HIPAA Rules on Disclosing Patient Account Balances: Requirements and Examples


Kevin Henry

HIPAA

September 18, 2024

8 minutes read

Understanding HIPAA rules on disclosing patient account balances helps you collect payment efficiently while protecting privacy. This guide explains when balance information counts as Protected Health Information, what Covered Entities may share without Patient Authorization, how Accounting of Disclosures works, and the safeguards and agreements you must have in place.

Disclosure of Patient Account Balances

A patient’s account balance, when linked to an identifiable individual, is Protected Health Information (PHI). Health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses are Covered Entities; their workforce members, and the Business Associates that handle PHI on their behalf, must follow the Privacy and Security Rules.

Disclosing a balance means making it available outside your workforce. Internal access by billing staff is a “use,” while sending a statement to a patient, payer, or vendor is a “disclosure.” The minimum necessary standard applies to most disclosures: share only the data needed to achieve the purpose. The main exceptions are disclosures to the patient, disclosures for treatment, disclosures made under a valid authorization, and disclosures required by law.

Practical examples

  • At check-in, telling a patient the amount due is permitted because you are disclosing PHI to the individual.
  • Mailing a paper statement to the patient is allowed if you use reasonable safeguards (sealed envelope, correct address, no diagnoses printed on the envelope).
  • Leaving a voicemail: you may leave limited information and a callback number; avoid detailed amounts unless the patient has asked for that mode or you can verify privacy.
  • Discussing a balance with a spouse or caregiver is permitted only if the patient has identified the person, you can reasonably infer involvement in payment, or you have documented permission.

Common pitfalls to avoid

  • Announcing balances in waiting areas where others can overhear.
  • Emailing unencrypted statements without the patient’s informed request for that channel.
  • Sharing details with an employer, landlord, or family member without a valid basis or Patient Authorization.

Permitted Disclosures Without Authorization

HIPAA allows certain disclosures of account balance information without Patient Authorization:

  • To the individual: you may share the balance with the patient upon request or during normal interactions.
  • For treatment, payment, and health care operations (TPO): payment-related sharing with health plans, other providers, billing services, clearinghouses, and collection vendors is permitted, subject to minimum necessary.
  • As required by law: disclose only what the law compels and document the request.
  • To Business Associates: you may disclose PHI to vendors performing permitted functions for you, but only under Business Associate Agreements.
  • To persons involved in payment: when the patient identifies a payer (for example, a parent paying an adult child’s bill) or you can reasonably infer involvement, you may share limited information relevant to payment.

Illustrative examples

  • Sending balance data to a revenue cycle company to print statements.
  • Providing a payer the patient responsibility amount and claim identifiers to adjudicate a remittance.
  • Referring a delinquent account to a collection agency that is bound by a Business Associate Agreement.

Outside these categories, you need Patient Authorization before disclosing balance information to third parties.

Accounting of Disclosures

Patients can request an Accounting of Disclosures covering certain disclosures made in the six years before the request. Your record of each disclosure must include the date, the name (and address, if known) of the recipient, a brief description of what was disclosed (for example, “balance due and dates of service”), and a brief statement of the purpose or a copy of the written request that prompted it.

Accounting applies to disclosures that fall outside treatment, payment, and health care operations and outside the other exceptions listed below. Example: if you disclose a patient’s outstanding balance to a court under a valid order, you must include that event in the accounting record.

Operational tips

  • Capture required elements at the time of disclosure to avoid reconstruction later.
  • Use a centralized log across departments so legal, billing, and HIM teams report consistently.
  • Provide the accounting within 60 days of the request (one 30‑day extension is allowed if you give the patient a written reason and a new date); the first accounting in a 12‑month period must be free, and a reasonable cost-based fee may be charged for additional requests only if the patient is told the fee in advance and given a chance to withdraw or modify the request.

Exceptions to Accounting Requirements

You do not have to account for disclosures:

  • For treatment, payment, or health care operations.
  • To the individual or the patient’s personal representative.
  • That are incidental to an otherwise permitted use or disclosure and safeguarded appropriately.
  • Made pursuant to a valid, written authorization.
  • For facility directories or to persons involved in the patient’s care or notification, consistent with the rule.
  • For national security or intelligence activities, or to correctional institutions/law enforcement regarding inmates.
  • As part of a limited data set under a data use agreement.

A health oversight agency or law enforcement official may ask you to temporarily exclude disclosures to that agency from accountings. A written request must state the period of the suspension; an oral request must be documented and honored for no more than 30 days unless a written request follows. Record the request and the duration alongside the affected entries.
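The following is an added example of a centralized disclosure log that applies the rules in this section; it is not code from Accountable or from the original article. It assumes the purpose-category names shown in EXEMPT_PURPOSES (a labeling convention for this example, not HIPAA-defined codes), treats a suspension as withholding entries to the named agency until the stated date, and uses a constructed patient with made-up recipients and dates. It captures the required elements at disclosure time, filters an accounting to accountable disclosures within the six-year window, and flags when a fee may apply because an accounting was already provided in the previous 12 months.

```python
from dataclasses import dataclass
from datetime import date

# Purpose categories the article lists as exempt from accounting.
# The category names are assumptions for this example, not HIPAA-defined codes.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations",   # TPO
    "to_individual",                         # to the patient or personal representative
    "incidental",                            # incidental to a permitted use or disclosure
    "authorization",                         # made under a valid written authorization
    "facility_directory", "involved_in_care",
    "national_security", "correctional",
    "limited_data_set",
})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # name and, if known, address of the recipient
    description: str    # brief description of the PHI disclosed
    purpose: str        # category used to decide whether the event is accountable
    statement: str      # brief statement of purpose, or a reference to the written request


@dataclass(frozen=True)
class Suspension:
    recipient: str      # agency whose disclosures are withheld from accountings
    until: date         # end of the period stated in the agency's request


def is_accountable(d: Disclosure) -> bool:
    """True when the disclosure must appear in an accounting."""
    return d.purpose not in EXEMPT_PURPOSES


def years_before(day: date, years: int) -> date:
    """Same calendar day N years earlier (29 Feb falls back to 28 Feb)."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


class DisclosureLog:
    """Centralized log that captures the required elements at disclosure time."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []
        self._suspensions: list[Suspension] = []
        self._provided: list[tuple[str, date]] = []  # (patient_id, date accounting given)

    def record(self, d: Disclosure) -> None:
        # Refuse incomplete entries so nothing has to be reconstructed later.
        if not (d.recipient and d.description and d.statement):
            raise ValueError("recipient, description and purpose statement are required")
        self._entries.append(d)

    def suspend(self, s: Suspension) -> None:
        self._suspensions.append(s)

    def _withheld(self, d: Disclosure, on: date) -> bool:
        return any(s.recipient == d.recipient and on <= s.until for s in self._suspensions)

    def accounting(self, patient_id: str, requested_on: date) -> list[Disclosure]:
        """Accountable disclosures in the six years before the request, oldest first."""
        start = years_before(requested_on, 6)
        return sorted(
            (d for d in self._entries
             if d.patient_id == patient_id
             and start <= d.disclosed_on <= requested_on
             and is_accountable(d)
             and not self._withheld(d, requested_on)),
            key=lambda d: d.disclosed_on,
        )

    def fee_may_apply(self, patient_id: str, requested_on: date) -> bool:
        """False for the first accounting in any 12-month period."""
        window = years_before(requested_on, 1)
        return any(p == patient_id and window < given <= requested_on
                   for p, given in self._provided)

    def deliver(self, patient_id: str, requested_on: date) -> dict:
        result = {"entries": self.accounting(patient_id, requested_on),
                  "fee_may_apply": self.fee_may_apply(patient_id, requested_on)}
        self._provided.append((patient_id, requested_on))
        return result


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries for one patient; recipients and dates are made up."""
    log, pid = DisclosureLog(), "P-001"
    log.record(Disclosure(pid, date(2024, 3, 4), "Acme Health Plan",
                          "patient responsibility amount, claim IDs", "payment", "claim adjudication"))
    log.record(Disclosure(pid, date(2023, 7, 15), "Northside Collections (BAA)",
                          "demographics, dates of service, amount owed", "payment", "collection"))
    log.record(Disclosure(pid, date(2022, 11, 2), "County Superior Court",
                          "balance due and dates of service", "required_by_law", "court order (copy on file)"))
    log.record(Disclosure(pid, date(2017, 5, 1), "County Superior Court",
                          "balance due", "required_by_law", "court order (copy on file)"))
    log.record(Disclosure(pid, date(2024, 6, 10), "State Health Oversight Agency",
                          "account ledger", "health_oversight", "audit request (copy on file)"))
    log.suspend(Suspension("State Health Oversight Agency", date(2024, 12, 31)))
    return log


def sample_requests() -> list[dict]:
    """Two accounting requests for the constructed patient, in order."""
    log = build_sample_log()
    return [log.deliver("P-001", day) for day in (date(2024, 9, 18), date(2025, 2, 1))]


if __name__ == "__main__":
    for out in sample_requests():
        print("fee may apply:", out["fee_may_apply"])
        for d in out["entries"]:
            print("  ", d.disclosed_on, d.recipient, "-", d.description, "-", d.statement)
```

On the constructed data, the first request (18 September 2024) returns only the 2022 court disclosure: the two payment disclosures are exempt, the 2017 order is outside the six-year window, and the oversight agency's entry is withheld while its suspension runs. The second request, after the suspension lapses, also lists the oversight disclosure and is flagged as fee-eligible because an accounting was provided within the previous 12 months.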


Patient Rights to Access and Accounting

Patients have the right to access their PHI, including account balance information. You must act on a request within 30 days (one 30‑day extension is permitted if you tell the patient in writing why and when to expect a response) and may charge only a reasonable, cost-based fee covering labor for copying, supplies, and postage. Patients can also direct you to send a copy to a designated third party.

Patients also have the right to an Accounting of Disclosures for the six years prior to the request, with one free accounting per 12 months. Maintain clear request channels so patients can exercise their rights without friction.

Additional patient options affecting balances

  • Restrictions: if a patient pays a covered service in full out of pocket, they can require you not to disclose that information to a health plan for payment or operations related to that service.
  • Confidential communications: patients may request that bills or calls go to an alternative address, phone number, or through Secure Communication Channels such as a patient portal.

Safeguards for PHI

Implement layered safeguards before sharing balance data:

Administrative safeguards

  • Policies defining who may disclose balances, to whom, and by which channels.
  • Workforce training with scripts for identity verification and minimum necessary.
  • Vendor due diligence and documented approvals for new data flows.

Physical safeguards

  • Secure printing and mailing (locked printers, sealed envelopes, verified addresses).
  • Clean desk and shredding procedures for documents showing balances.

Technical safeguards

  • Access controls, audit logs, and role-based permissions in billing systems.
  • Encryption in transit and at rest; prefer Secure Communication Channels (patient portals, secure email, EDI).
  • Multi-factor authentication for remote access by staff and vendors.

Channel-specific guidance

  • Phone: verify identity with multiple data points before discussing amounts.
  • Email: use secure email; if a patient requests unencrypted email after being advised of risk, document the request.
  • Texting: use secure messaging platforms; avoid full balance details in standard SMS.
  • Voicemail: leave limited information and a callback number unless the patient authorizes detailed messages.

Business Associate Agreements

Vendors that create, receive, maintain, or transmit PHI for you—such as revenue cycle firms, statement printers, cloud hosts, and collection agencies—are Business Associates. You must execute Business Associate Agreements (BAAs) before sharing balance data.

What a strong BAA should include

  • Permitted uses/disclosures limited to defined payment or operations tasks.
  • Obligations to implement administrative, physical, and technical safeguards.
  • Prompt breach and incident reporting, with cooperation duties for patient and regulator notifications.
  • Flow-down clauses requiring subcontractors to sign equivalent agreements.
  • Minimum necessary commitments, access controls, and Secure Communication Channels.
  • Return or destruction of PHI at contract end and termination rights for material breach.

Examples

  • A statement-print vendor receives names, addresses, account numbers, and balances solely to mail bills under a BAA.
  • A collection agency accesses limited demographics, dates of service, and amounts owed to collect on your behalf, with auditing and reporting obligations defined in the BAA.

Summary and key takeaways

  • Balance information is PHI; disclose the minimum necessary.
  • Most routine sharing for payment is permitted without authorization, but document and safeguard it.
  • Track non-TPO disclosures for Accounting of Disclosures requests.
  • Use Secure Communication Channels and execute strong Business Associate Agreements before sending any PHI to vendors.

FAQs

Does sharing a patient account balance require HIPAA authorization?

Usually no. You may disclose a balance to the patient, and you may share limited balance data for payment and certain operations without Patient Authorization. If a disclosure falls outside these bases—such as sharing with an unrelated third party for non-payment reasons—you must obtain valid authorization first.

Can patient account balances be disclosed for payment purposes?

Yes. HIPAA permits disclosures necessary for payment, including to health plans, other providers involved in the claim, clearinghouses, and collection vendors. Apply the minimum necessary rule, verify identity, and ensure a Business Associate Agreement is in place when a vendor handles PHI on your behalf.

What safeguards must be in place for sharing billing information?

Use administrative, physical, and technical safeguards: identity verification, role-based access, audit logs, and encryption. Prefer Secure Communication Channels such as portals or secure email, limit voicemail details, and document patient preferences for alternative communications.

What are patient rights regarding access to their account balance information?

Patients have a right to timely access to their PHI, including balances, and may direct copies to a third party. They receive one free Accounting of Disclosures per 12 months, can request confidential communications (for example, a different address), and may restrict disclosures to a health plan for services they pay for in full out of pocket.
