Examples and Checklist: Disclosing PHI to Collection Agencies Under HIPAA
When a patient account becomes delinquent, HIPAA allows you to disclose certain Protected Health Information to a collection agency to obtain payment. The key is to keep every disclosure tied to Payment Activities, apply the Minimum Necessary Standard, and put the right contracts, controls, and records in place. Use the examples and checklists below to operationalize compliant practices without slowing cash flow.
Permitted Disclosures to Collection Agencies
Under the HIPAA Privacy Rule, you may disclose PHI for Payment Activities without patient authorization. Collection activities performed by a third party on your behalf fall within “payment,” as do limited disclosures to Consumer Reporting Agencies when furnishing information about an account. Your justification should be obtaining payment for care already provided—never marketing or unrelated purposes.
Examples: Typical payment scenarios that are permissible
- Placing a delinquent account with a third‑party collector to send notices, make calls, and process payments.
- Providing limited account details to outside counsel pursuing a judgment strictly to collect the debt.
- Furnishing minimal identity information, dates of service, and balances to Consumer Reporting Agencies consistent with applicable law and bureau requirements.
- Sharing limited data with a skip‑tracing vendor engaged by your collector to locate a responsible guarantor.
- Responding to a patient dispute routed through the collector with documents that support the amount owed, but excluding clinical content not needed to resolve the dispute.
Checklist — Permitted Disclosures
- Purpose is payment/collection of an existing account, not marketing or research.
- Only disclose information your collector needs to bill, locate, or validate the debt.
- Confirm a Business Associate Agreement is executed before any routine disclosures.
- For Consumer Reporting Agencies, align content and timing with bureau and legal requirements.
- Exclude clinical details unless indispensably required for payment validation.
Minimum Necessary Standard
The Minimum Necessary Standard requires you to limit PHI to the smallest amount needed to accomplish the payment task. It applies to routine disclosures to collection agencies and Consumer Reporting Agencies. Build processes that make the “right‑sized” disclosure the default, with exceptions documented and approved.
Operationalizing the Minimum Necessary Standard
- Use role‑based templates that include only identifiers, dates of service, account numbers, and balances.
- Redact diagnosis, procedure codes, and clinical notes from placement files and dispute responses unless truly required.
- Require requestors to specify why any additional element is necessary; retain that rationale.
- Automate file feeds that exclude clinical fields by design; audit quarterly.
- Escalate unusual requests (e.g., pathology reports) to compliance/legal before releasing.
Example: Right‑sizing a disclosure
- Appropriate: Patient name, guarantor name, addresses, contact info, date(s) of service, account/invoice number, payer status, balance owed, payment history.
- Overbroad: Operative report, lab results, medication lists, full EHR visit notes, diagnostic images.
Checklist — Minimum Necessary
- Default data sets exclude clinical content.
- Written criteria define when extra data may be released and who approves it.
- Disclosures are logged with purpose and data elements sent.
- Staff trained annually on what to include and what to exclude.
Business Associate Agreements
Collection agencies acting on your behalf are Business Associates because they handle PHI to perform Payment Activities for you. Before sending any PHI, execute a Business Associate Agreement that sets boundaries, demands safeguards, and requires breach reporting. Subcontractors engaged by the collector who access PHI must also be bound by written agreements with equivalent protections.
Core BAA terms to include
- Permitted uses/disclosures limited to collection and payment support.
- Administrative, physical, and technical safeguards (including encryption in transit/at rest where feasible).
- Security incident and breach notification duties and timelines.
- Flow‑down obligations to subcontractors.
- Access, amendment, and accounting support as applicable.
- Return or destruction of PHI at contract end; restrictions on retention.
- Right to audit and remedies for non‑compliance.
When a BAA may not apply
If you sell or assign debt outright, the purchaser may not be acting “on your behalf.” Even then, share only the Minimum Necessary information to validate and collect the account, and require strong contractual privacy and security commitments. Confirm all other laws governing debt buyers are met.
Checklist — Business Associate Agreement
- BAA fully executed before first disclosure; keep countersigned copy on file.
- Security questionnaire and diligence completed; gaps remediated.
- Subcontractors identified and bound by equivalent agreements.
- Annual review of controls and breach history.
PHI Elements for Disclosure
For most placements, a lean, standardized file will satisfy Payment Activities. The goal is to confirm identity, establish the debt, and enable contact and payment—nothing more. Below are elements typically sufficient and elements that should be excluded.
Typically sufficient identifiers and data elements
- Patient and guarantor full name and relationship.
- Postal address, phone numbers, and email (as available and lawful to use).
- Date of birth (only as needed to verify identity); last four digits of SSN if already in your records and necessary for matching.
- Account/invoice number, medical record number (if required for matching and non‑diagnostic).
- Date(s) of service and facility/provider name.
- Primary payer status (e.g., denied, partial payment), and coordination of benefits notes that are non‑clinical.
- Charge amount, adjustments, payments/credits, and current balance owed.
- Documents needed to validate the debt without clinical detail (e.g., itemized statement with descriptions scrubbed of diagnosis/procedure codes).
Do not disclose (absent a specific, documented need)
- Diagnosis, procedure codes (CPT/ICD), clinical notes, test results, images, or care plans.
- Psychotherapy notes and substance use disorder records protected by specialized rules.
- HIV/STD results, genetic information, reproductive health details, or any sensitive data restricted by state law.
Examples of common disclosure packets
- Initial placement: Identity, contact, dates of service, account identifiers, balance, payer status, and a scrubbed itemized statement.
- Consumer dispute: Prior packet plus remittance/EOB pages showing patient responsibility; still exclude diagnoses and clinical narratives.
- Legal escalation: Only court‑needed proofs (authenticating the account and balance); coordinate with counsel to keep disclosures minimal.
Checklist — PHI Elements
- Standard file layout excludes clinical fields by default.
- Redaction rules remove diagnosis/procedure language from statements sent externally.
- Any additional element is justified and approved in writing.
- Data minimization reviewed at least annually.
Compliance with Other Laws
HIPAA is only one piece. The Fair Debt Collection Practices Act governs how third‑party collectors interact with consumers. The Fair Credit Reporting Act controls what and how you furnish information to Consumer Reporting Agencies. Nonprofit hospitals must also comply with financial assistance and extraordinary collection action rules. State medical debt laws, surprise billing protections, and Medical Debt Relief initiatives can further restrict timing, content, and reporting.
Your program should map each step—placement, notices, disputes, credit furnishing, and litigation—against federal and state requirements. Train vendors on your policies, and require written approval before they change scripts, forms, or data feeds.
Checklist — Cross‑law alignment
- FDCPA compliance validated for scripts, call times, and dispute handling.
- FCRA compliance verified for furnishing accuracy, permissible purpose, and dispute workflows.
- State medical debt rules reviewed for waiting periods, balance thresholds, and content bans.
- Hospital financial assistance and extraordinary collection action rules applied where applicable.
- Consumer Reporting Agencies’ current submission criteria confirmed before furnishing.
Documentation and Record-Keeping
Maintain PHI Disclosure Documentation that proves what you disclosed, why it was necessary, and under what authority. Although HIPAA’s accounting of disclosures typically excludes payment, robust internal records demonstrate compliance, support audits, and speed dispute resolution.
Document your data minimization decisions, BAAs, vendor due diligence, and training. Keep evidence of encryption, access controls, incident response, and remediation actions. Retain records in line with your retention policy and applicable law.
What to record for each disclosure
- Date, recipient (collector/subcontractor/consumer reporting agency), and purpose.
- Specific data elements sent and the Minimum Necessary rationale.
- Authorizing policy/procedure and any approvals for exceptions.
- Method of transmission and security measures used.
- Related patient disputes and how they were resolved.
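As an added illustration (not code from this article or from Accountable), the following Python sketch shows how the controls described in the Minimum Necessary section, the PHI Elements section, and the disclosure-record list above can be made the default in a placement-file feed: a per-packet-type allowlist of fields, a hard block on specially protected records, a written-justification gate for clinical fields, redaction of diagnosis/procedure codes from itemized-statement descriptions, and a disclosure log entry capturing recipient, purpose, data elements, rationale and transmission method. The field names, packet types, code-matching patterns, and the sample account record are all assumptions constructed for this example, not a real system's schema or real patient data.

```python
"""Minimum-necessary placement packet builder (constructed illustration).

Assumed field names, regexes and sample data; adapt to your own schema.
"""
import re
from datetime import datetime, timezone

# Allowlisted fields per packet type (mirrors the "typically sufficient" list).
BASE_FIELDS = [
    "patient_name", "guarantor_name", "guarantor_relationship",
    "address", "phone", "email", "date_of_birth", "ssn_last4",
    "account_number", "dates_of_service", "facility_name",
    "payer_status", "charges", "adjustments", "payments", "balance",
    "itemized_statement",
]
PACKET_FIELDS = {
    "initial_placement": BASE_FIELDS,
    "consumer_dispute": BASE_FIELDS + ["remittance_pages"],
    "legal_escalation": ["patient_name", "guarantor_name", "address",
                         "account_number", "dates_of_service",
                         "facility_name", "balance", "itemized_statement"],
}
# Clinical fields: released only with a specific, documented payment need.
NEVER_BY_DEFAULT = {"diagnosis_codes", "procedure_codes", "clinical_notes",
                    "test_results", "images", "care_plan", "medications"}
# Records under specialized rules: refused outright by this feed.
HARD_BLOCK = {"psychotherapy_notes", "sud_records", "hiv_std_results",
              "genetic_info", "reproductive_health"}

# Assumed patterns: ICD-10-style code (letter, two digits, optional decimal
# part) and five-character CPT-style code. Tune to your statement formats.
ICD_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b")
CPT_RE = re.compile(r"\b\d{4}[0-9A-Z]\b")


def scrub_description(text: str) -> str:
    """Remove diagnosis/procedure codes from a free-text statement line."""
    text = ICD_RE.sub("[code removed]", text)
    return CPT_RE.sub("[code removed]", text)


def build_packet(account: dict, packet_type: str,
                 extra_fields: tuple = (), justification: str = "") -> dict:
    """Return only the allowlisted fields for this packet type, plus any
    extra fields that carry a written justification; scrub the statement."""
    if packet_type not in PACKET_FIELDS:
        raise ValueError(f"unknown packet type: {packet_type}")
    for f in extra_fields:
        if f in HARD_BLOCK:
            raise ValueError(f"{f} may not be released to a collector")
        if f in NEVER_BY_DEFAULT and not justification:
            raise ValueError(f"{f} requires a written payment justification")
    fields = list(PACKET_FIELDS[packet_type]) + list(extra_fields)
    packet = {f: account[f] for f in fields if f in account}
    if "itemized_statement" in packet:
        packet["itemized_statement"] = [
            {"description": scrub_description(line["description"]),
             "amount": line["amount"]}
            for line in packet["itemized_statement"]
        ]
    # Defense in depth: fail closed if a clinical field slipped in unapproved.
    leaked = (NEVER_BY_DEFAULT | HARD_BLOCK) & set(packet) - set(extra_fields)
    assert not leaked, f"clinical fields leaked into packet: {leaked}"
    return packet


def log_disclosure(packet: dict, recipient: str, purpose: str,
                   method: str, justification: str = "", when=None) -> dict:
    """Build the internal disclosure record the page says to keep."""
    when = when or datetime.now(timezone.utc)
    rationale = "minimum necessary for " + purpose
    if justification:
        rationale += "; exception: " + justification
    return {"timestamp": when.isoformat(), "recipient": recipient,
            "purpose": purpose, "data_elements": sorted(packet),
            "rationale": rationale, "transmission": method}


SAMPLE_ACCOUNT = {  # constructed sample, not real patient data
    "patient_name": "Jane Example", "guarantor_name": "Jane Example",
    "guarantor_relationship": "self", "address": "123 Sample St, Anytown",
    "phone": "555-0100", "email": "jane@example.invalid",
    "date_of_birth": "1980-01-01", "ssn_last4": "0000",
    "account_number": "ACCT-000123", "dates_of_service": ["2024-03-02"],
    "facility_name": "Example Clinic", "payer_status": "denied",
    "charges": 450.00, "adjustments": 0.00, "payments": 100.00,
    "balance": 350.00,
    "itemized_statement": [
        {"description": "Office visit 99213", "amount": 200.00},
        {"description": "Chest X-ray 71046 (J18.9)", "amount": 250.00},
    ],
    "remittance_pages": ["EOB-2024-03-15.pdf"],
    "diagnosis_codes": ["J18.9"], "procedure_codes": ["99213", "71046"],
    "clinical_notes": "Patient presents with cough ...",
    "psychotherapy_notes": "(protected)",
}

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_ACCOUNT, "initial_placement")
    print(pkt["itemized_statement"])
    print(log_disclosure(pkt, "Example Collections LLC (BA)",
                         "initial placement", "SFTP, encrypted"))
```

The allowlist is the primary control; the trailing leak check and the hard block exist so that a schema change upstream fails closed rather than quietly widening the feed. The code regexes are deliberately simple and will also hit look-alike tokens (a "B12" in a description, for instance), which is the safe direction for an outbound file; review scrubbed statements before adopting them as the standard layout.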
Artifacts to maintain
- Executed Business Associate Agreements and subcontractor agreements.
- Data layout specifications, redaction rules, and change logs.
- Training rosters and materials for staff and vendors.
- Security assessments, penetration tests, and remediation plans.
- Incident and breach logs, including notification records.
Conclusion
Effective collections and HIPAA compliance are compatible. Anchor every disclosure in Payment Activities, enforce the Minimum Necessary Standard, bind vendors with a strong Business Associate Agreement, restrict PHI elements to what is essential, align with other laws, and keep airtight PHI Disclosure Documentation. With these controls, you can recover revenue while protecting patient privacy.
FAQs
Is it permissible to sell medical bills to collection agencies under HIPAA?
Yes. You may sell or assign receivables, but HIPAA still limits the PHI you disclose to what is necessary to validate and collect the debt. When the buyer is not acting on your behalf, a Business Associate Agreement may not apply; however, you should contractually require privacy and security safeguards and ensure all other federal and state debt‑buyer rules are followed.
What PHI can be disclosed to collection agencies without patient authorization?
Identifiers and account data needed for payment: names, contact information, date of birth (as needed for identity), account/invoice numbers, dates of service, provider/facility name, payer status, balance, payment history, and scrubbed itemized statements. Do not include diagnoses, procedure codes, clinical notes, test results, or other sensitive clinical details unless a specific, documented payment need exists.
Are Business Associate Agreements required when working with collection agencies?
Generally yes. If a collection agency performs Payment Activities for you, it is a Business Associate and you must execute a Business Associate Agreement before sharing PHI. If you transfer or sell the debt and the purchaser is not acting on your behalf, a BAA may not be required, but you should still limit data to the Minimum Necessary and impose strong contractual safeguards.
How does HIPAA interact with state laws on medical debt collection?
HIPAA sets a federal baseline for privacy. State laws may be stricter on disclosures, communications, reporting, and timing, and Medical Debt Relief policies can impose additional limits. You must comply with both HIPAA and more protective state requirements, as well as federal consumer protection laws governing collections and credit reporting.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.