The Consumer Finance Podcast

Charting a Course for Collections: Diagnosing Compliance and Privacy Risks in Medical Debt

Episode Summary

Chris Willis, Stefanie Jackman, and Brent Hoard take a close look at the world of medical debt collection.

Episode Notes

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Troutman Pepper Locke Partners Stefanie Jackman and Brent Hoard to take a close look at the world of medical debt collection. The discussion covers how HIPAA applies to medical debt, what it really means to be a "business associate," and common privacy challenges that can turn routine collection efforts into regulatory headaches. They also focus on key federal and state debt collection regimes, including the FDCPA, the No Surprises Act, and increasingly complex credit reporting requirements. The group provides insight on collection strategies for health care providers and third-party collectors that are both compliant and workable in practice. For anyone handling medical-related receivables, this episode serves as a practical guide to safeguarding patient information, maintaining tax-exempt status, and enhancing collections while staying within regulatory boundaries.

Episode Transcription

The Consumer Finance Podcast – Charting a Course for Collections: Diagnosing Compliance and Privacy Risks in Medical Debt
Host: Chris Willis
Guests: Stefanie Jackman and Brent Hoard
Air Date: April 30, 2026

Chris Willis (00:05):

Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper Locke's Consumer Financial Services Regulatory Practice. And today we're gonna be talking about all the considerations under both federal debt collection and federal privacy laws with collecting medical-related debt. But before we jump into that topic, let me remind you to visit and subscribe to our blogs, TroutmanFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. And of course, please check out our other podcasts, the FCRA Focus, Payments Pros, Moving the Metal, and The Crypto Exchange. All of those are available on all popular podcast platforms. And speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and tell us how we're doing. Now, as I said, today we're gonna be talking about an issue that's gotten a whole lot of attention both from regulators and state legislatures over recent years, and that is the collection of medical debt. And joining me to talk about this are two people who are perfect to share their expertise on this area. My partner, Stefanie Jackman, who's a partner in our Consumer Financial Services group, and our partner Brent Hoard, who's a partner in our Privacy + Cyber group, who has an especial concentration on giving privacy advice to companies that operate in the medical industry.

Chris Willis (01:21):

So, Stefanie, Brent, thanks for being here today.

Stefanie Jackman (01:23):

Thanks for having us, Chris.

Brent Hoard (01:24):

Thanks, Chris. Great to be here.

Chris Willis (01:25):

And you know, just to say at the beginning, and frequent listeners of the podcast know this already, but I love having the opportunity to showcase to the world how the different practice groups at Troutman Pepper Locke come together to advise clients on areas that touch more than one of our practice areas. And this episode's gonna be a perfect example and why I'm so glad that you're here, Brent. So let's kick things off with you. There are various considerations associated with medical debt that come out of a privacy law called HIPAA. And no one knows what HIPAA actually stands for. Well, somebody, you probably know, but I don't know. But let's kick things off by you giving the audience a high-level overview of HIPAA. What are some initial considerations for parties involved in medical debt collection when we're thinking about HIPAA? And bonus points if you know what it stands for.

Brent Hoard (02:09):

Yes, it is the Health Insurance Portability and Accountability Act of 1996. And it has been amended, most recently in 2009. And it regulates, among other things, the use and disclosure of what's called protected health information, and that is information that relates to healthcare and is identifiable to an individual. So when you're talking about medical debt collection, you usually need to know who owes money, and it usually involves some type of healthcare service. HIPAA is there to protect and limit uses and disclosures of that information. It has some security requirements for electronic protected health information, so things that are stored digitally and transferred digitally, and then also provides requirements for breach notification. We're all familiar by now with those letters that you get in the mail, and if it's healthcare-related, it is probably a result of the HIPAA breach notification rule. That is HIPAA in a nutshell. I think one of the things that is important when we're looking at medical debt collection particularly, or any kind of transaction involving health information and healthcare providers in most cases, is to figure out, does HIPAA apply? In most cases, if you're dealing with a provider, it will. But there are two components to making a healthcare provider subject to HIPAA.

