HIPAA & FCRA The Legal Basis

FORM LETTER TO ORIGINAL HEALTH CARE PROVIDER
(Your Name) (address) (City,State, zip) s.s.# (social security #) HIPAA Compliance Office ( health care provider creditor) (address) (date) Dear Sir/Madam; This letter is in reference to (account #) for services provided to (name of patient) on (date of service). In regard to the bill on this account in the amount of ($___): Insert correct insert here:( see inserts) (a) (b) or (c) Please be advised that under Federal Statutes. the Fair Credit Reporting Act, (15 U.S.C. § 1681 et seq)and (name of your State)'s Consumer Credit Statutes,and subtitle D of the ARRA ,SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES;and SEC. 13407(1) BREACH OF SECURITY.—The term ‘‘breach of security’’ means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. you may be held liable for the actions of (collection agency name). Please note that the effective date for commencing enforcement of penalties against you for any vicarious liability is February 17, 2009. (a) Duty of furnishers of information to provide accurate information. (1) Prohibition. (A) Reporting information with actual knowledge of errors. A person shall not furnish any information relating to a consumer to any consumer reporting agency if the person knows or consciously avoids knowing that the information is inaccurate.

In addition, the HIPAA and (name of your State)'s Medical Privacy Statutes and the penalty provisions of the ARRA section D, privacy provisions are in effect in this situation even though the health care services you provided may have been prior to enactment of HIPAA or ARRA . The Privacy Rules prohibits a covered entity from using or disclosing an individual's protected health information ("PHI") unless specifically authorized by the individual or otherwise allowed under the Privacy Rules. In general, PHI encompasses substantially all "individually identifiable health information" that is transmitted or maintained in any medium. "Individually identifiable health information" includes health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that relates to an individual's physical or mental health or condition, including information related to an individual's care or the PAYMENT for such care. Your furnishing of my account information to (collection agency name), is not in compliance with HIPAA,or (name of your State}'s Privacy Act, and any subsequent reporting of this account on my credit reports to (credit reporting bureaus) is a clear violation of Public Law 104-191 ("HIPAA") since there can be no permissible business purpose in divulging protected health information to anyone on an account once there is no longer any payment due. You are required under the FCRA and FACTA to accurately report the status of any account to the credit bureaus, and you are prohibited under the HIPAA and State privacy regulations from doing so on a PAID account, as there is no longer any permitted business purpose. Therefore I am requesting you promptly rescind all such account information furnished to (collection agency) and require them to purge their records of all reference to this account, and that you insure that any and all reporting of this account is immediately deleted from my credit reports. This simple procedure to request the deletion of ALL reference to this account from the records of ( collection agency name) and to require them to have this account information deleted in its entirety from my credit reports will resolve this problem completely. Please respond, in writing within 10 days that you are processing this request. I am reserving the right, to take appropriate legal and civil action including reporting to any applicable regulatory authorities any lack of cooperation or compliance with this request. I hereby waive my rights under HIPAA and any State Privacy Act for the single purpose of your transmission of this request and accompanying documentation in any required report you must make to your E &O insurance carrier. Sincerely,

signature (Your Name) -----------------------------------------------------------------------------------------------------------

INSERTS
.............................................................................. ............................................. (insert a) Enclosed please find my remittance of ($___) for payment in full of this account. (insert this if the payment is less than billed)This payment in full is for services as per the attached fee schedule from XXXX XXXX) Health Care Billing Charts Please note, my remittance is payable ONLY to (hc provider) and may not be signed over or transferred to any third party collection agency, as this would constitute an additional violation of HIPAA and State Privacy Act rules . Copies of this correspondence and a copy of the remittance check may be used for any further actions with State or Federal agencies .......................................................................... .............................................. (insert b) This account is in error. It has either been paid, is a billing error,or was not transmitted in a timely manner to my insurance company. It is not a valid bill and has been properly disputed, therefore I request complete deletion from all your agent (name of CA)'s records and archives. .......................................................................... ............................................... (insert c) This is not my account, It has been billed to me in error. and has been properly disputed, therefore I request complete deletion from all your agent ( name of CA)'s records and archives. .......................................................................... ................................................

INSTRUCTIONS FOR FOLLOW UP TO "HIPAA" LETTER TO ORIGINAL CREDITOR HEALTH CARE PROVIDER
ALL FURTHER CORRESPONDENCE SHOULD BE SENT CMRR 1Make sure any money order has been deposited ,or you have received a return receipt from your letter if insert "b" or "c" were used. 2Send the follow up letter posted below. 3Send a copy of the follow up letter to the OC (legal dept) with the cover letter, (follows letter to CRA) 4If the CRA responds with verification from the CA or the OC, file a complaint with the HIPAA administration for the OC's violation of the privacy rules of HIPAA,and with any available State's Medical Privacy Act administration. If they do NOT respond with any verification and the account is NOT deleted, file a civil suit against the OC and the CA for their liability for violations of the FCRA and FACTA. 5DO NOT under any circumstances, write or correspond with the CA regarding this matter, any correspondence or communication that YOU instigate, while not a waiver of your privacy rights under HIPAA, will impede any cause of action you might have as the non permitted "communication" would have come from YOU. Please understand, the CA may have NO liability under HIPAA, they are NOT the health provider. They are not in any way covered under the provisions of the act for "old accounts", however, if the account is "new" they ALSO must abide by all the privacy act rules,if THEY violate, they can also be named in your filed complaints. Letter To Cra After HIPAA Letter Use this AFTER you have received the green card back and received verification that any money order has been deposited (if using insert "a") To Equiexptu Sirs; This is a dispute of account information on my credit report, (report #)

Please re-investigate (or investigate if you have not previously disputed) the following disputed account on my credit report. (give CA name and acct. #) Please furnish me with verification that (CA name) is reporting this account from (OC name) for ($ amount) in my name. I require the identification of the reporting party and the date of their verification. Please be advised that this request is being made in accordance with the requirements of the FCRA and FACTA and the reporting privacy rules of the HIPAA and (your State)'s Medical Privacy Act. Sincerely, Ido N Tnow

(Send a copy to the HIPAA Compliance Dept. of the OC health provider with the following cover letter)
Cover Letter Your Name Address HIPAA Compliance Office OC Name Address Re: Letter of (date of orginal letter) Account #(original account #) Dear Sir or Madam; Enclosed please find a copy of my letter(s) of dispute to (CRA (s)). Please note, I am providing you with an additional opportunity to have this account removed from (CA) and deleted from my credit reports if you have not already done so. I have no desire to cause you unnecessary difficulty,however,this entry of my private health care information,on my credit report, for an account that no longer has ANY permitted business purpose waiver since there is NO payment due, has caused injury to my credit reputation,and has left me no choice but to proceed with the following: Upon my receipt of the FCRA and FACTA mandated reply from (CRA),if the account has NOT been deleted in its entirety,I will take appropriate action to enforce my rights under the HIPAA, FCRA and FACTA rules, ARRA and (your State)'s Consumer

Protection and Medical Privacy statutes. Sincerely, HIPAA COMPLAINT PROCESS FILING A HIPAA COMPLAINT FTC COMPLAINT AGAINST CRA