Debt Buyers and Collection Agencies: HIPAA Rules for Disclosing Patient Information



Kevin Henry

HIPAA

April 06, 2024

7 minutes read

HIPAA Privacy Rule and Debt Collection

Under the HIPAA Privacy Rule, covered entities may use and disclose Protected Health Information (PHI) for treatment, payment, and health care operations without patient authorization. Medical debt collection falls within “payment” when the disclosure is necessary to obtain reimbursement for health care services.

When a collection agency works on a provider’s behalf, it generally functions as a business associate and must follow HIPAA safeguards. A debt buyer, by contrast, typically acquires the receivable and is not acting on the provider’s behalf; the provider’s disclosure must still meet HIPAA’s requirements, including the Minimum Necessary Standard and any limits on the sale of PHI.

What “payment” means in collections

  • Activities to collect on an account, verify coverage, resolve denials, and manage remittances are “payment.”
  • Only information reasonably needed to perform those tasks should be disclosed, and only to parties with a legitimate role in the process.

Debt buyers vs. collection agencies

  • Collection agencies operating on behalf of a provider are often business associates and must sign a Business Associate Agreement (BAA).
  • Debt buyers usually are not business associates; disclosures to them must be carefully limited to the minimum necessary for collection and assessed for any prohibition on the sale of PHI.

Minimum Necessary Standard

The Minimum Necessary Standard requires you to limit PHI disclosures to the smallest amount needed to achieve the collection purpose. Role-based access, predefined data sets, and need-to-know workflows help you comply.

Practical controls

  • Use standardized “collection data packs” that include only essential elements (for example, patient/guarantor identifiers, dates of service, amounts owed, and payer identifiers).
  • Suppress clinical narratives, test results, images, and diagnosis details by default.
  • Require case-by-case justification before releasing any additional PHI, and log who requested and received it.
  • Train staff and vendors on the Minimum Necessary Standard and audit periodically.

Business Associate Agreement Requirements

A Business Associate Agreement (BAA) is required when a collection agency or early-out vendor creates, receives, maintains, or transmits PHI on a provider’s behalf. The BAA contractually binds the agency to HIPAA safeguards and breach duties.

Core BAA terms for collection services

  • Permitted and required uses/disclosures tied to payment and applicable medical debt collection regulations.
  • Administrative, physical, and technical safeguards for PHI, including incident response and breach notification.
  • Downstream subcontractor compliance obligations.
  • Access, amendment, accounting-of-disclosures support for the provider.
  • Return or secure destruction of PHI at termination, with no retention beyond legal necessity.
  • Minimum Necessary Standard enforcement and prohibition on unauthorized marketing or sale of PHI.

When a BAA is not appropriate

  • For an outright sale of receivables to a debt buyer, a BAA often does not apply because the buyer is not acting on the provider’s behalf.
  • Before transfer, scrub data so only the minimal billing identifiers needed for collection remain; avoid transmitting clinical content.

Permissible Information Disclosure

To pursue collection, you may disclose limited billing-related PHI without patient authorization, provided it is the minimum necessary. Typically appropriate elements include:

  • Patient and guarantor name, postal address, and contact number.
  • Internal account number and invoice/claim identifiers.
  • Dates of service and provider name/location.
  • Amount owed, payment history, adjustments, and insurance remittance data.
  • Insurance payer name and policy/member numbers needed to resolve coverage disputes.

If a specific dispute truly requires additional detail (for example, a brief procedure descriptor to clarify a balance), release only what is strictly necessary and document the rationale.


Prohibited Information Disclosure

Do not disclose PHI categories that are unnecessary for collection or specially protected. Avoid sharing:

  • Diagnosis details, treatment plans, clinical notes, test results, images, or full medical records.
  • Psychotherapy notes, which have heightened protections.
  • Substance Use Disorder records covered by 42 CFR Part 2 without proper consent.
  • HIV status, genetic information, or other sensitive data not required for payment.
  • Social Security numbers, driver’s license scans, or bank account details unless truly essential and permitted.
  • Any PHI with third parties not involved in collection (employers, friends, or unrelated vendors).
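As an added illustration (not code from this article or from any vendor's product), the Python below implements the "collection data pack" approach from the Practical controls section together with the permissible and prohibited lists above: default allow-listing of billing fields, suppression of everything else, a hard block on the clinical and specially protected categories, and a logged, justified exception path for extras such as a brief procedure descriptor. The field names and the sample record are assumptions chosen for the example.

```python
from datetime import datetime, timezone

# Fields the article lists as typically appropriate to disclose for collection.
PACK_FIELDS = {
    "patient_name", "guarantor_name", "postal_address", "phone",
    "account_number", "claim_ids", "dates_of_service", "provider_name",
    "amount_owed", "payment_history", "adjustments", "payer_name", "member_id",
}
# Categories the article says to keep out of collection. This filter refuses
# them even with a justification (conservative assumption: 42 CFR Part 2 records
# would need a separate consent workflow, which is not modelled here).
BLOCKED = {
    "diagnosis", "treatment_plan", "clinical_notes", "test_results", "images",
    "psychotherapy_notes", "sud_part2_records", "hiv_status", "genetic_info",
}
disclosure_log = []  # accounting of every case-by-case extra release

def build_collection_pack(record, extras=(), requested_by=None, justification=None):
    """Return (pack, suppressed_fields).

    `extras` are non-default fields (e.g. a brief procedure descriptor or, where
    truly essential, an SSN) that a specific dispute requires. Each release needs
    a named requester and a written justification and is appended to disclosure_log.
    """
    pack = {k: v for k, v in record.items() if k in PACK_FIELDS}
    suppressed = {k for k in record if k not in PACK_FIELDS}
    for field in extras:
        if field in BLOCKED:
            raise PermissionError(f"{field!r} is never released for collection")
        if not (requested_by and justification):
            raise ValueError("extra PHI needs a requester and a documented justification")
        if field in record:
            pack[field] = record[field]
            suppressed.discard(field)
            disclosure_log.append({
                "when": datetime.now(timezone.utc).isoformat(),
                "field": field, "account": record.get("account_number"),
                "requested_by": requested_by, "justification": justification,
            })
    return pack, sorted(suppressed)

# Constructed sample account record (fictional data, for the example only).
SAMPLE_RECORD = {
    "patient_name": "Jane Example", "guarantor_name": "Jane Example",
    "postal_address": "1 Sample St, Anytown", "phone": "555-0100",
    "account_number": "ACCT-0001", "claim_ids": ["CLM-77"],
    "dates_of_service": ["2024-01-15"], "provider_name": "Example Clinic",
    "amount_owed": 240.00, "payer_name": "Example Health Plan",
    "member_id": "MBR-123", "ssn": "000-00-0000", "diagnosis": "REDACTED-DX",
    "clinical_notes": "...", "procedure_descriptor": "office visit",
}
```

Every call returns the list of fields it withheld, so the same function can feed a review report showing what never left the provider.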

Fair Debt Collection Practices Act Compliance

HIPAA controls what you may disclose; the Fair Debt Collection Practices Act (FDCPA) governs how third‑party collectors interact with consumers. Both sets of rules apply. Collection communications must respect privacy and avoid revealing medical context to unauthorized persons.

  • Provide a clear validation notice and honor disputes before further collection.
  • Avoid harassment, false representations, and communication at unusual times or places, including workplaces where the employer prohibits such contact.
  • Do not disclose debt details to third parties; verify identity before any discussion.
  • If furnishing to credit bureaus, follow the Fair Credit Reporting Act (FCRA): report accurately, use a permissible purpose, and exclude diagnosis or clinical information.

Patient Rights and Protections

Patients retain strong privacy protections under HIPAA, FDCPA, and FCRA. You should design collection processes that respect these rights and make it easy for patients to exercise them.

  • Right to access and obtain copies of their PHI and billing records.
  • Right to request confidential communications (for example, use a different address or phone).
  • Right to request restrictions, including limiting disclosure to a health plan for items paid out‑of‑pocket in full.
  • Right to an accounting of certain disclosures.
  • Right to dispute a debt and require validation under the FDCPA, and to dispute credit reporting under the FCRA.
  • Right to file complaints about improper disclosures or collection practices.

Conclusion

For debt buyers and collection agencies, compliant medical debt collection hinges on three pillars: disclose only the data the Minimum Necessary Standard permits, use BAAs when acting on a provider’s behalf, and align collection conduct with FDCPA and FCRA. Keep clinical details out of the process, verify identities, and document decisions to protect patients and reduce organizational risk.

FAQs

Is selling medical debt considered a HIPAA violation?

Not automatically. The answer depends on what PHI is disclosed and the legal basis for the transfer. If a provider discloses only the minimum necessary billing data for collection/payment, the disclosure can be permissible. If remuneration is effectively for the PHI itself (a “sale of PHI”), HIPAA generally requires patient authorization unless a narrow exception applies. Many organizations mitigate risk by limiting datasets and evaluating whether authorization is needed before any sale.

What information can legally be shared with debt collectors under HIPAA?

Typically permitted elements are patient/guarantor identifiers, dates of service, provider name, amounts owed, account and claim numbers, and payer identifiers necessary to resolve coverage. Do not share diagnoses, clinical notes, test results, psychotherapy notes, 42 CFR Part 2 records, or other sensitive details unless a specific, documented payment need exists.

How does the Minimum Necessary Standard apply to medical debt collection?

You must limit disclosures to the smallest data set that will achieve collection. Use role‑based access, predefined billing-only data packs, default suppression of clinical content, case‑by‑case approvals for any additional PHI, and activity logs to demonstrate compliance.

Are debt buyers required to sign a Business Associate Agreement?

Only if they are performing services on the provider’s behalf that involve PHI. In an outright purchase of receivables, a debt buyer typically is not a business associate; the provider must instead ensure that any disclosure meets HIPAA (including Minimum Necessary) and does not constitute a prohibited sale of PHI without authorization.

What protections do patients have against improper disclosure of medical information?

Patients can access their records, request restrictions and confidential communications, and receive an accounting of certain disclosures under HIPAA. They can dispute debts and limit collection communications under the FDCPA, and challenge credit reporting under the FCRA. Breaches trigger notification duties and potential enforcement, which provide additional privacy protection.
