Is Selling Medical Debt a HIPAA Violation? Requirements and Exceptions Explained



Kevin Henry

HIPAA

April 06, 2024

7 minute read

HIPAA Regulations on Medical Debt Collection

Under the HIPAA Privacy Rule, you may use and disclose Protected Health Information (PHI) for “payment” and certain “health care operations” without patient authorization. Debt collection falls within payment activities, provided you limit what you share and maintain appropriate safeguards.

Disclosing PHI to a collection agency you hire is generally permissible when it supports obtaining payment for care already rendered. The disclosure must be necessary for collection efforts, and your Notice of Privacy Practices should explain that you use PHI for payment activities, including collections.

An outright sale or assignment of receivables is more complex. HIPAA still permits disclosures that are for payment or qualifying operations, but you must avoid turning the transaction into a prohibited “sale of PHI.” Structure the deal to realize payment for care, not to monetize PHI itself, and disclose only what the collector needs to pursue the account.

Minimum Necessary Information Disclosure

HIPAA’s Minimum Necessary Standard requires you to share only the least amount of PHI needed to accomplish the collection purpose. This keeps disclosures proportionate and reduces risk if data is misused or breached.

Data elements typically sufficient

  • Patient name, last known address, and contact numbers
  • Date(s) of service, provider/facility name, and account number
  • Amount owed, payment history, and insurance/explanation of benefits details
  • Basic billing codes (e.g., CPT/ICD) only if strictly needed to validate the debt

Data you should avoid sharing

  • Clinical narratives, lab or imaging results, detailed diagnoses not required for billing
  • Psychotherapy notes or substance use disorder treatment records protected by stricter rules
  • Any information unrelated to verifying and collecting the specific balance

Document your role-based access and a rationale for each category of PHI disclosure. If a collector claims more detail is needed, require a written justification that maps the request to payment activities.

Business Associate Agreements for Debt Collectors

When you engage a third-party collection agency to act on your behalf, the agency is a Business Associate. You must execute a Business Associate Agreement (BAA) that limits how the agency may use and disclose PHI, mandates safeguards, and requires breach reporting.

Key BAA terms to include

  • Permitted uses/disclosures: strictly for debt collection and related payment activities
  • Security: administrative, physical, and technical safeguards; encryption in transit and at rest
  • Subcontractors: downstream BA obligations and flow-down requirements
  • Breach and incident response: notification timelines, cooperation, and remediation
  • Return/destruction of PHI at contract end and right to audit

Debt buyers that purchase the receivable outright are usually not Business Associates because they are not performing services for you. Your disclosure to a buyer must still comply with HIPAA’s payment/operations permissions and the Minimum Necessary Standard, and it must not constitute a prohibited sale of PHI.

Compliance Requirements for Selling Medical Debt

Selling receivables can be consistent with HIPAA if you align structure, contracts, and data-sharing with privacy requirements. The focus is obtaining payment for care rendered, not trading on PHI.

Practical compliance checklist

  • Define purpose: document that the transfer enables payment activities for the covered services
  • Scope data: share only data elements necessary to validate and collect the account
  • Contractual controls: require confidentiality, permitted-use limits, and secure handling by the recipient
  • Screen sensitive records: carve out specially protected data (e.g., psychotherapy notes or SUD records)
  • Access controls and logs: maintain an accounting of disclosures where required
  • Security due diligence: verify the buyer/collector’s safeguards and incident response capabilities
  • Patient communications: provide clear statements, itemized bills, and avenues for disputes
  • Breach preparedness: ensure the recipient can support notification duties if an incident occurs

Avoid arrangements where remuneration is principally for access to PHI. If compensation is tied to the information itself rather than collection of a valid receivable, you risk a prohibited sale of PHI absent a specific authorization.


State Laws Governing Medical Debt Sales

Beyond HIPAA, you must follow state medical debt laws that regulate how, when, and to whom medical receivables can be assigned or sold. These rules can be stricter than federal privacy standards and often impose timing and disclosure requirements.

Common state-law requirements

  • Licensing/registration of debt buyers and collectors
  • Mandatory patient notices before and after transfer, with itemized statements
  • Waiting periods, charity-care screening, or financial assistance determinations before sale
  • Limits on interest, fees, and collection litigation practices
  • Restrictions on credit reporting of medical debt and enhanced dispute rights
  • Obligations to repurchase or withdraw accounts if the patient later qualifies for assistance

Map each portfolio to the originating patient’s state and verify local rules before any transfer. Contract terms should require the buyer to comply with all applicable state medical debt statutes and consumer protection laws.

Exceptions to HIPAA Authorization

HIPAA generally requires authorization for disclosures not tied to treatment, payment, or health care operations. The following scenarios typically do not require an authorization, provided you meet all conditions and limit the disclosure to the minimum necessary.

  • Payment activities, including claims management, billing, collections, and obtaining payment
  • Certain health care operations, such as due diligence in a sale, transfer, merger, or consolidation
  • Disclosures required by law (e.g., court orders) with appropriate safeguards
  • Regulatory disclosures to HHS for compliance investigations
  • Public health or research disclosures that meet HIPAA’s specific exception criteria
  • De-identified data disclosures that meet HIPAA’s de-identification standards

If a disclosure involves remuneration “in exchange for PHI” and does not fit within a payment/operations or other HIPAA exception, you should obtain a valid, specific authorization that states the remuneration. When in doubt, revisit purpose, data scope, and contractual limits to stay within permitted uses.

Best Practices for Healthcare Providers

Build a repeatable framework that combines HIPAA discipline with consumer-protection sensitivity. This protects patients, reduces disputes, and lowers enforcement risk.

Action steps

  • Policy alignment: codify when to outsource, assign, or sell debt and what PHI may be disclosed
  • Minimum Necessary Standard: maintain a data matrix approving only essential elements
  • Contract hygiene: implement BAAs for service collectors and confidentiality limits for buyers
  • Vendor oversight: risk-rate vendors, review security controls, and test incident response
  • Patient-centered practices: offer plain-language bills, hardship screening, and resolution paths
  • Training and audits: educate staff, sample disclosures, and remediate findings promptly
  • Documentation: retain purpose analyses, data justifications, and state-law mappings

Conclusion

Selling or assigning medical receivables is not inherently a HIPAA violation. Keep disclosures tied to payment activities, apply the Minimum Necessary Standard, use the right agreements, and honor state-specific rules. With these controls, you can collect responsibly while protecting patient privacy.

FAQs

Is selling medical debt considered a HIPAA violation?

No. Selling or assigning receivables is permissible when the disclosure of PHI is limited to what’s necessary for payment activities and the transaction is not a prohibited sale of PHI. Problems arise if you disclose excessive data, skip required agreements, or monetize PHI outside HIPAA’s permitted purposes.

What is the minimum necessary information rule in medical debt collection?

It requires you to disclose only the least amount of PHI needed for the collector to validate and pursue the debt—for example, identity, dates of service, amounts, and limited billing codes. Avoid sharing clinical notes or sensitive details unrelated to billing.

When is a business associate agreement required for debt collectors?

A BAA is required when a third-party collector performs collection services on your behalf, making it a Business Associate. If you sell the debt outright to a buyer, the buyer typically is not a Business Associate, but your disclosure must still be permitted under HIPAA and meet the Minimum Necessary Standard.

Are there state laws regulating the sale of medical debt?

Yes. Many states impose rules on medical debt sales and collection, including licensing, notice and documentation requirements, charity-care screening, limits on fees or credit reporting, and repurchase obligations. Always check the patient’s state laws in addition to HIPAA.
