Requirements and Best Practices for Sending Patient Accounts to Collections
Getting paid while protecting patient trust requires a clear, compliant framework. This guide translates the requirements and best practices for sending patient accounts to collections into practical steps you can implement today. By aligning Patient Account Management with Debt Collection Compliance, you reduce risk, speed cash flow, and maintain a patient-first experience.
You will find actionable guidance on Internal Collection Policies, Payment Plan Agreements, Privacy Rule Requirements, and how to work with agencies without exposing Protected Health Information. Use these standards to create a consistent process that is fair, transparent, and legally sound.
Financial Policy
Build clear Internal Collection Policies
- Define when an account becomes delinquent, what events pause the clock (e.g., active insurance appeals, disputes), and exact criteria for placement with an agency.
- List exclusions from placement, such as accounts under formal dispute, active Payment Plan Agreements, or approved financial assistance.
- Specify responsible party rules (e.g., minors, divorce situations) and documentation required before assignment.
Establish fair Payment Plan Agreements
- Offer standardized terms based on balance ranges, with written consent for autopay and clear default conditions.
- State any fees or interest up front, consistent with State Debt Collection Laws, and avoid terms that could be considered unfair or deceptive.
- Document every agreement, including the schedule, communication preferences, and hardship review dates.
Screen for discounts and assistance
- Apply financial assistance or discount policies before collections. Keep a documented denial or approval in the account file.
- Use objective criteria and a uniform review process to ensure consistency and equity.
Write it down—and train
- Publish your Financial Policy in plain language, reference applicable Privacy Rule Requirements, and train staff at onboarding and annually.
- Audit a sample of pre-collection accounts each month to confirm adherence.
Front Desk Procedures
Verify early and often
- Confirm identity, insurance eligibility, coordination of benefits, and coverage limits at or before check-in.
- Capture preferred contact methods and consent to text, email, or call for billing purposes.
Set expectations at check-in
- Discuss estimated patient responsibility and available Payment Plan Agreements in a respectful, scripted manner.
- Provide a simple one-page summary of charges, estimate assumptions, and how additional services may affect the final bill.
Collect compliantly at point of service
- Offer convenient options (card-on-file, portal, mobile payments) and issue receipts immediately.
- Escalate sensitive conversations to a private area to protect Protected Health Information.
Billing Transparency
Send clear, comprehensible statements
- Use plain language, large fonts, and a clean layout that separates provider charges, insurance payments, adjustments, and the patient balance.
- Explain the difference between an Explanation of Benefits and your bill to reduce confusion and inbound call volume.
Itemize and explain
- Provide dates of service, CPT/HCPCS descriptions in understandable terms, and reasons for denials when known.
- Display how prior payments or credits were applied and how to dispute inaccuracies.
Respect Privacy Rule Requirements
- Apply the minimum necessary standard: include only data needed to identify the account and balance; exclude diagnosis details unless essential.
- Ensure that mailed statements and envelopes do not expose sensitive information.
Offer easy ways to pay and get help
- Provide multiple payment channels and publish clear hours for billing support.
- Prominently present Payment Plan Agreements and hardship options before mentioning external collections.
Follow-Up Procedures
Use a consistent outreach timeline
- 0–30 days: courtesy statement and reminder.
- 31–60 days: second statement and digital reminders with an invitation to set up a plan.
- 61–90 days: final notice with plain-language next steps and a clear response window.
Pause and resolve disputes
- Log every dispute, pause collections activity, and provide a written resolution or correction before resuming.
- Track returned mail, undeliverable emails, and wrong numbers; attempt verified alternative contacts.
Set measurable escalation criteria
- Escalate only when outreach milestones, assistance screening, and plan offers are documented.
- Require a final internal review to confirm Debt Collection Compliance before placement.
Use of Collection Agencies
Vet the partner thoroughly
- Confirm licensing, bonding, insurance, and experience with healthcare-specific State Debt Collection Laws.
- Review policies on complaints, call frequency, credit reporting, and settlement authority.
Control the data you share
- Limit disclosures of Protected Health Information to the minimum necessary for payment activities.
- Transmit data securely, define data retention periods, and require breach notification procedures.
Set expectations in writing
- Execute a Business Associate Agreement when the agency acts as your business associate; if selling accounts, use a compliant data-disclosure framework instead of a BAA.
- Define placement criteria, recall rights, fee structures, settlement guidelines, and patient complaint handling.
Monitor performance and conduct
- Track recovery rates, consumer complaints, cease-and-desist compliance, and call audits.
- Require regular reports and reserve the right to pull accounts that risk patient harm or reputational damage.
HIPAA Compliance
Know your lawful bases
- HIPAA permits using and disclosing PHI for payment and health care operations without patient authorization, subject to the minimum necessary rule.
- Reflect these practices in your Notice of Privacy Practices and Internal Collection Policies.
Apply the minimum necessary standard
- Share only identifiers, dates of service, and balance details required to collect; avoid unnecessary clinical content.
- Mask sensitive notes and restrict workforce access to need-to-know roles.
Secure the information
- Use encryption in transit and at rest, role-based access, and audit logs for all billing and collections systems.
- Maintain incident response plans and promptly address potential breaches.
Honor patient rights
- Respect reasonable requests for confidential communications and any restrictions that apply when patients pay in full out of pocket.
- Maintain processes to correct PHI and to document authorizations when needed.
Legal Considerations
Understand the regulatory landscape
- Debt Collection Compliance includes federal rules for third‑party collectors and additional state requirements that may also bind original creditors.
- Train staff on disclosures, call frequency and timing limits, and prohibitions on misleading or unfair practices.
Account for State Debt Collection Laws
- Confirm licensing or registration, message content rules, and consent requirements for texts and emails in every state where patients reside.
- Review restrictions on convenience fees, surcharges, and settlement disclosures.
Special obligations for certain providers
- Hospitals and similar entities may face additional requirements before taking extraordinary collection actions; ensure financial assistance screening and notice standards are met.
- Define when credit reporting, lawsuits, or wage garnishment are prohibited or require senior approval.
Documentation and auditability
- Maintain a defensible audit trail: statements sent, contact attempts, disputes, plan offers, consents, and placement approvals.
- Set retention schedules that satisfy legal and payer requirements.
Conclusion
When you combine transparent billing, structured outreach, and disciplined vendor oversight, sending patient accounts to collections becomes a last, measured step—not a reflex. Center your Patient Account Management on patients’ needs, follow Privacy Rule Requirements, respect State Debt Collection Laws, and enforce Internal Collection Policies. The result is faster resolution, fewer complaints, and sustained trust.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
Is selling medical bills to collections a HIPAA violation?
Not inherently. HIPAA permits disclosures of PHI for payment and health care operations. However, you must share only the minimum necessary information, secure the transfer, and ensure all other applicable requirements are met. If you sell accounts (instead of using a business associate), treat it as a disclosure to a third party and limit PHI accordingly.
What patient information can be shared with collection agencies?
Limit disclosures to what is necessary to identify the debtor and collect the balance—such as patient name, contact information, dates of service, account numbers, and amounts owed. Avoid unnecessary diagnostic details or sensitive notes unless essential and justified under the minimum necessary standard.
How can healthcare providers ensure HIPAA compliance during collections?
Document policies that specify lawful uses, apply the minimum necessary rule, execute Business Associate Agreements when appropriate, use secure data transfers, restrict workforce access, and maintain audit logs. Train staff regularly and pause collections activity when disputes, corrections, or privacy concerns arise.