This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Fair Debt Collection Practices Act (FDCPA). It summarizes that HIPAA establishes national standards for protecting individuals' personal health information and applies to health plans, providers, and clearinghouses. It also notes that the FDCPA aims to eliminate abusive debt collection practices and applies to debt collectors. Violations of these acts that could affect the reader are discussed.

1. HIPAA & FDCPA
HOW DO THESE ACTS EFFECT ME
This presentation is a summary of HIPAA and FDCPA
and not a complete and comprehensive guide to
compliance. In the event of a conflict between this
summary and the Rule, the Rule governs.

2. SUMMARY OF THE HIPAA PRIVACY RULE
• The Standards for Privacy of Individually Identifiable
Health Information (“Privacy Rule”) establishes, for the
first time, a set of national standards for the protection
of certain health information.

3. SUMMARY OF THE HIPAA PRIVACY RULE
• The U.S. Department of Health and Human Services
(“HHS”) issued the Privacy Rule to implement the
requirement of the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”).

4. SUMMARY OF THE HIPAA PRIVACY RULE
• A major goal of the Privacy Rule is to assure that
individuals’ health information is properly protected
while allowing the flow of health information needed to
provide and promote high quality health care and to
protect the public's health and well being.

5. SUMMARY OF THE HIPAA PRIVACY RULE
• The Privacy Rule standards address the use and
disclosure of individuals’ health information - called
“protected health information” by organizations subject
to the Privacy Rule – called “covered entities,”

6. Statutory & Regulatory
Background
• The Health Insurance Portability and Accountability Act
of 1996 (HIPAA), Public Law 104-191, was enacted on
August 21, 1996. Sections 261 through 264 of HIPAA
require the Secretary of HHS to publicize standards for
the electronic exchange, privacy and security of health
information. Collectively these are known as the
Administrative Simplification provisions.

7. Statutory & Regulatory
Background
• HIPAA required the Secretary to issue privacy
regulations governing individually identifiable health
information, if Congress did not enact privacy
legislation within three years of the passage of HIPAA.
• Because Congress did not enact privacy legislation,
HHS developed a proposed rule and released it for
public comment on November 3, 1999.
• In March 2002, the Department proposed and released
for public comment modifications to the Privacy Rule.

8. Who is Covered by the
Privacy Rule
• Health Plans. Individual and group plans that provide
or pay the cost of medical care are covered entities.

9. Who is Covered by the
Privacy Rule
• Health Plans. Individual and group plans that provide or pay
the cost of medical care are covered entities.
• Include, health, dental, vision, prescription drug insurers,
HMOs, Medicare, Medicaid, etc.

10. Who is Covered by the
Privacy Rule
• Health Care Providers. Every health care provider,
regardless of size, who electronically transmits health
information in connection with certain transactions, is a
covered entity.

11. Who is Covered by the
Privacy Rule
• Health care providers include all “providers of services”
(e.g., institutional providers such as hospitals) and
“providers of medical or health services” (e.g., non-institutional
providers such as physicians, dentists and
other practitioners) as defined by Medicare, and any
other person or organization that furnishes, bills, or is
paid for health care.

12. Who is Covered by the
Privacy Rule
• Health Care Clearinghouses. Health care clearinghouses are
entities that process nonstandard information they receive from
another entity into a standard (i.e., standard format or data
content), or vice versa.
• Health care clearinghouses include billing services, repricing
companies, community health management information
systems, and value-added networks and switches if these
entities perform clearinghouse functions

13. Business
Associates
• Business Associate Defined. In general, a business
associate is a person or organization, other than a
member of a covered entity's workforce, that performs
certain functions or activities on behalf of, or provides
certain services to, a covered entity that involve the use
or disclosure of individually identifiable health
information.

14. Business
Associates
• Business associate functions or activities on behalf of a
covered entity include claims processing, data analysis,
utilization review, and billing. Business associate
services to a covered entity are limited to legal,
actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial
services.

