Outsourcing can be an effective way to overcome patient collection challenges. But it can also backfire if the collection agency you contract with uses illegal, unethical or insensitive collection tactics. One of the keys to managing these risks is to include proper legal protections in your services contract. This article covers the three legal protections you should include in your collection agency contract.
Why the contract is so important
Of course, services contracts with your vendors are important no matter what business you are in or which function you outsource. But contract terms are even more important when the service provided is debt collection and the debts collected are medical debts.
- Liability risks: Medical debt collection is subject not just to general commercial consumer lending laws like the Fair Debt Collection Practices Act (FDCPA) and Fair Credit Reporting Act (FCRA), but also health care specific regulation including the Health Insurance Portability and Accountability Act (HIPAA).
- The ethical dimension: Debt collection requires not simply compliance but sensitivity and recognition that debtors are the client’s customers. And when the client is a medical practice and the customers are patients, conducting the collection process with dignity and respect becomes not only a business but an ethical imperative.
- The community dimension: Medical practices and their representatives must be guided by not just the provider-patient relationship but the mission to serve their community. Unsavory collection practices by your vendors can also generate negative press that harms the reputation you worked so hard to build.
3 essential legal protections
The first thing you need to do is to select a reputable collection agency, preferably one that adheres to industry guidelines like the best practices for medical debt collection created jointly by the Healthcare Financial Management Association and Association of Credit and Collection Professionals. The next step is to ensure your services agreement includes three protections.
1. HIPAA liability protection
Problem: To help it collect the debt, you may have to provide the agency what HIPAA defines as “protected health information” (PHI) about patients, including their name and tests performed. In so doing, the agency becomes your “business associate” under HIPAA. Result: If the agency compromises the PHI, you may be liable. Example: The Minnesota Attorney General charged a pair of local hospital systems with failing to protect the privacy of PHI they provided to their debt collection agency/revenue cycle management vendor.
Solution: You and the agency must make a separate agreement called a “HIPAA business associate contract” that:
- Specifies how the agency will use and disclose the PHI you provide;
- Bans agency uses and disclosures for any purpose not expressly allowed under the contract or required by law;
- Requires the agency to take security measures to protect the PHI;
- Requires the agency to provide notification of security breaches or unauthorized uses or disclosures as required by the Health Information Technology for Economic and Clinical Health Act (HITECH);
- Requires the agency to give patients’ access to their own PHI in accordance with HIPAA requirements, e.g., letting patients request copies and amendments to the information;
- Requires the agency to make its books and records available to HHS auditors;
- Requires the agency to destroy the PHI after the agreement ends;
- Requires the agency to hold the subcontractors to which it entrusts your PHI to privacy restrictions at least equivalent to the ones set out in your services agreement; and
- Lets you terminate the contract if the agency violates its privacy obligations.
2. Other liability protections
Problem: Agency violations can result in liability to your medical practice under other laws, including:
- The FDCPA, which bans deceptive or abusive conduct, e.g., calls at odd hours or to the debtor’s employer to collect consumer debts;
- The FCRA, which requires agencies to investigate and verify accuracy of information about debtors they provide to credit bureaus, medical information companies and other consumer reporting agencies;
- The Gramm-Leach-Bliley Act, which requires agencies to protect the privacy of debtors’ personal information;
- The Federal Trade Commission Act, which bans debt collection activities that constitute deceptive or unfair trade practices;
- The Affordable Care Act (ACA), which requires hospitals to use fair billing and debt collection practices; and
- State laws including those banning agencies from harassing, abusing, or deceiving debtors to collect a consumer debt.
Solution: Insert a clause that:
- Requires the agency to comply with all applicable laws;
- Gives you the right to terminate if the agency commits any violations:
- Consequences of noncompliance: Medical office may, at its sole discretion, treat an Agency violation of the foregoing compliance obligations as a material breach justifying termination of the Services Agreement.
- Require the agency to “indemnify,” or repay you for any losses you incur as a result of the violations it commits.
While the clauses are fairly uncontroversial, the agency may object to indemnification. Stay firm, especially if your bargaining position is strong. Talk to your attorney if the agency insists on making indemnification mutual.
3. Limits on agency collection procedures
Problem: The agency is your representative and its actions reflect on your medical office and its reputation.
Solution: Require the agency to follow collection methods and techniques that are sensitive to and consistent with your ethical principles and commitments to patients and community. Three options:
- Specifically describe the procedures the agency will use to collect debts from your patients. Issues to address:
- The point in the patient revenue cycle when the agent will be called in;
- Procedures for pulling back files; and
- Procedures for collecting from different kinds of patients, e.g., self-pay, Medicare/Medicaid, charitable care, etc.
- Expressly require the agency to adhere to your medical practice’s own internal policies, procedures, and mission statements, which should be attached as Exhibits to the agreement;
- Make adherence to the required patient policies, procedures, and/or mission statements one of the criteria used for evaluating the agency’s performance under the agreement.
Takeaway: When medical practices outsource collection activities, a written agreement should require the collection agency comply with various laws affecting health care and debt collection and follows medical practice policies and procedures.