A recent decision from a North Carolina Bankruptcy Court
emphasizes the need for proper training for those who file proofs of claim on
behalf of anyone providing consumer credit, including healthcare providers. Bankruptcy Rule 9037 requires that, in all court
filings, an individual’s social security number, taxpayer-identification
number, birth date and financial account number be redacted to the last four
digits of the social security or taxpayer-identification number, the year of
the individual’s birth and the last four digits of the account number. Additionally, if the filing identifies a
minor, it may contain only the minor’s initials.
A series of sanctions motions brought in the Eastern
District of North Carolina alleged that a hospital filed a large volume of
proofs of claim which contained personal information of the debtors that should
have been redacted under Bankr. Rule 9037.
Moreover, a number of the proofs of claim also may have contained
protected health information. See In re
Wayne Edward Branch, Case No. 14-02379-5-SWH (Bankr. E.D.N.C.); In re Carla Lynette Bostick, Case No.
15-5318-5-SWH (Bankr. E.D.N.C.); In re
Janis Monroe Clark, Case No. 15-01265-5-SWH (Bankr. E.D.N.C.). The debtors asserted that the inclusion of
such information violated federal and state identity protection laws and Rule
9037 and also violated the hospital’s own “Privacy Policy” which is provided to
patients. See, e.g., In re Wayne Edward
Branch, Dkt Nos. 143 and 146.
Testimony at the sanctions hearing highlights the importance
of adequately trained staff. At the
sanctions hearing, staff for the hospital testified that their HIPAA training
did not cover bankruptcy claims filing, that no audit system was in place and that there
was no record-keeping policy in place with respect to proofs of claim. Staff for the
hospital further testified that they were unaware that electronically filed
proofs of claim were accessible by persons other than the trustees and believed
that the filing of proofs of claim constituted payment collections and was thus an
exception to HIPAA. Testimony at the
sanctions hearing further made clear that the issues alleged in the sanctions motions
were systemic.
In its Sanctions Order, the court first noted that with
respect to HIPAA, it did not believe it had jurisdiction to opine or determine
sanctions for violations of HIPAA. The
court, however, did note that the majority of bankruptcy courts that have
reviewed the issue have found there to be no private right of action under HIPAA
and that the remedy under Bankruptcy Rule 9037 is to restrict the offending
information from public view. In re Branch, 2016 Bankr. LEXIS 3194
(Bankr. E.D.N.C. Aug. 31, 2016). The
court went on, however, to award sanctions for violation of Bankruptcy Rule
9037. The court concluded that the fact
that there was no supervision or training indicated that the hospital was more
than negligent. Id. at *34. “An institution
that participates in the bankruptcy process as frequently as Wake Med simply
cannot ignore the requirements of the court; the Code and Rules are of equal
importance to the requirements of HIPAA and other regulations that govern Wake
Med’s business practices.” Id. “Based upon the sheer volume and the
limitations on the ability of the court staff to restrict access to more than
1,410 claims on any given day, it took several weeks for all of the claims to
be restricted and/or redacted.” Id. The court awarded the lead consumers their attorney’s
fees and ordered the hospital to pay punitive damages in the amount of $70,000. The court’s order requires remediation by the
hospital and the filing of quarterly reports with the Bankruptcy Administrator
for five years.
The hospital’s saga emphasizes the need for health care
providers and other entities providing non-traditional financial services to
examine their compliance management systems and ensure compliance with not only
HIPAA but also data privacy and other consumer protection statutes.
For healthcare providers in particular, the order serves as
a wake-up call. To the extent proofs of
claim are filed, healthcare providers should ensure that they are familiar with
the Bankruptcy Rule requirements. Any
proofs of claim filed with the bankruptcy court should:
Be limited to the last four digits of the social security or taxpayer identification number;
Be limited to the year of the individual’s birth;
Be limited to the last four digits of the account number; and
Redact all individuals’ protected healthcare information.
Moreover, healthcare providers should have policies and
procedures in place which require the retention of all filed proofs of claim,
as well as periodic training and audits to ensure there are no violations of
HIPAA, federal or state privacy laws or the Bankruptcy Rules.