Debt collectors who collect medical debt must be sure they understand the difference between what information is permitted to be disclosed under the Fair Debt Collection Practices Act (FDCPA) and what is permitted under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The HIPAA Privacy Rule allows disclosure of protected health information (PHI) to third parties, if necessary. This does not allow a debt collector to disclose any information concerning the debt to these parties unless also permitted by the FDCPA. These two bodies of law do not conflict; however, they do not expand each other either.
Here's what your debt collection agents should know in each communications case:
Communication with a spouse or parent/guardian
Although the FDCPA permits communication with a consumer's spouse, parent or guardian, such communication may be restricted under the Privacy Rule. Therefore, a debt collector should exercise great caution when disclosing information to family, friends or other persons and limit the information disclosed.
Communication with a consumer's attorney
Communication with a consumer's attorney will depend in part upon the privacy policies and procedures of the covered entity and an assessment of risk. To ensure compliance, the safest approach is to require an authorization before any sharing of information, to properly document that the collector had authority to make the third-party disclosure of PHI.
Communication via an interpreter/relay service
A debt collector may use interpreter services to communicate with an individual who speaks a language other than English, or who is hearing impaired or deaf. A debt collector may disclose protected health information through an interpreter without the individual's authorization when:
- The interpreter is a member of the covered entity's or business associate's workforce.
- The interpreter is already a business associate of the covered entity.
Communication with a responsible party (other than the patient)
The definition of consumer under the FDCPA includes any party responsible for the payment of the debt; therefore, the patient may not be the only individual responsible for the payment of a medical debt. The Department of Health and Human Services (HHS) has stated the HIPAA Privacy Rule allows a debt collector to use and disclose PHI as may be required or permitted by state law in so far as the disclosure does not conflict with the Privacy Rule. Additionally, HHS notes that a debt collector is required to limit the amount of PHI that is disclosed for collection purposes to that which is the "minimum necessary," as well as abide by reasonable requests from patients for confidential communications.
Source: ACA International
At Call Center Services International (CCSI), we understand your compliance responsibilities. Our knowledge of the industry allows us to recruit and train call center agents who will integrate into your debt collection operation and meet compliance requirements. Read more about our debt collection solution here.