Join now!   |   Subscribe   |   Pay an Invoice   |   Sign In
Unclaimed Property Focus
Blog Home All Blogs
UNCLAIMED PROPERTY FOCUS is a blog written by and for UPPO members, featuring diverse perspectives and insights from unclaimed property practitioners across the U.S. and Canada. We welcome your submissions to Unclaimed Property Focus. Please contact Tim Dressen via with any questions about submitting a blog post for consideration and refer to our editorial guidelines when writing your blog post. Disclaimer: Information and/or comments to this blog is not intended as a substitute for legal advice on compliance or reporting requirements.


Search all posts for:   


Top tags: unclaimed property  Compliance  education  UPPO  audits  Delaware  due diligence  litigation  Advocacy  reform  Members  ULC  UPPO annual conference  RUUPA  UP101  Gift Cards  legislation  reporting  UP Laws  Uniform Law Commission  fall reporting  Holders Seminar  UPPO Asks  VDAs  Canada  service providers  california  securities  uniform unclaimed property act  Annual Conference 

HIPAA and Unclaimed Property

Posted By Administration, Thursday, December 6, 2018

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended, in part, to protect patients’ privacy. The law establishes standards for handling and securing potentially sensitive protected health information (PHI).


HIPAA is not typically associated with unclaimed property. However, for property holders in the health care field or that work with the health care field, it’s important to understand HIPAA implications. Considerations related to HIPAA most often come into play when dealing with an audit or a voluntary disclosure agreement. Auditors or VDA administrators may ask for information that, when shared, could violate HIPAA provisions.


HIPAA precludes covered entities, such as health plans, insurers and providers from disclosing PHI to third parties, with a few narrow exceptions. According to the Department of Health and Human Services, PHI includes demographic information relating to:

  • An individual’s past, present or future physical or mental health or condition.
  • The provision of health care to the individual.
  • Payment for health care that may identify the individual.


PHI includes common identifiers, such as name, address, birth date and Social Security number, when they can be associated with health information. It can also include identifiers that could be used to trace an account to a specific medical issue, such as internal account numbers.


“There is a general prohibition on disclosure of records dealing with mental health, substance abuse treatment, genetic testing and HIV/AIDS under HIPAA and various federal and state laws, absent patient consent,” said Scott Heyman, partner with Sidley Austin LLP. “Those laws are very strict and without exception. Even if exceptions are available for providing other PHI to third parties, they are not available for those conditions.”


HIPAA violations are subject to civil and criminal penalties, so great care needs to be taken to ensure compliance.


Three exceptions to PHI disclosure without patient consent exist under HIPAA:

  • Disclosure to public health authorities.
  • Disclosure in health oversight activities.
  • Disclosure for law enforcement purposes.


State treasurers and controllers conducting unclaimed property audits are not public health authorities and are not engaged in health oversight activities, so the first two exceptions do not apply. 


The “disclosure for law enforcement purposes” exception is broad enough to cover unclaimed property audits. In order to disclose information under the law enforcement exception: 

  • PHI sought must be “relevant and necessary to a legitimate law enforcement inquiry.”
  • The request must be ”specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.” 
  • “Deidentified information could not be reasonably be used.” 


Disclosure is permitted only to law enforcement officials, defined as “an officer or employee” of an eligible agency. Thus, PHI may not be disclosed to private government contractors without patient consent. In contrast, the public health and health oversight exceptions expressly permit disclosure of information to government contractors. 


PHI should be retracted from items provided to auditors. 


“If they insist that they need PHI for audit purposes, providing the information directly to the state and letting the state decide what to do with it may be a reasonable response,” Heyman said.


Redaction can be very time-consuming and one of the more burdensome aspects of an unclaimed property audit in the health care industry. 


“Often the information at issue includes things like explanations of benefits, where you’re proving out voids and reissuances,” said Heyman. “Those tend to be copies of paper documents. It means reading those documents and crossing out PHI with a black marker. It’s an intensively manual process, and knowing which boxes contain PHI and which don’t, and blacking them out appropriately, is essential.”  


Holders should refer to information from HHS for guidance on de-identifying PHI.


Unclaimed property compliance and audits are rarely simple. For holders in the health care space, HIPAA adds yet another compliance layer. 


The 2019 UPPO Annual Conference, March 24-27 in New Orleans, will include industry breakouts and an industry focus session for holders in the health care industry to discuss audit trends and compliance issues affecting them. Learn more and register today.



