top of page
  • Writer's pictureFair Capital

HIPAA & FCRA Compliance in Medical Debt Collection

Updated: Sep 8, 2023

The Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA) generally allow to report medical debts to consumer reporting agencies, though some restrictions apply.

Policies of the CRAs also impact what information can be reported regarding medical debts.

HIPAA Compliance in Medical Debt Collection

Medical providers and their debt collection agencies are allowed under the FCRA to report medical debt information to consumer reporting agencies (CRAs), commonly known as credit bureaus. However, the Act requires that furnishers encrypt specific details to safeguard consumer privacy. Similarly, under HIPAA, medical providers or their debt collectors can report medical debts to CRAs as long as the information is restricted to the minimum necessary. The CRAs also maintain certain policies that influence the provision of medical information.

The following will provide an overview of some requirements when furnishing medical accounts under the FCRA, HIPAA and CRA policies.


The FCRA (Fair Credit Reporting Act) allows the reporting of information arising from the receipt of medical services, products or devices. However, the name, address, and telephone number of any medical data furnisher may not be included in the report unless the data is coded in such a manner that the name of the provider and the nature of the services cannot be inferred by a person other than the consumer.


Medical information is defined under the FCRA as: Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to—(A) the past, present, or future physical, mental, or behavioral health or condition of an individual; (B) the provision of health care to an individual; or (C) the payment for the provision of health care to an individual.

The FCRA establishes a class of data furnishers termed “medical information furnishers.” A medical information furnisher is “a person whose primary business is providing medical services, products, or devices, or the person’s agent or assignee, who furnishes information to a consumer reporting agency (CRA) on a consumer.” Examples include doctors, dentists, hospitals and their agents (such as a health care debt collector) that furnish information about consumers to a CRA. Medical service providers and their agents must register as a medical information furnished with each CRA to which they report medical debts.

Coding of Medical Information

Once a health service provider or its agent has registered as a medical information furnisher, the CRA must cease including the furnisher’s name and address in the consumer report, unless “such name, address, and telephone number are restricted or reported using codes that do not identify, or provide information sufficient to infer, the specific provider or the nature of such services, products, or devices to a person other than the consumer.”

As a result of the encryption requirements and the special designation of the medical information furnisher, medical providers and their agents can report to the credit bureaus while maintaining the patient's privacy.

The Metro 2® Format includes a "Creditor Classification" field labeled "02", which signifies that the report pertains to Medical/Health Care. At Fair Capital, we utilize this classification, ensuring our compliance with the FCRA's coding guidelines. As per the CDIA’s Credit Reporting Resource Guide®, companies reporting medical debts or returned checks for medical reasons must use the Creditor Classification "02" which indicates "Medical/Health Care."

Time period for reporting medical debt

Similar to most other consumer debts, medical debt may be reported for seven years unless state law provides a different time limit. The seven-year reporting period is calculated based on the delinquency date. The date of delinquency is the month and year of the commencement of the delinquency on the account that immediately preceded collection activity or the account being charged to profit and loss.



Under HIPAA, medical providers are allowed to share information with their agents for any purpose that the Department of Health and Human Services (HHS) has deemed permissible without authorization under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HHS has stated that HIPAA regulations permit the disclosure of medical information for the purpose of obtaining payment on medical goods and services, including reporting medical information to a CRA. Thus, health care providers and their collection agencies are able to report medical debts to CRAs without violating HIPAA regulations.

The Privacy Rule permits a collection agency, as a business associate of a covered health care provider, to use and disclose protected health information as necessary to obtain reimbursement for health care services, which could include disclosures of certain protected health information to a credit reporting agency, or as part of collection litigation.

The HHS Office for Civil Rights also provided the following question and answer on the HHS website:

Question: Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies?

Answer: No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following protected health information about the individual: name and address; date of birth; social security number; payment history; and account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly, or may carry out this function through a third party, such as a collection agency, under a business associate arrangement. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by the Fair Credit Reporting Act (FCRA) or other law. Therefore, the Department does not believe there is a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

Consumer Reporting Agency Rules

In addition to following federal laws like the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA), medical debt collectors also have to meet standards set by individual Consumer Reporting Agencies (CRAs). After reaching a settlement with some state attorney generals, the three major CRAs—Experian, Equifax, and TransUnion—introduced the National Consumer Assistance Plan (NCAP).

The NCAP has several new rules that affect how medical debt is reported. For example, medical debts can't be reported until they are at least a year old, counting from the first missed payment with the original creditor. Also, once a medical debt is fully paid, it will be removed from the person's credit report. Additionally, the CRAs will no longer show medical debts on credit reports if the owed amount is $500 or less.

In Conclusion:

In the intricate world of medical debt collection, partnering with the right agency is paramount. With Fair Capital, you're choosing the nation's leading medical debt collection agency, ensuring compliance and optimal results.

Ready for unparalleled service? Contact Fair Capital today and get your free quote. Your peace of mind awaits. Please give us a call: 855-505-5669

A+ BBB rated medical debt collection agency


Disclaimer: Any and all information is not intended to be, nor is it, legal advice. Please consult your attorney for information concerning allowable rates of interest.

bottom of page