
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is It a HIPAA Violation to Send to Collections?

It is not a HIPAA violation to send to collections provided the minimum necessary Protected Health Information is disclosed and – if using an external collection agency – a Business Associate Agreement is in place with the collection agency. However, before sending medical bills to collections, it is important to consider state and local laws relating to medical debt relief.

The HIPAA Privacy Rule stipulates when uses and disclosures of Protected Health Information (PHI) are required, permitted, require consent, or require authorization. Permitted uses and disclosures of PHI include “Treatment, Payment, or Healthcare Operations” (§164.506). This section of the Privacy Rule states: “A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations”.

By reviewing how TPO in HIPAA is defined – particularly how the word payment is defined – it is possible to determine if it is a HIPAA violation to send to collections. §2(iii) of the definition of payment includes “Billing, claims management, collection activities, obtaining payment under a contract for reinsurance including stop-loss insurance, and related health care data processing”. (“collection activities” italicized for emphasis).

Other HIPAA Compliance Considerations when Sending to Collections

The inclusion of “collection activities” confirms that sending an unpaid medical bill to collections is not a HIPAA violation. However, when sending to collections, there are other HIPAA compliance considerations. These include, but may not be limited to, complying with the minimum necessary standard and complying with the limitations on what PHI can be disclosed to consumer reporting agencies (see Definition of Payment §2(vi)).


In addition, if using an external collection agency to recover funds owed from unpaid medical bills, it is also necessary to enter into a HIPAA Business Associate Agreement with the collection agency before any PHI is disclosed to the agency. As with in-house collections, the healthcare provider must share only the minimum necessary PHI required for the agency to perform its collection services for the healthcare provider.

State and Local Laws Relating to Medical Debt Relief

Although it is not a HIPAA violation to send to collections, there are circumstances in which sending an unpaid medical bill to collections could violate a state or local law. In addition, there is activity at the federal level that may complicate the collections process or that may offer medical debt relief to eligible individuals. (The Department of Veterans Affairs has already helped more than 10,000 veterans save more than $10 million in copay debt.)

Among the measures introduced at the state and local level, Colorado has prohibited debt collection by or on behalf of any hospital that does not display its prices. The Centennial State is also one of several states that have capped eligible individuals’ medical bills to multipliers of the Federal Poverty Level. Some smaller jurisdictions have placed upper limits on the amount of medical debt healthcare providers can take from a family’s budget.

With many federal, state, and local medical debt relief initiatives still in the pipeline, healthcare organizations should keep an eye on developing legislation and avoid any compliance issues that might make it a HIPAA violation to send to collections. Healthcare organizations unaware of developing legislation in their jurisdictions are advised to seek independent compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