Brent Hoard (03:48):

The first is that it's some type of medical service that's in a long list of different types of services that are covered. Most of your typical practitioners will be part of that list. The second component that sometimes gets lost in the analysis is that there needs to be some type of electronic transaction related to typically billing insurance. So if it's Medicare, Medicaid, private payers, you need to have the healthcare provider engaging in that second transaction that brings the provider in scope for HIPAA. In most cases like I said, it's going to apply. However, this could be medical debt collection for, say, a med spa that doesn't bill insurance at all, it's cash pay, or you have concierge medical practices that also don't bill insurance. So the starting point is, is HIPAA in scope? Most of the times, yes, sometimes, no. And I think the other important thing is that in most cases, HIPAA is very restrictive about selling protected health information. So in the course of typical day-to-day debt collection transactions, a wholesale sale of debt is going to be very difficult without getting individual authorization. Meaning the person who's subject to that information says, "Yes, it's okay to share my information with the debt collector." Most people are probably not gonna do that. However, the arrangement that typically is used, there's a thing called a business associate, and that is an entity that provides services on behalf of that covered entity healthcare provider. And a debt collector can be a business associate and is performing services on behalf of that covered entity through debt collection. So that is what I would call the typical contractual arrangement that we will almost always see for these types of arrangements.

Chris Willis (05:56):

So, Brent, that's a great segue into my next question. So leaving aside the kind of business associates that we hear about in gangster movies, I assume this is a different kind of business associate. What exactly does it mean to be a business associate under HIPAA? And is that a big hurdle for a new entrant in the healthcare space or the medical debt collection space to be a business associate?

Brent Hoard (06:16):

No, it's not. It might sound daunting. It is not from the gangster movies, although the people from which you're collecting might think differently. But being a business associate is really administrative. So there's the contractual component to it where you enter into a business associate agreement with the covered entity, contractual piece. The second piece is really setting up a HIPAA program for a business associate. It doesn't cover everything. A HIPAA program is typically like 80% administrative, meaning policies and procedures and a risk analysis and understanding how your organization handles PHI that it's going to get from that covered entity, there's training, there is potential reporting of a breach, incident response, those types of things. For most companies today, they're already doing a lot of these things. A lot of it can be, particularly business associates are heavy on the security side. So if there is an existing security program, extending that to HIPAA, there are definitely some additional things that you need to do and think about when you're receiving PHI but it's not a huge operational or organizational hurdle. It can be done pretty quickly, and it's a great opportunity. It opens doors basically to all of the healthcare industry.

Chris Willis (07:43):

That's a pleasant surprise, I have to say. But I'm sure there are some unpleasant surprises that sometimes people get into in connection with HIPAA and medical debt collection. So would you mind, Brent, telling us what are some potential HIPAA issues that are commonly encountered in the medical debt collection arena?

Brent Hoard (08:02):

Yes, definitely. What I see often, that business associate agreement that I mentioned earlier, people sometimes forget about that. And even the covered entities, when they're sharing the data, they just don't think about it. And particularly you're dealing with, if it's smaller practices, they don't have the resources to deal with all of these compliance issues. You want to make sure there's a business associate agreement, primary responsibility is on the covered entity. But as a business associate, you shouldn't really be receiving protected health information if that agreement's not in place. So it protects everybody and especially those individuals who have their PHI that's going to you. So make sure that there is a business associate agreement in place. One of the other components to the sharing of data is called minimum necessary under HIPAA. And what that basically means is that you should only receive and use the minimum necessary protected health information that you need to in order to accomplish whatever task that is. In this case, we're talking about debt collection. So that would be things like name, address, maybe amounts owed, some basic billing information. You wouldn't need to receive detailed clinical information or a copy of a medical record or things like that in order to accomplish the debt collection.

Brent Hoard (09:27):

From a risk standpoint, you wouldn't want that information either. The less personal information, particularly when it's regulated like this, the better. So look to minimize that information that you get. It's helpful in a breach scenario, and it's also very important for compliance under HIPAA. I think the other piece would be thinking about the collection process itself. These are kind of like the big three. When there is communication about collecting that debt, it needs to go to the individual, not family members, not employers, not other people that might know this person. So it's important to have good contact information that you should be getting from the provider, but not reaching out to potential other parties. When you're using protected health information in this way, it's from the practice, so you don't want to contact these other people. That could actually be a breach because you're disclosing protected health information to somebody that was really not entitled to have it. So I would say be aware of that process and avoid the temptation. Just stick to that individual and make sure that it's really on point for that communication.

