HIPAA-compliant payment processing for medical services

Most physicians know they have an obligation to keep their patients’ personal, medical, and financial information safe and secure. But securing protected health information (PHI) isn’t easy.

There are strict requirements for keeping patient data safe. Mandated by the Health Insurance Portability and Accountability Act (HIPAA), these requirements include guidelines for keeping personal health information secure — whether it’s in paper, digital, or even oral form.

Everything from name, credit card number, and date of birth to things specific to the healthcare process, such as medical records and insurance information, are considered PHI. As a provider, you must protect any and all information within your control that could be used by an outside party to identify one of your patients, which is why you need HIPAA-compliant payment processing.

While many patients have healthcare coverage that pays their medical costs, most still have to pay for out-of-pocket expenses and copays. In fact, more than half of credit cardholders reported paying medical costs with a credit card at some time in their lives.

With fewer people paying with cash and check, credit cards and apps have become standard methods of payment. Here’s how to adopt HIPAA-compliant payment processing to ensure the confidentiality of patient payment information.

The link between HIPAA and credit card processing

To understand how to facilitate HIPAA-compliant credit card processing, it’s important to know whether or not HIPAA considers payment processors to be business associates. If they are, the provider must have a business associate agreement (BAA) in place so that the processor is contractually bound to safeguard PHI and to handle a breach properly.

Under HIPAA regulations, a financial institution processing transactions by credit card is not acting as a business associate; instead, it’s considered to be providing its normal banking or other financial transaction services to a healthcare provider.

In other words, the processor isn’t conducting a HIPAA-covered function or activity for — or on behalf of — the provider. That means the processor is not a business associate of the healthcare provider.

However, there’s a catch. If a processor provides other activities — such as practice management, reporting services, or medical billing services — in addition to payment processing, it’s likely to be considered a business associate under HIPAA because it is performing a function of a business associate. In that case, providers need to enter into a BAA with the processor, which will agree to implement safeguards to ensure it properly secures any PHI.

How to remain HIPAA compliant while processing credit cards

In addition to entering into a BAA with payment processors, there are steps providers need to take to remain HIPAA compliant when processing credit card payments. Those include

  • Not providing any PHI, including details about treatment or care, when processing your patient’s card, and sending the processor only what’s required for the payment to be processed
  • Never sending receipts via text message or non-secure email — and making sure your processor doesn’t send them that way, either
  • Using the latest encryption technology for payment data security, which can include point-to-point encryption and PCI-validated point-to-point encryption (vP2PE)
  • Ensuring unencrypted sensitive payment card data isn’t stored electronically or in any other form
  • Upgrading from magnetic-stripe card readers to Europay/Mastercard/Visa (EMV) chip card technology — something that can help reduce counterfeit fraud by 76 percent
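The first two items in the list above (send the processor only what the payment needs, and keep receipts off text message and plain email) can be enforced in code at the point where a charge leaves the practice’s system. The following is an added example, not JotForm’s or Square’s code; the field names, channel names, and sample charge are assumptions constructed for illustration.

```python
"""Data-minimization gate for outbound card charges (added example).

Fails closed: if a billing system hands us a charge that carries PHI or
raw card data, the request is refused rather than silently forwarded.
All field and channel names are assumed, not a real processor's API.
"""

# The only fields a card charge needs. Anything else is dropped, never sent.
ALLOWED_FIELDS = {"amount_cents", "currency", "card_token", "reference"}

# Fields that would leak PHI to the processor if forwarded.
PHI_FIELDS = {"diagnosis", "procedure", "treatment_notes",
              "insurance_id", "date_of_birth"}

# Raw card data must never leave the terminal/tokenizer in the clear.
RAW_CARD_FIELDS = {"card_number", "cvv", "expiry"}

# Receipt channels treated as secure; SMS and plain email are excluded.
SECURE_RECEIPT_CHANNELS = {"patient_portal", "printed"}


def build_processor_request(charge: dict) -> dict:
    """Return the minimal payload for the processor, or raise ValueError."""
    leaked = set(charge) & (PHI_FIELDS | RAW_CARD_FIELDS)
    if leaked:
        raise ValueError(f"refusing to send PHI or raw card data: {sorted(leaked)}")
    missing = ALLOWED_FIELDS - set(charge)
    if missing:
        raise ValueError(f"missing required payment fields: {sorted(missing)}")
    # Allowlist copy: unknown extra keys are dropped rather than forwarded.
    return {key: charge[key] for key in ALLOWED_FIELDS}


def receipt_channel_allowed(channel: str) -> bool:
    """True only for channels the practice considers secure for receipts."""
    return channel in SECURE_RECEIPT_CHANNELS


# Constructed sample: a billing system has attached a diagnosis to the charge.
SAMPLE_CHARGE = {
    "amount_cents": 2500,
    "currency": "USD",
    "card_token": "tok_placeholder",   # token from the card reader, not a PAN
    "reference": "invoice-0001",       # opaque invoice id, carries no PHI
    "diagnosis": "sample-diagnosis",   # PHI that must not reach the processor
}


def sanitized_sample() -> dict:
    """Strip PHI before building the request; returns the allowed payload."""
    clean = {k: v for k, v in SAMPLE_CHARGE.items() if k not in PHI_FIELDS}
    return build_processor_request(clean)
```

Passing `SAMPLE_CHARGE` straight to `build_processor_request` raises, which is the intended behaviour: the upstream system that attached the diagnosis is the bug to fix, not something to paper over at the payment step.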

This will help ensure that your patients’ credit card transactions and PHI are safe, secure, and kept out of the hands of cybercriminals.

Using Square and other apps

Not everyone is on board with paying via credit card, and the use of apps for payment has become much more common. However, many of them aren’t HIPAA compliant because they don’t offer a BAA. Popular options that aren’t HIPAA compliant include

  • Venmo
  • Zelle
  • PayPal
  • Facebook money transfer

One solution that is HIPAA compliant and easy to integrate with JotForm is Square, which offers a wide range of payment services. Square provides a BAA in which they commit to operating in accordance with HIPAA guidelines, agree not to use or disclose PHI in any other way than is permitted under HIPAA, and agree to comply with regulations on electronic protected health information.

Payment processing priority

Regardless of how you accept payments, making sure patient data is safe and secure should be one of your highest priorities. To ensure that you’re doing all you can in this regard, discuss compliance with your payment processing company and secure a BAA. As you take all the necessary steps, you can rest assured that your practice and payment processor are working toward HIPAA compliance — and providing secure payment options for your patients.

This article was originally published on Jun 19, 2020, and updated on Aug 07, 2020.
AUTHOR
Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form.