
HIPAA & FCRA: The Legal Basis

FORM LETTER TO ORIGINAL HEALTH CARE PROVIDER

(Your Name)
(Address)
(City, State, Zip)
S.S. # (social security #)

HIPAA Compliance Office
(health care provider creditor)
(Address)

(Date)

Dear Sir/Madam:
This letter is in reference to (account #) for services provided to (name of patient) on
(date of service).
In regard to the bill on this account in the amount of ($___):
(Insert the appropriate insert here; see INSERTS below: (a), (b), or (c).)
Please be advised that under federal statutes, namely the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), (name of your State)'s consumer credit statutes, and Subtitle D of the ARRA, Sec. 13401 (Application of Security Provisions and Penalties to Business Associates of Covered Entities) and Sec. 13407(1) (Breach of Security: "The term 'breach of security' means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual."), you may be held liable for the actions of (collection agency name). Please note that the effective date for commencing enforcement of penalties against you for any vicarious liability is February 17, 2009.
The FCRA provides (15 U.S.C. § 1681s-2(a)):
(a) Duty of furnishers of information to provide accurate information.
(1) Prohibition.
(A) Reporting information with actual knowledge of errors.
A person shall not furnish any information relating to a consumer to any consumer reporting agency if the person knows or consciously avoids knowing that the information is inaccurate.
In addition, HIPAA, (name of your State)'s medical privacy statutes, and the privacy and penalty provisions of ARRA Subtitle D apply in this situation even though the health care services you provided may have predated the enactment of HIPAA or the ARRA.
The Privacy Rule prohibits a covered entity from using or disclosing an individual's protected health information ("PHI") unless specifically authorized by the individual or otherwise allowed under the Privacy Rule.
In general, PHI encompasses substantially all "individually identifiable health information" that is transmitted or maintained in any medium. "Individually identifiable health information" includes health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that relates to an individual's physical or mental health or condition, including information related to an individual's care or the PAYMENT for such care.
Your furnishing of my account information to (collection agency name) is not in compliance with HIPAA or (name of your State)'s Privacy Act, and any subsequent reporting of this account on my credit reports to (credit reporting bureaus) is a clear violation of Public Law 104-191 ("HIPAA"), since there can be no permissible business purpose in divulging protected health information to anyone on an account once there is no longer any payment due.
You are required under the FCRA and FACTA to accurately report the status of any account to the credit bureaus, and you are prohibited under HIPAA and State privacy regulations from doing so on a PAID account, as there is no longer any permitted business purpose.
Therefore I am requesting that you promptly rescind all such account information furnished to (collection agency), require them to purge their records of all reference to this account, and ensure that any and all reporting of this account is immediately deleted from my credit reports.
This simple procedure, requesting the deletion of ALL reference to this account from the records of (collection agency name) and requiring them to have this account information deleted in its entirety from my credit reports, will resolve this problem completely.
Please respond in writing within 10 days that you are processing this request.
I reserve the right to take appropriate legal and civil action, including reporting to any applicable regulatory authorities, for any lack of cooperation or compliance with this request.
I hereby waive my rights under HIPAA and any State Privacy Act for the single purpose of your transmission of this request and the accompanying documentation in any required report you must make to your E&O insurance carrier.
Sincerely,
(Signature)
(Your Name)
------------------------------------------------------------------------------------------------------------

INSERTS
..............................................................................................................
(Insert a)
Enclosed please find my remittance of ($___) for payment in full of this account.
(Insert this if the payment is less than billed:) This payment in full is for services as per the attached fee schedule from XXXX XXXX Health Care Billing Charts.
Please note that my remittance is payable ONLY to (hc provider) and may not be signed over or transferred to any third-party collection agency, as this would constitute an additional violation of HIPAA and State Privacy Act rules.
Copies of this correspondence and a copy of the remittance check may be used for any further actions with State or Federal agencies.
..............................................................................................................
(Insert b)
This account is in error.
It has either been paid, is a billing error, or was not transmitted in a timely manner to my insurance company.
It is not a valid bill and has been properly disputed; therefore I request complete deletion from all of your agent (name of CA)'s records and archives.
..............................................................................................................
(Insert c)
This is not my account.
It has been billed to me in error and has been properly disputed; therefore I request complete deletion from all of your agent (name of CA)'s records and archives.
..............................................................................................................
INSTRUCTIONS FOR FOLLOW-UP TO "HIPAA" LETTER TO ORIGINAL CREDITOR HEALTH CARE PROVIDER
ALL FURTHER CORRESPONDENCE SHOULD BE SENT CMRR (certified mail, return receipt requested)
1- Make sure any money order has been deposited, or that you have received the return receipt from your letter if insert "b" or "c" was used.
2- Send the follow-up letter posted below.
3- Send a copy of the follow-up letter to the OC (legal dept.) with the cover letter (which follows the letter to the CRA).
4- If the CRA responds with verification from the CA or the OC, file a complaint with the HIPAA administration for the OC's violation of the privacy rules of HIPAA, and with any available State Medical Privacy Act administration.
If they do NOT respond with any verification and the account is NOT deleted, file a civil suit against the OC and the CA for their liability for violations of the FCRA and FACTA.
5- DO NOT, under any circumstances, write to or correspond with the CA regarding this matter. Any correspondence or communication that YOU initiate, while not a waiver of your privacy rights under HIPAA, will impede any cause of action you might have, as the non-permitted "communication" would have come from YOU.
Please understand that the CA may have NO liability under HIPAA; they are NOT the health provider. They are not in any way covered under the provisions of the act for "old" accounts. However, if the account is "new", they ALSO must abide by all the privacy act rules, and if THEY violate them, they can also be named in your filed complaints.
Letter to CRA After HIPAA Letter
Use this AFTER you have received the green card back and received verification that any money order has been deposited (if using insert "a").
To (CRA name: Equifax, Experian, or TransUnion)
Sirs:
This is a dispute of account information on my credit report, (report #).
Please re-investigate (or investigate, if you have not previously disputed) the following disputed account on my credit report.
(Give CA name and account #.)
Please furnish me with verification that (CA name) is reporting this account from (OC name) for ($ amount) in my name.
I require the identification of the reporting party and the date of their verification.
Please be advised that this request is being made in accordance with the requirements of the FCRA and FACTA and the reporting privacy rules of HIPAA and (your State)'s Medical Privacy Act.
Sincerely,
(Your Name)

(Send a copy to the HIPAA Compliance Dept. of the OC health provider with the following cover letter.)

Cover Letter
(Your Name)
(Address)

HIPAA Compliance Office
(OC Name)
(Address)

Re: Letter of (date of original letter)
Account # (original account #)

Dear Sir or Madam:
Enclosed please find a copy of my letter(s) of dispute to (CRA(s)).
Please note that I am providing you with an additional opportunity to have this account removed from (CA) and deleted from my credit reports, if you have not already done so.
I have no desire to cause you unnecessary difficulty; however, this entry of my private health care information on my credit report, for an account that no longer has ANY permitted business purpose waiver since there is NO payment due, has caused injury to my credit reputation and has left me no choice but to proceed with the following:
Upon my receipt of the FCRA- and FACTA-mandated reply from (CRA), if the account has NOT been deleted in its entirety, I will take appropriate action to enforce my rights under HIPAA, the FCRA and FACTA rules, the ARRA, and (your State)'s Consumer Protection and Medical Privacy statutes.
Sincerely,
(Your Name)
HIPAA COMPLAINT PROCESS
FILING A HIPAA COMPLAINT
FTC COMPLAINT AGAINST CRA