido N Tnow
(Send a copy to the HIPAA Compliance Dept. of the OC health provider (CMRR) with the following
HIPAA Compliance Office
Re: Letter of (date of original letter)
Account #(original account #)
Dear Sir or Madam;
Enclosed please find a copy of my letter(s) of dispute to (CRA (s)).
Please note, I am providing you with an additional opportunity to have this account
removed from (CA) and deleted from my credit reports if you have not already
I have no desire to cause you unnecessary
difficulty; however, this entry of my private health care
information on my credit report, for an account that no longer has ANY permitted business
purpose waiver since there is NO payment due,
has caused injury to my credit reputation, and
has left me no choice but to proceed with the following:
Upon my receipt of the FCRA and FACTA mandated reply from (CRA), if the account has NOT
been deleted in its entirety, I will take appropriate action to enforce my rights
under the HIPAA, FCRA and FACTA rules and ARRA, including the penalty rules of the HITECH Act as issued 11/30/2009 and Omnibus Final Rules effective 09/23/2013,
and (your State)'s Consumer Protection and Medical Privacy