HIPAA and FCRA

Bob McComasBob McComas 2 Posts
in HR & Employment Law Vote Up0Vote Down
Does the Fair Credit Reporting Act allow for reporting of PHI under HIPAA? Since the PHI would be considered a consumer report, does the law allow for dissemination of the information even if there is an authorized release by the applicant? This was a question from one of my clients, and I did not have an informed answer.
Share on Facebook Share on Twitter

Comments

  • 1 Comment sorted by Votes Date Added
  • santiresantire 48 Posts
    PMVote Up0Vote Down
    Bob, the question you pose could have a clear answer or could be too early for an answer. It is definetly a very good question and an appropriate one for your clients to address. The potential conflict between HIPAA and the FCRA has been addressed by the Dept. of Health & Human Services which drafted the Privacy Rule as directed by the HIPAA legislation. However, that interpretation was made in the middle of the year 2001. Since then, a significant set of revisions have been proposed for the Privacy Rule and the final form of the revised rule is to be published in August of this year. Before I address what that interpretation said, I would also like to point out that since you are in Texas your question could be impacted by a piece of legislation passed by Texas in September of 2001, the state’s version of HIPAA which is actually broader than HIPAA and for which the Texas Dept. of Insurance is promulgating regulations. That Texas legislation was SB-11 which is titled the Texas Medical Privacy Act. I do not believe that the Texas legislation would impact on your particular question though the possibility exists. Getting back to HIPAA and FCRA, the HHS interpretation said that HIPAA would not prevent reporting a consumer’s information pursuant to the FCRA in response to a proper request concerning payment. Note that the Privacy Rule defines “payment” as including reports to consumer reporting agencies but such disclosure is limited to elements of PHI consisting of the person’s name, address, birth date, social security number, and payment history. It clearly does not encompass actual health information related to such person. You mentioned an authorization. I presume the authorization was by the individual whose PHI is in question or by that person’s properly authorized representative and that the authorization included a full notification to such individual of how the information was to be used. The prime questions that remain are: To whom is the information being disclosed? How is it to be used? Why is it being disclosed? (i.e. if to obtain payment, possibly disclosure of the PHI as limited above is OK – if for other purposes, a problem could exist.) This is probably a more complex, even evasive, answer than desired. However, HIPAA and particularly the Privacy Rule are very complex in their wording. This is further complicated not just by the fact that a major revision is due but by the fact that despite HHS having rendered an interpretation, we have no Court decisions on this matter as of yet.
    Stanley P. Santire, JD

    Share on Facebook Share on Twitter
Sign In or Register to comment.