Compliance · Healthcare · Updated 8 May 2026

HIPAA-compliant invoice follow-up for healthcare practices

HIPAA does not block you from calling patients about unpaid bills. It limits what you can say, where you can leave it, and how much detail goes through any one channel. This page is the working reference for how Syntharra applies 45 CFR Part 164 to medical, dental, chiropractic, and other covered-entity AR follow-up.

Plain-language summary, not legal advice. Statute citations let you verify each claim against the source text directly.

Payment is one of the three TPO purposes

45 CFR § 164.506(c) authorizes a covered entity to use and disclose protected health information for treatment, payment, and health care operations — the three TPO purposes — without obtaining additional patient authorization. Billing for services rendered, generating statements, and following up on overdue balances are squarely within payment. You do not need a separate HIPAA authorization to call a patient about an unpaid bill.

The constraint that does apply is the minimum-necessary rule at 45 CFR § 164.502(b) and § 164.514(d). When you use or disclose PHI for payment, you may only use or disclose the minimum amount reasonably needed to accomplish the purpose. For a follow-up call, that usually means the patient’s name, the practice name, the balance owed, and the due date — not the diagnosis, the procedure code, the prescribed medication, or the clinical context behind the visit.

What you can and cannot leave in a voicemail

Voicemails get a tighter standard than live calls because anyone with access to the answering machine can overhear them. HHS guidance and most counsel converge on a conservative voicemail floor.

Generally OK to leave

  • Practice name (“This is Smith Dental”)
  • A neutral callback request
  • One callback number
  • A non-clinical reason such as “about your account”

Avoid in a voicemail

  • Diagnosis or condition
  • Procedure or treatment name
  • Medication, prescription, or refill detail
  • Itemized financial detail (specific dollar amounts, date of service, CPT codes)
  • Lab or test results
  • Any reference to the clinical reason for the visit

Live conversations are different. Once the patient answers and identifies themselves, you can discuss the balance, the date of service in general terms, and a payment plan — the minimum-necessary rule still applies, but you have a verified recipient. The harder question is who else might be on the line, which is why patient communication preferences captured at intake matter.

Patient communication preferences

45 CFR § 164.522(b) gives patients the right to request that communications be made by alternative means or at alternative locations. Covered entities must accommodate reasonable requests. Best practice is to capture preferences at intake and refresh annually.

Useful intake fields for billing follow-up:

  • Preferred phone number for billing matters (cell, landline, work)
  • Whether voicemails are permitted on that number
  • If voicemails are permitted, whether detailed messages are allowed
  • Whether a spouse, partner, parent, or caregiver may receive billing messages on the patient’s behalf
  • Preferred channel for written statements (mailed, emailed, patient portal only)

When the practice runs an AI calling vendor, those preferences feed straight into the call routing. Syntharra honors any flag the practice sets at the patient record — for example, “voicemail OK”, “detailed message allowed”, or “spouse may take a message” — and the call cannot proceed in a more permissive mode than the patient has authorized.

Business Associate Agreement — required, not optional

Any third party that handles PHI on a covered entity’s behalf is a business associate under 45 CFR § 160.103. A billing service, a collection agency, an AI calling vendor that touches patient records — each is a business associate. The covered entity must execute a Business Associate Agreement before any PHI flows.

The BAA pushes HIPAA obligations down to the vendor. Among other things, the BAA requires the vendor to use PHI only for the agreed purpose, apply the same minimum-necessary rule, report breaches, and return or destroy PHI at termination. Without a signed BAA, sharing PHI with a vendor is a HIPAA violation by the covered entity.

Syntharra signs a BAA with every healthcare client before any integration goes live. The BAA covers all PHI flowing through the QuickBooks, Square, Xero, Zoho, FreshBooks, or Jobber connections, plus the call audio and transcripts the system generates.

State medical-debt protections

Several states impose extra restrictions on medical-debt collection, layered on top of HIPAA. The pattern across these statutes is consistent: itemized billing required before collection, financial-assistance screening for nonprofits, no credit reporting during active dispute, and limits on attaching medical debt to credit reports altogether.

  • California (Hospital Fair Pricing Act, AB 1020): hospitals must screen patients for financial assistance before sending to collections; no medical debt under $500 may be reported to credit bureaus by hospitals.
  • New York (Surprise Billing Law, 2022): limits emergency-care debt collection on out-of-network charges and prohibits placing liens on a patient’s primary residence for medical debt.
  • Maryland (HB 565, 2021): hospitals may not file civil suits for unpaid medical debt against patients with household incomes below 200% of federal poverty.
  • Colorado (HB 23-1126): medical debt removed from consumer credit reports as of 2023; collectors may not report it.
  • Federal (CFPB rule, 2024): medical-debt collection tradelines were proposed to be removed from consumer credit reports nationwide; rule status is in flux. Syntharra does not furnish to credit bureaus on healthcare accounts.

State medical-debt rules change frequently. Verify with counsel before relying on a specific provision; we update this page when statutes change, but it is not a substitute for current legal advice.

What this looks like in practice

For a dental, chiropractic, or specialty-medical practice using Syntharra, the call flow honors HIPAA at every step:

  • Practice connects QuickBooks (or another supported accounting system) once. Patient names, balances, and contact preferences sync from the system; clinical PHI does not leave the practice management system.
  • The compliance layer pulls only the fields needed for the call: name, balance, due date, contact preferences. CPT codes, diagnoses, and procedure detail are never available to the LLM.
  • Voicemails default to the conservative floor: practice name, neutral callback request, one callback number. If the patient’s record permits a more detailed message, the system uses the more permissive setting; otherwise it stays minimal.
  • Live calls open with the recording disclosure and AI identification, then proceed to balance, date in general terms, and payment options. The LLM cannot generate dollar amounts — those come from the practice’s accounting system.
  • Any opt-out, dispute, or request to communicate by another channel routes immediately to the practice. Calls stop on the patient’s number across every Syntharra client.
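As an added illustration of the intake flags described earlier and of the field filtering, voicemail floor and opt-out suppression in this call flow (example code written for this page, not Syntharra's implementation): a minimum-necessary projection of a synced record, followed by a voicemail policy that clamps the requested mode to whatever the patient's record authorizes. The field names, flag names, sample record and suppression list are constructed assumptions.

```python
from decimal import Decimal
from typing import Optional

# Fields the calling layer may see (minimum necessary, 45 CFR § 164.502(b)). Anything else
# in a synced record is dropped before it can reach script generation or the LLM.
# Field and flag names are assumptions for this example, not Syntharra's schema.
MINIMUM_NECESSARY = frozenset({"name", "phone", "balance", "due_date",
                               "voicemail_ok", "detailed_message_allowed"})

# Constructed sample record, as a practice-management sync might hand it over,
# deliberately including clinical fields that must never reach the caller.
SAMPLE_RECORD = {
    "name": "Jane Example", "phone": "+15555550100", "balance": Decimal("874.00"),
    "due_date": "2026-05-01", "voicemail_ok": True, "detailed_message_allowed": False,
    "cpt_code": "D3330", "diagnosis": "irreversible pulpitis", "medication": "amoxicillin",
}

CONSERVATIVE, DETAILED = 0, 1  # voicemail modes, least to most permissive


def build_call_context(record: dict) -> dict:
    """Project a synced record onto the minimum-necessary field set."""
    return {k: v for k, v in record.items() if k in MINIMUM_NECESSARY}


def authorized_voicemail_mode(ctx: dict, requested: int) -> Optional[int]:
    """Mode actually used: never more permissive than the patient's record allows.
    None means no voicemail may be left on this number; a missing flag counts as
    'not permitted', so an unflagged record gets no message at all."""
    if not ctx.get("voicemail_ok", False):
        return None
    allowed = DETAILED if ctx.get("detailed_message_allowed", False) else CONSERVATIVE
    return min(requested, allowed)


def voicemail_script(ctx: dict, practice: str, callback: str,
                     requested: int = CONSERVATIVE,
                     suppressed: frozenset = frozenset()) -> Optional[str]:
    """Return the voicemail text, or None when no message may be left.
    The dollar amount is copied from ctx (the accounting system), never generated."""
    if ctx["phone"] in suppressed:      # opted out: number suppressed, no call at all
        return None
    mode = authorized_voicemail_mode(ctx, requested)
    if mode is None:
        return None
    if mode == DETAILED:
        return (f"This is {practice} calling for {ctx['name']} about a balance of "
                f"${ctx['balance']} due {ctx['due_date']}. Please call us back at {callback}.")
    # Conservative floor: practice name, neutral reason, one callback number, nothing else.
    return f"This is {practice} calling about your account. Please call us back at {callback}."
```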

Healthcare compliance FAQ

Is calling a patient about an unpaid bill a HIPAA violation?

No. Billing communication is one of the three TPO purposes (treatment, payment, operations) under 45 CFR § 164.506(c). A covered entity may use and disclose PHI for payment activities without obtaining additional patient authorization. The minimum-necessary rule still applies: only disclose what is needed to collect on the bill.

What can I leave in a voicemail about an unpaid medical bill?

Practice name, your callback number, and a neutral request to call back. HHS guidance is conservative: avoid the diagnosis, the procedure, the medication, or detailed financial figures in a voicemail because anyone with access to the answering machine could overhear it. “This is Smith Dental, please call us back at 555-0100” is fine. “This is Smith Dental about your $874 root-canal balance” is not.

Does HIPAA apply if a third-party agency calls on my behalf?

Yes. Any third party that handles PHI on a covered entity's behalf is a business associate under 45 CFR § 160.103 and must sign a Business Associate Agreement (BAA). The BAA carries HIPAA obligations through to the agency. Syntharra signs a BAA with every healthcare client and operates under those obligations.

Can I leave a message with a spouse or family member?

Generally no, unless the patient has agreed at intake. 45 CFR § 164.510(b) lets a covered entity disclose PHI to a person involved in the patient's care if the patient has had a chance to object. Best practice: capture communication preferences at intake, including who else may receive billing messages, and update those preferences annually.

Are there state laws that add to HIPAA for healthcare collections?

Yes. Several states (California, New York, Massachusetts, Texas, Florida) have medical-debt protection statutes that limit what providers can do during a billing dispute, require itemized statements before collection, or mandate financial-assistance screening for nonprofit hospitals. State law applies in addition to HIPAA, never instead of it.

Does the FDCPA apply to a dental or medical practice calling its own patients?

No. The FDCPA regulates third-party debt collectors. A practice calling its own patients about its own bills is a first-party creditor and is outside the FDCPA. State analogs like California's Rosenthal Act extend FDCPA-style restrictions to first-party creditors, however, so the conservative posture is to follow FDCPA rules anyway.

Can Syntharra call patients about overdue medical bills?

Yes, under a signed BAA. Syntharra calls in the practice's name (first-party), enforces the HIPAA minimum-necessary rule on every voicemail, applies the conservative call window (9am to 8pm in the patient's local timezone, no weekends), and instantly suppresses any patient who opts out. The system never volunteers diagnosis, procedure, medication, or itemized treatment information on a call.

HIPAA or BAA questions? compliance@syntharra.com