
OC response to HIPAA CRA Follow-up

Dear whychat, 

 

This account was showing on my reports. 

 

I completed the initial dispute to CRA, received a verified response, then completed the validation letter to the CA. Received a response from CA with original documents signed from OC. Sent HIPAA letter to OC with Cashier's Check; after it cleared I redisputed with CRA and sent the Follow-up cover to the OC.

 

Here's the response from the OC:

 

 

We are in receipt of your correspondence dated xx19 and your correspondence dated xx20. Thank you for your inquiries. This letter will serve as our response to the issues raised in your correspondence.

 

We disagree with your assertions that OC’s actions, as outlined in your correspondence, constitute a violation of HIPAA. In fact, the OC's actions were authorized by federal statute. HIPAA expressly permits the use of protected health information (PHI) for payment and business/healthcare operations purposes. These purposes include, but are not limited to, billing/collection matters. The OC has a Business Associate Agreement (BAA) in place with CRA. With this BAA in place, HIPAA permits the OC to disclose the information that is necessary in order for the Covered Entity (the OC) and the Business Associate (the Collection Agency) to effectuate the purpose. Here, that purpose is collecting payment that was appropriate and owed, and submission of information to credit reporting agencies.

 

Moreover, a guardian for Dear Daughter expressly authorized the OC to share information. A copy of the executed Financial Policy is enclosed. This policy specifically authorizes the OC to share information with other entities, including collection agencies, as necessary in order to obtain payment for services rendered.

 

In summary, collecting payment for healthcare services is a healthcare operation. Submission of PHI to a Business Associate to accomplish that healthcare operation is a permissible use under HIPAA. Additionally, Dear Daughter expressly authorized, through her guardian, the OC to share information with other entities as necessary to obtain payment, and this includes collection agencies. In light of these facts, there was no violation of HIPAA with respect to the issues raised in your correspondence.

 

 

Clearly this administrator thinks I claimed they already violated HIPAA, and doesn't understand. 

 

Any advice is appreciated for a response. 

 

 


Did they deposit the money order??

Is it off your reports?? 

 

Their response is accurate UP TO THE POINT that they accepted the payment.

Once they did they are no longer permitted to share data with the CA as the account has been paid in full.


AGREED! That's exactly how I interpret this process. Here's my proposed response.  What do you think?

 

**EDIT** They cashed the check, but it has not been removed from reports yet. 

 

 

 

Thank you for your attention to this matter and for your prompt reply.

 

Regretfully, the tone of your most recent correspondence suggests that you have not taken time to thoroughly understand the situation in which your office now stands.

 

First, although your office may allege compliance with HIPAA for the collections process thus initiated prior to my letter dated xx19, which contained a cashier’s check for payment in full on the account, your office’s actions beyond the receipt of payment in full are what could potentially result in a HIPAA violation. Thus, the impetus for my courtesy letter dated xx20.

 

I made no claim in my xx19 letter to you nor in the xx20 letter that your collections activities prior to the xx19 letter (and included payment) were illegal violations of privacy.

 

However, it must be noted that after xx19, when you received and accepted payment in full, your “permissible purposes” ended in respect to reporting my protected health information (PHI).

 

Per your Financial Policy and your own admission in your letter dated xx20, your claim to legally sharing my protected health information lies in “collecting payment that was appropriate and owed, and submission of information to credit reporting agencies.” As of your receipt of my xx19 letter and acceptance of payment, your “collection” activities ceased to exist, thereby removing your permissible purpose for reporting my personal private information to CA and consequently Equifax Information Services LLC.

 

Moreover, as guardian for Dear Daughter, I expressly requested that you refrain from information sharing as provided by §13405(a) of the HITECH Act. And, because the account was paid out-of-pocket, you as a covered entity are required to comply with my privacy request and refrain from disclosing information for the purposes of payment and business/healthcare operations.

 

You are required under the FCRA and FACTA to accurately report the status of any account to the credit bureaus, and you are prohibited under the HIPAA and State privacy regulations from doing so on a PAID account, as there is no longer any permitted business purpose.

 

Therefore, I am requesting you promptly rescind all such account information furnished to CA and require them to purge their records of all reference to this account, and that you ensure that any and all reporting of this account is immediately deleted from my credit reports.

