Long Arms of the CFPB Don’t Exclude Healthcare Providers

Many healthcare providers aren’t aware that entities servicing healthcare receivables may have to answer to the CFPB. Though not directly in the CFPB’s purview (yet), any providers that report delinquent debt to credit reporting agencies, partner with first and third party collection agencies, or collect on patient accounts can all be indirectly impacted. Reality is that angry patients can (and do) log complaints with the CFPB about the collection practices of providers, Extended Business Offices (EBOs) or a third party working on behalf of them. When this happens, the party against which the consumer complained must provide a satisfactory response to the CFPB. And just like that, the long arms of the CFPB stretch to include the healthcare provider community.

This will only play out more and more frequently because the medical community, pressed as it is by the self-pay crisis and the realities of high-deductible plans, is increasingly relying on vendors to handle its receivables and find ways to improve the efficiency and effectiveness of its revenue cycle, including practice management, billing and collections. This evolution will require a growing awareness and well-maintained understanding of evolving compliance pitfalls.

What Changed?

It used to be that vendor compliance was managed contractually, compliance risk was assigned to vendors, and the whole business of whether a vendor did or did not follow federal or state regulations was kept at arm’s length. Those days are over.

Nowadays, CFPB examinations consider the full chain of custody. Blame shifting will not shield a party anywhere along that chain of custody. In effect, everyone sinks or swims together, so it’s in the best interest of vendors and their clients to participate fully in audit preparations.

The CFPB expects that anyone with a hand in collecting payments from consumers will oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law. Yes, that is a lot to carry on top of being a medical provider focused on clinical care. However, it is very clear that the CFPB believes there is an escalated consumer risk when medical debt is the subject of collection activity and/or credit reporting.

Creeping Jurisdiction

Way back in 2012, in defining governed debt collection participants subject to CFPB jurisdiction, the Bureau noted, "In some situations, a medical provider may grant the right to defer payment after the medical service is rendered. In those circumstances, the transaction might involve an extension of credit." At that point, it was obvious that the CFPB intended to extend its purview to include health care providers' billing and collection practices. Given the vast effect on, and risk to, consumers posed by delinquent medical bills, it stands to reason that the CFPB would increase its involvement with medical debt collections over time.

It won’t be a surprise if the CFPB eventually seeks to govern first-party medical debt collection, but for now, it certainly is watching the third-party medical collection space, and has heavily influenced the development of the new protocols (taking effect in September 2017) that govern the reporting of medical debt to credit reporting agencies, having long discouraged the practice as a means of passive debt collection.

This all amounts to a moment of opportunity for hospital systems and physician practices: If you thought the CFPB had no jurisdiction over your activities, there’s more to learn. If you haven’t sat with your vendors and learned what type of communications and consent to contact you need to secure from patients at the top of the patient encounter, now is the time. If you’ve never audited your vendors with your CFPB glasses on, there’s no time like the present.

5 Key Elements for Vendor Compliance Management

If you’re a provider or hospital, auditing collections or other vendors may not be a well-oiled machine in your organization. While it may seem overwhelming, it’s both critical and in everyone’s best interest. Consider starting here:

1. Thoroughly assess the risk of each vendor function. Consider:

  • Vendors performing consumer-facing activities
  • Vendors who receive and store confidential information
  • Vendors who have unattended access to anything protected

2.  Assess Policies & Procedure

  • Review the dependency of all functions (Who relies on who? For what?)
  • Get a consult on all applicable state and federal laws that are associated with each function
  • Benchmark vendor best practices in your field, but be aware that there’s always that first CFPB enforcement action that can make an example out of anyone. This is a time of great flux.

3. Properly document your assessment

  • Estimate account volume and scale internal and vendor personnel accordingly
  • Evaluate the data elements needed for all necessary functions
  • Assess the quality of your information security
  • Get advice on what kind of insurance you’ll need to cover the worst case vendor catastrophe scenarios
  • Be proactive about subcontractors: in theory everyone one in the supply chain is your responsibility

4. Formalize vendor onboarding

  • Require vendors to submit an RFP detailing their internal risk processes
  • List your policies and actively seek comments and enhancements from anyone qualified to opine
  • Detail all roles and responsibilities, including functional checklistsInvolve senior management in routine evaluations of risk and require signoff
  • Develop compliant templates for all channels of communication, and be active in having them reviewed by your counsel and other subject matter experts
  • Make sure good employee policies and training exists within each vendor organization, including background checks, primers on state and federal consumer financial laws, and information security awareness
  • Clarify a vendor’s obligation to notify you when it suspects any data or policy breach
  • Clarify what permissions need to be in place for vendors to share confidential data with any other entity or person
  • Set forth how the contract can or will terminate with reasonable notice and without penalty, and how data will be either transferred or destroyed, as appropriate, how long non-disclosure agreements will last, etc.
  • Require a formal process for consumer complaint escalation and resolution

5. Routinize audits

  • Within your organization and in your vendor organizations, document the requirements for monitoring and the audit process, including who is responsible for delivering what
  • Define what needs to be monitored (phone calls, employee training, consumer complaints)
  • Ensure that your documented policies and procedures can be scaled to fit within any potential vendor retention period

There is no doubt that the CFPB is extending its reach within the medical community, and its reasons for doing so are fundamentally sound. The nature of medical debt does gravely impact millions of consumers, and the numbers are avalanching with the self-pay crisis in full bloom. Since no one knows what this will eventually mean for the operational realities of the provider community, it is not a bad idea to get ahead of the rules and do everything possible to prepare for a CFPB examination. Should you ever have to face one, having practiced for an audit and having kept audit documentation may demonstrate your proactivity and good faith in complying with all relevant laws in your jurisdiction.

By Berta Alicia Bustamante