Not all payments are created equal. Healthcare payment processing has strict legal infrastructure to follow under PCI and HIPAA compliance regulations.
This article is designed to educate healthcare providers, practices, and management about the importance and logistics surrounding healthcare payment processing.
B2C Vs. Healthcare Payments
In most industries, card payments are a simple affair—at least in the B2C exchange of payment information. The customer makes a purchase and hands over a credit or debit card to make a payment (or makes an online payment). The merchant provides the goods to the customer.
If further complications emerge (such as logistical issues), there are typically very few rules about discussing the underlying purchase. Although it might be a “best practice,” there is no need to communicate with the customer or other vendors through a secure channel. There is no need to filter information about the product or service other than for the sake of customer experience.
Nobody raises an eyebrow if a restaurant owner calls back into the kitchen: “This guy just ordered a large pizza, anchovies, and artichokes.” No one blinks if a florist texts their assistant (on a personal phone) something like, “The lady coming in today at 3:00 is picking out flowers for her daughter’s wedding.” Nobody would be upset if they received an email from their mechanic with photos of their remodeled car.
This is not the case in the healthcare industry. Discussing goods provided (e.g., prescriptions or devices) or services rendered (checkups, surgeries, consultations) over insecure channels like texts, emails, or conversations is a huge no-no (e.g., an actual legal violation).
The same applies to storing information in unsecured locations, such as an unlocked filing cabinet, or electronically in a CRM database accessible without a password.
Patient Information Is Sensitive
When patient information is shared without consent, it can compromise the patient’s dignity. It can also compromise their identity. Malicious parties can use it to commit identity fraud and even financial theft—when combined with other information or used as a lever to discover other things about the patient.
And beyond these ethical and safety concerns, it is also illegal. HIPAA compliance violations can cost anywhere from $100 to $500,000 per offense. Obviously, this is not an expense your healthcare practice wants to shoulder. But before we get into the surgical details of HIPAA-compliant payment processing, let’s talk about where it all started: it’s toga time.
Hippocrates and The Oath
Hippocrates was one of those ancient fellows wearing a bed sheet and immortalized in marble statues and busts. He is believed to be one of the first philosophers to posit that disease was attributable to natural causes rather than superstitious events or the wrath of the gods.
Although some consumers would love to pretend otherwise while consuming a KFC family meal (no offense to the Colonel), this notion is pretty much at the foundation of Western medicine: that is, not merely “you are what you eat,” but that our health-related outcomes are attributable to genetics or our own lifestyle choices.
Hippocrates is also credited with the formation of the Hippocratic Oath. A study of the oath’s original text and its changes over the years provides a fascinating study in medical ethics that is sadly beyond the scope of this article (and its parenthetical references to fried chicken). However, the basic premise is familiar to most people: first, do no harm.
The Hippocratic Oath: Do No Harm
In other words, physicians are charged to be morally upright and render healthcare to the best of their ability, in good faith. They are charged to be warm and caring (bedside manner), to admit when they do not know something, and to administer care without being particular about the patient or other agendas.
For thousands of years, the principles of the Hippocratic Oath have guided doctor-patient interactions around the world. The medical field had become a sort of sacred meeting ground where there was no strife or disagreement. When King Richard the Lionhearted fell ill during the Crusaders’ siege of Acre in the 12th century, his opponent Saladin sent his personal physician, Maimonides, to Richard, along with ice and healing fruits.
Speaking of Maimonides (the Medieval theologian, legal scholar, and doctor), not all medical institutions take the Hippocratic Oath. Of nearly 100 polled medical colleges around the United States, just 6% use the Hippocratic Oath. Meanwhile, 44% use a modified version, 30% use the Geneva Declaration, 11% use the Prayer of Maimonides, and 9% use something else.
The Hippocratic Oath: Patient Care and Dignity
No matter what oath they use, the underlying premise is the same. Doctors are supposed to be people we can trust. They are not supposed to do harm to their patients.
A significant amount of the premise “Do No Harm” has to do with keeping patient information private. And just as this is true for doctors, it is true for the companies that facilitate patient care, such as insurers and payment processors.
