In December 2019, a ransomware attack targeted an accounting firm — and hackers took advantage of the breach for three days. But they didn’t simply steal financial data.
The accounting firm’s clients included Community Care Physicians, which means much of the stolen data was considered protected health information (PHI). One of the patients impacted by this breach filed suit against the firm, citing a lack of adequate security measures. If an investigation reveals that the accounting firm had inadequate security, then it has broken both state law and Health Insurance Portability and Accountability Act (HIPAA) regulations.
When most people think of PHI, they might assume that it only relates to medical records or lab results. However, HIPAA also covers financial information used to pay for healthcare. That means your organization needs to protect this data as fiercely as it protects your patients’ health records. But what does HIPAA require for payment processing, and how can you keep your payment methods secure?
HIPAA protects all of your patients’ personal data
HIPAA classifies 18 different identifiers as PHI. These include financial information such as account numbers, Social Security numbers, and health plan beneficiary numbers. Healthcare organizations often store these identifiers to process payments and for other accounting purposes.
HIPAA requires that you protect this financial information just like you’d protect other types of medical data. Failing to do so can lead to expensive fines, legal trouble, and a bad reputation for your business.
While HIPAA doesn’t lay out specific guidelines for how to protect financial data, other industry standards do. For instance, the Payment Card Industry Data Security Standard (PCI DSS), an industry standard established by major credit card companies, sets out requirements for companies that process credit card payments. Complying with these basic standards is a great first step toward being HIPAA compliant.
However, this is just a start to becoming legally compliant. What steps can you take to help keep your payment systems HIPAA compliant?
How to keep your payment systems HIPAA compliant
Companies are continually developing safer ways for consumers to pay, but it’s up to you to take advantage of these methods by upgrading your payment processing. Using the following methods can help you make your payment systems safer:
- Collect financial information securely. Use HIPAA-compliant forms to gather the financial information you need for billing and payment processing.
- Keep stored financial data secure and encrypted. Your organization should keep all physical copies under lock and key. Make sure that electronic data remains encrypted during every stage of the payment process.
- Install security features on hardware. While credit card readers have built-in security, payment methods that use mobile devices often require you to add security features to your devices.
- Upgrade to EMV chip card technology. Chip cards are a more secure way of paying since the card creates a unique, one-time identifier for each new transaction.
- Disable SMS receipts. Some credit card processors automatically send credit card receipts to customers over SMS or text. These channels aren’t secure and don’t allow encrypted messages, so you can’t send a receipt that will include PHI. If you would like to send receipts, use a secured email or paper receipt instead.
- Know who is considered a business associate and who isn’t. HIPAA requires that you sign a business associate agreement (BAA) with many of the organizations you do business with because the contract lays out what they can and can’t do with your PHI. Financial institutions that only process payments for healthcare organizations aren’t considered business associates, so you don’t need to sign BAAs with them. However, if they do any other type of financial services for your organization, such as financial reports or invoices, then they become business associates, and you must sign BAAs with them.
- Follow PCI DSS requirements. This includes having firewalls, encrypting all data transmissions, and using antivirus software. You also need to restrict access to cardholder data and monitor network resources.
Following these simple steps can prevent hackers and data breaches from impacting your patients’ data. It also protects your business from the legal and financial problems that a HIPAA violation can create.
The accounting firm mentioned earlier faced a huge problem when their clients’ PHI was stolen, but you don’t have to make the same mistake. By using basic security methods, you can carry out your financial transactions easily and remotely without worrying about theft. But how can you collect the information you need to process payments?