 

This simple procedure to request the deletion of ALL reference to this account from the records of CA and to require them to have this account information deleted in its entirety from my credit reports will resolve this problem completely.

 

Please respond in writing within 10 days that you are processing this request.

 

I am reserving the right to take appropriate legal and civil action, including reporting to any applicable regulatory authorities any lack of cooperation or compliance with this request.

 

I hereby waive my rights under HIPAA and any State Privacy Act for the single purpose of your transmission of this request and accompanying documentation in any required report you must make to your E&O insurance carrier.

Edited by xoate0100


OK -- Great letter; however, wait another week and AFTER you have followed the program regarding follow-up disputes (follows insert "c" in the program)

https://whychat.me/hipltr.html

 

INSTRUCTIONS FOR FOLLOW UP TO "HIPAA" LETTER TO ORIGINAL CREDITOR HEALTH CARE PROVIDER
ALL FURTHER CORRESPONDENCE SHOULD BE SENT CMRR
 


Great thanks. Was looking back through some of my old posts, looks like I've run into this before. 

 

Seems like it might be the HIPAA officers acting out of prudence to respond to the HIPAA letter with payment and the subsequent follow-up. But when it comes down to it, they likely choose not to respond to any CRA disputes out of caution (I'd imagine that it's far more expensive to answer to a HIPAA/CFPB investigation than it is to simply pull the reporting after getting paid.)

 

I'll wait for the CRA to dispute and see if the baddie comes off in a couple weeks (I only sent redispute on Apr 15th, so it has only been 12 days).

 

Thanks for your thoughts, Whychat.


Update: 

 

After following the directions in the Hipltr follow-up, I redisputed with the credit bureau. They responded with:

 

"We verified that this item belongs to you. We have verified that this item has been reported correctly. THE FOLLOWING FIELDS HAVE BEEN MODIFIED: *STATUS DATE..."

 

The status date lists unpaid as of 05/2020.

 

This is obviously incorrect as I paid with Bank Cashier's check in 2019 and they cashed it. So they clearly have not "verified" anything because it's definitely paid at the very least (even though they aren't allowed to report it as such anyways).

 

Suggestions? 

 

Thanks, 

xoate

Edited by xoate0100


Was the account data you received from the reporting CA CURRENT DATA??

It is POSSIBLE that the reporting CA did not, does not have a current relationship to the OC.

 

Is it reporting on ALL your reports??

 

File a complaint against the CA with the CFPB

https://whychat.me/hipaaftccomp.html

In your complaint do NOT refer to your payment to the OC

Send copies to the CA, the CRAs and the OC

(In your copy to the OC state that this is for their records as (CA) has claimed a current business relationship with them)

4 hours ago, Why Chat said:

Was the account data you received from the reporting CA CURRENT DATA??

 

Not sure how I would tell if the CA is reporting Current DATA; it appears that they are NOT reporting current data as they apparently responded to the CRA with an "unpaid" status and updated date of 05/05 (recall I paid it 04/06).

4 hours ago, Why Chat said:

 

It is POSSIBLE that the reporting CA did not, does not have a current relationship to the OC.

I don't believe so; the OC definitely has a current relationship with the CA, they even confirm it in their "response" letter.

4 hours ago, Why Chat said:

Is it reporting on ALL your reports??

No, just EQ.

4 hours ago, Why Chat said:

File a complaint against the CA with the CFPB

https://whychat.me/hipaaftccomp.html

In your complaint do NOT refer to your payment to the OC

Send copies to the CA, the CRAs and the OC

(In your copy to the OC state that this is for their records as (CA) has claimed a current business relationship with them)

Sounds good. Am I to assume that I should not communicate with the OC or attempt to redispute? Is there room to send the letter I previously suggested reminding the OC of their responsibility to report accurately and the prohibition from sharing PHI?


Your copy of the complaint to the CFPB should work better as they are obviously stonewalling you on the HIPAA violation issue. I do not suggest the letter you drafted, although it is very good, as all it would do is enlarge on the same issue they are ignoring. The complaint to the CFPB includes a reference to further action/complaint to the OCR on the HIPAA violation.

 

 