Tags:  audits  health care  HIPAA  unclaimed property 

Share |
PermalinkComments (0)

Thinking Outside the Unclaimed Property Box: Other Implications Affecting Unclaimed Property

Posted By Contribution from Jennifer Waryjas, 2018/19 UPPO secretary, Thursday, May 31, 2018

As unclaimed property holders become more knowledgeable about their compliance responsibilities, they may risk exposure in tangentially related areas if their focus is too narrow. Holders may be completely compliant with unclaimed property requirements and get blindsided by a legal violation in another area related to their unclaimed property practices. For this reason, a well-rounded approach to unclaimed property compliance that goes beyond just state unclaimed property statutes is important. Following are several risk areas worth considering. 


Mergers and Acquisitions

There’s a common misconception with mergers and acquisitions that all unclaimed property obligations flow through to the purchaser if it’s a stock deal, and none of it flows through if it’s an asset deal. However, that is way too broad of a generalization. 


When a holder has become aware that a merger or acquisition has occurred, the holder must analyze the specific terms of the agreement to know what’s being purchased and what’s being retained – and whether there’s a provision addressing unclaimed property – is essential. 


There’s another misconception that unclaimed property is covered under the tax provisions in an M&A document. Unclaimed property is not a tax and is not included in the definition of tax in the standard definition of tax in most M&A agreements. Unless the deal team knows what unclaimed property is and why it matters, they’re not likely to include provisions responsive to potential unclaimed property obligations in the agreement. Likewise, unless the unclaimed property team understands the deal itself, it may make false generalizations and improperly take into account the effect of that a merger or acquisition has on your unclaimed property reporting obligations. 


Health Insurance Portability and Accountability Act

HIPAA is not typically associated with unclaimed property. However, for holders in the medical field or that work with the medical field, it’s important to understand HIPAA implications. HIPAA rules define what information can and cannot be released. Companies in the healthcare market deal with sensitive information. Patients often don’t want information about their health conditions shared without their consent. Unclaimed property holders need to take this into consideration. For example, when escheating uncashed checks to the state, question whether the information is revealing something that the property owner wouldn’t want made public. 


When dealing with an audit or a VDA, handling sensitive information can be even more complex. Auditors or VDA administrators may ask for information that, when shared, could violate HIPAA provisions. For example, a medical device provider specializing in an area that would be easy to associate with a specific medical condition could inadvertently release medical information when sharing requested information. Great care needs to be taken to ensure compliance not only with unclaimed property statutes, but also with HIPAA. 


Probate Law

When managing the unclaimed property treatment of securities, does the holder or third party administrator understand the implications of probate law?  Relatives of deceased property owners may contact transfer agents to let them know of the death and to inquire about transfer of the shares. Auditors may require that property be escheated, without delving into the legal implications of the contact with a related party under the general presumption that the owner has not made sufficient contact. However, under the relevant probate law, that person may in fact be the heir. Therefore, the holder or third party administrator should identify the relevant probate law to determine if the auditor’s request is proper, or if they should request to provide adequate time for resolution of the probate process before escheating those shares. 


False Claims Act

Under the False Claims Act, whistleblowers report a finding to the state and are rewarded for raising an issue about which the state was otherwise unaware. In the unclaimed property arena, False Claims Act cases take what could be a normal audit and transcend it into treble damages and attorney fees. 


When hit with a False Claims Act case, information not under privilege becomes public. Every email is traceable, every document becomes potentially discoverable. While a holder is unlikely to anticipate litigation, they can decrease risk of disclosing information if they have taken the proper steps to ensure an internal or third-party unclaimed property analysis is done under privilege. 


Nondisclosure Agreements

Information shared with an auditor during an unclaimed property audit could become discoverable in an unrelated lawsuit filed after the audit has been completed. This occurred in the case of City of Sterling Heights General Employees Retirement System vs. Prudential Financial, in which plaintiff shareholders subpoenaed the auditor for audit documentation. 


It’s important to make sure when signing nondisclosure agreements with an auditor conducting an examination that they include provisions outlining how long the auditor keeps nonpublic information and work papers, in what form and what they are doing with them when the audit is complete.


Taking a comprehensive view of unclaimed property compliance beyond only state unclaimed property statutes reduces risk and helps avoid costly surprises. Awareness of these areas that are especially prone to cause potential headaches is a significant step toward creating a truly well-rounded compliance program. 

Tags:  False Claims Act  HIPAA  mergers  probate law 

Share |
PermalinkComments (0)
Membership Software Powered by YourMembership  ::  Legal