Recent court filings highlight the need for health care providers to protect patient privacy by implementing specific procedures when filing claims in bankruptcy cases of their patients, as a matter of federal bankruptcy and other law. Last year, WakeMed, a Raleigh, North Carolina-based health care system, asserted a claim for $553.00 for unpaid medical services in a chapter 13 consumer bankruptcy case. In requesting payment of this small amount, WakeMed set off a chain of events that may well end up costing it thousands of dollars in court sanctions and civil, and possibly even criminal, penalties.
WakeMed’s mistake: It filed electronically in the bankruptcy court’s claims register a Proof of Claim that disclosed personally identifiable information (“PII”)--the debtor’s full Social Security number, full date of birth, gender and telephone number--in violation of federal bankruptcy law.
Upon noticing the disclosure of the PII, debtor’s lawyer filed a motion to seal the private information. But counsel didn’t stop there: Seeing what he believed to be a pattern of WakeMed’s indifference to patient privacy rights, counsel combed through records of consumer bankruptcy cases starting in 2013. Incredibly, he reportedly found 158 cases involving just his firm’s clients where WakeMed allegedly violated the law by including Social Security numbers, full dates of birth, and in some cases actual medical records, in filed proofs of claim. The debtor promptly filed a motion in the bankruptcy court against WakeMed, seeking an order of contempt, sanctions and damages. Depending on how the court rules, WakeMed could be required to pay attorneys’ fees, the cost of clearing debtor’s credit records, and even punitive damages if it is determined that WakeMed knew it was violating laws and did nothing to remedy the violations. WakeMed may also be subject to civil and criminal penalties for violations of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996), as amended (“HIPAA”), the federal patient privacy law, the accompanying patient privacy rules promulgated by the United States Department of Health and Human Services, and other state and federal privacy laws. The motion remains pending as of the date of this post.
Three years earlier, in 2012, Duke University Health System also found itself subject to scrutiny when it discovered that the staff of its billing subsidiary attached copies of outstanding billing statements for services to support proofs of claim filed in chapter 13 bankruptcies of patients of Duke. The statements included the patient’s name and address, medical records number, insurance company and subscriber number and clinical information including a short description of services received. Duke issued a notice advising patients that it had taken a number of steps to remedy the disclosures of PII, including requesting that the bankruptcy court seal the records, revising the filing process to remove the billing statements from the filings, revising its internal processes and retraining staff.
Bankruptcy Rules Governing Patient Privacy
At first glance, bankruptcy policy and privacy laws may appear to be at odds. The bankruptcy law starts with the premise that all court records are available to the public in order to foster openness and transparency. Indeed, it is often said that a debtor in bankruptcy “operates in a fishbowl.”
Congress, however, has responded to growing privacy concerns, in recent years by enacting legislation that requires the protection of private information even in otherwise publicly available court filings. For example, section 205(c)(3) of the E-Government Act of 2002, Pub. L. 107-347, 44 U.S.C. § 3501, et seq. required the Supreme Court to prescribe rules “to protect privacy and security concerns relating to electronic filing of documents and the public availability … of documents filed electronically.”
To satisfy the requirement, the Supreme Court adopted Rule 9037 of the Federal Rules of Bankruptcy Procedure, which restricts the filing of documents containing the following types of PII:
- An individual’s Social Security number or Taxpayer Identification number;
- An individual’s birth date;
- The name of an individual, other than the debtor, known to be and identified as a minor; and
- A financial account number.
The place where PII is inadvertently disclosed by health care providers most often is in filing claims for unpaid medical services. Creditor claims in bankruptcy must be prepared on Form B-410 of the Official and Procedural Bankruptcy Forms, a fillable form with instructions for its use. The instructions require the creditor to attach “redacted copies of any documents that show the debt exists,” and state only the last four digits of the debtor’s account or other number used to identify the debtor. Specifically regarding health care providers, the instructions provide that: “If the claim is based on delivering health care goods or services, limit the disclosure of the goods or services so as to avoid embarrassment or the disclosure of confidential health care information.”
In addition to the instructions on Form B-410, reminders of Rule 9037 obligations appear on the page screens of filers who use electronic case filing (ECF) for filing proofs of claim. One of the reasons why debtor’s counsel in WakeMed is seeking sanctions is because the ECF page for the court required users to check a box indicating that: “I understand that, if I file, I must comply with the redaction rules. I have read this notice.” The debtor argues that WakeMed, by checking the box at least 158 times while actually not complying, demonstrated knowing and willful violation of Rule 9037.
Practical Tips to Avoid the Risk
Health care providers, and in particular their accounts receivable managers, may take several steps to minimize the risk of inadvertent privacy violations:
- Include compliance with Rule 9037 in the portion of your employee procedures manual that covers HIPAA and other privacy laws.
- Conduct training for all new employees in the collections department on how to fill out Form B-410, the official proof of claim form, while also complying with privacy requirements, and have a “cheat sheet” or other guide for completing the form available.
- Do not separate the function of preparing the claim forms from filing the claims. Only the individuals who actually log on to the bankruptcy court’s website to file the proofs of claim are likely to be familiar with the court rules, which can be updated and changed frequently. If one employee is preparing all claims, and another is filing all of the claims, a risk of lack of communication between the two functions exists.
- Conduct periodic internal audits of filed bankruptcy claims to insure compliance with patient privacy laws.
- Immediately seek assistance of counsel if you discover that confidential patient information has been included in your filed claims. A party that promptly takes responsibility for the error, files a motion to seal the improperly disclosed information, and otherwise complies with applicable laws regarding release of private information will likely receive more lenient treatment from the court than a party that ignores the problem.