HIPAA & FCRA Compliance in Medical Debt Collection


The Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA) generally allow medical debts to be reported to consumer reporting agencies, though some restrictions apply.

Policies of the CRAs also impact what information can be reported regarding medical debts.

The FCRA permits health service providers and their agents to furnish information about medical debts to consumer reporting agencies (CRAs). However, the Act requires furnishers to encrypt certain information to protect the consumer’s privacy. Likewise, HIPAA allows medical providers or their debt collectors to report medical debts to CRAs, provided that the information used is limited to the minimum amount necessary. The CRAs themselves also have certain policies that impact the furnishing of medical information.

I will now provide an overview of the requirements for furnishing information on medical debts under the FCRA, HIPAA and the CRA policies.


The FCRA (Fair Credit Reporting Act) allows the reporting of information arising from the receipt of medical services, products or devices. However, the name, address, and telephone number of any medical information furnisher may not be included in a consumer report unless the information is coded in such a manner that the name of the provider and the nature of the services cannot be inferred by a person other than the consumer.

Medical information is defined under the FCRA as:

Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to—(A) the past, present, or future physical, mental, or behavioral health or condition of an individual; (B) the provision of health care to an individual; or (C) the payment for the provision of health care to an individual.

The FCRA establishes a class of data furnishers termed “medical information furnishers.” A medical information furnisher is defined as “a person whose primary business is providing medical services, products, or devices, or the person’s agent or assignee, who furnishes information to a consumer reporting agency [CRA] on a consumer.” Examples include doctors, dentists, hospitals and their agents (such as a health care debt collector) that furnish information about consumers to a CRA. Medical service providers and their agents must register as a medical information furnisher with each CRA to which they report medical debts.

Time Period for Reporting Medical Debts

Similar to most other consumer debts, medical debts may generally be reported for a period of seven years, unless state law provides for a different time period. The seven-year reporting period begins to run 180 days after the date of delinquency. The date of delinquency is the month and year of the commencement of the delinquency on the account that immediately preceded collection activity or the account being charged to profit and loss.



HIPAA permits medical providers to share information with their agents for any purpose that the Department of Health and Human Services (HHS) has deemed permissible without authorization under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HHS has stated that HIPAA regulations permit the disclosure of medical information for the purpose of obtaining payment on medical goods and services, including reporting medical information to a CRA. Thus, health care providers and their agents are able to report medical debts to CRAs without violating HIPAA. According to HHS:

The Privacy Rule permits a collection agency, as a business associate of a covered health care provider, to use and disclose protected health information as necessary to obtain reimbursement for health care services, which could include disclosures of certain protected health information to a credit reporting agency, or as part of collection litigation.

The HHS Office for Civil Rights also provided the following question and answer on the HHS website:

Question: Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies?

Answer: No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following protected health information about the individual: name and address; date of birth; social security number; payment history; and account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly, or may carry out this function through a third party, such as a collection agency, under a business associate arrangement. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by the Fair Credit Reporting Act (FCRA) or other law. Therefore, the Department does not believe there is a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

It should also be noted that the Privacy Rule generally requires that medical information that is used by a medical provider or its business associate should be limited to the minimum amount necessary for the purpose of the use or disclosure.