It’s easy for anyone to see why keeping patient information private is necessary for a secure doctor-patient bond. Both chronic diseases and temporary illnesses can change how others look at us. They can be emotionally charged topics. As they deal with our bodies and minds, sharing this information against our will can feel invasive.
Business and Financial Institutions Role in Healthcare and Patient Privacy
All of these considerations once applied only to the doctors who rendered care. In these times, doctors might receive payment from the patient directly (I’ll come back to collect that gold without my bird mask when you feel better). But these days, a number of other players facilitate patient care: businesses and financial institutions.
Sometimes, it is necessary to send information about the patient or the nature of the care. Specific rules have been established to set parameters for how and when this information can be shared.
Like most rules in this country, it was set down in writing: The Health Insurance Portability and Accountability Act, signed into law in 1996 by Bill Clinton (to be clear: he did not inhale). And yes, the acronym cleverly aligns with the Hippocratic Oath, which is arguably its most ancient legal precedent.
Before going into what HIPAA rules are all about, we’ll answer the burning question you probably are asking: does the word hypocrite come from Hippocrates? No.
Although the two words are homonyms (sounding the same), they are different. Hypocrite comes from the Greek word for “actor” (someone who thinks one thing and does another). The name Hippocrates actually comes from the Greek word for “horsepower.” Go figure.
What Is HIPAA Compliance, And What Are The HIPAA Rules?
The Health Insurance Portability and Accountability Act of 1996 regulates the flow of medical information. In a gross oversimplification of the act and its many parts, we’ll say that it mainly prevents healthcare businesses (covered entities) from sharing information about a patient with anyone without the patient’s consent.
HIPAA laws may also vary from state to state. One area where this comes into play is sharing information with family members like parents, children, and spouses. In most instances, HIPAA laws are applicable to individuals who have reached the age of majority (18). Laws may vary from state to state and vary from circumstance to circumstance.
Covered Entities
HIPAA laws apply to two types of organizations. One is “covered entities.” A covered entity collects, creates, and/or transmits healthcare data electronically. Care providers, insurance companies, and financial institutions that serve them (particularly, the clearinghouse that transmits payment between the provider and the insurer and vice versa) are all covered entities.
Keep in mind that this focus on electronically “collecting, creating, and transmitting data” is all about the provider-patient relationship. Take a doctor’s visit, for example. The doctor collects information from the patient.
They then create information by putting it into the patient’s “chart.” The data will then be transmitted to other parties like a pharmacy, a different physician (for a referral), and the insurance company for billing purposes.
Business Associates
The other type of entity is a “business associate.” Business associates are any organization that may encounter health information by way of its B2B interaction with the care provider.
The wide scope of this definition can include:
- third-party billing companies
- practice management consulting firms
- software platforms
- managed service providers
- IT services
- cloud storage companies
It can also include physical storage providers, faxing services, paper shredding companies, and even lawyers and accountants.
There are a number of HIPAA rules, and the best source for discussing them in depth is probably not this article, as we’d like to focus on the role that healthcare payment processing companies play in this picture. Suffice it to say that some rules apply only to covered entities but not business associates, and some apply to both.
For instance, the HIPAA Privacy Rule applies only to covered entities. This rule sets the standards for things like Use and Disclosure, HIPAA release forms, and Notices of Privacy Practices. For example, these rules apply to care providers because they may be responsible for forwarding patient information to another physician, sharing it with an emergency contact, or forwarding it to the insurance company.
A Brief Overview of Some HIPAA Requirements
HIPAA rules require covered entities and business associates to conduct an annual self-audit to assess any gaps in their compliance with HIPAA Privacy and Security Standards. These gaps could be administrative, technical, or even physical.
For instance, if one of the receptionists takes down credit card numbers over the phone with a pencil and leaves that information on the front desk all day, that is an administrative (and physical) gap in compliance.
Remediation Plans
HIPAA rules also require covered entities and business associates to have a remediation plan to respond to any gaps discovered in their audits. Entities must document the remediation plans and include a timetable for filling any discovered gaps. For instance, continuing the above example, the receptionist could have a plan to direct any patients on the phone to a virtual terminal and avoid collecting card numbers over the phone. This process, in turn, will eliminate the problem of writing them down and leaving them about.
