The Explorer Winter 2018 Explorer_Fall_2018 | Page 8
DO COLLECTION AGENCY EFFORTS VIOLATE HIPAA - IT DEPENDS

Reprinted with permission from California Dental Association

CDA Practice Support recently received a call from a dentist about a disgruntled patient who was accusing the dentist of violating the patient’s HIPAA privacy rights because of a past-due bill. Specifically, the patient claimed that they received a letter from a collection agency and the fact that the collection agency had their information was a violation of the Health Insurance Portability and Accountability Act (HIPAA). CDA confirmed that this is not a violation of HIPAA as long as the dentist took the proper steps to inform patients how the practice uses patient information and to provide to the collection agency only the minimum necessary information for the agency to perform its work.

“A notice of privacy practices typically includes a statement that patient information is used or disclosed to obtain payment for treatment,” said CDA Practice Support Analyst Teresa Pichay. “The use of a collection agency is recognized as part of a covered entity’s efforts to obtain payment. The notice of privacy practices, however, is simply a notice. It is not a consent form or an agreement.”

When using a collection agency, a dental practice must have a HIPAA business associate agreement with the agency. In the agreement, the collection agency must agree not to disclose further (typically to a credit bureau) the patient information provided by the dental practice. This provision is to comply with California’s Confidentiality of Medical Information Act, which requires explicit written authorization from a patient to release information.

Information provided by the practice to the collection agency should be limited to the patient’s name, contact information, date treatment was provided with amount incurred, amount and dates of payments made (if any) and the current amount due. The practice may not provide treatment details or purpose of treatment information to the collection agency.

“To further limit issues related to collections, CDA recommends dental practices have patients sign financial agreement forms that clearly state a patient’s payment obligations,” Pichay said.

Sample financial agreement forms are available on cda.org/practicesupport.

Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information, and thus, the HIPAA Security Rule was created.

For more information on patient privacy and HIPAA requirements, visit cda.org/Privacy-HIPAA.

For additional information on collections, refer to Chapter 6 of CDA’s Legal Reference Guide.
Los Angeles Dental Society Explorer