HIPAA NOTICE Clinic Policies and Procedures For Protecting the Privacy of Patient Health Information Patient Privacy Procedures and Policies CONSENT A consent form will be given to each patient before any treatment is initiated and this consent form must be read, signed and returned by the patient to this chiropractic office and placed in that patients? file before any treatment, payment, or health care operations. Background The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient's written consent before using or disclosing the patient's personal health information to carry out treatment, payment, or health care operations (TPO). Today, many health care providers, for professional or ethical reasons, routinely obtain a patient's consent for disclosure of information to insurance companies or for other purposes. The Privacy Rule builds on these practices by establishing a uniform standard for certain health care providers to obtain their patients' consent for uses and disclosures of health information about the patient to carry out TPO. General Provisions Patient consent is required before a covered health care provider that has a direct treatment relationship with the patient may use or disclose protected health information (PHI) for purposes of TPO. Exceptions to this standard are shown in the next bullet. Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers. Health care providers that have indirect treatment relationships with patients (such as laboratories that only interact with physicians and not patients), health plans, and health care clearinghouses may use and disclose PHI for purposes of TPO without obtaining a patient's consent. The rule permits such entities to obtain consent, if they choose. If a patient refuses to consent to the use or disclosure of their PHI to carry out TPO, the health care provider may refuse to treat the patient. A patient's written consent need only be obtained by a provider one time. The consent document may be brief and may be written in general terms. It must be written in plain language, inform the individual that information may be used and disclosed for TPO, state the patient's rights to review the provider's privacy notice, to request restrictions and to revoke consent, and be dated and signed by the individual (or his or her representative). Individual Rights An individual may revoke consent in writing, except to the extent that our chiropractic office has taken action in reliance on the consent. An individual may request restrictions on uses or disclosures of health information for TPO. Our office is not required to agree to the restriction requested, but is bound by any restriction to which it agrees. An individual will have access to a notice of our office privacy practices and may review (but is not required to review) that notice prior to signing a consent. Administrative Issues Our chiropractic office must retain the signed consent for 6 years from the date it was last in effect. The Privacy Rule does not dictate the form in which these consents are to be retained by our office. Certain integrated covered entities may obtain one joint consent for multiple entities. If our office obtains consent and also receives an authorization to disclose PHI for TPO, we may disclose information only in accordance with the more restrictive document, unless the covered entity resolves the conflict with the individual. Transition provisions allow our office to rely on consents received prior to April 14, 2003 (the compliance date of the Privacy Rule for most covered entities), for uses and disclosures of health information obtained prior to that date. Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient's condition? A: No. A chiropractor with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another health care provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation. Q: What is the interaction between "consent" and "notice"? A: The consent and the notice of privacy practices are two distinct documents. A consent document is brief (may be less than one page). It must refer to the notice and must inform the individual that he has the opportunity to review the notice prior to signing the consent. The Privacy Rule does not require that the individual read the notice or that our chiropractic office explains each item in the notice before the individual provides consent. We expect that some patients will simply sign the consent while others will read the notice carefully and discuss some of the practices with our office. Q: May consent for use or disclosure of PHI be provided electronically? A: Yes. The covered entity may choose to obtain and store consents in paper or electronic form, provided that the consent meets all of the requirements under the Privacy Rule, including that it be signed by the individual. Paper is not required. Q: Must someone from our office verify a signature on a consent form if the individual is not present when he signs it? A: No. Q: May consent be obtained by a chiropractor only one time even though there is a connected course of treatment involving multiple visits? A: Yes. A chiropractor needs to obtain consent from a patient for use or disclosure of PHI only one time. This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A chiropractor will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments. Q: If an individual consents to the use or disclosure of PHI for TPO purposes, begins chiropractic care and then revokes consent before the chiropractor bills for such service, is the provider precluded from billing for such service? A: No. A health care provider that provides a health care service to an individual after obtaining consent from the individual may bill for such service even if the individual immediately revokes consent after the service has been provided. The Privacy Rule requires that an individual be permitted to revoke consent, but provides that the revocation is not effective to the extent that the health care provider has acted in reliance on the consent. Where the provider has obtained consent and provided a health care service pursuant to that consent with the expectation that he or she could bill for the service, the health care provider has acted in reliance on the consent. The revocation would not interfere with the billing or reimbursement for that care. Q: Must a revocation of consent be in writing? A: Yes. Q: Are health plans and health care clearinghouses required by the Privacy Rule to have some form of express legal permission to use and disclose health information obtained prior to the compliance date for TPO purposes? A: No. Health plans and health care clearinghouses are not required to have express legal permission from individuals to use or disclose health information obtained prior to the compliance date for their own TPO purposes. MINIMUM NECESSARY General Requirement The Privacy Rule generally requires our chiropractic office to take reasonable steps to limit the use or disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary provisions do not apply to the following: Disclosures to or requests by a health care provider for treatment purposes. Disclosures to the individual who is the subject of the information. Uses or disclosures made pursuant to an authorization requested by the individual. Uses or disclosures required for compliance with the standardized Health Insurance Portability and Accountability Act (HIPAA) transactions. Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes. Uses or disclosures that are required by other law. The implementation specifications for this provision require a chiropractor to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. Uses and Disclosures of, and Requests for PHI For uses of PHI, the policies and procedures must identify the persons or classes of persons within the chiropractic office who need access to the information to carry out their job duties, the categories or types of PHI needed, and conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit PHI disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required. For non-routine disclosures, chiropractors must develop reasonable criteria for determining, and limiting disclosure to, only the minimum amount of PHI necessary to accomplish the purpose of a non-routine disclosure. Non-routine disclosures must be reviewed on an individual basis in accordance with these criteria. When making non-routine requests for PHI, the chiropractor must review each request so as to ask for only that information reasonably necessary for the purpose of the request. Identification of Persons with Authorization of Access to Patient Health Information Those individuals or parties that could have access to Patient Health Information at Greco Family Chiropractic include but may not be limited to: The staff of Greco Family Chiropractic. This includes: Dr. Joseph A. Greco, President, Chiropractor Kimberly Greco, Controller Office Manager, Insurance Chiropractic Assistant, Front Desk Rehab Assistants Massage Therapists Necessary health care providers or vendors who may need to be consulted if related to the patient?s condition. This includes: NDC Electronic Claims Company Patient's Insurance Company, (as related to payment) The minimum categories and or types of Patient Health Information necessary for access by these individuals or parties include but are not limited to: See Standard Office Health History Form, Insurance form, etc   Conditions which are normally presented in this clinic and require PHI to be collected includes but is not limited to: Vertebral Subluxation It is the policy of Greco Family Chiropractic that: Non-routine disclosures will be reviewed individually by the doctor and the minimum amount of PHI will be given for those circumstances. When requesting PHI from other health care providers or vendors, the doctor will determine what is the minimum amount of information necessary and request only those records. If other health care providers request PHI from our records, the patient will be informed and a written consent may be requested although not required and obtained from the patient and put on file before releasing the patient records. Reasonable Reliance In certain circumstances, the Privacy Rule permits a health care provider to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by: A public official or agency for a disclosure permitted under ? 164.512 of the rule. Another covered entity. A professional who is a workforce member or business associate of the chiropractor holding the information. A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board. The rule does not require such reliance, however, and the chiropractor always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.   Frequently Asked Questions About The Policies and Procedures of Greco Family Chiropractic Concerning the Enforcement of the Minimum Requirements of the Privacy Rule Q: How does your clinic expect to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose? A: The Privacy Rule requires a chiropractor to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow chiropractors the flexibility to address their unique circumstances, the rule requires chiropractors to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not a strict standard and chiropractors need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information. The minimum necessary standard is intended to make chiropractors evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override professional judgment and standards. Q: Won't the minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment? A: No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements. The Privacy Rule provides the clinic with substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to the use of identifiable health information within the practice. The rule recognizes that the chiropractor is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the chiropractor can develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes. Q: Does the rule strictly prohibit use, disclosure, or requests of an entire medical record? Does the rule prevent use, disclosure, or requests of entire medical records without case-by-case justification? A: No. The Privacy Rule does not prohibit use, disclosure, or requests of an entire medical record. Our clinic may use, disclose, or request an entire medical record, without a case-by-case justification, if we have documented in our records that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, our policies and procedures identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. In making non-routine requests, the attending physician may establish and utilize criteria to assist in determining when to request the entire medical record. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment or disclosures to the individual. Q: In limiting access, is your office required to completely restructure existing workflow systems, including redesigns of office space and upgrades of computer systems, in order to comply with the minimum necessary requirements? A: No. The basic standard for minimum necessary uses requires that chiropractor make reasonable efforts to limit access to PHI to those in the workforce that need access based on their roles in the covered entity. The Department of Health and Human Services generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, our chiropractic clinic has volunteered to make certain adjustments to our facility to minimize access, such as isolating and locking file cabinets or records rooms, and providing additional security, such as passwords, on computers maintaining personal information and keeping those computers from outside public access. Q: Do the minimum necessary requirements prohibit covered entities from maintaining patient medical charts in the