Medical Debt Collection Laws Every Healthcare Provider and Patient Needs to Understand
The regulatory framework governing medical debt collection has changed dramatically over the past several years. New federal rules, updated credit bureau policies, and expanding state‑level protections have reshaped what collection agencies can do, when they can do it, and how it affects patients financially.
For healthcare providers, understanding this landscape is not optional. Working with a medical bill collection agency that is not current on compliance creates direct legal exposure for the provider, not just the agency. For patients, understanding their rights can prevent unnecessary credit damage, harassment, and overpayment.
This article covers the key laws and regulations governing medical debt collection in the United States as they stand today.
The Fair Debt Collection Practices Act: The Baseline Standard
The Fair Debt Collection Practices Act (FDCPA) is the federal law that governs third‑party debt collectors, including medical bill collection agencies. Passed in 1977 and updated periodically since, the FDCPA sets the floor for collector behavior nationwide. State laws can be more restrictive, but no state can offer less protection than the FDCPA provides.
What the FDCPA Requires
Under the FDCPA, third‑party collectors must:
Identify themselves in every communication and disclose that the communication is from a debt collector
Send a written validation notice within five days of first contact that includes the amount owed, the name of the creditor, and instructions on how to dispute the debt
Stop collection activity on a disputed account until the debt is verified and the verification is sent to the consumer
Honor requests to cease contact, with limited exceptions
Refrain from contacting consumers at inconvenient times (before 8 a.m. or after 9 p.m. local time)
Refrain from contacting consumers at their workplace if the employer prohibits such calls
Refrain from harassing, threatening, or making false statements to consumers
Regulation F: Modernizing the FDCPA
In 2021, the Consumer Financial Protection Bureau (CFPB) finalized Regulation F, updating FDCPA rules for the digital age. Regulation F established the first‑ever federal standards for debt collector communications through email and text message, clarified call frequency limits, and introduced the concept of a digital debt validation notice.
Under Regulation F, collectors are generally presumed to violate the FDCPA if they place more than seven telephone calls within a seven‑day period about a specific debt, or if they call within seven days after a live conversation about that debt. This “7‑in‑7” standard applies to phone calls and creates a rebuttable presumption, not an absolute safe harbor.
Any medical bill collection agency operating in 2024 and beyond must have Regulation F compliance fully implemented. Providers should verify this explicitly during vendor evaluation.
HIPAA and Medical Debt Collection
Medical collection is unique among debt collection categories because patient accounts contain protected health information (PHI). This means HIPAA rules apply in addition to FDCPA rules, creating a layered compliance environment that general commercial collection agencies often do not navigate well.
Business Associate Agreements
Under HIPAA, any vendor that receives, transmits, or stores PHI on behalf of a covered entity is a Business Associate. Medical bill collection agencies qualify. Before placing a single account, a fully executed Business Associate Agreement (BAA) must be in place. The BAA specifies how PHI can be used, what security standards apply, and what the agency must do in the event of a breach.
Healthcare providers should not assume a standard agency BAA is sufficient. Legal review is appropriate, particularly for health systems placing large volumes or handling sensitive patient populations.
Minimum Necessary Standard
HIPAA’s minimum necessary standard requires that PHI be disclosed only to the extent necessary to accomplish the intended purpose. For a collection agency, this means receiving the information needed to identify the patient and collect the balance, not the full clinical record. Providers should configure their placement files to transmit only what is operationally required.
Breach Notification
If a collection agency experiences a data breach affecting PHI, the covered entity (the healthcare provider) is the party that must notify affected patients and, in large breaches, the Department of Health and Human Services. Agencies should have documented breach response protocols and contractual obligations to notify the provider within a defined timeframe. Seventy‑two hours is a reasonable contractual standard.
Credit Bureau Reporting: Major Regulatory Shifts
The treatment of medical debt in credit reporting has undergone significant changes, with several now in place and additional implementation work underway.
2023 Credit Bureau Changes
In 2023, the three major credit bureaus (Equifax, Experian, and TransUnion) implemented voluntary policy changes that:
Removed paid medical collection accounts from credit reports immediately upon payment
Extended the time before unpaid medical collections appear from 180 days to one year
Removed all medical collection accounts under $500 from credit reports entirely
These changes reflected pressure from the CFPB and growing concerns that medical debt was an unreliable predictor of creditworthiness compared to other types of debt.
CFPB Rule to Remove Medical Bills from Credit Reports
In June 2024, the CFPB proposed a rule that would eliminate most medical bills from consumer credit reports. In February 2026, the CFPB finalized a rule amending Regulation V to:
Generally prohibit consumer reporting agencies from including medical bills on consumer credit reports
Restrict lenders from using medical debt information in credit decisions, subject to limited exceptions
As this rule is implemented, traditional credit reporting of medical collection accounts is being phased out in favor of other risk assessment tools.