Chris Willis (10:51):

Okay, understood. And honestly, that idea of not making disclosures to third parties evokes a long time-honored concept under the Fair Debt Collection Practices Act, which Stefanie will no doubt mention here in a moment. Because, Stefanie, now I'm gonna turn the spotlight over to you. Brent, thank you very much for those comments. But Stefanie, you know a whole lot about this area, and I feel like medical debt collection has been very much in the news and in the spotlight of regulators and legislatures for the past few years. Let's just start off at a general level. What kind of considerations do hospitals and other nonprofit healthcare providers have to think about when attempting to collect from their patients?

Stefanie Jackman (11:29):

Yeah, it really has been. And I think that your question is a good one, Chris, because it depends on who you are and how you're encountering the different laws that can come into play here. To use collection terms, a creditor collecting your own debt, which for many healthcare providers, they don't think of themselves as creditors traditionally. They're healthcare providers. But under some of these state laws, they can actually be considered a creditor, even though they may not view the providing of medical services and then billing of a patient for, say, a self-pay portion or something like that that the patient needs to pay as an extension of credit. But it can be a debt that makes them a debt collector as a creditor in some states. Then there's a whole 'nother world of third-party collectors. And within that, these can be entities that are acting on behalf of a healthcare provider or a company that's providing financing for healthcare-related expenses, because there's a chunk of state laws coming up in that context as well, although it is less significant than the number of laws that impact providers in the medical debt space.

Stefanie Jackman (12:38):

But these are outside companies that may assist a provider or a financing company in obtaining payment, following up with patients. Some may start from the get-go. Some may be involved as early as when the patient is admitted for services. Some can start at some other point in the relationship between the provider and the patient. And some can be very late-stage after the provider has given up on collecting and sent this to an outside collection agency or sent it to a debt buyer or something like that. So depending on who you are, there's a panoply of different rules that may apply, but healthcare providers need to know about them even if they aren't directly subject to them; they may have oversight responsibilities. For instance, with the Fair Debt Collection Practices Act, which a third-party debt collector or a debt buyer will be subject to, healthcare providers need to understand that law and what it requires in order to execute any oversight or kind of compliance management-related requirements that may exist as to its use of those types of third parties. Some other federal acts that can come into play here, and then we can talk later, Chris, about the state laws, but the No Surprises Act at the federal level, and there are some state laws that are similar. It took effect on January 1st of 2022, and its goal is to protect patients from private health insurance-related costs that are arising from unexpected balance bills in both an emergent and non-emergent healthcare context. The idea here is that somebody provided you services and you didn't know that they were out-of-network or not covered by your insurance, and you end up with a big bill, so there are restrictions and other requirements that are imposed on hospitals to ensure compliance, and that can result in non-compliance that results in some sort of surprise bill within the act not being collectible. And then there's 501(r), which is a provision, as I understand it, of the tax code. And it's the provision that gives a tax-exempt status for a number of nonprofit healthcare providers, usually hospitals. Most hospitals are probably going to have a tax-exempt status. So then 501(r) talks about before you engage in what's called an extraordinary collection activity or an ECA, to use the healthcare collections lingo, there are certain things that have to be done and there are certain requirements, and if you don't abide by them, you risk losing your tax-exempt status and other things.

Stefanie Jackman (15:06):

What's an extraordinary collection action? Putting an account with an outside collection agency, selling an account, initiating litigation on an account, and other things. And Brent, I don't know if you have anything you want to add to the federal world, but these laws come in and impact collections in the space.

Brent Hoard (15:22):

Yes, I think HIPAA is going to underlie all of that. So in most cases, whether it's the 501(r) arrangement, the HIPAA component to that, assuming we have covered entities involved, is going to run in parallel with all of those laws. So it's another consideration when you're thinking through all of this.

Chris Willis (15:43):

Thanks, Brent. Back to you, Stefanie. You teased the issue of state laws, and I really think we should talk about those now because there's been a whole lot of legislation at the state level about medical debt collection. So what have those laws been, and what are the considerations under state law associated with medical debt collection today?

Stefanie Jackman (16:02):

So the first thing is, again, going back to what I said, who are you, and how are you situated? If you're just a hospital collecting your own self-pay portions from patients directly using your own people, you are not going to be subject to the FDCPA at the federal level. But in a few states, you might be surprised to find out you are because, as I said earlier, you can be considered a debt collector even when you're collecting your own accounts in-house using your own patient billing staff. States that have incorporated into their state mini FDCPAs, if you will, or their state generally applicable collection laws, like California and Maryland, have incorporated the entire FDCPA. A number of other states have incorporated parts of the FDCPA. In all, there's around 25 states plus New York City and D.C. that have creditor-applicable state collection laws to varying degrees. Some of those go further than the FDCPA, some are just different, and some are more light-touch, it depends. Those acting on your behalf can be subject to those laws. Those acting on your behalf may have to get licensing in some states, which can increase the number of laws that they're subject to from a collections perspective.

