HITECH Act's Changes to HIPAA Privacy Rule Soon Taking Effect

Covered entities and business associates subject to the HIPAA Privacy Rule, including health care providers and revenue cycle vendors, should take note that the amendments to the Rule brought about by the Health Information Technology for Economic and Clinical Health Act, §§13400-13424 of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), take effect February 17, 2010.

Previously, business associates' only liability for mishandling Protected Health Information (PHI) arose under the business associate's contract with the health care provider, and the only party responsible for ensuring the existence of a proper Business Associate Agreement was the provider itself. Under the amended regulations, a business associate can now be held directly responsible for improper use of PHI and for the failure to maintain proper policies for its protection.  §13404(a).

The HITECH Act makes the following provisions, previously directed at covered entities only, applicable to business associates:

• Administrative safeguards (45 C.F.R. § 164.308)
• Physical safeguards (45 C.F.R. § 164.310)
• Technical safeguards (45 C.F.R. § 164.312)
• Policies and documentation (45 C.F.R. § 164.316)

Additionally, while HIPAA previously required action on breaches only by covered entities, the HITECH Act requires business associates to take action on known breaches of their agreements by the covered entities they serve, including curing the breach themselves, terminating the agreement, and/or notifying the department of the covered entity's breach. §13404(b).

The breach notification requirements affecting covered entities and business associates have also changed. The HITECH Act requires notification by a covered entity to the individual whose PHI has been breached, within a reasonable time, not longer than 60 days. Business associates must notify covered entities of any breach within the same time period. The notice must be sent in writing via first class mail, and in the case where the breach concerns 10 or more individuals and the individuals cannot be located, notice must be posted on the breaching party's website and through public media. Notice regarding the breach must also be provided to the Secretary, immediately in the case of a breach concerning 500 or more individuals, and via an annual log in the case of a breach of fewer than 500 individuals. §13402.

The penalties for failing to comply with these provisions include criminal charges, §13409, and civil sanctions, §13410. 

From a practical standpoint, this means that agencies should implement their own documented policies for protecting PHI and should immediately ensure that a Business Associate Agreement is executed with the covered entities with which they do business. Covered entities should review the policies of each and every business associate. If an agreement already exists (which it should), it may need to be amended. It must limit the exchange and use of PHI to the minimum amount necessary for the business associate to carry out its function. HHS has a website discussing the recommended contract language, here. Our sample contract is found below. Note: the agreement requires customization based upon the use of PHI contemplated by the parties' business relationship.

Sample Business Associate Agreement

View more documents from Jorge M. Abril, P.A..

Update: Advanced Collection Strategies

Jorge Abril, partner at the law firm of Jorge M. Abril, P.A., will speak at a National Business Institute seminar entitled Advanced Collection Strategies, on March 2, 2010.  His lecture will include discussions on illegal collection practices and on collecting business / commercial debt.  More information, including registration instructions and costs, can be found here.  A brochure detailing this presentation can be found here.

Another Federal Circuit Holds Debt Collectors Can't Leave Voicemail Without Violating the FDCPA

The Fair Debt Collection Practices Act (FDCPA) prohibits a debt collector from disclosing information regarding the debt to third parties in the debtor's home (except the debtor's spouse). It also requires a debt collector to disclose to the debtor in the first communication and in every subsequent communication, whether written or oral, that the communication is from a debt collector and is an attempt to collect a debt. See generally 15 USC sections 1692c and 1692e.

When read together, these requirements make it very difficult, if not impossible, to leave manual or automated messages on debtor voicemail systems or answering machines. If the debt collector leaves a message on a debtor's answering machine indicating its identity as a debt collector and the message is retrieved or overheard by a third party in the household, the debt collector has violated the first prohibition. If it leaves the message without the disclosure that the communication from the debt collector, it violates the second prohibition.

Another Federal Circuit weighed in on this predicament last week. The Eleventh Circuit (the Appeals Court residing over Florida's District Courts) held in Edwards v. Niagara Credit Solutions, Inc. (No. 08-17006, Decided October 14, 2009) that while it may prove difficult for a debt collector to balance these prohibitions, there is no guaranteed right to leave messages under the FDCPA, and if a debt collector believes these provisions read together make it impossible to leave messages without violating the FDCPA, it should not leave messages at all.

This is not a novel decision. The seminal case emerged from the Southern District of New York in 2006, Foti v. NCO Fin. Sys., 424 F.Supp.2d 643 (S.D.N.Y. 2006). It confirmed that both disclosing the identity as a debt collector and failing to disclose the identity as a debt collector on a machine or voicemail (whether through an automated call or a manual one) constitute an FDCPA violation. Florida District Courts have agreed. See Berg v. Merchant's Ass'n Collection Division, Inc., 586 F.Supp.2d 1336 (S.D. Fla. 2008); Belin v. Litton Loan Servicing, LP, 2006 WL 1992410 (M.D. Fla. 2006). The judges in these cases heard (and dismissed) many different arguments regarding Foti's reading of the FDCPA, from arguments that it is against public policy in general to arguments that it is an unconstitutional restriction on free commercial speech.

