Skip to content

Compliance

Compliance Corner: An Apple a Day Isn't Keeping Changes to Laws Affecting Medical Debt Away

← All articles
Filed under Compliance

While the August 12, 2024 deadline for comments on the proposed rules published by the Consumer Financial Protection Bureau ("CFPB") is quickly approaching, the landscape for vendors of all sorts working on the revenue cycle side of healthcare continues to change. A key priority in Washington, D.C. has been to address the issue of roughly one third of working age Americans struggling with both medical debt and navigating the complexities of health insurance.

State lawmakers are also laser-focused on providing Americans with relief from burdens of medical debt. The states are approaching these challenges in a variety of ways. Some states are expanding the time from date of service to date debts are credit reported while others are banning medical debt credit reporting altogether.

Some states are requiring healthcare providers and their billing and collection vendors to continuously evaluate patients for financial assistance or other repayment plans to fit their budgets while others are outlawing the sale of medical debt.

2024 has been an extremely busy year for state lawmakers and various versions of a medical debt protection law are being enacted or given serious consideration throughout the states. As the summer starts to wind down, here are some of the key things you may want to consider as you set the course for your Q3 and Q4 compliance strategies.

Submitting Comments to the CFPB on its Proposed Restriction of Medical Debt Credit Reporting

The CFPB is looking for your comments and feedback on its proposed rulemaking. As you no doubt know from all the media, the CFPB has authority to issue rules under the Fair Credit Reporting Act and is choosing to exercise this authority by issuing regulations related to medical debt and credit reporting.

If this is a topic of importance to you, you may want to share your thoughts about this with the CFPB by filing comments. ACA International, the international association of credit and collections professionals has compiled resources to assist you in following all the steps to do this. You can access ACA's resources explaining how to approach this right in ACA International's medical debt rule summary.

Updating Your Health Breach Notification Policies and Procedures

Busy at work updating its data security regulations, the Federal Trade Commission's ("FTC") updates to its Health Breach Notification Rule ("HBNR") took effect July 29, 2024. Last year for the first time, the FTC used its authority under the HBNR to take regulatory action regarding the online data use practices of GoodRx, constituted unauthorized uses and subsequently disclosures, In a novel investigation of a company's digital strategies, the FTC reviewed disclosures provided to consumers and consents received from them and determined that in instances where uses and disclosures were not clearly authorized by consumers, a health breach had occurred - which the FTC felt should be reported Just over a year later, the FTC codified its analysis, its 2021 Commission Policy Statement, and interpretation by updating its HBNR with a modified definition of breach.

In addition, the FTC has clarified that the HBNR applies to health apps, connected devices, and any other online services that fall outside of the scope of HIPAA.

What constitutes a "breach of security" under the HBNR and is now reportable includes a traditional data breach and now also an "unauthorized disclosure" of information the HBNR covers. The FTC has clarified that this may mean "dark patterns" that manipulate or deceive consumers do not allow for consumers to make meaningful choices and could also constitute reportable breaches under the HBNR. More details on the final HBNR can be found in the Federal Register text of the medical debt rule

Number of States Banning Medical Credit Reporting Grows

Since Colorado enacted a law banning medical credit reporting last year, additional states have enacted similar laws - all taking effect now or in the coming year. The states that have followed Colorado's lead include New Jersey, Virginia, Rhode Island, New York, Illinois, Minnesota and Connecticut.

Healthcare providers and healthcare collection agencies who are furnishing data to consumer reporting agencies about medical debts may want to take a look at the effective dates of these laws and take steps to modify any credit reporting practices.

Shrinking Statutes of Limitations

In this year's legislative terms, many states reexamined the length of their statutes of limitations for medical debts. States like Florida have reduced their statute of limitations to three years. Another key compliance update may need to be a review and reexamination of the applicable statutes of limitations for any states in which you conduct collections activities.

Proliferation of Medical Debt Protection Laws

The National Consumer Law Center ("NCLC") has lobbied all states with its proposed consumer-centric solutions to medical debts. Since 2019, dozens of states have enacted all or a portion of the NCLC's uniform medical debt protection law which may include features such as these: (i) review of patients' financial means throughout the revenue cycle to determine whether any of a variety of types of assistance should be offered; (ii) ban medical credit reporting; (iii) protect consumers' assets should they be subject to legal collections; (iv) bans on sales of medical debt.²

Conclusion

Not only is it important to track key state laws and regulations related to any required licenses, bonds, or other certifications in the states or state-specific letter disclosures - but it is also important to keep an eye on laws and regulations the states are considering and enacting that may have a significant impact on the manner in which you do business. Fortunately, key industry associations like ACA International and the National Creditors Bar Association or state associations regularly engaged in conversations with state and federal lawmakers.

Any can be effective resources for information to help you keep up with change in this dynamic time.

  1. https://www.eversheds-sutherland.com/en/united-states/insights/ftc-diagnoses-common-digital-practices-as-both-udap-and-breach
  2. https://www.nclc.org/resources/model-medical-debt-protection-act/

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

California Delete Act: DROP Deadline and Data Broker Rules

Compliance

California Delete Act: DROP Deadline and Data Broker Rules

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

The Changing Compliance Landscape for Consumer Lenders

Compliance

The Changing Compliance Landscape for Consumer Lenders

Explore evolving compliance rules for consumer lenders, CFPB updates, and strategies to stay compliant in 2025 and beyond.

Compliance Corner: No Place Like Home? Fine-Tuning Your Remote Work Strategies

Compliance

Compliance Corner: No Place Like Home? Fine-Tuning Your Remote Work Strategies

Unbelievably it has been almost five years since the world undertook one of the largest work-from-home experiments ever. Ready or not, in the days and weeks following the World Health Organization's March 2020 declaration that COVID-19 was a pandemic, employers throughout the world grappled with how to securely and productively have their workforces work remotely. [...]

Compliance Corner: Updates to FTC's Safeguards Rule

Compliance

Compliance Corner: Updates to FTC's Safeguards Rule

The FTC has now updated its Safeguards Rule to add breach notification requirements. It plans to host a new public database of instances in which consumers' nonpublic information has been subjected to unauthorized access. Effective May 13, 2024 Key features Financial institutions subject to the FTC's jurisdiction, which include mortgage lenders, payday lenders, collection agencies, [...]

Debt Collection & Buying

Compliance Corner: What Regulators May Expect You To Know About the AI Tools You're Using in Your Collection Agency

AI keeps reshaping financial services, and collection agencies are adding AI tools to streamline operations, strengthen compliance, and improve consumer engagement. With that innovation comes responsibility and a growing need for clarity on legal, ethical, and regulatory questions. Emerging technology like AI is top of mind for state financial services regulators, who increasingly ask how licensees use these tools.

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.