Policies and Procedures in Writing
HIPAA rules also require covered entities and business associates to have policies and procedures in place in writing. Entities must update these policies and procedures annually to accommodate organizational changes. Staff must undergo annual training on how to execute these procedures, and there should be documentation verifying their understanding and commitment to following them.
Both covered entities and business associates must have a procedure in place for Incident Management. Patients will need to be notified about a data breach, for instance. Notifying the patient is crucial because patients will need to reach out to their financial institutions to change card numbers and take proactive steps to monitor the profile of their identity against fraud.
This may involve credit monitoring or identity theft monitoring, which many organizations like AAA, AARP, and credit reporting bureaus such as Equifax, Transunion, and Experian provide.
What Are Business Associate Agreements?
Covered entities and business associates must document their sharing of patient health information, encompassing all methods through which they share information. The relationship between the covered entity and the business associate must be formalized in a Business Associate Agreement or BAA.
The two parties must have a BAA in place before they exchange any information. If not, the HHS (Department of Health and Human Services) and OCC (Office for Civil Rights) will consider this a HIPAA violation.
They must update the BA annually to reflect any organizational changes within either party. A lawyer or law firm specializing in HIPAA law is the best source for creating appropriate BAA agreements for each type of relationship.
It can be easy to overlook the necessity of a BAA for certain types of entity-associate relationships. Remember that any party involved in the exchange of health information needs a BAA in place. This can even include a shredding company that frees up storage space or eliminates outdated charts (for instance, as a practice migrates to cloud storage).
What is Protected Health Information?
Protective Health Information or PHI is any information that can identify a patient. This can include medical records, financial information, and personal information. It can even include a photograph (and medical records might include visual information such as MRI scans, x-rays, and ultrasounds).
Any information stored or shared digitally is ePHI or electronic PHI. When the HIPAA Act was first passed, digital information was not a prevalent concern. Most information was still exchanged via paper mail or fax. But since then, the vast majority of patient information has been exchanged electronically.
How Do You Do HIPAA Payment Processing?
To follow are a few pointers (in broad strokes) about HIPAA-compliant credit card processing. Healthcare payment processors will have more detailed information about each of these points and additional factors in healthcare credit card processing.
Only Incorporating Relevant Payment Information
Healthcare payment processing can only include what is necessary to run the transaction. That will include name, card number, billing address, and possibly other details like the card expiration date and CVV (security code). If it’s an ACH transaction, that will include the bank account and routing number.
Processing the payment information for a patient should never include PHI (protective health information). PHI-related details might include information about their condition, treatment, and care. A payment portal that would violate these PHI standards might ask, for instance, the patient to select the reason for their visit.
There is no reason to request this information to process the payment. It’s true that on the back end, you will need this information for reconciling the 837 EDI you send to the insurance company with the 835 ERA they send back. On these forms, you will need to specify the disease and the treatments involved.
However, there is no need for the involvement of this private information in processing payments. If there is some reason you need to match up the payments with the insurance paperwork for accounting purposes, that is something you will need to do on the back end. Better yet, if your payment processor integrates with your medical biller, you can automate your accounting.
Discreet and Secure Tendering of Receipts
Receipts must be provided securely for the patient. You can hand a patient a paper receipt, and then it is their responsibility to keep it secure. However, you cannot deliver electronic receipts via unsecured channels like text or non-secure email.
Obtaining Consent
By non-secure email, we mean email consumer email providers like Google and Yahoo. The caveat is that you can send the patient email receipts if you obtain their consent.
If you do not obtain their consent, you must electronically deliver receipts (and communication with the patient in general) through secure channels. Exchanges of information done outside these parameters risk a HIPAA violation.
This means, for example, that you could not just casually text a patient the results from their lab work or even email them the name of a prescription you’d like them to take.
And in regard to receipts, you cannot even text or email a record of their payment (unless you specifically obtain their consent). You may be wondering how you can effectively provide care outside of office visits if the rules are so tight about texting and emailing patients.
Practice Portal Solutions
Many practitioners get around this issue by providing patients access to a practice portal. These portals have messaging platforms where patients and caregivers can exchange messages. Practice portals can also send records of payment for services rendered.
Payment Processors
You will also need to make sure your payment processor does not communicate with patients through non-secure channels. This is one of the reasons why doctors cannot work with companies like Square, Stripe, and PayPal. These payment processors often allow paying customers to choose texted or emailed receipts.
