HIPAA and Debt Collections: What Providers Can Share, What’s Prohibited
When medical bills go unpaid, you must balance revenue recovery with patient privacy. The HIPAA Privacy Rule allows certain disclosures of Protected Health Information (PHI) for payment activities, including collections, but it also imposes strict limits. This guide explains what you can share, what’s prohibited, how the Minimum Necessary Standard applies, and how to align Medical Debt Compliance with operational realities.
HIPAA Permitted Disclosures for Debt Collection
HIPAA permits using and disclosing PHI for treatment, payment, and healthcare operations. Debt collection falls under “payment,” so you may disclose limited PHI to internal staff or a third‑party agency acting on your behalf, provided you apply the Minimum Necessary Standard and maintain appropriate PHI safeguards.
Typical data elements you may share to pursue a legitimate collection effort include:
- Patient identifiers needed to locate the account (full name, date of birth, address, phone).
- Provider name, practice location, and contact information for remittance.
- Dates of service, account or invoice number, and the balance due.
- General service descriptions sufficient to validate the debt (for example, “office visit,” “laboratory services”), avoiding detailed clinical content unless truly necessary.
- Insurance billing information relevant to the outstanding balance and payment history.
If more detail is necessary to substantiate the debt (for example, a procedure code required to verify the charge), document why that information is needed and share only that specific element—nothing more.
Prohibited Information Sharing Under HIPAA
HIPAA prohibits disclosures that exceed what is needed for collection and restricts certain categories of information absent patient authorization or other specific legal permissions. Avoid sharing clinical content that does not directly support the existence, amount, or ownership of the debt. In particular, do not disclose:
- The entire medical record when a small subset of fields will suffice.
- Detailed diagnoses, imaging, lab results, operative reports, or progress notes unrelated to validating the debt.
- Psychotherapy notes (which have heightened protection) without the patient’s written authorization.
- Substance use disorder treatment records protected by 42 CFR Part 2 absent proper consent, and other specially protected data under applicable law (for example, certain HIV or genetic information).
- PHI for marketing, or any “sale of PHI” outside HIPAA’s narrow exceptions.
- Unnecessary disclosures to employers, family members, or other third parties not involved in the collection effort.
Applying the Minimum Necessary Standard
The Minimum Necessary Standard requires you to limit PHI to the smallest amount needed to accomplish the collection purpose. In practice, this means defining a standard dataset for collections and controlling any exceptions.
- Establish a default “collections dataset” (identifiers, dates of service, balance, account number, provider name, high‑level service type).
- Strip diagnosis and procedure codes unless they are specifically needed to validate the debt; if used, justify and document the need.
- Use role‑based access so staff and vendors only see what their role requires.
- Standardize letters, statements, and scripts to prevent over‑disclosure; preapprove any non‑templated requests.
- Apply PHI safeguards: encrypt data in transit, secure portals for file exchange, and audit logs for disclosures and vendor access.
- Remember the narrow exceptions: the Minimum Necessary Standard does not apply to disclosures to the patient, to the Department of Health and Human Services for compliance, or when otherwise required by law—most collection disclosures do not fall within these exceptions and therefore must be minimized.
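As an added example that is not part of this article, the following Python implements the default collections dataset, the documented-exception path, and the per-disclosure audit trail described above. The field names, the approver requirement, and the sample account record are assumptions constructed for illustration.

```python
# Added example (not the article's code): derive a "minimum necessary"
# collections dataset from a fuller patient account record. Field names
# and the sample record below are constructed for illustration.
from dataclasses import dataclass, field

# Default collections dataset: released to a collector without an exception.
DEFAULT_FIELDS = frozenset({
    "patient_name", "date_of_birth", "address", "phone", "provider_name",
    "remittance_contact", "dates_of_service", "account_number",
    "balance_due", "service_category", "insurance_billing"})
# Released only with a documented, specific justification (e.g. to verify a charge).
JUSTIFIABLE_FIELDS = frozenset({"procedure_codes"})
# Never released to a collector under this policy; there is no exception path.
ALWAYS_STRIPPED = frozenset({"diagnosis_codes", "progress_notes", "lab_results",
                             "psychotherapy_notes", "sud_treatment_records"})

@dataclass
class Justification:
    field_name: str
    reason: str       # why this element is needed to validate the debt
    approved_by: str  # who preapproved the non-templated disclosure

@dataclass
class Disclosure:
    dataset: dict
    audit: list = field(default_factory=list)  # one entry per released field

def build_collections_dataset(record, exceptions=(), recipient="collections agency"):
    """Return only the permitted fields for this disclosure plus an audit trail."""
    out = Disclosure(dataset={})
    for key in DEFAULT_FIELDS.intersection(record):
        out.dataset[key] = record[key]
        out.audit.append({"recipient": recipient, "field": key, "basis": "default dataset"})
    for j in exceptions:
        if j.field_name in ALWAYS_STRIPPED or j.field_name not in JUSTIFIABLE_FIELDS:
            raise ValueError(f"no exception path for field {j.field_name!r}")
        if not j.reason.strip() or not j.approved_by.strip():
            raise ValueError("exception must carry a documented reason and an approver")
        if j.field_name in record:
            out.dataset[j.field_name] = record[j.field_name]
            out.audit.append({"recipient": recipient, "field": j.field_name,
                              "basis": f"exception: {j.reason} (approved by {j.approved_by})"})
    return out  # everything else in the record, including ALWAYS_STRIPPED fields, is withheld

# Constructed sample record holding more PHI than a collector needs.
SAMPLE_RECORD = {
    "patient_name": "J. Doe", "date_of_birth": "1980-01-01", "address": "1 Main St",
    "phone": "555-0100", "provider_name": "Example Clinic", "remittance_contact": "billing@example.test",
    "dates_of_service": ["2024-03-02"], "account_number": "ACCT-0001", "balance_due": 245.00,
    "service_category": "office visit", "insurance_billing": {"payer": "ExamplePlan", "paid": 55.00},
    "procedure_codes": ["PROC-CODE-1"], "diagnosis_codes": ["DX-CODE-1"], "progress_notes": "...",
}
```

Feeding the agency only `Disclosure.dataset` while retaining `Disclosure.audit` internally gives you both the minimized payload and the record needed for an accounting of disclosures.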
Business Associate Agreements in Collections
A third‑party collections agency that receives PHI is a Business Associate. You must have a Business Associate Agreement (BAA) before sharing PHI, and you must ensure the agency can meet HIPAA Privacy and Security Rule obligations.
- Specify permitted uses and disclosures limited to collection activities; prohibit re‑use or secondary purposes.
- Require administrative, physical, and technical safeguards aligned with the Security Rule, plus workforce training and sanction policies.
- Mandate prompt breach reporting, cooperation in investigations, and mitigation duties.
- Flow down HIPAA obligations to any subcontractors and bar data offshoring unless assessed and approved.
- Provide for patient rights support (access, amendment, accounting of disclosures, where applicable).
- Include return or destruction of PHI at contract end and a clear right to audit or obtain security attestations.
Beyond the BAA, perform vendor due diligence (risk assessments, data‑flow maps, and testing of incident response) to ensure PHI safeguards are effective in practice.
Compliance with FDCPA and Other Laws
HIPAA is only part of Medical Debt Compliance. Third‑party collectors must also follow the Fair Debt Collection Practices Act (FDCPA) and related regulations, which restrict harassment, deceptive practices, and third‑party disclosures. State debt‑collection and privacy laws may impose additional requirements.
- Communications: Avoid revealing PHI to unauthorized third parties. Use carefully crafted, limited‑content messages for voicemail or digital channels to prevent disclosure.
- Consumer rights: If a patient disputes a debt or requests validation, pause collection and verify. Honor cease‑communication requests as required.
- Workplace and time‑of‑day limits: Do not contact patients at inconvenient times or places, and stop workplace calls if the employer prohibits them.
- Credit reporting: Follow the Fair Credit Reporting Act, furnish accurate information, and align with credit bureau medical‑debt policies before reporting.
- Stricter laws: Certain data (for example, substance use disorder records under 42 CFR Part 2) and some state statutes may demand patient consent or add extra limits beyond HIPAA.
Coordinate HIPAA Privacy Rule requirements with FDCPA restrictions to ensure scripts, forms, and vendor practices do not trigger unauthorized disclosure or unfair practices.
Patient Rights in Medical Debt Collection
Patients retain HIPAA rights even when bills enter collections. You must respect these rights and build processes that make them easy to exercise.
- Access: Patients can obtain copies of their records and billing information used to substantiate a debt.
- Restrictions: Patients may request limits on certain disclosures; if a service is paid in full out‑of‑pocket, providers must restrict disclosure to the health plan for that item where HIPAA requires.
- Confidential communications: Patients can request alternative addresses, phones, or email routes for billing or collection notices.
- Accounting of disclosures: Patients can request a record of disclosures of their PHI, including those to a collection agency when applicable.
- Complaints: Patients may file complaints with the provider or with regulators if they believe their PHI was mishandled or they were subjected to unlawful collection practices.
- Debt‑collection rights: Under the FDCPA, consumers can dispute debts, request validation, and limit contact methods and frequency.
Enforcement and Penalties for Violations
The Department of Health and Human Services Office for Civil Rights enforces HIPAA. Violations tied to improper disclosures during collections can result in substantial civil penalties, corrective action plans, and multi‑year monitoring. Knowing misuse or wrongful disclosure of PHI can also trigger criminal liability.
Other enforcement avenues may apply. State attorneys general can bring actions under HIPAA and state laws, and consumer regulators can pursue unfair or deceptive collection practices. Contract breaches with a Business Associate may lead to indemnity claims, termination, and reputational harm.
Breach notification duties may arise if PHI is exposed or sent to the wrong recipient. Assess incidents promptly, mitigate harm, notify affected individuals when required, and remediate process gaps to prevent recurrence.
In short, share only what is truly needed, execute strong Business Associate Agreements, harden PHI safeguards, and align HIPAA Privacy Rule requirements with the Fair Debt Collection Practices Act to protect patients while resolving accounts responsibly.
FAQs
Is selling medical bills to collections a HIPAA violation?
No. Assigning or referring accounts to a collection agency to obtain payment is a permitted “payment” activity under the HIPAA Privacy Rule when you apply the Minimum Necessary Standard and have a Business Associate Agreement in place. It can become a violation if PHI is disclosed beyond what’s needed, used for marketing, or exchanged as a prohibited “sale of PHI.”
What information can healthcare providers legally share with debt collectors?
Providers may share identifiers to locate the patient, dates of service, account or invoice numbers, the balance due, provider contact information, relevant insurance and payment history, and a high‑level description of services. Avoid full medical records, detailed diagnoses, or clinical notes unless a specific element is truly necessary to validate the debt—and document why.
How does the minimum necessary standard affect medical debt collection?
It requires you to disclose only the smallest amount of PHI needed to collect the debt. Define a standard collections dataset, restrict roles and access, remove diagnosis and procedure codes unless essential, and use approved templates and scripts. Any exception should be documented, time‑bound, and limited to the specific purpose.
What are patient rights regarding medical debt and PHI disclosures?
Patients can access their billing records, request restrictions on certain disclosures, choose confidential communication channels, and obtain an accounting of disclosures. They can also dispute debts and limit contact under the Fair Debt Collection Practices Act. You must have processes to receive, track, and honor these requests without over‑disclosing PHI.