Remember.... HIPAA is your friend.
---
FCRA & HIPAA STATUTES
Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. ("FCRA")
Most provisions of the FCRA are directed at "consumer reporting agencies", generally defined as persons that regularly assemble or evaluate consumer credit information on consumers in order to furnish consumer reports to third parties. The FCRA, however, also imposes significant obligations on users and resellers of consumer reports and any person or business that regularly reports information to a consumer reporting agency. Any information received in the form of a consumer report is subject to the FCRA. In addition, the new FACTA regulations require the CRAs to do a REAL investigation and contact the Original Creditor for requested information in a CONSUMER DISPUTE. This is why you SHOULD use the NEW "CRA dispute letter" BEFORE using any part of the HIPAA letter process. "Consumer report" generally means any written, oral or other communication of information by a consumer reporting agency bearing on an individual's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used in establishing the consumer's eligibility for credit or insurance. The term "consumer report," however, does not include any report containing information solely as to transactions or experiences between the consumer and the person making the report or certain communications among affiliates. It is possible for a company to inadvertently become a credit reporting agency subject to the obligations under the FCRA by regularly communicating credit-related consumer information to third parties. Under the FCRA no person may obtain a consumer report unless it is for a "permissible purpose".
A permissible purpose includes use of the report: (1) with the consumer's written authorization; (2) in connection with the extension of credit as a result of an application from a consumer; (3) in connection with the collection of a consumer's account; (4) in making a decision to hire or promote a consumer who has given written permission for the use; (5) in connection with the underwriting of insurance as a result of an application from a consumer; (6) in response to some other legitimate business need arising in connection with a business transaction initiated by the consumer; (7) to determine whether the consumer continues to meet the terms of an account; and (8) in a valuation or assessment by a potential investor or servicer, or current insurer, of the credit risks associated with an existing credit obligation. In addition, creditors and insurers may obtain certain consumer report information for the purpose of making unsolicited offers of credit or insurance, provided that, among other conditions, the unsolicited offer must be a firm offer which can only be rescinded in specific circumstances. Additional restrictions and requirements apply to various specific types of reports and situations. For example, if information from a credit reporting agency is used for employment purposes, the user must inform the prospective employee of that fact and obtain his or her prior written authorization. If a user intends to obtain an investigative consumer report (one in which information is obtained through personal interviews), the user must notify the consumer in advance and disclose the nature and scope of the investigation. Users are generally not permitted to obtain consumer reports that contain medical information of any individual without the specific prior consent of the individual. 
Health Insurance Portability & Accountability Act of 1996, Public Law 104-191 ("HIPAA")
HIPAA required the Department of Health and Human Services ("HHS") to implement safeguards to protect the security and confidentiality of health records.
The rules issued by HHS (the "Privacy Rule") took effect on April 14, 2001. Proposed revisions to the Privacy Rule were published on March 27, 2002, and the comment period to the revisions has now expired.
Most covered entities have until April 14, 2003 to comply with the Rules. Small health plans (plans with annual receipts of $5 million or less) are not required to comply until April 14, 2004.
The Privacy Rule applies to "covered entities," which include health plans, health care providers and health care clearinghouses. A "health plan" is defined broadly to include most employer-sponsored health plans.
However, certain types of plans are not subject to the Privacy Rule, including self-administered health plans with less than 50 participants, and plans that provide accident-only, disability income or workers' compensation coverage.
The term "health care providers" includes any provider of medical or health services, and other persons who furnish, bill or are paid for health care in the normal course of business.
A "health care clearinghouse" is any entity that processes or facilitates the processing of third party health information between standard and nonstandard formats.
The Privacy Rule prohibits a covered entity from using or disclosing an individual's protected health information ("PHI") unless specifically authorized by the individual or otherwise allowed under the Privacy Rule.
In general, PHI encompasses substantially all "individually identifiable health information" that is transmitted or maintained in any medium. "Individually identifiable health information" includes health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that relates to an individual's physical or mental health or condition, including information related to an individual's care or the payment for such care.
In addition, the information must identify the individual or there must be a reasonable basis to believe that the information could be used to identify the individual.
The Privacy Rule allows a covered entity to use or disclose an individual's PHI without the individual's authorization, as necessary for "treatment, payment or health care operations," all of which are broadly defined.
Generally, once it is determined that a covered entity may use or disclose PHI, it must take reasonable measures to limit the use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use or disclosure.
The proposed revisions clarify, however, that certain incidental uses and disclosures of PHI will be permitted. The Privacy Rule recognizes that there are certain instances when a covered entity has a legitimate need to disclose PHI to certain non-covered entities that perform functions on behalf of the entity, including third party administrators, service providers, consultants and attorneys. These outside entities, referred to as "business associates," include a person or organization that (1) performs or assists in performing a function or activity on behalf of the covered entity involving the use or disclosure of PHI, or (2) provides legal, accounting, actuarial, consulting, management or financial services, where the performance of such services requires the disclosure of PHI to the service provider.
Before disclosing PHI to a business associate, the covered entity must obtain "satisfactory assurances" that the business associate will appropriately safeguard the information. Satisfactory assurances must be in the form of a written agreement which contains certain provisions specified in the Privacy Rule. For example, a business associate contract must describe the permitted and required uses and disclosures of PHI, as well as require the business associate to implement appropriate safeguards to protect against use or disclosure not permitted by the contract.
The proposed revisions to the Privacy Rule include model language that can be used in business associate contracts. If a covered entity knows that its business associate has materially breached the contract, the covered entity must take reasonable steps to cure or end the breach. If the steps are unsuccessful, the covered entity must terminate the contract, or if termination is not feasible, report the breach to the HHS.
The proposed revisions to the Privacy Rule contain a transition period which allows covered entities (other than small health plans which already have an extra year to comply) to operate under existing contracts with business associates for a limited period of time.
To take advantage of the transition period, the covered entity must have an existing written contract with the business associate prior to the effective date of the proposed revisions (which is yet to be determined) and the contract must not be renewed or modified between the effective date and the April 14, 2003 compliance date.
A contract meeting these requirements would be deemed in compliance with the Privacy Rule until the earlier of (1) the date the contract is renewed or modified after April 14, 2003 or (2) April 14, 2004.
The Privacy Rule establishes substantial rights for individuals with respect to their PHI. These rights include the right of individuals to access their own PHI, to request amendments to their PHI and to request an accounting of the disclosures of their PHI.
The Privacy Rule also requires covered entities to provide notices to each individual whose PHI will be used or maintained by the entity. The notice must contain specific disclosures and other information, including the uses and disclosures that the entity may make of the PHI, and the individual's rights and the covered entity's obligations with respect to the PHI.
The Privacy Rule includes specific delivery requirements of the notice, depending on the type of covered entity. The proposed revisions also require that a covered health care provider make a good faith effort to obtain an individual's written acknowledgment of receipt of the notice. Covered entities are required to adopt policies and procedures to safeguard the privacy of PHI.
The Privacy Rule establishes standards that covered entities must meet, but allows them to design their own policies and procedures to meet those standards. The requirements are scalable to account for the size and resources of the covered entity. Each covered entity generally must (1) adopt a written privacy policy designating who has access to protected information, how the information will be used within the entity, and when the information may be disclosed; (2) take steps to ensure that its business associates protect the privacy of the covered entity's PHI; (3) train employees with respect to the privacy policy; and (4) designate a privacy officer who will be responsible for ensuring the privacy policy is followed.
STATE STATUTES
Please check your own State's Statutes for additional applicable Consumer Credit and Medical Privacy statutes.
Message Edited by Tuscani on 05-14-2007 06:37 PM