Healthcare organizations and their collection agency partners need to stay current on this rulemaking and its effective dates. Agencies that continue to report medical debt to credit bureaus in a manner inconsistent with evolving regulations create liability for the providers that placed the accounts with them.
State Prohibitions on Medical Debt Credit Reporting
Several states have enacted laws that restrict or prohibit reporting medical debt to credit bureaus. Colorado, New York, and California have enacted various restrictions. Healthcare providers must ensure their collection agency partner’s reporting policy is consistent with the specific state laws that govern their patient population.
State‑level rules on medical debt credit reporting continue to evolve, so policies should be reviewed regularly for every state where patients reside.
The No Surprises Act and Its Effect on Collections
The No Surprises Act, which took effect in January 2022, prohibits surprise medical billing in certain circumstances, particularly for out‑of‑network emergency services and certain non‑emergency services at in‑network facilities. The law also includes good faith estimate requirements that affect what can ultimately be billed and collected.
Collection agencies working hospital and health system accounts need to understand how the No Surprises Act affects the validity of the underlying debt. Billing a patient for an amount that exceeds the good faith estimate by $400 or more without providing a dispute resolution pathway may render that portion of the debt legally unenforceable.
Providers should confirm with their collection agency that accounts subject to No Surprises Act protections are flagged and handled appropriately before any collection activity begins.
State‑Level Medical Debt Collection Laws
Beyond federal law, a growing number of states have enacted specific protections for patients facing medical debt collection. The pace of state‑level legislation has accelerated since 2020, making state compliance one of the more complex ongoing obligations for collection agencies and providers alike.
Financial Hardship Protections
Several states require hospitals and collection agencies to complete charity care screening or financial hardship determinations before initiating collection activity. Colorado, New Mexico, and other states have enacted laws requiring hospitals to offer payment plans before referring accounts to collection. Agencies that skip these steps before placing calls or sending letters face regulatory exposure.
Waiting Periods
Some states impose minimum waiting periods before collection activity can begin on medical debt. These waiting periods give patients time to resolve insurance disputes, apply for financial assistance, or establish payment plans without the pressure of collection activity. Agencies must track account‑level waiting period requirements by state.
Income‑Based Protections
A number of states provide specific protections for patients whose income falls at or below defined thresholds relative to the federal poverty level. Some state laws prohibit wage garnishment for medical debt entirely. Others limit the assets that can be reached in a collection judgment. Agencies that are not tracking state‑level income‑based protections are a compliance liability.
Attorneys and compliance teams should assume that state‑level medical debt statutes and regulations will continue to change and build on existing protections rather than remain static.
Attorney General Enforcement
State attorneys general have become increasingly active in enforcing both state‑level medical debt laws and federal standards like the FDCPA. High‑profile enforcement actions against collection agencies in recent years have resulted in multi‑million‑dollar settlements and mandatory remediation programs. Providers whose agency partners are subject to AG enforcement face reputational and legal consequences even if they are not the named respondent.
What This Means for Choosing a Medical Bill Collection Agency
The regulatory environment for medical debt collection is genuinely complex. It requires current knowledge of federal and state law, ongoing monitoring of regulatory developments, and documented compliance programs that can be demonstrated to providers on request.
When evaluating collection agencies, the compliance review process is not a box‑checking exercise. It is a material assessment of whether the agency can operate legally across your patient population’s geographic footprint without creating liability for your organization.
Key questions to ask include:
What states are you currently licensed to collect in, and how do you monitor for new licensing requirements?
How did you implement Regulation F, and what documentation do you have of that implementation (including your approach to the 7‑in‑7 call frequency standard)?
What is your current credit bureau reporting policy, and how does it account for the 2023 industry changes and the CFPB’s 2026 final rule to remove most medical bills from credit reports?
How do you handle No Surprises Act‑flagged accounts before collection activity begins?
What is your financial hardship screening protocol, and how do state‑specific requirements affect that process?
How many CFPB complaints did you receive in the past 12 months, and what were they about?
A collection agency that cannot answer these questions clearly and with supporting documentation is not prepared to protect your organization.
Finding Compliance‑Ready Agencies Through RCR|HUB
RCR|HUB’s collection agency vendor category includes agencies that specialize in healthcare accounts receivable and operate with the compliance infrastructure that modern medical debt collection requires. Healthcare organizations can compare agency profiles, review service scope, and issue RFPs through the platform to evaluate multiple compliant vendors simultaneously.
Given the regulatory complexity of medical debt collection, working through a structured vendor selection process with a platform built for healthcare revenue cycle evaluation is significantly more efficient than sourcing agencies through informal referrals or general web searches.