A recent decision from a North Carolina Bankruptcy Court emphasizes the need for proper training for those who file proofs of claim on behalf of anyone providing consumer credit, including healthcare providers.Bankruptcy Rule 9037 requires that in all court filings containing an individual’s social security number, taxpayer-identification number, birth date and financial account number be redacted to the last four digits of the social security or taxpayer identification number, the year of the individual’s birth and the last four digits of the account number.Additionally, if the filing identifies a minor, it may only contain the minor’s initials.
Testimony at the sanctions hearing highlights the importance of an adequately training staff.At the sanctions hearing, staff for the hospital testified that their HIPAA training did not cover bankruptcy claims filing, no audit system was in place and there was no record keeping policy in place with respect to proofs of claim.At the sanction hearing, staff for the hospital further testified that they were unaware that electronically filed proofs of claim were accessible by persons other than the trustees and believed that the filing of proofs of claim were payment collections and thus, an exception to HIPAA.Testimony at the sanction hearing further made clear the issues alleged in the sanctions motions were systemic.
In its Sanctions Order, the court first noted that with respect to HIPAA, it did not believe it had jurisdiction to opine or determine sanctions for violations of HIPAA.The court however, did note that the majority of bankruptcy courts that have reviewed the issue have found there to be no private right of action under HIPAA and the remedy under Bankruptcy Rule 9037 is to restrict the offending information from public view.In re Branch, 2016 Bankr. LEXIS 3194 (E.D.N.C. Bank. Aug, 31, 2016).The court went on, however, to award sanctions for violation of Bankruptcy Rule 9037.The court concluded that the fact that there was no supervision or training indicated that the hospital was more than negligent.Id. at *34.“An institution that participates in the bankruptcy process as frequently as Wake Med simply cannot ignore the requirements of the court; the Code and Rules are of equal importance to the requirements of HIPAA and other regulations that govern Wake Med’s business practices.”Id. “Based upon the sheer volume and the limitations on the ability of the court staff to restrict access to more than 1,410 claims on any given day, it took several weeks for all of the claims to be restricted and/or redacted.” Id.The court awarded the lead consumers’ their attorney’s fees and ordered the hospital to pay punitive damages in the amount of $70,000.The court’s order requires remediation by the hospital and the filing of quarterly reports with the Bankruptcy Administrator for five years.
The hospital’s saga emphasizes the need for health care providers and other entities providing non-traditional financial services to examine their compliance management systems and insure compliance with not only HIPAA but also data privacy and other consumer protection statutes.
For healthcare providers in particular, the order serves as a wake up call.To the extent proofs of claim are filed, healthcare providers should insure that they are familiar with the Bankruptcy Rule requirements.Any proofs of claim filed with the bankruptcy court should:
- Be limited to the last four digits of the social security or taxpayer identification number,
- Be limited to the year of the individual’s birth
- Be limited to the last four digits of the account number; and
- Redact all individuals’ protected healthcare information.
Moreover, healthcare providers should have policies and procedures in place which require the retention of all filed proofs of claim, as well as periodic training and audits to insure there are no violations of HIPAA, federal or state privacy laws or the Bankruptcy Rules.