Join now!   |   Subscribe   |   Pay an Invoice   |   Sign In
Unclaimed Property Focus
Blog Home All Blogs
UNCLAIMED PROPERTY FOCUS is a blog written by and for UPPO members, featuring diverse perspectives and insights from unclaimed property practitioners across the U.S. and Canada. We welcome your submissions to Unclaimed Property Focus. Please contact Tim Dressen via with any questions about submitting a blog post for consideration and refer to our editorial guidelines when writing your blog post. Disclaimer: Information and/or comments to this blog is not intended as a substitute for legal advice on compliance or reporting requirements.


Search all posts for:   


Top tags: unclaimed property  Compliance  education  UPPO  audits  Delaware  due diligence  litigation  Advocacy  reform  Members  ULC  UPPO annual conference  RUUPA  UP101  Gift Cards  legislation  reporting  UP Laws  Uniform Law Commission  fall reporting  Holders Seminar  UPPO Asks  VDAs  Canada  service providers  california  securities  uniform unclaimed property act  Annual Conference 

HIPAA and Unclaimed Property

Posted By Administration, Thursday, December 6, 2018

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended, in part, to protect patients’ privacy. The law establishes standards for handling and securing potentially sensitive protected health information (PHI).


HIPAA is not typically associated with unclaimed property. However, for property holders in the health care field or that work with the health care field, it’s important to understand HIPAA implications. Considerations related to HIPAA most often come into play when dealing with an audit or a voluntary disclosure agreement. Auditors or VDA administrators may ask for information that, when shared, could violate HIPAA provisions.


HIPAA precludes covered entities, such as health plans, insurers and providers from disclosing PHI to third parties, with a few narrow exceptions. According to the Department of Health and Human Services, PHI includes demographic information relating to:

  • An individual’s past, present or future physical or mental health or condition.
  • The provision of health care to the individual.
  • Payment for health care that may identify the individual.


PHI includes common identifiers, such as name, address, birth date and Social Security number, when they can be associated with health information. It can also include identifiers that could be used to trace an account to a specific medical issue, such as internal account numbers.


“There is a general prohibition on disclosure of records dealing with mental health, substance abuse treatment, genetic testing and HIV/AIDS under HIPAA and various federal and state laws, absent patient consent,” said Scott Heyman, partner with Sidley Austin LLP. “Those laws are very strict and without exception. Even if exceptions are available for providing other PHI to third parties, they are not available for those conditions.”


HIPAA violations are subject to civil and criminal penalties, so great care needs to be taken to ensure compliance.


Three exceptions to PHI disclosure without patient consent exist under HIPAA:

  • Disclosure to public health authorities.
  • Disclosure in health oversight activities.
  • Disclosure for law enforcement purposes.


State treasurers and controllers conducting unclaimed property audits are not public health authorities and are not engaged in health oversight activities, so the first two exceptions do not apply. 


The “disclosure for law enforcement purposes” exception is broad enough to cover unclaimed property audits. In order to disclose information under the law enforcement exception: 

  • PHI sought must be “relevant and necessary to a legitimate law enforcement inquiry.”
  • The request must be ”specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.” 
  • “Deidentified information could not be reasonably be used.” 


Disclosure is permitted only to law enforcement officials, defined as “an officer or employee” of an eligible agency. Thus, PHI may not be disclosed to private government contractors without patient consent. In contrast, the public health and health oversight exceptions expressly permit disclosure of information to government contractors. 


PHI should be retracted from items provided to auditors. 


“If they insist that they need PHI for audit purposes, providing the information directly to the state and letting the state decide what to do with it may be a reasonable response,” Heyman said.


Redaction can be very time-consuming and one of the more burdensome aspects of an unclaimed property audit in the health care industry. 


“Often the information at issue includes things like explanations of benefits, where you’re proving out voids and reissuances,” said Heyman. “Those tend to be copies of paper documents. It means reading those documents and crossing out PHI with a black marker. It’s an intensively manual process, and knowing which boxes contain PHI and which don’t, and blacking them out appropriately, is essential.”  


Holders should refer to information from HHS for guidance on de-identifying PHI.


Unclaimed property compliance and audits are rarely simple. For holders in the health care space, HIPAA adds yet another compliance layer. 


The 2019 UPPO Annual Conference, March 24-27 in New Orleans, will include industry breakouts and an industry focus session for holders in the health care industry to discuss audit trends and compliance issues affecting them. Learn more and register today.



Tags:  audits  health care  HIPAA  unclaimed property 

Share |
PermalinkComments (0)

Common reporting errors in healthcare

Posted By Administration, Thursday, April 21, 2016

Nearly every holder that reports unclaimed property to the states faces certain nuances unique to their industry. Being aware of some of the challenges and potential pitfalls of those nuances can help ensure reports contain fewer errors. During the Industry Focus: Healthcare session at the 2016 UPPO Annual Conference, Leigh Underwood, senior manager of unclaimed property and insurance taxes for HCA Healthcare, shared some of the common reporting errors healthcare providers face.


Proper owner

Healthcare providers receive payments from multiple payers on a single account. They include patients, insurance companies, patient guarantors and, if the patient has passed away, estate executors. Doing sufficient due diligence is essential to ensuring the correct property owner is listed on the report.


“If you look at the account information and see that a patient’s birth date was seven years ago, you know that person isn’t making the payment,” Underwood says. “So you need to look at the patient account and see who the patient guarantor is.”


Social Security numbers vs. federal ID numbers

When remitting property to the state for an insurance company, ensure the field for a Social Security number or federal ID number lists the company’s federal ID number rather than the patient’s Social Security number. It is common for providers to inadvertently include the patient’s Social Security number, but doing so makes matching the account to the insurance company challenging.


Insurer’s last known address

The employees who enter information into the provider’s database are sometimes tempted to use shortcuts rather than thoroughly entering each piece of data properly. For example, they may enter “see address on insurance card” in the insurance company address field. Unfortunately, this presents a problem for the person filing the unclaimed property report, who doesn’t have access to patients’ complete records.


“Talk to the people who are gathering that information and make sure they understand the need for including complete information in the correct fields,” Underwood says.


Multiple patient addresses

If a patient’s record includes both a physical address and a mailing address, it is essential to be aware of any restrictions placed on use of the physical address. Patients may specify that they do not want any correspondence sent to the physical address for privacy reasons. Particularly in the case of providers specializing in sensitive areas such as psychiatric care, patients may not want other people who have access to mail sent to the physical address to know about the care they are receiving.


Multiple addresses also increase the chances of an incorrect city, state or ZIP code on the report. Ensure the information from these fields corresponds to the mailing address rather than the physical address.



UPPO offers several tools to help unclaimed property professionals meet their reporting requirements. The Jurisdiction Resource Guide outlines reporting requirements of U.S. and Canadian jurisdictions in one central location. Member forums provide an online medium to discuss reporting challenges and other issues with peers. The govWATCH legislative and regulatory tracking service helps members keep up with pending bills and enacted legislation that could affect reporting requirements.


More information

UPPO Jurisdiction Resource Guide

Identify and eliminate common reporting errors

How to avoid the five most common unclaimed property reporting and remitting errors

Tags:  compliance  health care  reporting  unclaimed property 

Share |
PermalinkComments (0)
Membership Software Powered by YourMembership  ::  Legal