
About HIPAA and Medical Verification
The most common question we get about Life Over Debt is this: "Does asking a member to provide a doctor’s note confirming their cancer diagnosis violate HIPAA?"
The short answer: NO, it does not.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) was created to protect members’ private health information from being shared without their consent.
But it’s important to understand who HIPAA applies to and who it doesn’t.
HIPAA Only Applies to “Covered Entities”
HIPAA rules apply to:
Health care providers (like doctors or hospitals)
Health plans (like insurance companies)
Health care clearinghouses (like billing services)
Credit unions are not considered covered entities under HIPAA. That means HIPAA does not directly regulate how credit unions interact with medical information that members voluntarily provide.
What Members Can Do Under HIPAA
If a member asks their doctor to write a brief letter confirming a cancer diagnosis, and then gives that letter to the credit union as part of the Life Over Debt program, that is not a HIPAA violation.
HIPAA protects a member’s medical information from being shared without their consent. It does not restrict what the member can do with their own health information.
Members are always free to request documentation and share it with others, like the credit union, if it helps them get the support they need.
Diagnosis Verification Options
Participating credit unions may choose one of three HIPAA-safe methods to verify a member’s cancer diagnosis:
Member Interview by a Designated Agent
A trained staff member (often called a “Cancer Care Agent”) speaks directly with the member to confirm diagnosis and hardship
No medical documents are collected or stored; eligibility is assessed solely through the conversation
Document Review with Secure Retention
The member submits a doctor’s note confirming their diagnosis
The credit union reviews and then retains a copy of that note in a locked, offline safe or similarly secured location
A simple eligibility flag (e.g., “LOD-qualified”) is added to the member record
Document Review with Return to Member
The member submits a doctor’s note confirming their diagnosis
A designated reviewer checks it for eligibility, adds a “LOD-qualified” flag in the system, and returns the original note to the member
No medical documentation is retained by the credit union
This option offers minimal privacy risk (no PHI is ever stored), a clear audit trail (only date and reviewer’s name/initials are recorded), and member confidence (their sensitive documents never leave their control)
All three approaches are HIPAA-safe because:
Members voluntarily provide their own medical information
Credit unions are not HIPAA covered entities
Any retained information is either non-medical (a simple eligibility flag) or stored under strict security
Legal Disclaimer
This page is for informational purposes only and does not constitute legal advice. Life Over Debt encourages participating credit unions to consult with their own legal and compliance teams to ensure alignment with applicable laws and internal policies.