Getting Payment for a Clean Bill of Health: Reconciling the Health Insurance Portability and Accountability Act ("HIPAA") with the Fair Debt Collection Practices Act ("FDCPA") for Health-Care Debt Collection

• Author: Kirsten N. Arnold
• Position: Kirsten N. Arnold: J.D. Candidate, The University of Iowa College of Law
• Pages: 05

Kirsten N. Arnold: J.D. Candidate, The University of Iowa College of Law, 2008. I thank my husband, Ben, and the rest of my family for their unconditional love and support. I thank the Editors and Student Writers of Volumes 92 and 93 of the Iowa Law Review for their excellent editorial assistance.

Page 607

I Introduction

Health-care costs have been a major issue in the United States for decades.¹ Health-care debt is such a significant problem for many consumers that half of bankruptcy filings can be at least partially attributed to health- care costs.² This is not surprising, considering that the Department of Health and Human Services, through its Agency for Healthcare Research and Quality, projected that, by 2008, the average U.S. citizen over the age of sixty-five will spend more than $11,000 annually on health-care costs.³Additionally, according to the National Consumer Law Center, third-party debt collectors contact about twenty percent of Americans concerning health-care-related debts.⁴

Health-care providers struggle with increased expenditures as well. Providers are coping with increased premiums for malpractice insurance, Page 608 which increased as much as fifteen percent (and even more for certain specialized areas) between 2000 and 2002.⁵ Additionally, providers are incurring tremendous costs due to the modern era of managed care-an era in which providers must make enormous expenditures in providing data to various groups.⁶

In the midst of these issues, providers struggle to find the proper, lawful way to collect health-care debts, while at the same time maintaining patient privacy. Two laws, the Health Insurance Portability and Accountability Act ("HIPAA")⁷ and the Fair Debt Collection Practices Act ("FDCPA"),⁸ attempt to deal with two different problems: patient privacy and consumer protection, respectively. HIPAA protects doctor-patient confidentiality through its privacy provision.⁹ The privacy provision requires that medical providers protect the confidentiality of patients' medical records by not disclosing identifying information.¹⁰ The FDCPA protects consumers through its validation requirements, in addition to its other provisions.¹¹ The validation requirements oblige creditors to substantiate claims for payment upon the debtor's request.¹² The laws conflict, however, in the collection of health-care debts through third-party debt collectors. The conflict results Page 609 because the combination of the two laws may force debtors to choose between divergent rights: if debtors demand validation of medical debts, they must allow third-party debt collectors or the debtors' attorneys to see their medical records in order to explain the source of charges. This, however, affects the debtor's right to doctor-patient confidentiality.¹³ The conflict between these laws requires a solution that protects Americans as both patients and consumers and gives health-care providers and debt collectors a clear blueprint for protecting patient rights as they attempt to collect legitimate debts.

Part II of this Note discusses the basis for patient privacy rights and the rights' importance in health-care quality. Part II also provides background information on both HIPAA and the FDCPA. Part III discusses the intersection of the laws and explains the conflict. Part IV analyzes possible solutions to the conflict, discussing the respective advantages and disadvantages of each. In conclusion, this Note argues that Congress should clarify the right of a medical-service provider to send debt validation directly to the patient-debtor in order to preserve patient privacy, while still allowing for the collection of legitimate debts. This is the simplest and most sensible option to protect the rights of both patient-debtors and health-care providers.

II The Basis For Patient Privacy And The Two Laws In Conflict

People have valued privacy rights for millennia, and privacy's importance stems from both ethical and practical considerations. Congress enacted HIPAA in 1996 in part to strengthen patient privacy in the United States.¹⁴ Congress has been determined to protect citizens in other areas of life as well. In furtherance of this goal, Congress enacted the FDCPA in 1977 to protect citizens in their capacities as consumers and debtors.¹⁵

Understanding the history of privacy and the background of both laws makes it clear that both patient privacy and consumer protection are necessary to the American legal and medical systems. Yet, the way that the two laws were written makes it unclear whether citizens may enjoy the full benefits of both. This problem arises very clearly in the context of medical debts.

Page 610

A The Importance Of Patient Privacy And Its Relationship To Doctor-Patient Confidentiality

Doctor-patient privacy is a statutory and ethical protection against disclosure of patients' health-related information to unauthorized third parties.¹⁶ Societies have revered privacy in health care since the work of Hippocrates.¹⁷ The Hippocratic oath states that when physicians are given private health-care information, they "'will keep silence thereon.'"¹⁸ The primary reason for the creation of doctor-patient confidentiality is the importance of trust between health-care providers and patients.¹⁹ If patients are able to trust their health-care providers, the patients will feel less hesitant to disclose potentially embarrassing or personal information, thereby giving the doctors all of the information necessary for accurate diagnosis and treatment.²⁰

The statutory protection of private patient information facilitates trust by ensuring patient privacy: it mandates that health-care providers cannot disclose this sensitive information unless authorized to do so.²¹ Courts have generally held that this protection extends not only to patients' verbal disclosures, but also to patients' medical records.²² Protecting patients' rights to private health-care information is vital to the quality and effectiveness of the U.S. national health-care infrastructure because it will almost certainly have a profound impact on many parts of patients' lives,²³including-but not limited to-their health.²⁴

Page 611

B The Health Insurance Portability And Accountability Act Of 1996 ("HIPAA")

Congress attempted to protect patient privacy through the privacy provisions of HIPAA.²⁵ Congress intended HIPAA to serve many goals. In particular, Congress anticipated that the Act would "improve portability and continuity of health insurance coverage in the group and individual markets[;] combat waste, fraud, and abuse in health insurance and health care delivery[;] improve access to long-term care services and coverage[; and] simplify the administration of health insurance."²⁶

Congress enacted parts of HIPAA to give Americans greater trust in the security of their medical information.²⁷ It was the first comprehensive medical-privacy law enacted by the federal government.²⁸ Among other provisions, HIPAA prohibits "wrongful disclosure of individually identifiable Page 612 health information."²⁹ The Administrative Simplification section defines the term "individually identifiable health information" as

any information, including demographic information collected from an individual, that-(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.³⁰

Thus, HIPAA established an initial outline of patient privacy, but more work was needed to ensure proper implementation of these ideals.

HIPAA's provisions mandated that Congress create standards of privacy to further explain the practical implementation of the Act; if Congress failed to follow this mandate, HIPAA included a back-up plan: the Secretary of Health and Human Services ("HHS") would then be required to do so.³¹Due to Congress's inaction, the Secretary fulfilled HIPAA's mandate to create standards of privacy,³² which became effective in 2003.³³ HHS has summarized its resulting Privacy Rule as an attempt to reach a compromise that "permits important uses of information, while protecting the privacy of people who seek care and healing."³⁴ In addition to the Privacy Rule, the Page 613 standards promulgated by HHS include criminal and civil penalties for a health-care provider's failure to comply with the privacy regulations.³⁵

HHS's regulations have helped to clarify the HIPAA privacy requirements. The relevant regulation of the privacy requirements, "Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations," describes allowable uses for protected health information.³⁶HHS promulgated these regulations in accordance with the HIPAA grant of authority³⁷ to the Secretary³⁸ in order "to prescribe standards, requirements, and implementation specifications under [HIPAA]."³⁹

According to the regulations, permitted disclosures include information revealed to another "covered entity" or other medical personnel to assist in payment for that covered entity's services.⁴⁰ The HHS regulations provide examples of what disclosures are...