As mentioned, this is not a HIPPA-compliant practice. Moreover, these types of companies send automated messages to enrolled customers. For instance, when a customer subscribes to a phone-based application, PayPal and/or Apple (or Android) will send them a monthly notification that a payment has been made for such an application. This type of message could compromise the patient’s privacy (and dignity) if the wrong person reads such an email.
Encrypting Payment Data
A HIPAA-compliant electronic payment will also use the latest technology to secure payments. One of the main components of this particular rule is encryption and/or tokenization. Encryption entails scrambling information that requires decoding. In the case of making payments, only the financial institutions involved have the “decoder” to unscramble the information into something relevant.
Tokenization is a similar practice. In broad terms, it involves swapping information out for a “token.” The token can then be presented to access the desired information. Tokenization and encryption can be used together for real-time payments and storing payment information long-term.
The storage of payment information long term is an important consideration in terms of credit card processing for medical practices. Patients are essentially recurring customers who will most likely make a repeat visit. Storing payment information allows for easy payment processing without asking patients to pay each time they visit. That is, the practice can remind the patient that they have a certain card “on file’ and ask if they would like to pay with it.
Encryption and tokenization are essential for securely storing this information long term. Moreover, other tools, such as firewalls, should accompany these practices. Healthcare practices, more often than not, fall into the small to midsize business category. Small and midsize businesses are targeted for data breaches.
For instance, small businesses are subject to social engineering attacks 350% more often than larger enterprises. Social engineering involves some “Trojan Horse” like manipulation. A fraudulent email phishing for information can be all it takes to hack into a database and steal payment information, such as credit card numbers, names, and addresses.
Accepting Payments With the Latest Hardware
Practitioners accepting in-person payments must also use the latest POS systems. The latest point-of-sale terminals have security features that older terminals do not have. One of these features is the ability to take contactless payments and EMV chip payments.
Both contactless payments and EMV chip payments use encryption and/or tokenization (discussed earlier) to complete the payment. This means that every transaction is garbled, randomized, and useless to anyone else. If you’re wondering who that “someone else” could be, it’s card skimmers.
Card skimming works by installing devices on card readers to scoop up information from swiped magnetic strips. Unlike EMV chips and contactless chips, card stripes hold static, ever-present information that does not change, such as card numbers, CVV codes, and customer names. A card skimming device is nearly undetectable to the naked eye and can scoop this information up very easily.
Typically, card skimming occurs at accessible, unsupervised locations such as gas stations. However, it’s not unheard of for it to occur in other places. It’s also important to consider that there has been a recent boom of walk-in clinics in retail settings, such as malls, big-box stores, department stores, and grocery stores.
These locations have longer hours than a typical doctor’s office, have high volumes of foot traffic, and would provide some ripe fruit for card skimmers to pick. However, using contactless and chip payment terminals at these locations eliminates this problem. In fact, this consideration is why Visa and Mastercard will phase out the magstripe by 2033.
Is HIPAA Compliance The Same As PCI DSS?
HIPAA compliance is not the same as PCI DSS, but some considerations may overlap. Visa and Mastercard created the Payment Card Industry Data Security Standards or PCI DSS are regulations for all types of businesses to securely process transactions and store payment information. However, it is not unique to healthcare-related businesses.
Business owners must unavoidably participate in some PCI DSS Standards. An example would be using secure Wi-Fi networks. But others (such as storing credit card info) are, more often than not, cost-prohibitive and best outsourced to a company specializing in payment processing solutions.
Similarly, the care provider cannot avoid some aspects of HIPAA compliance. Examples would include policies and procedures for collecting payments. However, providers can outsource other components, such as storing patient payment data or patient medical data, to a third-party tech company—like an HRM (healthcare relationship management) platform or a payment processing company.
HIPAA Compliant Payment Processing Wrap-Up
HIPAA compliance is a must-do for healthcare providers. Fines are steep (up to $500,000 per offense). Not only that, but they can create reputational setbacks and ethical violations that doctors and care providers swore to uphold.
Contact ECS to learn more about HIPAA-compliant POS hardware and payment processing solutions for your practice. Call us to discuss the matter in person, or fill out the contact form below.
