Who Can You Tell a Patient’s Balance? HIPAA Privacy Checklist
When you handle patient account balances, you’re working with Protected Health Information and must follow HIPAA’s privacy rules, the Minimum Necessary Rule, and evolving Balance Billing Regulations. This checklist clarifies who a Covered Entity may inform about a balance, when patient authorization is required, what to document, and how state and federal protections (including the No Surprises Act) affect Payment Disclosure.
Disclosure of Patient's Balance
Who you may tell without authorization (payment and operations)
- The patient and the patient’s personal representative, after reasonable identity verification.
- Health plans and clearinghouses for payment, eligibility, coordination of benefits, and adjudication of claims.
- Business associates (for example, billing vendors or collection agencies) under a signed business associate agreement.
- Providers and facilities involved in treatment or related healthcare operations that require limited financial details.
- Family or friends involved in payment, when the patient is present and does not object or when you use professional judgment to determine it’s in the patient’s best interest.
Who you may not tell without authorization
- Employers, academic institutions, or unrelated third parties.
- Family members not involved in payment or care, or anyone the patient has specifically excluded.
- Consumer apps or financing companies that are not business associates, unless the patient directs or authorizes the disclosure.
- Public forums or social media under any circumstances.
Practical safeguards for Payment Disclosure
- Confirm identity before discussing balances (e.g., two identifiers) and use secure channels for statements and reminders.
- Apply the Minimum Necessary Rule: share only the balance, dates of service, provider, and payment status—omit diagnosis and clinical notes unless required.
- Use discreet messages: avoid detailed PHI in voicemails or postcards; direct recipients to call back the billing office.
Patient Authorization Requirements
When authorization is required
You need a valid HIPAA authorization if a disclosure is not for treatment, payment, or healthcare operations; if it’s to a non–business associate third party; for marketing; or when the patient has requested a restriction that applies to the disclosure. Authorizations are also prudent when a patient asks you to share balance details with a person you otherwise would not disclose to.
What a valid authorization includes
- Specific description of the information (e.g., “account balance and dates of service for 04/01/2025–06/30/2025”).
- Recipient, purpose, expiration date or event, and the patient’s signature and date.
- Statements about the right to revoke and the possibility of redisclosure by the recipient.
Required restriction for fully self-paid services
If a patient pays for a service in full out of pocket and requests a restriction, you must not disclose that service’s PHI to the health plan for payment or operations. Flag these accounts so balances for those services are not shared with the plan.
Revocation and special cases
Patients may revoke authorization in writing at any time, prospectively. For minors and incapacitated adults, disclosures generally go to the personal representative unless state law grants the patient independent authority for specific services; honor those limits in all balance communications.
Accounting of Disclosures
What typically must be logged
Maintain an accounting for disclosures of PHI that are not for treatment, payment, or healthcare operations and are not otherwise exempt. Examples include disclosures required by law, certain public health and law enforcement disclosures, and those made without authorization under specific HIPAA permissions.
What is usually excluded
Routine balance communications for payment or healthcare operations generally do not require inclusion in the Accounting of Disclosures. Still, keep internal records consistent with policy, especially when using business associates or if a disclosure is unusual or sensitive.
How to document
- Date of disclosure, recipient, and a brief description of the information disclosed.
- Purpose or legal basis (e.g., patient authorization; required by law).
- Who made the disclosure and the Minimum Necessary determination.
Responding to patient requests
- Timeframe: provide an accounting within 60 days; one 30‑day extension is permitted with written notice.
- Scope: up to six years prior to the request date (or your documented policy period if shorter but compliant).
- Fees: the first accounting in a 12‑month period is free; reasonable fees may apply for additional requests.
Compliance with State Balance Billing Laws
How state requirements interact with HIPAA
HIPAA sets a federal privacy floor; states may impose stricter privacy and Balance Billing Regulations. If state law is more protective or prohibits balance billing for certain services, follow state requirements in addition to HIPAA’s privacy rules.
State‑law checkpoints before discussing a balance
- Network status and service type: some states bar out‑of‑network balance billing for emergencies or at in‑network facilities.
- Required notices: verify any mandated disclosures, timelines, or dispute pathways before contacting the patient about amounts due.
- Escalation rules: some jurisdictions limit third‑party collections or specify pre‑collection steps and content.
Operational safeguards
- Maintain a state‑by‑state matrix for balance billing limits and required communications.
- Configure your EHR/practice management system to surface network status and state rules at the point of Payment Disclosure.
- Train staff to pause outreach when applicability of state protections is unclear.
Minimum Necessary Standard for Financial Information
Applying the Minimum Necessary Rule
For payment and healthcare operations, disclose only the minimum PHI needed to accomplish the task. Limit access based on role, and standardize what data elements may be used when responding to balance inquiries.
A minimal financial data set for Payment Disclosure
- Patient name, account number, and dates of service.
- Provider/facility name and place of service.
- Charge amount, payments, adjustments, and current balance due.
- Claim or authorization identifiers when needed to resolve payment.
When Minimum Necessary does not apply
- Disclosures to the individual (the patient) or pursuant to a valid authorization.
- Disclosures to another provider for treatment purposes.
- Disclosures required by law or to HHS for compliance investigations.
Controls and auditing
- Role‑based access, break‑the‑glass procedures for exceptions, and user activity logs.
- Template language for voicemails and statements to avoid unnecessary PHI.
- Periodic audits to confirm adherence to the Minimum Necessary Rule.
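As an added example (not code from the page or from Accountable), the Python sketch below turns the checklist's rules into one place a billing system could enforce them: the minimal financial data set and role-based views from this section, the fully self-paid restriction flag from the authorization section, and the disclosure log, six-year window and 60/30-day deadlines from the Accounting of Disclosures section. The role names, purpose labels, field names and the sample account are assumptions chosen to mirror the checklist's categories; a real practice management system would map its own fields onto them.

```python
"""Minimum Necessary filtering and disclosure logging for balance inquiries.

Added example, not code from the page or from Accountable. Role names, purpose
labels, field names and the sample account are assumptions; nothing here is a
real system's API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# Minimal financial data set the checklist permits for Payment Disclosure.
FINANCIAL_FIELDS: Set[str] = {
    "patient_name", "account_number", "dates_of_service", "provider",
    "place_of_service", "charges", "payments", "adjustments",
    "balance_due", "claim_id",
}
# Clinical elements a balance conversation must omit.
CLINICAL_FIELDS: Set[str] = {"diagnosis", "procedure_codes", "clinical_notes"}

# Role-based views for payment/operations recipients (assumed role names).
# Minimum Necessary does not apply to the patient, so the patient sees everything.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "patient": FINANCIAL_FIELDS | CLINICAL_FIELDS,
    "health_plan": FINANCIAL_FIELDS,
    "billing_vendor": FINANCIAL_FIELDS,  # business associate under a signed BAA
    "family_involved_in_payment": {"patient_name", "dates_of_service",
                                   "provider", "balance_due"},
}
TPO_PURPOSES = {"treatment", "payment", "operations"}


class DisclosureNotPermitted(Exception):
    """The requested disclosure is outside TPO and has no authorization on file."""


@dataclass
class Account:
    record: Dict[str, object]
    restricted_self_pay: bool = False  # paid in full and restriction requested
    authorized_recipients: Set[str] = field(default_factory=set)


@dataclass
class DisclosureEntry:
    disclosed_on: date
    recipient: str
    purpose: str
    fields_disclosed: List[str]
    needs_accounting: bool  # non-TPO, not under authorization, not to the patient


def minimum_necessary_view(account: Account, recipient: str, purpose: str) -> Dict[str, object]:
    """Return only the fields this recipient may receive for this purpose."""
    if purpose in TPO_PURPOSES:
        if recipient not in ROLE_FIELDS:
            raise DisclosureNotPermitted(f"{recipient}: not a permitted TPO recipient")
        if recipient == "health_plan" and account.restricted_self_pay:
            raise DisclosureNotPermitted("self-pay restriction: do not disclose to the plan")
        allowed = ROLE_FIELDS[recipient]
    elif purpose == "authorization":
        if recipient not in account.authorized_recipients:
            raise DisclosureNotPermitted(f"{recipient}: no valid HIPAA authorization on file")
        allowed = FINANCIAL_FIELDS  # the authorization describes balance and dates only
    elif purpose == "required_by_law":
        allowed = FINANCIAL_FIELDS
    else:
        raise DisclosureNotPermitted(f"unrecognised purpose {purpose!r}")
    return {k: v for k, v in account.record.items() if k in allowed}


def disclose(log: List[DisclosureEntry], account: Account, recipient: str,
             purpose: str, today: date) -> Dict[str, object]:
    """Filter the record, then append a log entry with the accounting determination."""
    view = minimum_necessary_view(account, recipient, purpose)
    needs_accounting = (purpose not in TPO_PURPOSES and purpose != "authorization"
                        and recipient != "patient")
    log.append(DisclosureEntry(today, recipient, purpose, sorted(view), needs_accounting))
    return view


def _six_years_before(d: date) -> date:
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # 29 February in a leap year
        return d.replace(year=d.year - 6, day=28)


def accounting_for_request(log: List[DisclosureEntry], request_date: date) -> List[DisclosureEntry]:
    """Entries the patient is entitled to: accountable disclosures in the prior six years."""
    start = _six_years_before(request_date)
    return [e for e in log if e.needs_accounting and start <= e.disclosed_on <= request_date]


def accounting_due_date(request_date: date, extended: bool = False) -> date:
    """60 days to respond; one 30-day extension with written notice."""
    return request_date + timedelta(days=60 + (30 if extended else 0))


# Constructed sample account (not real patient data).
SAMPLE = Account(
    record={
        "patient_name": "Example Patient", "account_number": "ACCT-0001",
        "dates_of_service": "2025-04-01 to 2025-06-30", "provider": "Example Clinic",
        "place_of_service": "Office", "charges": 450.00, "payments": 100.00,
        "adjustments": 50.00, "balance_due": 300.00, "claim_id": "CLM-123",
        "diagnosis": "REDACTED-IN-EXAMPLE", "clinical_notes": "REDACTED-IN-EXAMPLE",
    },
    authorized_recipients={"sibling_named_in_authorization"},
)

if __name__ == "__main__":
    log: List[DisclosureEntry] = []
    print(disclose(log, SAMPLE, "health_plan", "payment", date(2025, 7, 1)))
    print(disclose(log, SAMPLE, "family_involved_in_payment", "payment", date(2025, 7, 2)))
    print(accounting_for_request(log, date(2025, 8, 1)))  # TPO entries are not accountable
```

The design point is that the field filter and the accounting decision are made in the same function, so every balance disclosure leaves a log entry whether or not it later counts toward an accounting; the audit trail the checklist asks for then comes for free, and the self-pay restriction is enforced before any data leaves the record rather than relying on staff to remember a flag.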
Notice of Privacy Practices Transparency
What your Notice of Privacy Practices should explain
- That PHI may be used and disclosed for payment and healthcare operations, including contacting you about balances.
- Examples of financial communications (statements, eligibility checks, prior authorization, collections via business associates).
- Your rights: access, amendments, Accounting of Disclosures, request for restrictions, and alternative communications.
- How to submit privacy complaints and whom to contact with questions.
Distribution and acknowledgment
- Provide the Notice of Privacy Practices at first service and upon request.
- Obtain and retain acknowledgment of receipt or document a good‑faith effort if acknowledgment is not obtained.
- Update and redistribute the notice when your uses/disclosures or patient rights materially change.
Aligning policy and practice
- Ensure billing scripts, letters, and patient portal messages mirror the Notice of Privacy Practices language.
- Document alternative communication requests (e.g., different address or phone) and apply them to all balance outreach.
No Surprises Act Patient Protections
Core protections to factor into balance communications
- No out‑of‑network balance billing for emergency services and certain non‑emergency services at in‑network facilities, beyond in‑network cost sharing.
- Good Faith Estimates for uninsured or self‑pay patients before services, and a process to resolve significant estimate‑to‑bill discrepancies.
- Notice‑and‑consent exceptions in limited scenarios, with strict content and timing requirements.
- Plan–provider dispute resolution that may affect what the patient ultimately owes.
Implications for quoting or discussing a balance
- Confirm whether the service is protected from balance billing; do not disclose or pursue amounts barred by law.
- Coordinate with the plan’s explanation of benefits to avoid quoting unsupported figures.
- When providing estimates, state that patient responsibility may change after adjudication and reflect any Good Faith Estimate provided.
Workflow safeguards
- Check network status and service category before outreach.
- Flag No Surprises Act‑protected encounters and apply tailored scripts and statement templates.
- Escalate disputes or complaints through your compliance channel before additional disclosures or collection actions.
Conclusion
Determining who may be told a patient’s balance requires aligning HIPAA’s Payment Disclosure rules, the Minimum Necessary Rule, and state and federal Balance Billing Regulations. Share only what’s needed, document non‑TPO disclosures, and keep your Notice of Privacy Practices and workflows aligned.
By verifying recipients, honoring patient choices, and incorporating No Surprises Act protections, you can communicate balances confidently while safeguarding privacy and trust.
FAQs
Does HIPAA allow sharing patient account balances without consent?
Yes. HIPAA permits Covered Entities to disclose PHI for payment and healthcare operations without patient authorization. You may share limited balance information with health plans, business associates under agreement, and individuals involved in payment when the patient does not object or when professional judgment supports it. Apply the Minimum Necessary Rule and honor any patient‑requested restrictions, including those tied to fully self‑paid services.
What documentation is required when disclosing patient financial information?
For routine payment disclosures, maintain policies, role‑based access, identity verification records, and business associate agreements. When a patient authorization is used, retain the signed authorization and any revocation. Log disclosures that require an Accounting of Disclosures (i.e., non‑TPO or non‑exempt), capturing date, recipient, description, purpose, and the Minimum Necessary determination. Keep your Notice of Privacy Practices and acknowledgment on file to support transparency.
How do state laws affect balance billing disclosures?
State Balance Billing Regulations may prohibit or limit out‑of‑network balance billing and impose notice, timing, and content requirements. Because state law can be more protective than HIPAA, confirm service type and network status before communicating a balance, tailor scripts and statements to state rules, and pause outreach when protections apply or eligibility is unclear.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.