
CFPB Cautions That No Surprises Act Violations Can Implicate Fair Lending Laws

Payment Matters

The Fair Debt Collection Practices Act (FDCPA) prohibits debt collectors from using abusive, unfair, or deceptive practices when collecting consumer debts. The Consumer Financial Protection Bureau (CFPB) enforces the FDCPA, and in a 2014 study, the CFPB determined that more than 43 million Americans have overdue medical debt reported on their credit reports. Since the 2014 study, the CFPB has closely monitored the health care industry, the policies and practices of health care providers, and the practices that debt collectors use when attempting to collect medical debt. Although health care providers are considered "creditors" and not "debt collectors," courts have found creditors may be held vicariously liable for FDCPA violations committed by debt collectors acting on their behalf.

Health care providers, therefore, may be liable for significant financial penalties imposed by the CFPB for FDCPA violations. Moreover, the CFPB is working with the U.S. Department of Health and Human Services (HHS) and other agencies to ensure that patients are not coerced into paying bills that are more than what is actually due. Thus, it is critical for health care providers to not only understand the obligations imposed by the FDCPA, but to understand the ways in which the FDCPA interacts with other health laws and regulations.

For instance, in January 2022, Congress passed the No Surprises Act (NSA), which protects participants, beneficiaries, and enrollees in group health plans and individual health insurance coverage, from "surprise medical bills," which are typically generated when an individual with health insurance receives care from an out-of-network hospital, doctor, or other provider they did not choose. The NSA, in part, prohibits separate out-of-network cost sharing, including out-of-network coinsurance or copayments, for all emergency and some non-emergency services. It also prohibits separate out-of-network charges by providers that work at an in-network facility for supplemental care, such as radiology or anesthesiology. This includes the elimination of "balance billing" which occurs when the out-of-network provider or facility bills consumers for the difference between the billed charge and the amount paid by the consumer's healthcare plan. Instead, health care providers must ensure that patient cost-sharing, such as coinsurance or a deductible, is not higher than if the service was provided by an in-network provider and such costs must count toward any in-network deductible and out-of-pocket maximum.

The NSA has also established rules outlining the need for providers to establish an independent dispute resolution process to determine out-of-network payment amounts between providers or facilities and health plans; submit good faith estimates of medical items or services; establish a patient-provider dispute resolution process for uninsured individuals; and provide a way to appeal certain health plan decisions.

The CFPB issued a 2022 bulletin reminding debt collectors that attempting to collect a debt from a charge that exceeds the amount permitted by the NSA could violate the FDCPA. The FDCPA's implementing Regulation F prohibits the use of "any false, deceptive, or misleading representation or means in connection with the collection of any debt," including, for example, any false representation of "the character, amount, or legal status of any debt." The FDCPA and Regulation F also prohibit the use of "unfair or unconscionable means to collect or attempt to collect any debt," including, for example, the "collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law."

A debt collector would violate the FDCPA should they represent that a consumer owes charges exceeding the amount permitted by the NSA for a debt arising from out-of-network charges for emergency services. In such a situation, the health care provider that generated an invoice that violates the NSA could also be held liable for the actions of the debt collectors acting on the health provider's behalf.

This is significant because the CFPB has authority to bring administrative enforcement proceedings or civil actions after finding violations during regularly scheduled examinations of debt collectors, Target Reviews (which usually involve a single entity with a significant volume of consumer complaints or a specific concern that has come to the CFPB's attention) or Horizontal Reviews (which involve the examination of multiple entities). The CFPB can obtain "any appropriate legal or equitable relief with respect to a violation of Federal consumer financial law," including, but not limited to:

  • Rescission or reformation of contracts
  • Refund of money or return of real property
  • Restitution
  • Disgorgement or compensation for unjust enrichment
  • Payment of damages or other monetary relief
  • Public notification regarding the violation
  • Limits on the activities or functions of the person against whom the action is brought
  • Civil monetary penalties (which can go either to victims or to financial education).

These penalties can also apply to health care providers, should they be found to be vicariously liable for the debt collectors' actions. The CFPB can also take the step of notifying other government agencies, such as HHS and the Centers for Medicare & Medicaid Services (CMS), that certain health care providers have been attempting to collect debts that violate the NSA. Health care providers might also be named in lawsuits brought by consumers for FDCPA violations. Consumers have one year from the date on which the violation occurred to sue debt collectors for FDCPA violations in any appropriate U.S. district court or other court of competent jurisdiction. A debt collector found to have violated the FDCPA can be liable for:

  • Any actual damages sustained because of that failure
  • Punitive damages as allowed by the court in an individual action, up to $1,000
  • In a class action, up to $1,000 for each named plaintiff and an award to be divided among all members of the class of an amount up to $500,000 or 1 percent of the debt collector's net worth, whichever is less
  • Costs and a reasonable attorney's fee in any such action.

The CFPB also enforces the Fair Credit Reporting Act (FCRA), which prohibits the furnishing of inaccurate information to any consumer reporting agency after receiving notice from a consumer that the information is inaccurate. Debt collectors can also violate the FCRA if they report that a consumer must pay a debt from a charge that exceeds the amount permitted by the NSA. FCRA violations can subject a debt collector to statutory damages of $100 to $1,000 per violation. Again, if health care providers generate invoices that violate the NSA and send those invoices to debt collectors, health care providers may also be held vicariously liable for FCRA violations or the CFPB could alert other federal agencies of the health care provider's violation of the NSA.

Ultimately, attempting to collect medical debts that exceed the amounts permitted by the NSA could subject a debt collector and providers to enforcement action for violations of the FDCPA. Similarly, debt collectors and providers could violate the FCRA and Regulation V for reporting that a consumer owes a medical debt for an amount exceeding the NSA. Health care providers should ensure that they comply with the NSA and are aware of the practices used by debt collectors retained on their behalf.

For more information, please contact any member of Baker Donelson's Health Law team.
