If your agency collects health care accounts, you need to be familiar with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA privacy laws were put in place to safeguard consumers’ protected health care information, or PHI. HIPAA governs how you access, distribute and protect PHI, and failure to comply can result in huge consequences, not only for your company, but for you, personally.
While there is no private right of action under HIPAA, the Department of Health and Human Services can take action against those who violate HIPAA, and consumers can file complaints with it for HIPAA violations. In 2010, for instance, a doctor who accessed medical records without a valid reason was fined $2,000 for violating HIPAA and sentenced to four months in prison. And in 2015, a lab employee at a student health center was fired after she mentioned the results of a patient’s pregnancy test to a coworker.
What is PHI?
As a debt collector, you are expected to help protect consumers’ sensitive and confidential health care information. Anything that could be used to identify consumers in relation to their health care information is considered PHI. This can include a person’s name, address, phone number, medical history, insurance details and health care bills.
How Can You Protect PHI?
Don’t discuss information in the consumer’s file with anyone but the consumer—unless the consumer has given you permission to do so. This includes idle chit-chat with co-workers, even if you don’t mention the consumer’s name. Sometimes a situation may call for you to contact the consumer’s insurance company, or you may get an information request from an attorney.
Before you email, fax, mail or discuss PHI with third parties, ask yourself: Do my company’s rules authorize me to do this? If so, has the consumer consented to the PHI release under HIPAA, and will the information I send be encrypted? (Email in particular is an often-overlooked PHI disclosure risk because it might not be secure.)
Although the Fair Debt Collection Practices Act allows you to communicate with a consumer’s spouse, parent or guardian, HIPAA may not. If a consumer tells you that they do not want certain people, such as family members, to know about their situation or condition, you can’t disclose any health information to third parties.
How Should You Store PHI?
While your company is responsible for securing its computer system and designing its collection notices to protect PHI, you also play a key role in this process. Don’t leave consumer information on your computer screen when you’re not at your desk, even if you just get up for a minute to get a drink of water.
Only print out documents containing PHI when you have a legitimate business reason to do so, and even then, you’ll need to dispose of those papers in a secure environment—a shredder your company uses for such a purpose, for example, not the day-to-day recycling bin by your desk.
Even written notes you leave on your desk referencing PHI can be considered a HIPAA violation, so either avoid doing this altogether or use HIPAA as good motivation to keep your desk clean and free of clutter, safely disposing of these written reminders as soon as possible.