Medical Debt Reporting and HIPAA: What's Allowed and What's Not
HIPAA Privacy Rule Protections
HIPAA protects how covered entities (health plans, most health care providers, and clearinghouses) and their business associates use and disclose protected health information (PHI). Credit bureaus (consumer reporting agencies) are not HIPAA covered entities, so HIPAA does not directly regulate their handling of credit data. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html?hl=en&utm_source=openai))
For billing and collections, the HIPAA Privacy Rule permits a provider or health plan to use and disclose PHI for “payment” without your written authorization. That activity may be performed by a third party, such as a collection agency, under a business associate agreement, and must follow the “minimum necessary” standard—sharing only what’s needed to collect the bill (typically identifiers, dates of service, amounts owed; not diagnoses or clinical notes). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/standards-privacy-individually-identifiable-health-information/index.html?utm_source=openai))
HIPAA governs what your provider or its collection vendor can share; it does not by itself decide whether medical debt may appear on a credit report. Whether and how a medical collection tradeline can be reported is primarily governed by the Fair Credit Reporting Act (FCRA) and related rules. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/consumer-reports-what-insurers-need-know?utm_source=openai))
HIPAA Security Rule Requirements
The HIPAA Security Rule applies to electronic PHI (ePHI) held by covered entities and their business associates—not to consumer reporting agencies. It requires administrative, physical, and technical safeguards, including ongoing risk analysis, access controls, audit controls, contingency planning, and workforce training. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html?key5sk1=953418314db367e0c4aedc568bbb9089724e9125&utm_source=openai))
Key required elements include a documented risk analysis and risk management program (45 CFR 164.308), role-based access and authentication (45 CFR 164.312), and policies to address incident response and contingency operations. Some specifications (like encryption) are “addressable,” meaning you must implement them if reasonable and appropriate or document an equivalent measure. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.308?utm_source=openai))
Medical Debt Reporting Regulations
Under the FCRA, consumer reporting agencies (CRAs) and data furnishers operate within national standards. CRAs must follow reasonable procedures to assure “maximum possible accuracy,” and they must reinvestigate consumer disputes within set timelines. Only users with a “permissible purpose” may obtain a report. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/15/1681e?utm_source=openai))
Medical information is subject to special limits. FCRA section 604(g) restricts users’ access to medical information, and when medical debt is reported, it must be “coded” so the nature of services and provider identity are not revealed on the credit report. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/consumer-reports-what-insurers-need-know?utm_source=openai))
How long can a medical collection appear? Federal law’s seven-year reporting period is measured from 180 days after the original delinquency that led to collection. Additional federal protections apply to certain veteran medical debts less than one year old. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/15/1681c?utm_source=openai))
Industry policies further limit medical debt credit reporting. The three nationwide CRAs removed all paid medical collections and adopted a one-year waiting period before reporting medical collections starting in July 2022; on April 11, 2023, they also removed medical collections with an initial balance under $500. ([consumerfinancemonitor.com](https://www.consumerfinancemonitor.com/2022/03/24/equifax-experian-and-transunion-announce-changes-in-medical-debt-reporting/?utm_source=openai))
Roles of Consumer Reporting Agencies
Consumer reporting agencies compile and furnish consumer reports to lenders and other authorized users. In medical debt credit reporting, they:
- Receive coded medical collection tradelines from furnishers and suppress information that would reveal diagnoses or specific providers, consistent with FCRA medical-information limits.
- Maintain procedures for maximum possible accuracy and conduct reinvestigations when you dispute an item. ([ftc.gov](https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf?utm_source=openai))
- Provide reports only for permissible purposes defined by law (for example, credit underwriting or certain employment uses with consent). ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/15/1681b?utm_source=openai))
Fair Medical Debt Reporting Act Provisions
Several states have enacted “Fair Medical Debt Reporting Act” statutes. New York’s Fair Medical Debt Reporting Act, effective December 13, 2023, prohibits CRAs from including medical debt in credit reports for New Yorkers and bars hospitals, providers, and ambulance services from furnishing such debt to CRAs. ([ag.ny.gov](https://ag.ny.gov/resources/individuals/health-care-insurance/Reporting-medical-debt?utm_source=openai))
Maryland’s Fair Medical Debt Reporting Act (HB 1020), effective October 1, 2025, likewise prohibits CRAs from furnishing consumer reports with adverse information related to medical debt, restricts the use of medical debt in credit decisions, and bars disclosures of medical debt by specified health entities to CRAs. ([mgaleg.maryland.gov](https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/hb1020?ys=2025RS&utm_source=openai))
Federal Rule on Medical Debt Reporting
On January 7, 2025, the Consumer Financial Protection Bureau finalized a Regulation V rule that would have barred CRAs from including medical debt information on credit reports and prohibited lenders from using such information. In July 2025, the U.S. District Court for the Eastern District of Texas vacated the rule; as of June 8, 2026, it is not in effect. ([consumerfinance.gov](https://www.consumerfinance.gov/rules-policy/final-rules/prohibition-on-creditors-and-consumer-reporting-agencies-concerning-medical-information-regulation-v/?utm_source=openai))