Stefanie Jackman (17:17):

A number of state collection licensing regulations incorporate the FDCPA. You have to think about state statute of limitations. If the statute of limitations has run, the debt is now too old to be sued on, which means you also can't threaten to sue on it, to take any other legal action like trying to do a garnishment through a court in at least two states. And if you've sold the debt, there's a third state. But in at least two, Mississippi and Wisconsin, the running of the statute of limitations basically extinguishes the debt.

Stefanie Jackman (17:47):

You have to think about state wage garnishment laws. If you're trying to assert a lien against a residence, you have to think about state homestead and exemption protections. You also have to think about state unfair and deceptive practices laws, the state UDAP laws. They can sometimes come in and declare certain activities in the collection of an account generally problematic in some way. And all of those can be broad enough to include medical debt. That's just the collection side of the house, Chris. There's also a bunch of state healthcare-specific laws where these things come up. Do you want me to get into those too?

Chris Willis (18:25):

No, I think probably in the interest of time we shouldn't do that, just mentioning them. But we also should mention state medical debt credit reporting laws too. Not in depth, but people should know they're out there.

Stefanie Jackman (18:35):

Well, so a lot of those are actually coming up under these state healthcare-specific laws, although not all, but we're seeing intersections with those. Those are state laws that are specific to medical debt and require certain things like evaluation of a patient for any financial assistance programs that may be offered by a hospital before doing certain things on the account to collect it. They may require pricing transparency related disclosures so patients know how much services cost. They have some of their no surprise billing at the state law sort of mirroring the federal law. And they also have patient bill of rights. If you don't comply with these, it can restrict or forbid your ability to do certain things like collect the account, credit report the account, foreclose, or take a lien on property relating to the account. And then to your point, Chris, some states have said they're just going to independently forbid credit reporting of a medical debt, forbid placing a lien on a principal residence, forbid garnishing above certain levels that may or may not align with other garnishment limits under state law specific to medical debt. And at this point, we're well over, I'm trying to remember, we're well over 25 states that have these types of laws to varying degrees. So that adds a lot of complexity to the process of attempting to collect a debt that arose from the providing of healthcare services for hospitals, other financing entities, and everybody working on their behalf at the state level.

Chris Willis (20:09):

Certainly sounds like it. So let's close out with one final question. We love to be practical with clients because we give legal advice in the practical real world of business. So, Stefanie, I mean, what does all this complexity mean in terms of healthcare collections going forward?

Stefanie Jackman (20:25):

It means you have to start by understanding first who you are within this complex matrix of federal and state laws. How are you situated? How do you encounter these laws? And then you need to build your strategies to ensure compliance with that in mind because failing to do so not only could expose you to harm, but it could render the debt, if you're a provider, uncollectible by anybody else and really limit your ability to recoup the cost of services, which we can all understand will hit the bottom line. And in a time when healthcare is getting more expensive and less accessible, rising AR that results in uncollectible balances in one form or another or inefficient collections doesn't help anyone.

Chris Willis (21:10):

Yep, good point. So Stefanie, thanks for being here. Those are very insightful and helpful answers. And Brent, thank you for being here as well. We greatly value our collaboration with our colleagues in the Privacy + Cyber group and especially your expertise in the area of healthcare privacy. And of course, thanks to our audience for listening to today's episode as well. As I said at the top of the show, don't forget to visit and subscribe to our blogs, TroutmanFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. And while you're at it, why not visit us on the web at Troutman.com and add yourself to our Consumer Financial Services email list? That way we can send you copies of our alerts and advisories and the invitations to our occasional industry-only webinars. And of course, stay tuned for a great new episode of this podcast hitting your feed every Thursday afternoon. Thank you all for listening.

Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.

---------------------------------------------------------------------------

DISCLAIMER: This transcript was generated using artificial intelligence technology and may contain inaccuracies or errors. The transcript is provided “as is,” with no warranty as to the accuracy or reliability. Please listen to the podcast for complete and accurate content. You may contact us to ask questions or to provide feedback if you believe that something is inaccurately transcribed.