Privacy/Compliance

Debt Collection in the United States is regulated by the Federal Trade Commission (FTC). Major statutes are defined in The Consumer Credit Protection Act (CCPA) and the Fair Credit Reporting Act (FCRA), respectively Public Law 90-321, originally enacted on May 29, 1968, and Public Law 91-508, enacted on April 25, 1971. The CCPA was subsequently amended with The Fair Debt Collection Practices Act (FDCPA), or Public Law 95-109, which was passed on September 20, 1977 and has itself been subsequently updated. You can order a free hard copy of the FDCPA at the FTC Bureau of Consumer Protection or download a free PDF. Debt collection is also regulated by the Consumer Financial Protection Bureau. The CFPB is an independent agency of the United States government designed to protect consumers in the area of finance.

Specific regulations apply to debt collection practices depending on the type of debt under consideration. For example, medical collections must adhere to the applicable statutes within the Health Insurance Portability and Accountability Act (HIPAA), or Public Law 104-191, enacted on August 21, 1996 and its stated privacy requirements. HIPAA’s “Privacy Rule” and the U.S. Department of Health and Human Services (HHS) identifies Protected Health Information (PHI) as “‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” You can download a free PDF of The HIPAA here.

Additional regulations apply to debt collection practices depending on the methodology used for debt collection. For example, the Telephone Consumer Protection Act (TCPA), or Public Law 102-243, passed on December 20, 1991 applies to debt collection agencies using the telephone as a medium to do their work. The TCPA is governed by the Federal Communications Commission (FCC) and covers things such as permitted times of day for collections calls and the legality of automated dialing technology.

The stated purpose of the Fair Debt Collection Practices Act is to “eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.”

At NSB we promote a strict “Code” of Ethics in an effort to self-regulate our collections processes above and beyond the legal requirements of the Consumer Credit Protection Act and the FDCPA. National Service Bureau adheres to ACA International’s Code of Ethics. The code applies to all owners and employees of NSB and is enforced through an internal auditing process. The intent of the NSB code is to promote a culture of personal integrity and honest business practices and to maintain the highest standards of fair behavior in the collections industry.

The Federal Trade Commission (FTC) makes relevant news and information known through press releases on its website. Additionally, the FTC lists Federal Register Notices for proposed rules and policy updates on its website.

This section governs what a collection agency representative can say, what he or she must say, when he or she must say it, and the various types of allowed and prohibited communication when speaking to someone other than the actual consumer (the individual who owes or allegedly owes payment) for the purpose of obtaining location information about the consumer.

This section discusses communication between a collection agency representative and the actual consumer. Reasonable hours for asset receivables collection practices are defined as those between local business hours. Additionally, Section 805 discusses the conditions upon which an asset receivables collection agent must cease communication with the consumer, related third parties, and/or when he or she must consult with the consumer’s attorney.

This prohibits the use of violent threats, profane language, non-transparent telephone practices intended to harass or annoy, and the sale of debt as a means to coerce asset receivables payment. Additionally it defines the organizations to whom collection firms can report persons or businesses that fail to pay the amount owed.

This prohibits a collection agency from making false or misleading representation of themselves and/or the asset receivables collection process. Amongst its included prohibitions are the following:

• Identifying themselves as a member of or affiliated with the United States government or fabricating documentation that might lead to such a conclusion.
• Misrepresenting themselves, the nature of their involvement, relevant information, and/or legal documentation relating to the asset receivables collection process.
• Threatening legal action to include seizure, garnishment, or sale of property that is not legally planned or possible.
• False representation that asset receivables have been turned over to innocent purchasers when they have not.

This prohibits a collection agency from engaging in “unfair” or “unconscionable” asset receivables collection practices. Amongst its included prohibitions are the following:

• Collection of an amount not specified in the agreement or permitted by law.
• Solicitation or acceptance of, and/or depositing a postdated check under certain circumstances.
• Taking or threatening to take nonjudicial action to effect the dissolution or disablement of property under certain circumstances.
• Certain communication practices such as the use of post cards or extraneous symbology on asset receivables collection letters.

This mandates certain actions for asset receivables collection agencies to be completed in writing during or within five days of initial communication. Amongst the stated requirements are the following:

• The amount of receivable.
• The creditor’s name.
• A statement that the receivable will be assumed valid if the consumer does not dispute it within 30 days of written notice.
• A statement that the original creditor (if different than the current creditor) will be made known to the consumer within 30 days of written notice if so requested by the consumer in writing.

This specifies that collection agencies in receipt of payments from a consumer with multiple outstanding assets payable may not apply the payment to a disputed payable and must apply it according to the specifications outlined by the consumer where applicable.

This specifies the legal jurisdiction in which a suit may be filed in relation to receivables collection.

This prohibits asset receivables collection agencies from furnishing forms that insinuate persons and/or organizations other than the creditor are participating in the collection of or an attempt to collect the specified receivable when in fact such persons and/or organizations are not participating.

Section 164.306 discusses the covered entities, business associates, and their obligations regarding PHI. Paragraph (a) General Requirements requires National Service Bureau to ensure the confidentiality, integrity, and availability of PHI received, maintained, or transmitted by RSi and its workforce and guard against reasonably anticipated security threats to such information.

Sections 164.308 – 164.312 discuss administrative safeguards, physical safeguards, and technical safeguards for handling PHI. Administratively, business entities (such as National Service Bureau) are required to implement policies and procedures to prevent, detect, contain, and correct security violations. NSB’s procedures are overseen by a compliance officer that monitors risk management measures, imposes sanctions against workforce members that fail to comply, conducts system audits, and publicizes policy guidance. Physical safeguard requirements include facility security and physical security of electronic information systems. Technical safeguards include software security features such as unique user identification, automatic logoff, encryption and decryption, and emergency access procedures.

Sections 164.314 – 164.316 discuss policies, procedures, and documentation requirements for business entities such as Nation Service Bureau that deal with PHI. Organizational requirements include mandatory business contract and subcontract inclusions, reporting requirements, and implementation specifications. Procedural mandates include time specifications for record retention, document availability and policy review and update requirements.

Section 164.404 discusses notification requirements to the individual whose Protected Health Information was disclosed (“breached”) in an unauthorized manner. Breach includes the acquisition, access, use, or disclosure of PHI and must be reported without unreasonable delay and in no case later than 60 calendar days to the affected individual. Additional requirements include provision of a description of what happened, written notice by first-class mail, and a toll-free number where individuals can learn the details of the incident.

Sections 164.406 – 164.408 discuss publicity requirements relating to the media and the Secretary of Health and Human Services for major breaches (more than 500 residents of a State or jurisdiction) as well as log requirements for breaches of less than 500 individuals.

Sections 164.502 – 164.504 discuss general rules and organizational requirements regarding the disclosure of PHI. Included are those times when disclosure is required, prohibited uses and disclosure of PHI, rules regarding the sale, transfer, merger, or consolidation of PHI, and implementation specifications for businesses handling PHI.

Sections 164.508 – 164.514 discuss those uses and disclosures of PHI for which an authorization from the affected individual is required, those that require an opportunity for an individual to agree or to object, and those for which an opportunity to agree or to object is not required.