A notice submitted by the Consumer Financial Protection Bureau states, “After a medical debt has been placed by the creditor in collections status because the debt has been unpaid for a period of time, the medical debt may be furnished as a collections tradeline to consumer reporting agencies by a debt collector, including a debt collector who collects on behalf of the original creditor for a fee, as well as a debt collector who purchases overdue accounts outright from the original creditor (also known as a debt buyer).”
HIPAA applies only when protected health information (PHI) is involved in the debt collection process, and covered entities and their partners must balance effective communication tactics with strict confidentiality and legal requirements at every step. Suppose a collection agency works for a healthcare provider and accesses medical billing details or any information that can identify a patient in connection with their care.
In that case the collector becomes a business associate and must follow HIPAA’s Privacy and Security Rules. That includes limiting information to what is necessary and putting safeguards in place to prevent unauthorized disclosure. At the same time, the communication strategy used in collections matters.
What HIPAA covers in debt collection
The notice cited above provides, “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Department of Health and Human Services’ implementing regulations also limit or regulate the use, collection, and sharing of certain health information.”
HIPAA’s debt-collection rules primarily fall under Title II, which outlines the privacy and security standards for PHI. The Privacy Rule limits how covered entities, like healthcare providers and insurers, and their business associates can use or disclose protected health information.
That includes debt collectors whenever they access information tied to a patient’s care or billing. In these situations, agencies can use PHI only for permitted purposes such as payment and must stick to the “minimum necessary” standard, meaning only the information needed to pursue the debt can be shared. Anything beyond that typically requires the patient’s authorization.
The Security Rule requires policies, staff training, and risk reviews, along with protections for physical files and digital systems. In practice, that means restricting who can access PHI, securing devices and paper records, and using technical controls like access logs and secure transmission tools. If PHI is mishandled, the Enforcement Rule allows federal penalties, reinforcing that patient confidentiality still applies even when a bill goes unpaid.
HIPAA only comes into play when collection efforts involve PHI tied to a patient’s identity and healthcare. If a debt collector receives only general financial data with no health information attached, they fall outside HIPAA. But once health-related billing details are linked to a named individual, the law applies fully, and debt collectors must treat that data with the same care as a hospital or health plan.
When healthcare providers can share PHI with debt collectors
The Privacy Rule gives healthcare providers room to share patient information when it is needed for payment purposes, and that includes collecting unpaid medical bills. The law, at 45 CFR §164.506, defines payment broadly, covering billing, claims processing, and debt collection activities. In other words, providers are allowed to share certain patient details with a collection agency to recover what they are owed.
As ‘Privacy protections to encourage use of health-relevant digital data in a learning health system’ notes, “Moving toward a rapid learning system to solve intractable problems in health demands a balance between protecting patients and making data available to improve health and health care.” That same tension exists in healthcare billing. Organizations need enough data to manage patient accounts and pursue legitimate debts, yet they must do so in a way that respects patient privacy and maintains public trust.
When a debt collector receives PHI from a healthcare provider, they become a business associate under HIPAA. That triggers additional responsibilities. Before any information is shared, the provider must have a business associate agreement (BAA) in place. The agreement confirms that the collector understands its privacy obligations and will take steps to protect the data. Those steps usually include encryption, access controls, secure communication practices, and staff training to prevent mishandling or unauthorized access.
What PHI debt collectors can access
The information shared in these situations is typically limited to basics: a patient’s name, contact information, account or invoice number, dates of service, and the balance owed. Detailed clinical notes or sensitive medical details are not necessary for collections and should not be released.
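One way to enforce that “minimum necessary” split in a provider’s billing system, as an added example that is not part of the article: an allowlist of the collection fields listed above, a refusal to ever widen it to clinical fields, and an audit entry that records which field names were disclosed and withheld. The field names, sample record and collector id are all constructed for illustration.

```python
# Added example, not from the article: enforcing HIPAA's "minimum necessary"
# standard when a provider hands an unpaid account to a collection agency.
# Field names, the sample record and the collector id are constructed.
from datetime import datetime, timezone

# The basics the article says a collector typically receives.
COLLECTOR_FIELDS = frozenset({"patient_name", "contact_info", "account_number",
                              "dates_of_service", "balance_due"})
# Clinical detail never needed to pursue payment (constructed field names).
CLINICAL_FIELDS = frozenset({"diagnosis", "clinical_notes", "medications",
                             "procedure_codes"})

# Constructed sample of what a provider's billing system might hold.
SAMPLE_BILLING_RECORD = {
    "patient_name": "Jane Example",
    "contact_info": "jane@example.invalid",
    "account_number": "ACC-0001",
    "dates_of_service": ["2024-03-02"],
    "balance_due": 412.50,
    "diagnosis": "J45.20",             # clinical: must be withheld
    "clinical_notes": "asthma follow-up",
    "insurer_memo": "claim adjusted",  # not allowlisted, so also withheld
}

class MinimumNecessaryViolation(Exception):
    """Raised when a disclosure would exceed what payment activity requires."""

def build_collector_extract(record, collector_id, extra_fields=()):
    """Return (extract, audit_entry) for a payment-purpose disclosure.

    extra_fields lets a provider add a payment-related field, but clinical
    fields are refused outright. The audit entry stores field *names* only,
    so the log is not a second copy of the patient's PHI.
    """
    extra = frozenset(extra_fields)
    if extra & CLINICAL_FIELDS:
        raise MinimumNecessaryViolation(
            f"clinical fields refused: {sorted(extra & CLINICAL_FIELDS)}")
    if "account_number" not in record or "balance_due" not in record:
        raise MinimumNecessaryViolation("account_number and balance_due are required")
    allowed = COLLECTOR_FIELDS | extra
    extract = {k: v for k, v in record.items() if k in allowed}
    audit_entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "recipient": collector_id,
        "purpose": "payment",  # the permitted purpose the article cites
        "account_number": record["account_number"],
        "fields_disclosed": sorted(extract),
        "fields_withheld": sorted(k for k in record if k not in allowed),
    }
    return extract, audit_entry
```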
As the Working Paper ‘Access to credit and financial health: Evaluating the impact of debt collection’ notes, “close to 14% of American consumers have at least one account in third-party collection,” and lower-credit borrowers may average up to four accounts in collections. The researchers emphasize that debt recovery is embedded in the financial ecosystem and note that “debt collection is a $13.7 billion industry with over 6,000 firms in operation in the United States.”
Striking this balance protects patient privacy while still allowing providers to pursue unpaid accounts. If a collector or provider strays outside these rules, the penalties under HIPAA’s Enforcement Rule can be steep.
HIPAA vs the Fair Debt Collection Practices Act
HIPAA is designed to protect the privacy and security of patients’ health information. The FDCPA serves a different purpose. It is a consumer protection law that governs how debt collectors behave, regardless of whether the debt is medical or not. Its focus is on preventing harassment, deception, and other unfair practices when collectors contact consumers.
A paper ‘How do consumers fare when dealing with debt collectors? Evidence from out-of-court settlements’ provides, “the Fair Debt Collection Practices Act (FDCPA) of 1977 limits when third-party collectors can contact a consumer, prohibits misrepresentation, lies, and deception, and prohibits the collection of amounts greater than the amount owed, which the collector must provide written notification of in a timely fashion. Several individual states have also enacted laws that provide protections that go beyond the FDCPA”.
It gives patients the right to dispute debts and restricts when and how collectors can reach out. Unlike HIPAA, the FDCPA does not deal with the privacy of medical information; it regulates conduct, not data security. Together, the two laws protect patients in different ways: HIPAA safeguards their health information, while the FDCPA protects them from abusive collection practices.
FAQs
Can a business associate use PHI for its own purposes?
No, business associates may only use PHI for the tasks permitted under their agreement.
Are business associates directly liable for HIPAA violations?
Yes, business associates face direct enforcement and penalties for failing to follow HIPAA.
Do subcontractors of business associates need BAAs?
Yes, subcontractors that handle PHI must also sign BAAs and comply with HIPAA.