Separately, in October 2025 the CFPB published an interpretive rule asserting that the FCRA generally preempts state laws governing the content of credit reports; consumer advocates note that this guidance is not legally binding and expect ongoing litigation over state medical-debt reporting bans. ([bankingjournal.aba.com](https://bankingjournal.aba.com/2025/10/cfpb-federal-law-preempts-state-law-on-credit-reporting/?utm_source=openai))
State Laws Governing Medical Debt Reporting
Beyond the federal FCRA baseline, a growing number of state medical debt regulations restrict or prohibit medical debt credit reporting. As of June 8, 2026, examples include:
- Colorado (HB23-1126; effective 2023–2024): Prohibits CRAs from including medical-debt information in consumer reports and restricts collectors’ representations about credit reporting, with narrow exceptions tied to jumbo-size credit transactions. ([leg.colorado.gov](https://leg.colorado.gov/laws/session-laws/HB23-1126/374/download?utm_source=openai))
- New York (Fair Medical Debt Reporting Act; effective Dec. 13, 2023): Bars reporting and furnishing of medical debt. ([ag.ny.gov](https://ag.ny.gov/resources/individuals/health-care-insurance/Reporting-medical-debt?utm_source=openai))
- California (SB 1061; effective July 1, 2025): Prohibits medical-debt information from appearing on consumer credit reports. ([oag.ca.gov](https://www.oag.ca.gov/news/press-releases/attorney-general-bonta%E2%80%99s-sponsored-bill-ban-medical-debt-credit-reports-signed?utm_source=openai))
- Delaware (SB 156; effective Oct. 27, 2025): Prohibits reporting of medical debt to CRAs and the use of medical-debt information in credit, employment, or housing decisions. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c025j/index.html?utm_source=openai))
- Connecticut (Public Act 24-6; effective July 1, 2024): Bars providers and hospitals from reporting medical debt to credit rating agencies. ([cga.ct.gov](https://www.cga.ct.gov/2024/act/pa/pdf/2024PA-00006-R00SB-00395-PA.pdf?utm_source=openai))
- Rhode Island (S0169/S0172; effective January 1, 2026): Prohibits CRAs from including medical-debt information for state residents and adds related collection limits. ([natlawreview.com](https://natlawreview.com/article/rhode-island-enacts-ban-reporting-medical-debt-credit-bureaus?utm_source=openai))
- Maryland (HB 1020; effective Oct. 1, 2025): Prohibits CRAs from furnishing or using adverse medical-debt information and bars specified health entities from disclosing medical debt to CRAs. ([labor.maryland.gov](https://labor.maryland.gov/finance/advisories/advisory-ind-collectionmedicaldebt.shtml?utm_source=openai))
- Washington (ESSB 5480; effective July 27, 2025): Exempts medical debt from consumer credit reports and voids debts reported in violation. ([lawfilesext.leg.wa.gov](https://lawfilesext.leg.wa.gov/biennium/2025-26/Htm/Bill%20Reports/Senate/5480-S.E%20SBR%20FBR%2025.htm?utm_source=openai))
Important context: The CFPB’s October 2025 preemption interpretation contends that FCRA generally preempts state content rules, but that guidance is not itself binding law; the scope of preemption will be resolved through case-by-case litigation. ([bankingjournal.aba.com](https://bankingjournal.aba.com/2025/10/cfpb-federal-law-preempts-state-law-on-credit-reporting/?utm_source=openai))
Bottom line: Today, medical debt credit reporting is shaped by three layers—HIPAA limits on what providers and their collection vendors may disclose, FCRA duties on CRAs and furnishers, and state-level bans that may restrict reporting or use altogether. As of June 8, 2026, the federal CFPB rule that would have eliminated medical-debt reporting nationwide has been vacated, while most CRAs’ voluntary policies (paid-debt deletion, one‑year delay, and the under‑$500 exclusion) remain in place. ([apnews.com](https://apnews.com/article/41f212ee6b89f9902deb267d75ab8443?utm_source=openai))
FAQs
Does HIPAA protect medical debt information?
Yes—HIPAA limits what your provider or its business associate (for example, a collection agency working under contract) can disclose about you. Disclosures for “payment” are permitted but must meet the minimum‑necessary standard; HIPAA does not directly regulate what a consumer reporting agency may show on a credit report. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/standards-privacy-individually-identifiable-health-information/index.html?utm_source=openai))
What rules govern the reporting of medical debt?
The FCRA sets national rules for accuracy, disputes, and permissible purpose; additional medical‑information limits apply, and certain veteran medical debts have special protections. On top of that, CRAs have industry policies (since 2022–2023) that remove paid medical collections, delay reporting for one year, and exclude collections under $500. Some states now ban medical‑debt reporting altogether. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/15/1681e?utm_source=openai))
How does the Fair Medical Debt Reporting Act affect credit reports?
Fair Medical Debt Reporting Act statutes—such as New York’s (effective December 13, 2023) and Maryland’s (effective October 1, 2025)—prohibit CRAs from including medical‑debt information and bar health‑care entities from furnishing such debts for credit reporting in those states. ([ag.ny.gov](https://ag.ny.gov/resources/individuals/health-care-insurance/Reporting-medical-debt?utm_source=openai))
Are consumer reporting agencies allowed to report medical debt?
Under federal law today, CRAs may report properly coded medical collections, subject to FCRA accuracy, dispute, and medical‑information restrictions. However, many state laws now prohibit medical‑debt reporting for their residents, and the nationwide bureaus have voluntarily removed paid medical collections, waited one year before reporting, and excluded balances under $500. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/consumer-reports-what-insurers-need-know?utm_source=openai))