Do collection agency efforts violate HIPAA – it depends

April 6, 2015

CDA Practice Support recently received a call from a dentist about a disgruntled patient who was accusing the dentist of violating the patient’s HIPAA privacy rights because of a past-due bill.

Specifically, the patient claimed that they had received a letter from a collection agency and that the agency's possession of their information was a violation of the Health Insurance Portability and Accountability Act (HIPAA). CDA confirmed that this is not a violation of HIPAA as long as the dentist took the proper steps to inform patients how the practice uses patient information and provided the collection agency with only the minimum necessary information for the agency to perform its work.

“A notice of privacy practices typically includes a statement that patient information is used or disclosed to obtain payment for treatment,” said CDA Practice Support Analyst Teresa Pichay. “The use of a collection agency is recognized as part of a covered entity’s efforts to obtain payment. The notice of privacy practices, however, is simply a notice. It is not a consent form or an agreement.”

When using a collection agency, a dental practice must have a HIPAA business associate agreement with the agency. In the agreement, the collection agency must agree not to disclose further (typically to a credit bureau) the patient information provided by the dental practice. This provision is to comply with California’s Confidentiality of Medical Information Act, which requires explicit written authorization from a patient to release information. Information provided by the practice to the collection agency should be limited to the patient’s name, contact information, date treatment was provided with amount incurred, amount and dates of payments made (if any) and the current amount due. The practice may not provide treatment details or purpose of treatment information to the collection agency.

“To further limit issues related to collections, CDA recommends dental practices have patients sign financial agreement forms that clearly state a patient’s payment obligations,” Pichay said.

Sample financial agreement forms are available on

Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information, and thus, the HIPAA Security Rule was created.