15. Business
Associates
• However, persons or organizations are not considered
business associates if their functions or services do not
involve the use or disclosure of protected health
information, and where any access to protected health
information by such persons would be incidental, if at
all.

16. Business Associates
Contract
• When a covered entity uses a contractor or other non-workforce
member to perform "business associate"
services or activities, the Rule requires that the covered
entity include certain protections for the information in a
business associate agreement

17. Business Associates
Contract
• In the business associate contract, a covered entity
must impose specified written safeguards on the
individually identifiable health information used or
disclosed by its business associates

18. What Information is
Protected
• The Privacy Rule protects all "individually identifiable
health information" held or transmitted by a covered
entity or its business associate, in any form or media,
whether electronic, paper, or oral.
• The Privacy Rule calls this information "protected
health information (PHI)

19. What Information is
Protected
• “Individually identifiable health information” is
information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health
or condition
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health
care to the individual

20. What Information is
Protected
• Any information which identifies the individual or for
which there is a reasonable basis to believe can be
used to identify the individual.
• Individually identifiable health information includes
many common identifiers (e.g., name, address, birth
date, Social Security Number).

21. What Information is
Protected
• The Privacy Rule excludes from protected health
information employment records that a covered entity
maintains in its capacity as an employer and education
and certain other records subject to, or defined in, the
Family Educational Rights and Privacy Act, 20 U.S.C.
§1232g.

22. General Principle for
Uses and Disclosures
• Basic Principle. A major purpose of the Privacy Rule is to
define and limit the circumstances in which an individual’s
protected heath information may be used or disclosed by
covered entities. A covered entity may not use or disclose
protected health information, except either:
• (1) as the Privacy Rule permits or requires; or
• (2) as the individual who is the subject of the information (or
the individual’s personal representative) authorizes in writing

23. Limiting Uses and Disclosures
to the Minimum Necessary
• Reasonable Reliance. Similarly, a covered entity may rely
upon requests as being the minimum necessary protected
health information from:
• a professional (such as an attorney or accountant) who is the
covered entity’s business associate, seeking the information to
provide services to or for the covered entity;

24. Data Safeguards
• A covered entity must maintain reasonable and appropriate
administrative, technical, and physical safeguards to prevent
intentional or unintentional use or disclosure of protected
health information in violation of the Privacy Rule and to limit its
incidental use and disclosure pursuant to otherwise permitted
or required use or disclosure

25. Complaints
• A covered entity must have procedures for individuals
to complain about its compliance with its privacy
policies and procedures and the Privacy Rule. The
covered entity must explain those procedures in its
privacy practices notice.72
• Among other things, the covered entity must identify to
whom individuals can submit complaints to at the
covered entity and advise that complaints also can be
submitted to the Secretary of HHS.

26. State Law
• Preemption. In general, State laws that are contrary to the
Privacy Rule are preempted by the federal requirements, which
means that the federal requirements will apply. “Contrary”
means that it would be impossible for a covered entity to
comply with both the State and federal requirements, or that
the provision of State law is an obstacle to accomplishing the
full purposes and objectives of the Administrative Simplification
provisions of HIPAA.

27. Criminal Penalties
• A person who knowingly obtains or discloses individually
identifiable health information in violation of HIPAA faces a fine
of $50,000 and up to one-year imprisonment. The criminal
penalties increase to $100,000 and up to five years
imprisonment if the wrongful conduct involves false pretenses,
and to $250,000

28. THE FAIR DEBT COLLECTION
PRACTICES ACT
• It is the purpose of this title to eliminate abusive debt collection
practices by debt collectors, to insure that those debt collectors
who refrain from using abusive debt collection practices are not
competitively disadvantaged, and to promote consistent State
action to protect consumers against debt collection abuses.

29. THE FAIR DEBT COLLECTION
PRACTICES ACT
• The term “debt collector” means any person who uses
any instrumentality of interstate commerce or the mails
in any business the principal purpose of which is the
collection of any debts, or who regularly collects or
attempts to collect, directly or indirectly, debts owed or
due or asserted to be owed or due another.

