Is It a HIPAA Violation to Send to Collections?

It is not a HIPAA violation to send to collections because the HIPAA Privacy Rule permits disclosures of this nature provided the amount of information sent to collections complies with the minimum necessary standard and provided the disclosure of Protected Health Information is covered by a Business Associate Agreement if collections are conducted by an external agency.

The relevant sections of the HIPAA Privacy Rule that answer the question of whether it is a HIPAA violation to send to collections are §164.506 (“Uses and disclosures to carry out treatment, payment, and health care operations”) and §164.501 (“Definitions”). §164.506 permits covered entities to use and disclose Protected Health Information for activities related to payments, while the definition of Payment in §164.501 includes “[for] collection activities”.

However, these are not the only HIPAA compliance factors to take into account when sending medical bills to collections. Nearly all non-treatment uses and disclosures of Protected Health Information (PHI) permitted by §164.506 are subject to the minimum necessary standard. This means that covered entities are only permitted to use or disclose the minimum amount of PHI necessary to achieve the purpose of the use or disclosure.

In addition, when collection activities are conducted by an external agency, it is essential that a Business Associate Agreement is in place between the healthcare provider and the external agency. The external agency is only permitted to use any PHI disclosed by the healthcare provider for the purposes for which it was provided, and must return the PHI to the healthcare provider (or destroy the PHI) once collection activities are completed.

Other Considerations before Sending to Collections

In 2021, the Census Bureau published its Survey of Income and Program Participation report. The report revealed that millions of individuals had significant medical debts totaling more than $220 billion nationwide. The scale of the medical debts was not only affecting individuals who lacked the funds to pay for healthcare treatments and services, but also increasing the cost of healthcare treatments and services for everyone else.

To address these issues, when Congress passed the American Rescue Plan Act, it included disbursements for jurisdictions with problematic debt issues. These disbursements have been taken advantage of by many states, counties, and cities to implement measures that impact medical billing and collections. Examples of these measures include:

  • In Arizona, medical debt collectors cannot use wage garnishment to take any amount from a worker with a paycheck up to one and one-half times the minimum wage. For workers with higher wages, wage garnishment cannot exceed 10% of a worker’s paycheck.
  • In Delaware, a recently enacted law prohibits all forms of wage garnishment, home foreclosure, and bank account seizures for medical debt. The state also caps repayment plans for medical debts of $500 or more at 5% of an individual’s monthly income.
  • In New Orleans, Pittsburgh, and Toledo, schemes have been introduced that limit the amount a healthcare provider or collection agency can recover in repayments to 20% of a family’s net budget, with further income-based discounts as necessary.

Conclusion: Is It a HIPAA Violation to Send to Collections?

Although there are circumstances in which it could be a HIPAA violation to send to collections, it is more likely that compliance issues will occur with regard to state, county, and city laws. Some state laws are cross-border inasmuch as they apply to citizens of the state regardless of the location of the healthcare provider. Healthcare providers who are uncertain about which state, county, or city laws they are required to comply with should seek professional healthcare compliance advice.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681