• Fair Capital

HIPAA & FCRA Compliance in Medical Debt Collection

The Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA) generally allow medical debts to be reported to consumer reporting agencies, though some restrictions apply.

Policies of the CRAs also impact what information can be reported regarding medical debts.


The FCRA permits health service providers and their agents to furnish information relating to medical debt to consumer reporting agencies (CRAs). However, the Act requires furnishers to encrypt certain details to protect the consumer’s privacy. Likewise, under HIPAA, medical providers or their debt collectors may report medical debts to CRAs, provided that the information used is limited to the minimum necessary. The CRAs themselves also have certain policies that impact the furnishing of medical information.

The following will provide an overview of some requirements when furnishing medical accounts under the FCRA, HIPAA and CRA policies.


The FCRA (Fair Credit Reporting Act) allows the reporting of information arising from the receipt of medical services, products or devices. However, the name, address, and telephone number of any medical information furnisher may not be included in the report unless the data is coded in such a manner that the name of the provider and the nature of the services cannot be inferred by a person other than the consumer.

The FCRA defines “medical information” as information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to—(A) the past, present, or future physical, mental, or behavioral health or condition of an individual; (B) the provision of health care to an individual; or (C) the payment for the provision of health care to an individual.


The FCRA establishes a class of data furnishers termed “medical information furnishers.” A medical information furnisher is “a person whose primary business is providing medical services, products, or devices, or the person’s agent or assignee, who furnishes information to a consumer reporting agency (CRA) on a consumer.”

Examples include doctors, dentists, hospitals and their agents (such as a health care debt collector) that furnish information about consumers to a CRA. Medical service providers and their agents must register as a medical information furnisher with each CRA to which they report medical debts.

Time period for reporting medical debt

Similar to most other consumer debts, medical debt may be reported for seven years unless state law provides a different time limit. The seven-year reporting period is calculated based on the delinquency date. The date of delinquency is the month and year of the commencement of the delinquency on the account that immediately preceded collection activity or the account being charged to profit and loss.



Under HIPAA, medical providers are allowed to share information with their agents for any purpose that the Department of Health and Human Services (HHS) has deemed permissible without authorization.

HHS has stated that HIPAA regulations permit the disclosure of medical information for the purpose of obtaining payment on medical goods and services, including reporting medical information to a CRA. Thus, health care providers and their agents are able to report medical debts to CRAs without violating HIPAA regulations.

The Privacy Rule permits a collection agency, as a business associate of a covered health care provider, to use and disclose protected health information as necessary to obtain reimbursement for health care services, which could include disclosures of certain protected health information to a credit reporting agency, or as part of collection litigation.

The HHS Office for Civil Rights also provided the following question and answer on the HHS website:

Question: Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies?

Answer: No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following protected health information about the individual: name and address; date of birth; social security number; payment history; and account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly, or may carry out this function through a third party, such as a collection agency, under a business associate arrangement. The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by the Fair Credit Reporting Act (FCRA) or other law. Therefore, the Department does not believe there is a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.