30. THE FAIR DEBT COLLECTION
PRACTICES ACT
• The term does not
• any person while serving or attempting to serve legal
process on any other person in connection with the
judicial enforcement of any debt;

31. THE FAIR DEBT COLLECTION
PRACTICES ACT
• Consumer” defined
• For the purpose of this section, the term “consumer”
includes the consumer’s spouse, parent (if the
consumer is a minor), guardian, executor, or
administrator.

32. FDCPA VIOLATION TRIGGER(S)
• 805. Communication in connection with debt
collection
• if the debt collector knows the consumer is represented
by an attorney with respect to such debt
Communication with third parties

33. FDCPA VIOLATION TRIGGER(S)
• 806. Harassment or abuse
• The use or threat of use of violence or other criminal
means to harm the physical person, reputation, or
property of any person.
• The use of obscene or profane language or language
the natural consequence of which is to abuse the
hearer or reader.

34. FDCPA VIOLATION TRIGGER(S)
• 806. Harassment or abuse
• Causing a telephone to ring or engaging any person in
telephone conversation repeatedly or continuously with
intent to annoy, abuse, or harass any person at the
called number.

35. FDCPA VIOLATION TRIGGER(S)
• 807. False or misleading representations
• The threat to take any action that cannot legally be
taken or that is not intended to be taken.
• The use of any business, company, or organization
name other than the true name of the debt collector’s
business, company, or organization.

36. FDCPA VIOLATION TRIGGER(S)
• 811. Legal actions by debt collectors
• Venue - Any debt collector who brings any legal action
on a debt against any consumer shall—
• (1) in the case of an action to enforce an interest in real
property securing the consumer’s obligation, bring such
action only in a judicial district or similar legal entity in
which such real property is located; or

37. FDCPA VIOLATION TRIGGER(S)
• 811. Legal actions by debt collectors
• (2) in the case of an action not described in paragraph
(1), bring such action only in the judicial district or
similar legal entity -
• (A) in which such consumer signed the contract sued
upon; or
• (B) in which such consumer resides at the
commencement of the action.

38. FDCPA VIOLATION TRIGGER(S)
• 813. Civil liability
• Amount of damages
• Except as otherwise provided by this section, any debt
collector who fails to comply with any provision of this
title with respect to any person is liable to such person
in an amount equal to the sum of -
• (1) any actual damage sustained by such person as a
result of such failure;

39. FDCPA VIOLATION TRIGGER(S)
• 813. Civil liability
• (2) (A) in the case of any action by an individual, such
additional damages as the court may allow, but not
exceeding $1,000; or
• (B) in the case of a class action,
• (i) such amount for each named plaintiff as could be
recovered under subparagraph (A), and

40. FDCPA VIOLATION TRIGGER(S)
• 813. Civil liability
• (ii) such amount as the court may allow for all
• other class members, without regard to a minimum
• individual recovery, not to exceed the
• lesser of $500,000 or 1 per centum of the net
• worth of the debt collector;

41. FDCPA VIOLATION TRIGGER(S)
• 813. Civil liability
• (3) in the case of any successful action to enforce the
foregoing liability, the costs of the action, together with
a reasonable attorney’s fee as determined by the court.
On a finding by the court that an action under this
section was brought in bad faith and for the purpose of
harassment, the court may award to the defendant
attorney’s fees reasonable in relation to the work
expended and costs.

42. HOW CAN THIS AFFECT ME
• HIPAA does not apply to process serves
• FDCPA exempts process servers
• Why bore me with the mess, I seem protected

43. HOW CAN THIS AFFECT ME
• Term “You” meaning you, your company, your
administrative staff or your process server(s)

44. HOW CAN THIS AFFECT ME
• HIPPA violations made against you to your client
• FDCPA violations made against you
• Discussion