Is It a HIPAA Violation to Send to Collections?

by James Keogh

Sending a patient account to a debt collection agency is not a HIPAA violation when three conditions hold: the disclosure is permitted as a payment activity under the HIPAA Privacy Rule, it is limited to the information that supports the collection activity under the HIPAA Minimum Necessary Rule, and, where a business associate is involved, it is governed by a compliant vendor relationship with appropriate safeguards.

A HIPAA Covered Entity may use and disclose protected health information for payment activities, which includes billing and collection efforts for healthcare services. When a covered entity uses an external collection agency to collect a debt on its behalf, the collection agency usually performs a function that involves protected health information and is treated as a Business Associate for HIPAA purposes. That arrangement calls for a written business associate agreement that describes permitted uses and disclosures, requires safeguards, and sets breach reporting and subcontractor controls.

The disclosure to a collection agency must be limited to the minimum necessary information to accomplish the collection purpose. Collection activity typically requires identifying and contact information, account balance, dates of service, and limited claim or billing details. Disclosing diagnosis details, clinical notes, images, or the full medical record is outside the scope of most collection needs and increases compliance exposure.

A common compliance failure involves disclosing information to a collector that is not acting on behalf of the covered entity or that is not bound by a business associate agreement when one is required. Another failure involves over-disclosure through account notes, itemized statements that reveal sensitive service types, or free-text comments copied from clinical systems. Technical and administrative controls support compliance, including standardized data fields for collection exports, restricted access to collection reports, and review processes that remove unnecessary clinical detail.
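The minimum-necessary limits above and the controls just described (standardized export fields, removal of clinical detail, and a check that the collector is a bound business associate) can be enforced in code at the point where a billing system produces a collection export. The following is an added example written for this article, not code from HIPAAnswers or from any billing or collection product; the field names, the vendor registry shape, the clinical-term list and the sample accounts are all constructed for illustration. It exports only an allowlist of fields, strips service descriptions from line items so a sensitive service type is not revealed, routes accounts whose free-text notes look clinical to manual review, and refuses to export at all when no business associate agreement is recorded for the vendor.

```python
"""Minimum-necessary filter for a collection export (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Fields a collector needs to pursue a balance (assumed names for this example).
COLLECTION_FIELDS = (
    "account_id", "patient_name", "mailing_address", "phone",
    "balance_due", "dates_of_service", "claim_number",
)

# Free-text fragments that suggest clinical detail leaked into account notes.
# Constructed list; a production list needs tuning to avoid false positives.
CLINICAL_TERMS = ("diagnos", "hiv", "psychiatr", "substance", "oncolog", "pregnan", "therapy")


@dataclass
class ExportResult:
    records: List[Dict] = field(default_factory=list)
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # (account_id, reason)


def vendor_is_business_associate(vendor: Dict) -> bool:
    """A collector acting for the covered entity must have a BAA on file before any PHI leaves."""
    return bool(vendor.get("baa_on_file"))


def has_clinical_text(text: str) -> bool:
    """Flag free text that appears to carry clinical detail rather than billing history."""
    lowered = text.lower()
    return any(term in lowered for term in CLINICAL_TERMS)


def minimize_line_items(items: List[Dict]) -> List[Dict]:
    """Keep date and amount only; the service description could reveal a sensitive service type."""
    return [{"date": item["date"], "amount": item["amount"]} for item in items]


def build_collection_export(accounts: List[Dict], vendor: Dict) -> ExportResult:
    """Produce the record set that may be sent to the collector, rejecting anything that fails review."""
    if not vendor_is_business_associate(vendor):
        raise ValueError(f"no business associate agreement on file for {vendor.get('name')}")
    result = ExportResult()
    for acct in accounts:
        if acct.get("balance_due", 0) <= 0:
            result.rejected.append((acct["account_id"], "no outstanding balance"))
            continue
        # Free-text notes are never exported; if they look clinical, the account also
        # goes to manual review so the clinical detail can be removed at the source.
        if has_clinical_text(acct.get("account_notes", "")):
            result.rejected.append((acct["account_id"], "account notes contain clinical text; manual review"))
            continue
        # Allowlist copy: diagnosis codes, clinical notes and similar fields are dropped by construction.
        record = {k: acct[k] for k in COLLECTION_FIELDS if k in acct}
        if "line_items" in acct:
            record["line_items"] = minimize_line_items(acct["line_items"])
        result.records.append(record)
    return result


# Constructed sample accounts; the second one has a clinical detail copied into its notes.
SAMPLE_ACCOUNTS = [
    {"account_id": "A-1001", "patient_name": "Pat Example", "mailing_address": "1 Sample St",
     "phone": "555-0100", "balance_due": 240.0, "dates_of_service": ["2024-03-02"],
     "claim_number": "CLM-1", "diagnosis_codes": ["F32.1"],
     "clinical_notes": "Follow-up visit; symptoms improving.",
     "line_items": [{"date": "2024-03-02", "amount": 240.0, "description": "Psychotherapy 45 min"}],
     "account_notes": "Left voicemail 2024-05-01"},
    {"account_id": "A-1002", "patient_name": "Sam Example", "mailing_address": "2 Sample St",
     "phone": "555-0101", "balance_due": 95.0, "dates_of_service": ["2024-04-10"],
     "claim_number": "CLM-2", "account_notes": "Patient disputes charge; HIV test billed twice"},
    {"account_id": "A-1003", "patient_name": "Lee Example", "mailing_address": "3 Sample St",
     "phone": "555-0102", "balance_due": 0.0, "dates_of_service": ["2024-04-12"], "claim_number": "CLM-3"},
]
SAMPLE_VENDOR = {"name": "Example Collections LLC", "baa_on_file": True}  # constructed

if __name__ == "__main__":
    out = build_collection_export(SAMPLE_ACCOUNTS, SAMPLE_VENDOR)
    for rec in out.records:
        print("export:", rec)
    for acct_id, reason in out.rejected:
        print("held:", acct_id, "-", reason)
```

Running the block exports only A-1001, with its diagnosis code, clinical note and line-item description removed, and holds A-1002 for review because the account note carries a service type that the collector has no need to see. The allowlist, rather than a denylist of clinical fields, is the design choice that matters: a new clinical column added to the billing system later is excluded automatically instead of silently flowing to the vendor.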

Patient rights and restrictions can affect collections disclosures. A patient request for confidential communications can require alternative mailing or contact methods. A restriction request related to a service paid in full out of pocket can limit disclosures of information about that service to a health plan, and organizations should coordinate billing and collection workflows to prevent unintended disclosures that conflict with accepted restrictions.

A disclosure connected to collections becomes a HIPAA problem when it lacks a permitted payment basis, exceeds minimum necessary limits, uses a vendor relationship that does not meet Business Associate requirements, or results in an impermissible disclosure such as a misdirected account file or public posting of protected health information by a collector.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]