treatment room or require that X-ray light boards be isolated? A: No. The minimum necessary standards do not require that chiropractors take any of these specific measures. Chiropractors must, in accordance with other provisions of the Privacy Rule, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Rule does not require that X-ray boards be totally isolated from all other functions, it does require the chiropractor to take reasonable precautions to protect X-rays from being accessible to the public. The patients? x-rays should not be left in full view of the public. Q: Will doctors' and physicians' offices be allowed to continue using sign-in sheets in waiting rooms? A: The Privacy Rule did not intend to prohibit the use of sign-in sheets, but understands that the Privacy Rule is ambiguous about this common practice. Therefore, there is proposed modifications to the rule to clarify that this and similar practices are permissible. ORAL COMMUNICATIONS Background The Privacy Rule applies to patient health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken. General Requirements Chiropractors must reasonably safeguard protected health information (PHI) - including oral information - from any intentional or unintentional use or disclosure that is in violation of the rule (see ? 164.530(c)(2)). They must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonably safeguard" means that chiropractors must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. In determining whether a chiropractor has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards. Greco Family Chiropractic makes it a practice to ensure reasonable safeguards for oral information - for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room or other public area, and by avoiding using patients' names in public hallways and elevators. Frequently Asked Questions About Oral Communication Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard? A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring the clinic to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are unavoidable. The Privacy Rule is not intended to prevent appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions were taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart): Health care staff may orally coordinate services at different stations in the office. Physicians, nurses or other health care professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member. A health care professional may discuss test results with a patient or other provider in a joint treatment area. Health care professionals may discuss a patient's condition during training rounds in an academic or training institution. Regulatory language has also been introduced to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible. Q: Does the Privacy Rule require chiropractic offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard? A: No, the Privacy Rule does not require these types of structural changes be made to facilities. Chiropractic offices must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that as health care providers we must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department of Health and Human Services does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of our office regarding potential effects on patient care and financial burden. For example, the Privacy Rule does not require the following types of structural or systems changes: Private rooms. Soundproofing of rooms. Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners. Encryption of telephone systems. Our office must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. We are required to review our own practice and determine what steps are reasonable to safeguard their patient information. Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are: The clinic could add curtains or screens to areas where oral communications often occur between doctors and patients or among professionals treating the patient. In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, or similar barriers may constitute a reasonable safeguard. For example, as our clinic gets larger, the treatment area may reasonably use cubicles or shield-type dividers, rather than separate rooms. In assessing what is "reasonable," our office will also consider the viewpoint of prudent professionals. BUSINESS ASSOCIATES Background By law, the Privacy Rule applies only to health plans, health care clearinghouses, and certain health care providers. In today's health care system, however, most health care providers and health plans do not carry out all of their health care activities and functions by themselves; they require assistance from a variety of contractors and other businesses. In allowing providers and plans to give protected health information (PHI) to these "business associates," the Privacy Rule conditions such disclosures on the provider or plan obtaining, typically by contract, satisfactory assurances that the business associate will use the information only for the purposes for which they were engaged by the clinic, will safeguard the information from misuse, and will help the our clinic comply with the practice duties to provide individuals with access to health information about them and a history of certain disclosures (e.g., if the business associate maintains the only copy of information, it must promise to cooperate with our chiropractic clinic to provide individuals access to information upon request). PHI may be disclosed to a business associate only to help the providers and plans carry out their health care functions - not for independent use by the business associate. What is a "business associate"? A business associate is a person or entity who provides certain functions, activities, or services for or to our chiropractic clinic, involving the use and/or disclosure of PHI. A business associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital or medical doctor and our chiropractic physicians. Q: Is it reasonable for our practice to be held liable for the privacy violations of business associates? A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Our clinic is not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Moreover, a business associate's violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by our practice. The contract must obligate the business associate to advise us when violations have occurred. If our office becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, we must take "reasonable steps" to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship. If such steps are not successful, our office must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for our clinic to take. In such circumstances where termination is not feasible, we must report the problem to the Department of Health and Human Services.  Only if our clinic fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.   