Paubox blog: HIPAA compliant email made easy

Can healthcare providers share PHI with debt collectors?

Written by Kirsten Peremore | November 06, 2023

Yes, healthcare providers can share protected health information (PHI) with debt collectors under specific circumstances without violating HIPAA. Debt collection is considered a payment activity under HIPAA, so sharing necessary information with debt collectors is permitted.

 

What is the Fair Debt Collection Practices Act (FDCPA)?

HIPAA and the Fair Debt Collection Practices Act (FDCPA) intersect when medical debt collection is involved. HIPAA restricts the direct sharing of patients' health information with debt collectors, while the FDCPA establishes guidelines and restrictions for how debt collectors can communicate with debtors (including patients), such as:

  • Debt collectors are forbidden from using abusive language, threats, or harassment to collect debts. 
  • Debt collectors can't contact debtors at inconvenient times, such as before 8 a.m. or after 9 p.m.
  • Debt collectors must provide debtors with information about the debt, including the amount owed, the creditor's name, and the process to dispute the debt.
  • Debt collectors cannot misrepresent the amount or legal status of the debt, make false statements, or use deceptive means to collect debts.
  • If a debtor requests in writing that a debt collector stop contacting them, the collector must cease communication except to inform the debtor of specific actions.
  • Debt collectors must provide verification or validation of the debt if the debtor disputes it in writing within 30 days of receiving the initial notice.


How to ensure compliance with the FDCPA and HIPAA 

  • Adherence to minimum necessary standards: Ensure that any disclosures of PHI to debt collectors are limited to the minimum necessary for debt collection purposes.
  • Ensure secure communication: Ensure that the collection agency, as a business associate, implements secure communication channels, such as HIPAA compliant email, so that any exchange of PHI with the healthcare provider and patients is protected.
  • Documentation and record-keeping: Maintain records of debt collection activities and communications to verify compliance with FDCPA and HIPAA, including consent for sharing PHI when necessary.
  • Business associate agreements: Establish business associate agreements with collection agencies that outline the responsibilities and expectations concerning PHI handling.
  • Clear communication and patient rights: Clearly communicate patient rights, including the right to request privacy protections and restrictions on the use or disclosure of their health information, ensuring their requests are respected during debt collection processes.