Healthcare Debt Collection: A Practical Guide to Compliance and Recovery
2026-03-08
Medical debt is different from every other type of debt you will collect on. The person on the other end of the phone did not choose to take on this obligation the way someone signs up for a credit card or finances a car. They got sick, or their child got sick, or they had an accident. That context shapes everything about how healthcare collections should work.
It also means the regulatory environment is more complex. You are not just dealing with the FDCPA and state collection laws. You are operating under HIPAA, navigating the No Surprises Act, accounting for charity care obligations, and working within a system where the consumer often had no idea what things would cost before they received care.
This guide covers what healthcare collectors need to know in 2026 and how to build a compliant, effective collections operation for medical debt.
HIPAA and Collections: What You Actually Need to Know
HIPAA is the law that keeps most collection agencies up at night when they start taking on healthcare accounts. The good news is that the rules are clear once you understand them. The bad news is that violations are expensive and reputational damage is severe.
The Basics
When a healthcare provider assigns or sells a medical debt to a collection agency, that agency becomes a “business associate” under HIPAA. This means you are legally bound to protect the patient’s protected health information (PHI) with the same standards as the provider itself.
PHI in a collections context includes:
- Patient name linked to medical treatment information
- Dates of service
- Diagnosis or procedure codes
- The name of the treating provider or facility
- Any clinical information included in the account documentation
What You Can and Cannot Disclose
This is where agencies get into trouble. When you contact a patient about a medical debt, you can confirm:
- That a debt exists
- The amount owed
- The name of the creditor (the provider or facility)
You cannot disclose to third parties — including family members who answer the phone, employers, or anyone else — any details about the medical treatment, diagnosis, or clinical reason for the debt. This sounds straightforward, but it gets tricky in practice.
Common scenario: You call a patient’s home number. Their spouse answers and says, “What’s this about?” You cannot say, “Your husband owes $3,200 for his knee surgery at St. Mary’s.” You can say you are calling about a financial matter and need to speak with the patient directly.
Another scenario: A patient disputes a balance and asks you to send documentation. Any itemized statement you send must be transmitted securely. Emailing an unencrypted PDF with diagnosis codes is a HIPAA violation.
Business Associate Agreements
Before you collect on a single healthcare account, you need a signed Business Associate Agreement (BAA) with every provider client. This is not optional. The BAA spells out your obligations for protecting PHI, how you will handle breaches, and what happens to the data when the relationship ends.
Review your BAAs annually. Make sure they reflect current regulations and that your internal practices match what the agreement says you are doing.
Practical Safeguards
HIPAA compliance is not just about what collectors say on the phone. It is about your entire operation:
- Access controls: Not every employee needs access to medical account details. Role-based permissions should limit who can see PHI.
- Secure communications: Any patient-facing portal, email communication, or document transfer involving PHI must be encrypted. This is where purpose-built collection software matters — tools like Catchpole provide secure debtor portals and encrypted communications that satisfy HIPAA requirements without requiring you to build the infrastructure yourself.
- Audit trails: You need to be able to demonstrate who accessed what PHI and when. If a breach occurs, or if HHS comes asking, “we don’t have logs” is not an acceptable answer.
- Training: Every employee who touches healthcare accounts needs annual HIPAA training. Document it. Keep records of completion.
- Breach notification: If PHI is exposed, you have 60 days to notify affected individuals and HHS. For breaches affecting 500 or more people, you must also notify media outlets. Have an incident response plan before you need one.
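As an added illustration of the access-control, third-party-disclosure and audit-trail points above (example code written for this page, not Catchpole's platform or anything from the article): a minimal role-based view of a medical account that hides PHI fields by default, refuses unknown roles, and records every access so that "who accessed what PHI and when" can be answered. The roles, the field names and the sample account are assumptions constructed for the example.

```python
"""Role-based PHI views with an audit trail (added example, not Catchpole code).

Roles, field names and the sample account are assumptions made for this
illustration; a real system would load them from its own data model.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Fields the article classes as PHI once they are linked to a named patient.
PHI_FIELDS: Set[str] = {
    "dates_of_service", "diagnosis_codes", "procedure_codes", "treating_provider",
}

# Hypothetical roles. Default deny: a field is visible only if listed here.
# - billing_specialist: resolves disputes with the provider, needs the full record
# - collector: may confirm that a debt exists, the amount owed, and the creditor
# - third_party_contact: a spouse or employer who answers the phone; sees nothing
ROLE_VISIBLE_FIELDS: Dict[str, Set[str]] = {
    "billing_specialist": {"patient_name", "balance", "creditor"} | PHI_FIELDS,
    "collector": {"patient_name", "balance", "creditor"},
    "third_party_contact": set(),
}


@dataclass
class AuditEntry:
    """One access event: who saw which PHI fields, on which account, and when."""
    timestamp: str
    user: str
    role: str
    account_id: str
    phi_fields_disclosed: List[str]


AUDIT_LOG: List[AuditEntry] = []


def view_account(record: dict, user: str, role: str) -> dict:
    """Return the subset of `record` that `role` may see, and log the access.

    Unknown roles are refused rather than given an empty view, so a
    misconfigured role cannot silently pass as a legitimate one.
    """
    if role not in ROLE_VISIBLE_FIELDS:
        raise PermissionError(f"unknown role: {role}")
    allowed = ROLE_VISIBLE_FIELDS[role]
    view = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append(AuditEntry(
        timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        user=user,
        role=role,
        account_id=record["account_id"],
        phi_fields_disclosed=sorted(k for k in view if k in PHI_FIELDS),
    ))
    return view


def access_report(account_id: str, phi_only: bool = False) -> List[AuditEntry]:
    """List accesses to one account, optionally only those that disclosed PHI.

    This is the question an internal audit or a breach review asks first.
    """
    return [
        e for e in AUDIT_LOG
        if e.account_id == account_id and (e.phi_fields_disclosed or not phi_only)
    ]


# Constructed sample account; every value is a placeholder, not real patient data.
SAMPLE_ACCOUNT = {
    "account_id": "ACCT-0001",
    "patient_name": "Jane Example",
    "balance": 3200.00,
    "creditor": "Example Medical Center",
    "dates_of_service": ["2025-11-03"],
    "diagnosis_codes": ["DX-PLACEHOLDER"],
    "procedure_codes": ["PROC-PLACEHOLDER"],
    "treating_provider": "Dr. Example",
}


if __name__ == "__main__":
    # A collector sees only what may be confirmed to the patient.
    print(view_account(SAMPLE_ACCOUNT, "agent-17", "collector"))
    # A spouse who answers the phone gets no account detail at all.
    print(view_account(SAMPLE_ACCOUNT, "agent-17", "third_party_contact"))
    # A billing specialist resolving a dispute sees the full record, and it is logged.
    print(view_account(SAMPLE_ACCOUNT, "specialist-2", "billing_specialist"))
    for entry in access_report("ACCT-0001", phi_only=True):
        print(entry)
```

The design choice worth noting is default deny: a new field added to the account record is invisible to every role until someone explicitly grants it, and every view, PHI or not, leaves an entry in the log, so an auditor can distinguish "the collector never saw the diagnosis" from "we don't have logs".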
The No Surprises Act and Its Impact on Collections
The No Surprises Act, which took effect in January 2022, fundamentally changed the economics of healthcare billing and, by extension, healthcare collections.
What Changed
The law protects patients from surprise bills in two main situations:
- Emergency services: Patients cannot be balance-billed for emergency care, regardless of whether the provider was in-network.
- Non-emergency services at in-network facilities: If a patient goes to an in-network hospital but is treated by an out-of-network provider (the classic surprise bill scenario), the patient’s cost-sharing is limited to the in-network rate.
What This Means for Collectors
If you are collecting on a balance that originated from a surprise billing situation, that balance may not be legally collectible. Before pursuing any account, verify:
- Was the service an emergency?
- Was the patient treated by an out-of-network provider at an in-network facility?
- Has the provider gone through the independent dispute resolution (IDR) process with the insurer?
Collecting on a balance that the No Surprises Act prohibits exposes both you and your provider client to regulatory action and lawsuits. It is worth the upfront effort to validate every account.
Good Faith Estimates
The No Surprises Act also requires providers to give uninsured or self-pay patients a good faith estimate (GFE) of expected charges before scheduled services. If the final bill exceeds the GFE by $400 or more, the patient can dispute it through a patient-provider dispute resolution process.
When you receive an account for collection, ask your provider client:
- Was a GFE provided?
- Does the billed amount align with the estimate?
- Has the patient already initiated a dispute?
Collecting on an account that is in active dispute under the GFE process is a waste of your resources and creates legal risk.
Patient Financial Responsibility Trends
The collections landscape for medical debt has shifted significantly over the past several years, and understanding these trends helps you calibrate your approach.
Rising Out-of-Pocket Costs
High-deductible health plans now cover a majority of employer-sponsored insurance enrollees. The average individual deductible has climbed past $1,700, and family deductibles routinely exceed $3,500. This means more patients owe more money directly to providers, and a larger share of healthcare revenue depends on patient collections.
For collection agencies, this translates to higher volume of accounts with moderate balances. You are less likely to be collecting on a single catastrophic bill and more likely to be working accounts in the $500 to $5,000 range where patients had insurance but could not cover their share.
Credit Reporting Changes
The three major credit bureaus made significant changes to medical debt reporting starting in 2023. Medical debts under $500 are no longer reported, and paid medical collections are removed from credit reports. Some states have gone further, restricting medical debt reporting entirely.
This reduces one of the traditional leverage points in collections — the threat of credit damage. Your collection strategy needs to account for this. For smaller medical balances, the credit report is no longer the motivator it once was. Recovery on these accounts depends on making it easy and low-friction for patients to pay.
State-Level Protections
A growing number of states have enacted their own medical debt protections. These range from extended timeframes before accounts can go to collections, to restrictions on wage garnishment for medical debt, to requirements that providers screen patients for financial assistance before referring accounts. Know the rules in every state where you operate.
Charity Care and Financial Assistance Policies
Nonprofit hospitals are required to have charity care policies under IRS rules. Many for-profit systems have adopted similar programs voluntarily. As a collection agency working healthcare accounts, you need to understand how these programs affect the accounts you receive.
Before You Collect, Ask
For every healthcare client, get clear answers to these questions:
- What is their financial assistance policy?
- What income thresholds qualify patients for charity care or discounted care?
- Has the patient been screened for financial assistance eligibility?
- Was the patient notified about the financial assistance program before the account was referred to collections?
Collecting on an account where the patient qualifies for charity care but was never informed about it is a reputational and legal risk. Several states now require providers to complete financial assistance screening before referring accounts. Even where it is not required by law, it is the right practice.
Integrating Screening Into Your Process
Some agencies handle financial assistance screening on behalf of their provider clients. If you offer this, build it into your workflow from the start. When a patient says they cannot pay, the first question should be whether they qualify for the provider’s assistance program — not what payment plan you can set up.
This approach actually improves recovery rates. Accounts where the patient genuinely cannot pay get resolved through charity care or write-offs, freeing your collectors to focus on accounts with realistic recovery potential.
Communicating With Empathy About Medical Debt
The tone of your communications matters more with medical debt than with any other account type. These are people who were sick or injured. Many are still dealing with health issues. A heavy-handed approach does not just feel wrong — it performs worse.
First Contact
Your first communication should acknowledge the situation without being patronizing. The patient likely already feels stressed about the bill. Lead with information, not demands:
- Clearly identify the provider and the service dates
- State the balance
- Explain their options: pay in full, set up a payment plan, apply for financial assistance, or dispute the balance
- Provide a clear, easy way to respond
Avoid language that implies urgency or consequences in early communications. “Failure to respond may result in further collection activity” is technically accurate and entirely counterproductive on a first notice for a medical bill.
Payment Plan Design for Medical Debt
Medical debt payment plans should be flexible. Patients dealing with health issues often have variable income and unpredictable expenses. Offer:
- Longer terms: A 24-month plan with low payments recovers more than a 6-month plan the patient defaults on after two payments.
- Adjustable payments: Allow patients to modify payment amounts if their situation changes, rather than defaulting the plan.
- Multiple payment channels: Online portals, autopay, phone payments. The easier it is to pay, the more likely they will.
Handling Disputes
Medical billing is complicated and errors are common. When a patient disputes a balance, take it seriously. Common legitimate issues include:
- Insurance was not billed correctly
- A secondary insurance was not filed
- The patient was not credited for payments already made
- The balance reflects services covered by the No Surprises Act
- The patient qualifies for financial assistance
Work with your provider client to resolve disputes quickly. A disputed account that sits for months is unlikely to result in payment regardless of who is right.
Building a Compliant Healthcare Collections Operation
Putting all of this together requires the right combination of processes, training, and technology.
Standard Operating Procedures
Document everything. Your SOPs for healthcare accounts should cover:
- HIPAA-compliant communication protocols
- PHI handling and storage requirements
- No Surprises Act verification steps
- Financial assistance screening procedures
- Dispute resolution workflows
- State-specific requirements for medical debt
Technology Requirements
Collecting on healthcare accounts with generic tools or, worse, with spreadsheets and email is a compliance incident waiting to happen. You need:
- Encrypted debtor communication channels that satisfy HIPAA requirements
- Complete audit trails showing every action taken on every account, who took it, and when
- Role-based access controls so PHI is only visible to authorized personnel
- Secure document exchange for sending and receiving itemized statements and other PHI
Catchpole was built with these requirements in mind. The platform’s secure debtor portal, comprehensive audit logging, and encrypted communications provide the compliance infrastructure healthcare collectors need without the overhead of building custom solutions.
Staff Training
Healthcare collections training should cover:
- HIPAA fundamentals and your specific obligations as a business associate
- The No Surprises Act and how to verify account validity
- Your provider clients’ charity care policies
- Empathetic communication techniques for patients dealing with medical issues
- State-specific medical debt protections
- How to use your collection software’s HIPAA-compliant features
Train at onboarding and retrain annually. Document everything.
Regular Compliance Audits
Conduct internal audits quarterly. Review:
- Are BAAs current with all provider clients?
- Is PHI being stored and transmitted securely?
- Are audit logs complete?
- Are collectors following communication protocols?
- Are disputed accounts being handled within required timeframes?
An internal audit that catches a problem is dramatically cheaper than an HHS investigation or a lawsuit that finds one.
Looking Ahead
Healthcare collections is getting more regulated, not less. State legislatures continue to pass medical debt protections. Federal agencies are increasingly scrutinizing how medical debt is collected. Consumer expectations around medical billing transparency continue to rise.
Agencies that treat healthcare collections as just another account type will struggle. The ones that build genuine expertise in healthcare compliance, invest in the right technology, and train their teams to communicate with empathy about medical debt will find that this segment rewards specialization.
The fundamentals are clear: protect patient information, verify that every account is legally collectible, offer realistic payment options, and make it easy for patients to resolve their balances. Get these right, and healthcare collections can be both ethical and profitable.
Getting Started
If your agency is collecting on healthcare accounts — or considering it — the first step is an honest assessment of your current compliance posture. Review your BAAs, audit your PHI handling, and evaluate whether your technology stack meets HIPAA requirements.
Catchpole offers the secure communication channels, audit trails, and compliance infrastructure that healthcare collectors need, with pay-as-you-go pricing that makes it accessible whether you are handling a hundred healthcare accounts or ten thousand. Start a free trial and see how the platform supports compliant healthcare collections from day one.