PARENTS AND MINORS General Requirements The Privacy Rule provides individuals with certain rights with respect to their personal health information, including the right to obtain access to and to request amendment of health information about themselves. These rights rest with that individual, or with the "personal representative" of that individual. In general, a person's right to control protected health information (PHI) is based on that person's right (under state or other applicable law, e.g., tribal or military law) to control the health care itself. Because a parent usually has authority to make health care decisions about his or her minor child, a parent is generally a "personal representative" of his or her minor child under the Privacy Rule and has the right to obtain access to health information about his or her minor child. This would also be true in the case of a guardian or other person acting in loco parentis of a minor. There are exceptions in which a parent might not be the "personal representative" with respect to certain health information about a minor child. In the following situations, the Privacy Rule defers to determinations under other law that the parent does not control the minor's health care decisions and, thus, does not control the PHI related to that care. When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service, the parent is not the minor's personal representative under the Privacy Rule. The minor may choose to involve a parent in these health care decisions without giving up his or her right to control the related health information. Of course, the minor may always have the parent continue to be his or her personal representative even in these situations. When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, the parent is not the personal representative of the minor for the relevant services. For example, courts may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself. In order to not undermine these court decisions, the parent is not the personal representative under the Privacy Rule in these circumstances. In the following situations, the Privacy Rule reflects current professional practice in determining that the parent is not the minor's personal representative with respect to the relevant PHI: When a parent agrees to a confidential relationship between the minor and the physician, the parent does not have access to the health information related to that conversation or relationship. For example, if a physician asks the parent of a 16-year old if the physician can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control the PHI that was discussed during that confidential conference. When a physician (or other covered entity) reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child. Relation to State Law In addition to the provisions (described above) tying the right to control information to the right to control treatment, the Privacy Rule also states that it does not preempt state laws that specifically address disclosure of health information about a minor to a parent (? 160.202). This is true whether the state law authorizes or prohibits such disclosure. Thus, if a physician believes that disclosure of information about a minor would endanger that minor, but a state law requires disclosure to a parent, the physician may comply with the state law without violating the Privacy Rule. Similarly, a provider may comply with a state law that requires disclosure to a parent and would not have to accommodate a request for confidential communications that would be contrary to state law. Q: Does the Privacy Rule allow parents the right to see their children's medical records? A: The Privacy Rule generally allows parents, as their minor children's personal representatives, to have access to information about the health and well-being of their children when state or other underlying law allows parents to make treatment decisions for the child. There are two exceptions: (1) when the parent agrees that the minor and the health care provider may have a confidential relationship, the provider is allowed to withhold information from the parent to the extent of that agreement; and (2) when the provider reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the provider is permitted not to treat the parent as the child's personal representative with respect to health information. Secretary Thompson has stated that he is reassessing these provisions of the regulation. PAYMENT General Requirements As provided for by the Privacy Rule, this practice may use and disclose protected health information (PHI) for payment purposes. "Payment" is a defined term that encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and for a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities that include, but are not limited to: Determining eligibility or coverage under a plan and adjudicating claims; Risk adjustments; Billing and collection activities; Reviewing health care services for medical necessity, coverage, justification of charges, and the like; Utilization review activities; and Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity). Q: Does the rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)? A: No. The Privacy Rule's definition of "payment" includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following PHI about the individual: name and address; date of birth; social security number; payment history; account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The chiropractor may perform this payment activity directly or may carry out this function through a third party, such as a collection agency, under a business associate arrangement. We are not aware of any conflict in the consumer credit reporting disclosures permitted by the Privacy Rule and FCRA. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by FCRA or other law. Therefore, we do not believe there would be a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA. Q: Does the Privacy Rule prevent our office from using debt collection agencies? Does the rule conflict with the Fair Debt Collection Practices Act? A: The Privacy Rule permits chiropractors to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the "payment" definition. Through a business associate arrangement, the chiropractor may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies under a business associate agreement are governed by other provisions of the rule, including consent (where consent is required) and the minimum necessary requirements. We are not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of PHI is necessary for the practice to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law. Q: Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the Privacy Rule? A: "Payment" is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of "payment." Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. The clinic and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act.