DebtHitman

HIPAA Letter for Medical Debt (Template)

When medical debt goes to a third-party collector, your protected health information goes with it. HIPAA requires authorization for that. The HIPAA letter forces collectors to prove they have it — and most can't. Template below.


This is the single most powerful tactic against medical debt collectors and the one almost no consumer knows exists. Medical debt is unique because it includes protected health information (PHI) — diagnosis codes, treatment dates, provider names. When a hospital sells your debt to a third party, that PHI is sold with it. HIPAA strictly regulates who can access PHI and requires patient authorization. If the collector can't prove HIPAA-compliant handling of your PHI, they have major legal exposure and often drop the collection entirely.

When this letter works (and when it doesn't)

Works for:

Does NOT work for:

Why it works

HIPAA Privacy Rule (45 CFR § 164) requires:

  1. Patient authorization for any disclosure of PHI beyond treatment, payment, or operations
  2. Business Associate Agreements (BAAs) for any vendor that handles PHI
  3. Audit logs of all PHI access
  4. Designated HIPAA Privacy Officer at any organization handling PHI

When a hospital sells your debt:

Most third-party debt collectors do not have proper BAAs, do not have designated Privacy Officers reviewing each account, and cannot produce audit logs. This is a legal liability they don't want exposed.

Reported success rates: 50-70% of HIPAA letters result in collectors dropping the debt rather than risk litigation.

The HIPAA letter template

Send via certified mail with return receipt. Keep a copy. Send WITHIN 30 DAYS of first contact for maximum FDCPA leverage. This combines HIPAA + FDCPA validation in one letter:

[Your Name]
[Your Address]
[Date]

[Collection Agency Name]
[Collection Agency Address]

Re: Account # [account number from collector's letter]
Disputed Medical Account

To Whom It May Concern,

This letter is in response to your recent communication regarding the above-referenced medical account. I am exercising my rights under the Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. § 1692g, and the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. § 164. I dispute this debt in full and request the following documentation within 30 days:

UNDER FDCPA SECTION 809:

  1. The name and address of the original creditor (medical provider)
  2. The original account number
  3. An itemized accounting of all charges, payments, fees, and adjustments
  4. Documentation of the chain of assignment from the original creditor
  5. Verification this debt is within the statute of limitations in [your state]
  6. Proof your agency is licensed to collect debts in [your state]

UNDER HIPAA PRIVACY RULE (45 C.F.R. § 164):

  1. A copy of the signed authorization permitting the original medical provider to disclose my Protected Health Information (PHI) to your agency
  2. The name and contact information of the HIPAA-compliant Privacy Officer at your agency who reviewed this account
  3. A copy of the executed Business Associate Agreement (BAA) between your agency and the original creditor regarding the handling of my PHI
  4. The audit log identifying every individual at your agency who has accessed my PHI, the date of access, and the business purpose
  5. Documentation of your agency's HIPAA compliance training program for personnel who handle PHI
  6. Verification that any subsequent transfer of my account complied with HIPAA requirements

Until the requested validation and HIPAA documentation are provided, I dispute this debt and request that all collection activities cease immediately. Pursuant to FDCPA Section 809(b), you must cease collection activities until validation is complete.

I do not authorize disclosure of my PHI to any party other than as required for the limited purpose of responding to this letter. Any further use, disclosure, or sharing of my PHI without my explicit written authorization will be considered a HIPAA violation.

If your agency cannot produce the requested HIPAA documentation, I request immediate written confirmation that your agency will:

  (a) Cease all collection efforts on this account,
  (b) Not report this account to any consumer reporting agency, and
  (c) Return or destroy all PHI in your agency's possession related to this account.

Please direct all future correspondence to me in writing only. Do not contact me by phone.

Sincerely,

[Your Signature]
[Your Printed Name]

Sent via Certified Mail, Return Receipt Requested
Tracking #: [tracking number]
CC: HHS Office for Civil Rights (HIPAA enforcement)

What happens after you send

  1. Collector must cease collection during validation period (FDCPA requirement)
  2. Collector evaluates HIPAA exposure. Most agencies don't have proper BAAs and audit logs; producing them creates discoverable evidence of compliance gaps.
  3. Common outcomes:
    • (50-70%): Collector drops the debt and confirms in writing that they'll cease collection and not report to credit bureaus
    • (15-25%): Collector produces partial documentation; you can challenge what's incomplete
    • (10-15%): Collector ignores the letter (an FDCPA violation; you can sue for $1,000 plus attorney fees)
    • (5-10%): Collector produces full documentation; pursue other tactics (settlement, statute of limitations defense)

What to include with your letter

What to do if they ignore you

  1. Document the violations (continued calls/letters during validation period)
  2. File complaint with the CFPB at consumerfinance.gov/complaint
  3. File complaint with your state attorney general's office
  4. File HIPAA complaint at hhs.gov/hipaa/filing-a-complaint
  5. Contact a consumer protection attorney — FDCPA/HIPAA lawsuits typically settle for $1,000-$5,000 per violation plus attorney fees paid by the collector


Frequently Asked Questions

Is this legal?
Yes. You're exercising rights granted by federal law (FDCPA Section 809 + HIPAA Privacy Rule). Both laws explicitly grant consumers the right to demand validation and proper handling of PHI.
Will this work for original creditor (hospital) debt?
No — this letter is for third-party collectors only. For hospital-direct debt, use charity care application + negotiation instead. See the full medical debt tactic guide.
How long does it take to work?
Collectors must respond within 30 days. Most either drop the debt within 60 days OR stop responding (which constitutes implicit dropping). Some take longer if they actually try to gather documentation.
What if the collector says they're HIPAA-exempt?
Some try this. They're wrong. The HHS Office for Civil Rights has clarified that debt collectors handling medical debt ARE business associates and ARE subject to HIPAA. Cite this in your follow-up if needed.
Should I get a lawyer?
Not for the initial letter — sending it yourself is straightforward and free. Get a lawyer if: (a) you're sued for the debt, (b) the collector violates FDCPA after your letter (sue them), (c) the debt is large enough to warrant professional negotiation. Most consumer protection attorneys take FDCPA cases on contingency (no upfront cost).


Educational only — not legal or financial advice. Debt-collection laws vary by state and federal jurisdiction. Consult a consumer-protection attorney for your specific situation, especially before responding to a lawsuit or signing any settlement agreement.