
Is sending patients to collections a HIPAA violation?

While sending an account to collections is a standard healthcare practice, healthcare providers must understand how to navigate this process without violating HIPAA regulations.

Disclosing patient information to collections

§164.506 of the Privacy Rule states: “A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.” Debt collection falls under payment, so the disclosure itself is permitted; however, when sending a patient account to collections, the provider must still adhere to HIPAA’s requirements to avoid potential violations.

  • Minimize information disclosure: Only disclose the minimum necessary information needed for collection purposes. This means providing only financial details relevant to the debt, such as the amount owed, patient identifiers, and account information. Avoid disclosing sensitive medical information unless it directly impacts the collection process.
  • Business associate agreement (BAA): If the collections agency is considered a business associate, ensure that a BAA is in place.
  • Patient authorization: Generally, explicit patient authorization is not required to send an account to collections. However, any communication involving PHI must comply with HIPAA’s privacy and security rules. Make sure that your practice’s policies align with HIPAA requirements regarding disclosure and use of PHI.

Best practices for compliance

To ensure that you manage patient accounts in a HIPAA compliant manner, consider the following best practices:

  • Develop clear policies: Establish and document clear policies for handling patient accounts, including the process for sending accounts to collections. Ensure these policies are compliant with HIPAA regulations.
  • Train your staff: Provide regular training for staff on HIPAA compliance, especially regarding the handling of PHI. Make sure they understand the importance of protecting patient information during the collection process.
  • Secure communications: When transmitting patient information to a collections agency, use secure methods to prevent unauthorized access. For electronic communications, ensure that encryption and other security measures are in place.
  • Regular audits: Conduct regular audits of your collections practices to ensure ongoing compliance with HIPAA. Address any gaps or issues promptly to maintain compliance.
  • Review and update agreements: Regularly review and update BAAs to reflect any changes in regulations or business practices. Ensure that all agreements are current and enforceable.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What kind of information can be shared with a collections agency under HIPAA?

Under HIPAA, you should only share the minimum necessary information with a collections agency. This typically includes:

  • Financial details: Information about the amount owed.
  • Patient identifiers: Basic details such as the patient’s name and account number.
  • Account status: Current status of the patient’s account.
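The “minimum necessary” rule above (and the earlier bullet under “Disclosing patient information to collections”) is easiest to enforce in software as an allowlist applied to the billing record before anything is transmitted, rather than a blocklist of fields to strip. The following is an added example, not code from the original article or from any collections vendor; the field names, the allowlist, and the `record` sample are assumptions chosen for illustration, and a real practice would set the allowlist in its written policy.

```python
"""Minimum-necessary filter for a collections referral (added example).

The filter projects a full billing record down to an allowlist of fields a
collections agency needs, refuses to build a referral that would carry any
clinical data, and produces an audit entry listing exactly which fields
were disclosed, which supports the "regular audits" practice.
"""
from datetime import datetime, timezone

# Fields the agency needs to pursue the debt (assumed allowlist for this example).
COLLECTIONS_ALLOWLIST = frozenset({
    "patient_name",
    "account_number",
    "mailing_address",
    "amount_owed",
    "date_of_service",
    "account_status",
})

# Fields that are never part of a referral; used as a second, independent check
# so that a mistaken addition to the allowlist still cannot leak clinical data.
CLINICAL_FIELDS = frozenset({
    "diagnosis",
    "procedure_codes",
    "clinical_notes",
    "medications",
})

# The referral is useless to the agency without these, so their absence is an error.
REQUIRED_FIELDS = frozenset({"patient_name", "account_number", "amount_owed"})


class DisclosureError(ValueError):
    """Raised when a referral would violate the practice's disclosure policy."""


def build_referral(record: dict) -> dict:
    """Return only the allowlisted fields of `record`, or raise DisclosureError."""
    referral = {k: v for k, v in record.items() if k in COLLECTIONS_ALLOWLIST}

    leaked = set(referral) & CLINICAL_FIELDS
    if leaked:
        raise DisclosureError(f"clinical fields would be disclosed: {sorted(leaked)}")

    missing = REQUIRED_FIELDS - set(referral)
    if missing:
        raise DisclosureError(f"referral is missing required fields: {sorted(missing)}")

    return referral


def audit_entry(referral: dict, agency: str) -> dict:
    """Record what was disclosed to whom; field names only, never field values."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "recipient": agency,
        "account_number": referral["account_number"],
        "fields_disclosed": sorted(referral),
        "purpose": "payment",  # the §164.506 basis for the disclosure
    }


# Constructed sample record: a full billing record as the practice might hold it.
SAMPLE_RECORD = {
    "patient_name": "Example Patient",
    "account_number": "ACCT-0001",
    "mailing_address": "1 Example St, Anytown",
    "amount_owed": "250.00",
    "date_of_service": "2024-01-15",
    "account_status": "past_due_90",
    "diagnosis": "J45.20",          # must not reach the agency
    "clinical_notes": "...",        # must not reach the agency
    "insurance_member_id": "XYZ",   # not on the allowlist, so also dropped
}


if __name__ == "__main__":
    referral = build_referral(SAMPLE_RECORD)
    print(referral)
    print(audit_entry(referral, agency="Example Collections LLC"))
```

The allowlist is intentionally separate from the clinical blocklist: the allowlist defines the minimum necessary set, and the blocklist is a guard against someone later widening the allowlist by mistake. Keeping only field names in the audit entry means the audit trail itself does not become a second copy of PHI.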

Do I need patient authorization to send their account to collections?

No, you do not need explicit patient authorization to send their account to collections. However, any communication involving PHI must comply with HIPAA’s Privacy and Security Rules to ensure patient information is handled appropriately.

See also: What emails do not need patient authorization?