4 Rules When Accepting Credit Card Payments to Ensure HIPAA Compliance

Rich McIver

Guest post by Rich McIver, founder, MerchantNegotiators.com.

In January of this year, Anthem, Inc., a managed care provider, learned of a cyber attack on its IT systems. The attack, which began in December 2014 and continued over several weeks, compromised the personal information of over 80 million customers. Because the records exposed included the protected health information of millions of people, the breach exposes the provider to potentially devastating liability under HIPAA.

Unfortunately, this sort of breach against healthcare providers is becoming ever more common. The Ponemon Institute, along with ID Experts, issued a report in May of this year on healthcare data breaches. The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data calculates 125 percent growth in criminal attacks on healthcare organizations over the past five years. Although employee negligence and lost or stolen devices still account for many data breaches, a shift is occurring from accidental loss to deliberate targeting of records that contain names, Social Security numbers, and other personal information.

Healthcare providers are targeted because the information they hold in order to treat patients is substantial enough that criminals can commit identity theft using data stolen from a single provider. Criminals also target healthcare data because they know that many healthcare organizations, insurers included, lack the resources or technology to prevent or even detect an attack.

Anthem is a large corporate entity that can afford the technology required to protect HIPAA-sensitive data, and yet the breach still occurred. What can other healthcare businesses do to prevent or detect an attack on HIPAA-sensitive data?

Meeting Standards, Avoiding Fines
The growing use of electronic health records and electronic protected health information (ePHI) drives the need to protect the information those records contain. But while the records themselves are often well secured, an often overlooked weak point is credit card processing. The Payment Card Industry Data Security Standard (PCI DSS) sets specific requirements for protecting cardholder data, and the HIPAA Security Rule requires reasonable and appropriate safeguards for ePHI, including payment records that identify a patient. How those rules translate into actionable steps, however, is less clear. To that end, here are four rules to follow when accepting credit card payments so that you meet the mandated or recommended HIPAA and PCI compliance guidelines:

  1. Ensure Your Processor Doesn’t Send SMS Credit Card Receipts: Some credit card processors, like Square, send electronic receipts to your customers via text message (SMS). A receipt from a healthcare provider identifies the patient and the fact that they paid for care, so it can constitute protected health information and must only be transmitted over secure channels, which SMS is not. Therefore, if you want to provide receipts, either make sure they are delivered via secured email or provide them exclusively in paper form.
  2. Obtain a Business Associate Agreement With Your Processor: If your credit card processor does nothing more than process payments, HIPAA provides an exception under which you do not need a Business Associate Agreement (BAA) with that processor. The exception, however, is narrow and covers only the payment processing itself. If the processor also provides account analysis, reporting, or any of the ancillary services processors commonly offer, such as gift card programs, you very likely need a BAA. That leaves you two choices: either limit the services your merchant account provider gives you to payment processing alone, or obtain a valid BAA from them.
  3. Any Physically Stored Card Numbers Must Be Secured: All businesses that accept payment cards, not just healthcare entities, must comply with PCI DSS. Visa, MasterCard, Discover, American Express, and JCB mandate this compliance to protect cardholder data against theft and fraud. One of the most basic requirements is that any written copy of a credit card authorization that lists the customer’s card number be kept under lock and key, with access limited to staff who need it. Note also that PCI DSS never permits storing the card security code (CVV) or full magnetic-stripe data after authorization, on paper or otherwise, so those fields should not appear on any stored authorization form.
  4. Secure Your Swiping Hardware: Traditionally, credit card payments were swiped on a stand-alone countertop terminal. Those devices are designed and certified for payment use, so the main concerns there are ensuring that the network connection the terminal uses is PCI compliant and periodically inspecting the terminal for signs of tampering or an attached skimmer. But if you are using a newer type of device, like the Clover Station, or a reader that turns existing hardware such as an iPad or your cellphone into a card-accepting device, then that general-purpose hardware must itself be secured: kept updated, protected by a passcode, and not used for unrelated apps that could expose the payment application.

If your healthcare organization isn’t following the above guidelines, you are not alone. The Ponemon Institute study estimates that less than half of all healthcare organizations and their business associates fully comply with either PCI DSS or HIPAA. The fact that other healthcare providers aren’t fully compliant, however, should not discourage action on your part. With 91 percent of healthcare organizations and 59 percent of business associates reporting a data breach within the past five years, it’s not a question of if, but when, it will happen to you and your patients.


5 comments on “4 Rules When Accepting Credit Card Payments to Ensure HIPAA Compliance”

It’s amazing to think how basically every interaction and every integration of more and more technology in the healthcare model is just another opportunity for the malicious to attempt to take advantage of security vulnerabilities.

Great tips for keeping your medical practice secure. You should also make sure that no sensitive data is stored on the website when you take credit card payments online. Unfortunately most web designers don’t understand HIPAA, or don’t take the time to know what is safe and what is not safe. When I build sites that take online payments I always make sure the credit card data is not stored on the backend, in fact it doesn’t even have to be stored on the doctor’s website at all.

Toby, I store credit card info on my virtual terminal and run it when my clients come in, and run it when their deductible hits on insurance. They gave me a BAA. I have researched it and have been told this complies with HIPAA; I have a BAA from them. The CC processor is PCI Level 1. Does this comply with HIPAA in your opinion?

Thanks for this. Interesting. I am an LCSW in NJ. I do have a HIPAA compliant email system and my notes/invoice program is HIPAA compliant. However, I use ELAVON (like Square, but cheaper) to take CC. The CC machine is not connected to the note/invoice program. Does ELAVON have to be HIPAA compliant? If so, I guess my next question is: why? How is bank information PHI? Sorry if this is a silly question; it’s just not obvious to me. Jessica
