A POS system sitting on the counter of a retail store with a product scanner right next to it.

What you should know about HIPPAA compliant payment processing

Sunday, December 06, 2015

Ensuring safe and secure transactions at your healthcare business

When it comes to patients at your healthcare business, privacy is paramount. While you are already doing all you can to protect their medical records and other sensitive health information, are you doing the same with their payment information? It’s important you protect their card information as closely as their medical information, especially as more and more patients expect to use a variety of payment methods to pay what they owe medical providers after insurance claims. In this article, we’ll look at HIPAA – from what it is to how it affects your practice’s ability to take credit card payments. First, let’s define HIPAA.

What is HIPAA?

If you’re not familiar with HIPAA, it stands for the Health Insurance Portability and Accountability Act. Congress passed this law in 1996 to give more protections to patients. HIPAA does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  • Helps to reduce health care fraud and abuse
  • Mandates industry-wide standards for health care information on electronic billing and other processes
  • Requires the protection and confidential handling of protected health information (PHI)

The most relevant part of this law when it comes to payment processing is the protection and confidential handling of PHI. There are strict regulations and guidelines that your company must follow in regard to keeping patient data safe and secure, no matter if it’s in paper, digital, or verbal form.

PHI can include a variety of information, including a patient’s name, date of birth, credit card number, or anything specific to the healthcare portion of the business, like medical records or insurance information. PHI essentially includes any information within your control that a bad actor could use to identify one of your patients. And that’s why you should ensure you have a HIPAA compliant payment processing solution. Now that you know more about HIPAA, let’s take a closer look at who is involved in a credit card transaction.

Who are the key parties in a credit card transaction?

Before learning about the intersection of credit card processing and HIPAA, it’s important to understand who is who in the credit card processing cycle.

  • The cardholder: Often the patient or a guardian of the patient, this is the person who uses their credit card to make the payment.
  • Credit card issuer: This is a financial institution, like a bank or a credit union, that issues a credit card to the consumer. Examples of an issuer include Citibank, Chase, and Wells Fargo.
  • The merchant: This is the business that accepts the credit card payment. In healthcare, it’s the healthcare provider. Merchants can choose which credit cards to accept.
  • Credit card brands: These are the credit card companies like Mastercard, Visa, Discover, and American Express. They allow transactions to occur between merchants and card issuers.

So, how does a payment processor fit into this equation? Well, a payment processor is a facilitator, helping connect these parties by transmitting data between them. Credit card processors can also provide businesses with point of sale (POS) systems or payment terminals. This helps a merchant accept card payments. To accept credit or debit cards, your business needs a merchant account. A merchant account is a way to get the funds from your sales from your customers back into your business’s bank account.

Your business can work with a bank to get your own merchant account or a payment processor to utilize their merchant account. In today’s landscape, these systems have to be able to read Europay/Mastercard/Visa (EMV) chip-enabled cards. As you can see, this process can be complex, with lots of information moving between parties. That’s why security is paramount when you’re accepting credit card payments at your healthcare business.

What’s the link between HIPAA and credit card processing?

So, how do you make sure that you’re following all of the rules and regulations of HIPAA compliance when it comes to payment processing? It starts with knowing if payment processors are seen as business associates in the eyes of HIPAA. If a payment processor is acting as a business associate, they must have a business associate agreement (BAA) with the healthcare provider to protect against a breach of PHI.

However, HIPAA determined that an institution that processes credit card transactions isn’t a business associate, but instead provides the necessary and normal banking or transaction services. Therefore, the payment processor is not a business associate of the healthcare provider.

But, that’s not the whole story. In fact, there are some circumstances where a payment processor could be a business associate. These circumstances happen when a payment processor provides additional services on top of credit card processing. If your payment processing partner provides services or business integration for practice management, invoicing, reporting, or even medical billing, it will most likely fall under the business associate delegation. If that happens, a medical provider would then need to enter into a BAA with the processor to implement specific safeguards to ensure that they secure any PHI. Now, let’s take a look at some best practices for ensuring your business maintains HIPAA compliance.

Maintaining HIPAA compliant credit card processing practices

There are a few steps you can take to ensure that you’re upholding HIPAA requirements when it comes to processing your patients’ credit card information. Here’s what you can do:

  • DO NOT include any patient information when processing patient payment information. This includes any details about treatments or care that they received from your business.
  • DO NOT send receipts for payment via text or unencrypted email. Also, make sure that your processor doesn’t send them that way.
  • DO NOT store unencrypted, sensitive payment card data electronically or in any other form. This makes it easy for bad actors to hack in and steal usable payment data from your customers.
  • DO ensure that your healthcare payment processing company is payment card industry (PCI) compliant. The payment card industry data security standards (PCI DSS) are the best practices to follow to protect your customers and your business. The PCI DSS includes guidelines around erasure of authentication data, limiting the amount of retained data, response to breaches, secure payment card apps, controlling access to the data, and encryption.
  • DO use the latest encryption technology to help protect payment data. These technologies can include point-to-point encryption and PCI-validated point-to-point encryption (also known as vP2PE). This encryption type secures the data as soon as a card gets swiped or dipped. Therefore, cybersecurity criminals aren’t able to copy it before it reaches the payment gateway. While they may be able to get data, the encryption will ensure they won’t be able to decipher or use the data. This encryption type can help ensure security at every stage of the payment process.
  • DO ensure that your payment card readers are EMV chip card compatible. Thanks to the EMV liability shift, it’s now a requirement from card brands that your business utilizes this technology. If you take payment without EMV chip technology and a fraudulent transaction occurs at your business due to swiping a credit card instead of dipping it, you could be held responsible instead of the card networks. That’s why it’s so important to ensure you’re utilizing an EMV chip enabled card reader.

What about using payment apps?

Some businesses may not want to accept credit cards due to the processing fees. While these fees are unavoidable and a cost of doing business, you may wonder if there’s a way to accept payments with other methods, like a payment app. Payment apps are popular and include Venmo, Zelle, PayPal, and Facebook Money. While you may think these are great ways to avoid credit card processing fees, many are not compliant with HIPAA regulations. Therefore, you’ll need to find another way to accept these types of payments that are HIPAA compliant.

As you can see, medical offices and healthcare providers have a harder decision than most when it comes to accepting payments. You’ll have to add an extra step for HIPAA compliance as well as to decipher if your payment processor needs to be HIPAA compliant. While serving your patients is your responsibility, you also want to make sure you can get paid for the services you provide. Therefore, after reading this article, you should have a better understanding of how to protect your patients in payment transactions while also keeping your business moving.

Ready to work with a payment processor who can help you ensure safe and secure transactions?

Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.