Beware of Violating Patient Privacy Laws in Bankruptcy Claim Filings

April 13, 2016, 8:42 PM UTC

The Risk

Recent court filings highlight the need for health-care providers, as a matter of federal bankruptcy and privacy laws, to protect patient privacy by implementing specific procedures when filing claims in bankruptcy cases of their patients. Last year, WakeMed, a Raleigh, N.C.-based health-care system, asserted a claim for $553.00 for unpaid medical services in a Chapter 13 consumer bankruptcy case. In requesting payment of this small amount, WakeMed set off a chain of events that may well end up costing it thousands of dollars in court sanctions and civil, and possibly even criminal, penalties.

WakeMed’s mistake: It filed electronically in the bankruptcy court’s claims register a Proof of Claim that disclosed personally identifiable information (“PII”)—the debtor’s full Social Security number, full date of birth, gender and telephone number—in violation of federal bankruptcy law.

Upon noticing the disclosure of the PII, debtor’s lawyer filed a motion to seal the private information. But counsel didn’t stop there: Seeing what he believed to be a pattern of WakeMed’s indifference to patient privacy rights, counsel combed through records of consumer bankruptcy cases starting in 2013. Incredibly, he reportedly found 158 cases involving just his firm’s clients where WakeMed allegedly violated the law by including Social Security numbers, full dates of birth, and in some cases actual medical records, in filed proofs of claim. The debtor promptly filed a motion in the bankruptcy court against WakeMed, seeking an order of contempt, sanctions and damages. (The motion is available at https://ecf.nceb.uscourts.gov/doc1/130117581655.) Depending on how the court rules, WakeMed could be required to pay attorneys’ fees, the cost of clearing debtor’s credit records, and even punitive damages if it is determined that WakeMed knew it was violating laws and did nothing to remedy the violations. WakeMed may also be subject to civil and criminal penalties for violations of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996), as amended (“HIPAA”), the federal patient privacy law, the accompanying patient privacy rules promulgated by the United States Department of Health and Human Services, and other state and federal privacy laws. The motion remains pending as of the date of this article.

Three years earlier, in 2012, Duke University Health System found itself subject to scrutiny when it discovered that the staff of its billing subsidiary attached copies of outstanding billing statements for services to support proofs of claim filed in Chapter 13 bankruptcies of its patients. The statements included the patient’s name and address, medical records number, insurance company and subscriber number and clinical information including a short description of services received. Duke issued a notice advising patients that it had taken a number of steps to remedy the disclosures of PII, including requesting that the bankruptcy court seal the records, revising the filing process to remove the billing statements from the filings, and revising its internal processes and retraining staff. (The notice is available at http://corporate.dukemedicine.org/news_and_publications/news_office/news/notice-to-patients-who-previously-filed-chapter-13-bankrupty.)

Bankruptcy Rules Governing Patient Privacy

At first glance, bankruptcy policy and privacy laws may appear to be at odds. The bankruptcy law starts with the premise that all court records are available to the public in order to foster openness and transparency. Indeed, it is often said that a debtor in bankruptcy “operates in a fishbowl.”

In recent years, however, Congress has responded to growing privacy concerns by enacting legislation that requires the protection of private information even in otherwise publicly available court filings. For example, section 205(c)(3) of the E-Government Act of 2002, Pub. L. 107-347, 44 U.S.C. §3501, et seq. required the Supreme Court to prescribe rules “to protect privacy and security concerns relating to electronic filing of documents and the public availability … of documents filed electronically.”

To satisfy the requirement, the Supreme Court adopted Rule 9037 of the Federal Rules of Bankruptcy Procedure, which restricts the filing of documents containing the following types of PII:

  • An individual’s Social Security number or Taxpayer Identification number;
  • An individual’s birth date;
  • The name of an individual, other than the debtor, known to be and identified as a minor; and
  • A financial account number.

The place where PII is inadvertently disclosed by health-care providers most often is in filing claims for unpaid medical services. Creditor claims in bankruptcy must be prepared on Form B-410 of the Official and Procedural Bankruptcy Forms, a fillable form with instructions for its use. The instructions require the creditor to attach “redacted copies of any documents that show the debt exists,” and state only the last four digits of the debtor’s account or other number used to identify the debtor. Specifically regarding health-care providers, the instructions provide that: “If the claim is based on delivering health care goods or services, limit the disclosure of the goods or services so as to avoid embarrassment or the disclosure of confidential health care information.”

In addition to the instructions on Form B-410, reminders of Rule 9037 obligations appear on the page screens of filers who use electronic case filing (ECF) for filing proofs of claim. One of the reasons debtor’s counsel in WakeMed is seeking sanctions is that the ECF page for the court required users to check a box indicating that: “I understand that, if I file, I must comply with the redaction rules. I have read this notice.” The debtor argues that WakeMed, by checking the box at least 158 times while actually not complying, demonstrated knowing and willful violation of Rule 9037.

