HIPAA-Compliant Debt Collection Checklist
Vendor evaluation framework for medical providers. The 12 questions every healthcare client should ask before placing PHI with a collection agency.
Why This Matters
If your collection agency handles Protected Health Information (PHI), they're a Business Associate under HIPAA. A non-compliant agency exposes your covered entity to HIPAA penalties, breach notification obligations, and reputational damage that can far exceed any uncollected balance.
The 12-Point HIPAA Vendor Checklist
1. Business Associate Agreement (BAA)
Does the agency execute a HIPAA-compliant BAA at onboarding? The BAA must address permitted uses of PHI, safeguard requirements, subcontractor obligations, breach notification, and termination provisions.
2. Encryption at Rest and in Transit
Is PHI encrypted both when stored (at rest) and when transmitted (in transit)? AES-256 at rest and TLS 1.2+ in transit are standard.
3. Access Controls
Are access controls role-based? Does the agency apply the principle of least privilege so that only personnel with a business need can access PHI?
4. Audit Logging
Does the agency log access to PHI? Are logs retained for an appropriate period and reviewed for anomalies?
5. Workforce Training
Are all employees who handle PHI trained on HIPAA, including annual refreshers? Is training documented?
6. Minimum Necessary
Does the agency apply the minimum-necessary standard to PHI disclosures? Outbound communications to debtors should disclose only what's required for collection — not the full clinical context.
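One way an agency can enforce the minimum-necessary standard in software is an allowlist projection over the account record before any outbound notice is generated, so that clinical fields can never reach a debtor letter by accident. This is an added illustration, not Vegas Valley's code; the field names, the allowlist and the sample record are constructed assumptions, and which fields a notice may carry is a decision for the covered entity's policy and BAA.

```python
"""Minimum-necessary filter for outbound collection notices (added example).

The allowlist and clinical-field set below are assumptions for illustration;
the covered entity's policy and BAA define the real permitted fields.
"""
from dataclasses import dataclass, field

# Assumed allowlist: the only account fields a debtor notice may contain.
COLLECTION_FIELDS = frozenset({
    "patient_name", "mailing_address", "account_number",
    "date_of_service", "provider_name", "balance_due",
})

# Assumed clinical context that must never appear in a notice (defence in depth:
# the allowlist already excludes it, this is an independent second check).
CLINICAL_FIELDS = frozenset({
    "diagnosis_codes", "procedure_codes", "attending_physician", "clinical_notes",
})

@dataclass
class DisclosureResult:
    notice: dict                       # fields that may be disclosed
    withheld: list = field(default_factory=list)  # fields held back, for the audit log

def minimum_necessary(account: dict, allowlist=COLLECTION_FIELDS) -> DisclosureResult:
    """Keep only allowlisted fields; record every withheld field name."""
    notice = {k: v for k, v in account.items() if k in allowlist}
    withheld = sorted(k for k in account if k not in allowlist)
    return DisclosureResult(notice, withheld)

def no_clinical_leak(notice: dict) -> bool:
    """Independent guard run on the final notice before it is sent."""
    return not (set(notice) & CLINICAL_FIELDS)

# Constructed sample record with placeholder values; not real PHI.
SAMPLE_ACCOUNT = {
    "patient_name": "J. Doe", "mailing_address": "123 Example St, Las Vegas, NV",
    "account_number": "ACCT-000123", "date_of_service": "2024-01-15",
    "provider_name": "Example Clinic", "balance_due": "412.50",
    "diagnosis_codes": ["E11.9"], "procedure_codes": ["99213"],
    "attending_physician": "Dr. Example", "clinical_notes": "...",
    "ssn": "000-00-0000",
}

if __name__ == "__main__":
    result = minimum_necessary(SAMPLE_ACCOUNT)
    print("notice:", result.notice)
    print("withheld (log these field names, not their values):", result.withheld)
```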
7. Physical Safeguards
Are workstations, devices, and physical access points secured? Are personally owned devices restricted from accessing PHI unless appropriate controls are in place?
8. Subcontractor Management
If the agency uses subcontractors that touch PHI (collection software, hosting, document destruction, mailing services), does the agency execute BAAs with each subcontractor?
9. Breach Notification Procedures
Does the agency have a documented breach response and notification process aligned with HIPAA's 60-day notification requirement?
10. Risk Assessment
Has the agency conducted a documented HIPAA Security Rule risk assessment within the past 12 months? Is the risk assessment available for review?
11. SOC Report or Equivalent
Has the agency completed a SOC 2 Type II report, HITRUST certification, or equivalent independent attestation? (Vegas Valley note: many smaller agencies don't have SOC 2; ask for the specific attestations and risk assessment documentation that are available.)
12. Termination and Data Return
What happens to PHI at the end of the engagement? Is data returned or securely destroyed? Is destruction documented?
How Vegas Valley Handles HIPAA
- BAA execution at onboarding — Every medical client signs a HIPAA-compliant BAA
- Encrypted data transmission — SFTP, secure file transfer, encrypted email channels
- Role-based access — Personnel access limited to business need
- Minimum-necessary disclosure — Outbound communications limited to collection-necessary information
- Annual workforce training — HIPAA training for all personnel handling PHI
- Documented incident response — Procedures for incident detection, containment, and notification
Talk to a Nevada-Licensed Specialist
Have a follow-up question, or ready to talk about your portfolio? Reach out — we respond during business hours, typically within 2 business hours.