Health Information Compliance Alert

Privacy:

Expert Tips To Help You Cover Your Bill Collection Bases

Use our checklist to ensure your collector's compliance.

The last thing you need to worry about is whether your collection agency is mishandling patients' PHI.

Here's a breakdown of HIPAA's mandates for outsourced and in-house collections:

Sign A BAA With Outside Collectors

The first thing your practice must have when contracting with an outside collector is a business associate agreement (BAA), which allows you to legally share PHI or electronic PHI (e-PHI) with the collector, says Daniel Shepherd, an attorney with Singing River Hospital System in Ocean Springs, MS.

HIPAA requires the BAA "contain a number of provisions, including assurances that the collector will safeguard the confidentiality" of your patients' PHI, explains Wayne Miller, founding partner of the Compliance Law Group in Los Angeles. The BAA must be in addition to -- or part of -- the contract you sign with the collector, he adds.

Rule to live by: HIPAA allows certain payment-related PHI disclosures so that healthcare providers can use third-party collectors to keep business running -- but collectors must always comply with the "minimum necessary" rule as outlined in your BAA. You must "curtail your disclosures to just the amount you need to collect the account," he advises.

The minimum necessary amount of PHI "may vary depending on the case," Miller points out, but your PHI disclosures "should be limited in scope." For example, you might only release billing records pertaining to the particular days of service that you're trying to collect on, he says.

Note: Keep in mind that the Fair Debt Collection Practices Act (FDCPA) allows a debtor to dispute the validity of the debt and to request verification - and this may require you to disclose more of the patient's records to the collector.

Seek Satisfactory AssurancesOf Compliance

In addition to the safeguards in your BAA, HIPAA requires that you obtain satisfactory assurances from outside collectors and other business associates that they will appropriately safeguard PHI, notes Mary Falbo, president of Millennium Healthcare Consulting Inc. in Lansdale, PA.

Basically, you want proof the collector is "maintaining confidentiality and following other HIPAA standards, like ensuring only those who need to know have access to PHI," Miller adds. Here's a checklist of action points to help you gauge a collector's compliance efforts:

Tour the collector's offices to make sure the business looks legitimate, Miller suggests.

Look for a clear set of policies and procedures defining who has access to PHI.

Ask if all agency employees sign confidentiality agreements. Althoughcollection agents are already trained in HIPAA compliance, a confidentiality agreement certifies that employees know not to discuss or share PHI inappropriately, explains Paul Peach, president of Healthcare Collections Inc. in Phoenix.

Ensure that "e-mail and computer systems are well protected against hackers or persons without authority," Miller counsels.

Make sure the collector's document destruction policies are secure. Shredding everything with a PHI reference is usually best.

Your BAA should also spell out what will happen to your PHI when you end contracts with collectors. The best option is for the collector to return all PHI to the provider or destroy the information -- and never maintain any copies, Miller says.

Check to see that in-person payment areas allow privacy and prevent debtors from overseeing PHI just like the privacy safeguards in your own practice's reception area.

For In-house Collections, Use Your NPP

If you have an in-house collections policy of sending letters and making calls before forwarding past-due accounts to an outside collector, you should outline this policy in your Notice of Privacy Practices (NPP), Falbo says. That way, a patient won't be able to argue that you violated his privacy with a collection letter when he already signed a form agreeing to your policies.

Remember: A patient can request restrictions on how you contact him. And if your office agrees to such requests, the billing office must be aware of this so you don't send letters or make calls that violate this agreement, Shepherd advises. A patient will surely file a complaint if you disregard such an agreement.

Although your NPP will safeguard your collection efforts, you can play it safe by limiting the information in your collection letters. Avoid details about diagnoses and treatments whenever possible, and refer strictly to balance amounts for services on certain dates, Miller recommends.

The bottom line: Before you send another piece of patient information to your bill collection team or service, be sure you are taking all steps necessary to protect their information -- and remain compliant with HIPAA's rules.