The Risk of Disclosure in Consumer Bankruptcy Cases Is not a Minor Concern

It is impossible to overstate the risks to health-care bankruptcy claimants. Every day providers, insurers and other participants in the health-care industry are faced with patient bankruptcy filings. A recent study found that medical bills are the single largest causal factor in consumer bankruptcy, followed by loss of job and excessive spending. Austin, Daniel A., Medical Debt as a Cause of Consumer Bankruptcy, Maine Law Review, Vol. 67:1 (2014). Austin posited that medical debt is the predominant causal factor of a bankruptcy if it constitutes more than 50% of the debtor’s annual income or 50% of the debtor’s total unsecured debt, or if the debtor herself determines that medical debt was the primary reason for filing. Utilizing those criteria, Austin examined debt and income amounts reported by debtors on bankruptcy schedules, and debtor responses to a national survey. Austin’s findings are striking: First, twenty-six percent of surveyed debtors “agree” or “strongly agree” that they filed for bankruptcy because of medical bills. Second, sixty-one percent of all debtors in the study reported medical debt on Schedule F (schedule of unsecured claims). The average medical debt directly reported on bankruptcy schedules was $5,970.80, and that number doesn’t even include medical bills that may have been charged to credit cards. Third, a full eighteen percent of debtors have medical debt, adjusted to include the estimated proportion of medical debt included in credit card debt, of greater than half of their annual income or total unsecured debt.

Overall, Austin’s study concluded that medical debt is the predominant causal factor in 18-26% of all consumer bankruptcies. Sixty-one percent of consumer debtors in the study report medical debt.

If we apply the statistics derived from the study to the total consumer bankruptcy cases filed each year, the scope of the risk of inadvertent disclosure of PII becomes clear. According to the official data reported by bankruptcy courts across the United States, 909,812 nonbusiness bankruptcy cases were filed in 2014 and 819,760 nonbusiness cases in 2015. Using the 2015 filings, and Austin’s conclusion that 61% of all consumer debtors have medical debt, we can estimate that there were over 500,000 consumer bankruptcy cases filed in the U.S. last year in which the debtor owed a medical bill. Many of these consumers may owe money to more than one provider. To put the point bluntly, that’s at least half a million opportunities in a single year for busy medical receivables clerks around the country to inadvertently neglect to delete PII in a proof of claim! The opportunities for mistakes like those apparently made by WakeMed and Duke are massive.

Obviously, the risk of violating privacy laws is not limited to creditors holding claims based on medical services. Other vendors, including credit card companies, utilities providers, auto lenders and others also need to ensure compliance with bankruptcy laws governing privacy. However, the sheer volume of bankruptcy consumers who have medical debt should make the risk an overriding concern for medical providers.

The Risk of HIPAA Enforcement

Disclosures of protected health information (“PHI”) by HIPAA covered entities or business associates that go beyond that required by law or a court’s order, or that otherwise is beyond the minimum necessary, may be reportable data breaches under HIPAA’s Data Breach Notification Rule (45 C.F.R. Part 164, Subpart D) if the event compromises the privacy of that information (45 C.F.R. §164.402). Experience has shown that reports of data breaches have led to investigations by the Office of Civil Rights (“OCR”) and enforcement actions when OCR has found that the data breach arose from a violation of HIPAA’s rules.

Moreover, improper disclosures of PHI may lead to HIPAA enforcement arising from the complaint process. The HIPAA Enforcement Rule, 45 C.F.R. §160.306(c), requires OCR to conduct a preliminary review of the facts of each complaint it receives to determine whether the facts indicate a possible violation of HIPAA’s requirements due to willful neglect; if that preliminary review does indicate that a possible violation arose from willful neglect, then OCR is required to investigate the complaint. A demonstrated pattern of non-compliance with the bankruptcy court’s measures to protect patient privacy may well support such a finding of willful neglect, and the covered entity or business associate that disregards such privacy measures may find itself facing investigation and enforcement proceedings by OCR.

Practical Tips to Avoid the Risk of Inadvertent Disclosure

Health-care providers, and in particular their accounts receivable managers, may take several steps to minimize the risk of inadvertent privacy violations:

  • Include compliance with Rule 9037 in the portion of your employee procedures manual that covers HIPAA and other privacy laws.
  • Conduct training for all new employees in the collections department on how to fill out Form B-410, the official proof of claim form, while also complying with privacy requirements, and have a “cheat sheet” or other guide for completing the form available.
  • Do not separate the function of preparing the claim forms from filing the claims. Only the individuals who actually log on to the bankruptcy court’s website to file the proofs of claim are likely to be familiar with the court rules, which can be updated and changed frequently. If one employee is preparing all claims, and another is filing all of the claims, a risk of lack of communication between the two functions exists.
  • Conduct periodic internal audits of filed bankruptcy claims to ensure compliance with patient privacy laws.
  • Immediately seek assistance of counsel if you discover that confidential patient information has been included in your filed claims. A party that promptly takes responsibility for the error, files a motion to seal the improperly disclosed information, and otherwise complies with applicable laws regarding release of private information will likely receive more lenient treatment from the court than a party that ignores the problem.

Conclusion

HIPAA covered entities and business associates have been taught to be diligent in the course of their regular business activities to protect patient privacy in accordance with HIPAA and other state and federal regulatory schemes. Bankruptcy filings present another, less familiar area in which privacy rules may be inadvertently violated. Because of this, provider law departments are well-advised to seek outside guidance in bankruptcy filings involving their patients.