But this most recent installment discusses the situation from the perspective of the bona fide error defense, which we have detailed in prior posts and discussed on the Debt Collection Regulations Forum on LinkedIn (username and password required). Niagara argued that it's policy to not disclose its identity was a decision it made so as to avoid violation of the provision prohibiting disclosure to a third party. It had already conceded that it in fact violated the FDCPA, and I think at this point all authority indicates that it did. Thus, the only question before the Court was whether a debt collector can avoid liability under the bona fide error defense when it intentionally violates one provision of the FDCPA in order to comply with another.

Not surprisingly, the Court answered the question in the negative, holding that one cannot 'destroy the village to save it.' It reasoned that none of the three elements of a bona fide error were present. The testimony indicated that the policy was instituted on purpose, which means the violation was not unintentional. It also indicated that the debt collector was well aware that the policy would result in a violation of the meaningful disclosure requirement, and thus the violation was not bona fide or objectively reasonable, inasmuch as it was not a mistake at all. Finally, with respect to the third requirement, procedures reasonably adapted to avoid the error, the Court relied without explanation on the trial court's finding that this element was not satisfied.

If it wasn't previously abundantly clear, it should be now: leaving automated voice messages is problematic at best. Whenever possible, upon initial debtor contact the debt collector should get authorization from the debtor to leave a message on subsequent calls if the debtor is unavailable. And absent this preauthorization (which may rarely be given), debt collectors should be very careful to leave messages at all. With respect to the challenges this presents to debt collectors, courts are almost universally in agreement: Congress provides the only appropriate forum for raising public policy arguments regarding the FDCPA, and I think consumer advocates and creditor's rights attorneys can agree- the FDCPA needs to be updated (see a recent conversation I had with Bob Lawless on his blog, Credit Slips.)

Chrysler Fraudulent Transfer Case Study Part II - Constructive Fraudulent Transfer Under the Bankruptcy Code and the Uniform Fraudulent Transfer Act

It is now time for Part II of our fraudulent transfer case study, where we discuss constructive fraudulent transfers under the Bankruptcy Code and the Uniform Fraudulent Transfer Act. This installment is being posted on our JD Supra page, as its content proves too long for a single blog post. Click here to view the article. In Part III, coming soon, we will discuss the challenges to pleading and proving a case of intentional fraudulent transfer.

Availability of the FDCPA's Bona Fide Error Defense to Debt Collectors Who Don't Seek Legal Advice

A recent Federal case has suggested that it is difficult, if not impossible, for a debt collector to shield itself from liability for violation of the Fair Debt Collection Practices Act (FDCPA) due to a misunderstanding of the law unless it has sought the advice of legal counsel or a governmental agency.

In Ruth v. Triumph Partnerships, et.al., decided by the U.S. Court of Appeals for the Seventh Circuit in August, the Plaintiff consumer filed a class action lawsuit alleging that the Defendant collector violated the FDCPA by notifying the consumer that information related to the debt could be shared with third parties for the purposes of servicing the account unless the debtor completed and returned an included "Opt-Out Response Form" (a violation of the provision precluding threats of action that cannot legally be taken). The collector defended on the ground that because after soliciting sample letters from a vendor, submitting the notice to the collector's compliance department for approval, and consulting applicable industry publications, it had concluded that the language was required under the Gramm-Leach-Bliley Act's notice provisions and not in violation of the FDCPA, the collector could avoid liability under the bona fide error defense.


The court disagreed. It first recited the elements of the FDCPA's bona fide error defense: (1) that the violation was unintentional, (2) that the violation resulted from a bona fide error, and (3) that the error occurred despite the collector's maintenance of procedures reasonably adapted to avoid the error. The court then noted a circuit split currently existing as to whether the bona fide error defense applies to legal errors like the one in this case at all, and the U.S. Supreme Court's recent granting of certiorari in Jerman v. Carlisle, McNellie, Rini, Kramer & Ulrich on that very issue. The Second, Eighth, and Ninth Circuits currently hold that the bona fide error defense applies only to clerical errors, and not mistakes of law, while the Sixth and Tenth Circuits have held that mistakes of law do qualify for the bona fide error defense.

The Ruth court declined to take a side in the circuit split, finding that even if the bona fide error defense is available to collectors who commit an FDCPA violation as a result of a misunderstanding of the law, the defense was not available to the collector in the case at bar because it had not taken actions sufficient to satisfy the requisite third element of the defense.  In order to satisfy this element, the court held, it was not enough to consult industry pamphlets and attend FDCPA compliance training; but rather:

"if the bona fide error defense is available at all for errors of law, it is available only to debt collectors who can establish that they reasonably relied on either: (1) the legal opinion of an attorney who has conducted the appropriate legal research, or (2) the opinion of another person or organization with expertise in the relevant area of law—for example, the appropriate government agency."

Therefore, in the absence of record evidence that the collector sought an opinion from a legal or regulatory authority, the court entered judgment against the collector on the availability of the bona fide error defense.

This decision should be of note to collectors, especially if the U.S. Supreme Court sides with the Sixth and Tenth Circuits in the case before it (which will be monitored on this blog, and more on which can be read here, and the lower court's decision here).  Obtaining a legal opinion from an experienced attorney is a relatively inexpensive endeavor (sometimes less than $1,000) when compared to potential liability in an FDCPA class action lawsuit (which could be up to $500,000 or more, plus costs and attorney's fees).