What to know about HIPAA Compliant Payment Methods

Saturday, January 03, 2015

Taking secure payments at your practice

With the evolution of payment technology over the past few years, consumers have more options than ever. Add to that the telehealth boom, in which providers meet the needs of their patients through online visits, and it can be challenging for a provider to ensure that the payment options on offer comply with healthcare industry regulations. In this article, we’ll tackle healthcare payment methods, focusing specifically on those that meet HIPAA regulations. To start, let’s define HIPAA.

What is HIPAA?

To refresh your memory, HIPAA stands for the Health Insurance Portability and Accountability Act. Congress enacted this law in 1996 to provide more protection to patients. Here are a few of the highlights from HIPAA:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  • Helps to reduce health care fraud and abuse
  • Mandates industry-wide standards for health care information on electronic billing and other processes
  • Requires the protection and confidential handling of protected health information (PHI)

It’s important to understand the implications of these provisions to ensure you’re doing enough to protect your customers’ personal information. PHI is a sensitive issue, and patient data must be kept safe and secure, no matter if it’s in paper, digital or verbal form. Sometimes, you’ll see the term electronic protected health information (ePHI), which is just the digital records of a patient. Let’s take a look at what PHI includes in the next section.

What constitutes PHI?

Protected health information can include a whole host of information—a patient’s name, date of birth, credit card number(s) or anything specific to the healthcare portion of the business, like medical record or insurance information. PHI essentially includes any information within your control that a bad actor could use to identify one of your patients. And that’s why you should ensure you accept HIPAA compliant payment methods. Now that you know more about HIPAA and PHI, let’s take a closer look at the challenges of HIPAA compliant payment methods.

What makes HIPAA compliant payments unique?

Unlike industries that face fewer regulations, the medical field carries hefty fines for businesses that break patient data rules. Therefore, it’s paramount that your practice is doing everything it can to protect PHI.

While payment processing companies are not bound by HIPAA if they are only performing their normal payment duties, many payment service providers do more than just process payments. That is the case when a payment processor provides additional services on top of credit card processing. If your payment processing partner provides services or business integration for practice management, invoicing, reporting, or even medical billing, it will most likely fall under the business associate designation. If that happens, the medical provider needs to enter into a business associate agreement (BAA) with the processor, which commits the processor to specific safeguards for any PHI it handles.

Some industries can accept payments for their goods and services with peer-to-peer payment apps. However, medical providers need to avoid these apps. That’s because these payment apps can leave a digital trail of protected health information that may inadvertently violate HIPAA practices. Therefore, it’s best to look to traditional payment processing providers to meet your practice’s needs. Let’s look at the various methods that are HIPAA compliant.

What types of payments are HIPAA compliant?

There are a variety of payment methods that are HIPAA compliant, including:

Credit cards

One of the most popular ways to pay for medical expenses is through credit cards. They provide customers with an easy way to pay and have security measures that can make them suitable for HIPAA compliance. We’ll look at HIPAA compliant credit card processing in the next section.

ACH transfers

Automated Clearing House payments are another way for consumers to pay. The National Automated Clearing House Association (NACHA) manages the network. The Healthcare Electronic Funds Transfer (EFT) standard supports HIPAA-compliant transactions between health plans and providers, making it possible for customers to pay using ACH. In this Healthcare EFT standard, the required information travels with the payment, simplifying accounting procedures and reducing administrative costs.

Cash

While this is not as common a payment method, some providers do take cash payments for their services. While the cash transaction itself is HIPAA compliant because no data is being passed, you should still take precautions to ensure safe recordkeeping.

Paper checks

Another payment method that’s HIPAA compliant is paper checks, as long as the check doesn’t contain any protected health information.

Now, let’s take a closer look at the intersection between credit card processing and HIPAA compliance.

Who are the key parties in a credit card transaction?

Understanding the parties involved in a credit card transaction is essential to understanding how credit card processing fits HIPAA compliance.

  • The cardholder: Often the patient or a guardian of the patient, this is the person who uses their credit card to make the payment.
  • Credit card issuer: This is a financial institution, like a bank or a credit union, that issues a credit card to the consumer. Examples of an issuer include Citibank, Chase, and Wells Fargo.
  • The merchant: This is the business that accepts the credit card payment. In healthcare, it’s the healthcare provider. Merchants can choose which credit cards to accept.
  • Credit card brands: These are the credit card companies like Mastercard, Visa, Discover, and American Express. They allow transactions to occur between merchants and card issuers.

So, how does a payment processor fit into this equation? Well, a payment processor is a facilitator, helping connect these parties by transmitting data between them. Credit card processors can also provide businesses with point of sale (POS) systems or payment terminals, which help a merchant accept card payments. To accept credit or debit cards, your business needs a merchant account. A merchant account is what moves the funds from your customers’ payments into your business’s bank account.

Your business can work with a bank to get your merchant account or a payment processor to utilize their merchant account. In today’s landscape, these systems have to be able to read Europay/Mastercard/Visa (EMV) chip-enabled cards. As you can see, this process can be complex, with lots of information moving between parties. That’s why security is paramount when you’re accepting credit card payments at your healthcare business.

Let’s see what your business can do to ensure you’re maintaining HIPAA requirements, no matter which payment methods you accept at your business.

Maintaining HIPAA compliant practices

You can take a few steps to ensure that you’re upholding HIPAA requirements when it comes to processing your patients’ payments, including taking their credit card information. Here’s what you can do:

  • DO NOT include any patient information when processing patient payment information. This includes any details about treatments or care that they received from your business.
  • DO NOT send receipts for payment via text or unencrypted email. Also, make sure that your processing partner doesn’t send them that way.
  • DO NOT store unencrypted, sensitive payment card data electronically or in any other form. Unencrypted storage makes it easy for bad actors who break in to steal usable payment data from your customers.
  • DO ensure that your healthcare payment processing company is payment card industry (PCI) compliant. The payment card industry data security standards (PCI DSS) are the best practices to follow to protect your customers and your business. The PCI DSS includes guidelines around the erasure of authentication data, limiting the amount of retained data, response to data breaches, secure payment card apps, controlling access to the data, and encryption.
  • DO use the latest encryption technology to help protect payment data. These technologies can include point-to-point encryption and PCI-validated point-to-point encryption (also known as vP2PE). This encryption type secures the data as soon as a card gets swiped or dipped, so criminals aren’t able to copy it in usable form before it reaches the payment gateway. Even if they capture the data, the encryption ensures they won’t be able to decipher or use it. This encryption type can help ensure security at every stage of the payment process.
  • DO ensure that your payment card readers are EMV chip card compatible. Thanks to the EMV liability shift, card brands now expect your business to use this technology. If you take payment without EMV chip technology and a fraudulent transaction occurs at your business because a card was swiped instead of dipped, you could be held responsible instead of the card networks. That’s why it’s so important to ensure you’re using an EMV chip enabled card reader.
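The first three rules above (no care details alongside payment data, no full card numbers in receipts sent by text or email, no retained unencrypted card data) and the PCI DSS points on erasing authentication data and limiting retained data can be enforced in code before a record is stored or a receipt goes out. The following is an added example written for this article, not code from Heartland or any payment processor; the field names and the sample records are constructed assumptions.

```python
import re

# Constructed example: field names that describe the patient's care are PHI and
# must never be retained or transmitted together with payment data.
PHI_FIELDS = {"diagnosis", "treatment", "procedure", "visit_notes", "medical_record_no"}
# Sensitive authentication data that PCI DSS forbids storing after authorization.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvv2", "pin", "track_data"}

class UnsafePaymentRecord(ValueError):
    """Raised when a record contains data that must not be retained."""

def luhn_ok(digits: str) -> bool:
    """Luhn check used to confirm a digit run really is a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number (PCI DSS truncation)."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise UnsafePaymentRecord("value is not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_payment_record(record: dict) -> dict:
    """Return a copy of record that is safe to keep in the practice's books."""
    present = FORBIDDEN_AFTER_AUTH & set(record)
    if present:  # CVV/PIN/track data must be erased, never written to disk
        raise UnsafePaymentRecord(f"must not store {sorted(present)}")
    safe = {}
    for key, value in record.items():
        if key in PHI_FIELDS:
            continue  # drop care details: they are PHI, not payment data
        if key == "pan":
            safe["pan_last4"] = mask_pan(value)
        else:
            safe[key] = value
    return safe

def receipt_leaks_pan(text: str) -> bool:
    """True if a receipt body carries a full card number and must not be sent."""
    for run in re.findall(r"(?:\d[ -]?){13,19}", text):
        digits = re.sub(r"\D", "", run)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False
```

Run `sanitize_payment_record` on every payment before it is written to your ledger, and `receipt_leaks_pan` on every receipt body before it is emailed; the test number 4111 1111 1111 1111 used below is a standard dummy card number, not a real account.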

As you continue to grow your healthcare practice, making sure you’re taking payments that fit your customers' needs while maintaining HIPAA compliance should be at the top of your to-do list. So, for small businesses like yours, you’ll want to make sure you have the tools you need to accept a wide variety of payments. For credit card payments, that means working with a payment processing company that takes security seriously – from PCI compliance to maintaining HIPAA compliance.

Ready to work with a payment processor who can help your small business?

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.