Put Your Collector Under the HIPAA Magnifying Glass
Published on Fri Mar 18, 2005
Use our expert checklist to ensure your third-party collector's compliance
You're already concerned about collecting past-due accounts, so the last thing you want to worry about is whether your collection agency is mishandling patients' PHI and exposing you to legal risk.
You need to know the HIPAA regulations governing compliance for outsourced collections and in-house collections if you plan on fully protecting your patients' personal health information (PHI). Here's a breakdown of the necessary HIPAA components you should be aware of for your office and your collector's.

For Outside Collectors, BAA Is Vital

The first thing your practice must have when contracting with an outside collector is a business associate agreement (BAA), which allows you to legally share PHI or electronic PHI (e-PHI) with the collector, says Robert Markette, an attorney with Gilliland & Caudill LLP in Indianapolis who specializes in HIPAA compliance.
HIPAA requires the BAA "contain a number of provisions, including assurances that the collector will safeguard the confidentiality" of your patients' PHI, says Wayne Miller, founding partner of the Compliance Law Group in Los Angeles. The BAA must be in addition to - or part of - the contract you sign with the collector, he adds.
Rule to live by: HIPAA allows certain payment-related PHI disclosures so healthcare providers can use third-party collectors to keep business running - but collectors must always comply with the "minimum necessary" rule as outlined in your BAA, Markette says. You must "curtail your disclosures to just the amount you need to collect the account," he says.
The minimum necessary amount of PHI "may vary depending on the case," Miller says, but your PHI disclosures "should be limited in scope." For example, you might only release billing records pertaining to the particular days of service that you're trying to collect on, he says.
Also: Keep in mind the Fair Debt Collection Practices Act (FDCPA) allows a debtor to dispute the validity of the debt and to request verification - and this may require you to disclose more of the patient's records to the collector, Markette says.

Seek Satisfactory Assurances of Compliance

In addition to the safeguards in your BAA, HIPAA requires that you obtain satisfactory assurances from your outside collector that it will appropriately safeguard PHI, says Mary Falbo, MBA, CPC, president of Millennium Healthcare Consulting Inc. in Lansdale, Pa.
Basically, you want proof the collector is "maintaining confidentiality and following other HIPAA standards, like ensuring only those who need to know have access to PHI," Miller adds. Here's a checklist of action points to help you gauge a collector's compliance efforts:
- Tour the collector's offices to make sure the business looks legitimate, Miller says.
- Look for a clear set of policies and procedures defining who has [...]