Practice Management Alert

Put Your Collector Under the HIPAA Magnifying Glass

Use our expert checklist to ensure your third-party collector's compliance

You're already concerned about collecting past-due accounts, so the last thing you want to worry about is whether your collection agency is mishandling patients' PHI and exposing you to legal risk.

To fully protect your patients' protected health information (PHI), you need to know the HIPAA requirements that apply to both outsourced and in-house collections. Here's a breakdown of the HIPAA components you should be aware of for your own office and for your collector's.

For Outside Collectors, BAA Is Vital

The first thing your practice must have when contracting with an outside collector is a business associate agreement (BAA), which allows you to legally share PHI or electronic PHI (e-PHI) with the collector, says Robert Markette, an attorney with Gilliland & Caudill LLP in Indianapolis who specializes in HIPAA compliance.

HIPAA requires the BAA "contain a number of provisions, including assurances that the collector will safeguard the confidentiality" of your patients' PHI, says Wayne Miller, founding partner of the Compliance Law Group in Los Angeles. The BAA must be in addition to - or part of - the contract you sign with the collector, he adds.

Rule to live by: HIPAA allows certain payment-related PHI disclosures so healthcare providers can use third-party collectors to keep business running - but collectors must always comply with the "minimum necessary" rule as outlined in your BAA, Markette says. You must "curtail your disclosures to just the amount you need to collect the account," he says.

The minimum necessary amount of PHI "may vary depending on the case," Miller says, but your PHI disclosures "should be limited in scope." For example, you might only release billing records pertaining to the particular days of service that you're trying to collect on, he says.

Also: Keep in mind the Fair Debt Collection Practices Act (FDCPA) allows a debtor to dispute the validity of the debt and to request verification - and this may require you to disclose more of the patient's records to the collector, Markette says.

Seek Satisfactory Assurances of Compliance

In addition to the safeguards in your BAA, HIPAA requires that you obtain satisfactory assurances from your outside collector that it will appropriately safeguard PHI, says Mary Falbo, MBA, CPC, president of Millennium Healthcare Consulting Inc. in Lansdale, Pa.

Basically, you want proof the collector is "maintaining confidentiality and following other HIPAA standards, like ensuring only those who need to know have access to PHI," Miller adds. Here's a checklist of action points to help you gauge a collector's compliance efforts:

- Tour the collector's offices to make sure the business looks legitimate, Miller says.

- Look for a clear set of policies and procedures defining who has access to PHI.

- Ask if all agency employees sign confidentiality agreements. Although collection agents are already trained in HIPAA compliance, a confidentiality agreement certifies that employees know not to discuss or share PHI inappropriately, says Paul Peach, president of Healthcare Collections Inc. in Phoenix. All of Peach's employees sign a confidentiality agreement.

- Ensure that "e-mail and computer systems are well protected against hackers or persons without authority," Miller says.

- Make sure the collector's document-destruction policies are secure. Shredding everything with a PHI reference is usually best. Your BAA should also spell out what will happen to PHI when you end your contract with the collector, Miller says. The best option is for the collector to return all PHI to the provider or destroy the information - and never maintain any copies, he adds.

- Check to see that in-person payment areas allow privacy and prevent debtors from seeing PHI - just like the privacy safeguards in your own practice's reception area.

For In-House Collections, NPP Covers the Bases

If you have an in-house collections policy of sending letters and making calls before forwarding past-due accounts to an outside collector, you should outline this policy in your Notice of Privacy Practices (NPP), Falbo says. Because every patient must receive the NPP and be asked to sign an acknowledgment of receipt, this document helps shield your in-house collections from HIPAA complaints: a patient who has been notified that you use PHI for payment purposes has little ground to argue that a collection letter violated his privacy.

Pay attention: Under HIPAA, a patient can request restrictions on how you contact him. If your office agrees to such a request, the billing office must know about it so you don't send letters or make calls that violate the agreement, Markette says. A patient is likely to file a complaint if you disregard a restriction you have agreed to.

Minimum necessary: Although your NPP supports your collection efforts, you can further reduce HIPAA risk by limiting the information in your collection letters. Avoid details about diagnoses and treatments whenever possible, and refer strictly to balance amounts for services on specific dates, Miller says.

Editor's note: For more information, visit www.HIPAAcomply.com and www.healthprivacy.org/resources.
