What You Should Know About Credit Card Processing and HIPAA Compliance
It’s not unusual for health and medical businesses to question their security obligations. After all, any company that deals with patient data or processes credit card fees must be compliant. But these two areas don’t always overlap when it comes to the standards that govern them. If you run a healthcare business, here’s what you should know about credit card processing and HIPAA compliance.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) defines how patient data and other medical information must be managed and kept safe.
The main reason this legislation exists is to ensure the privacy of individual health records. And it achieves this by requiring every business handling, storing, or transmitting protected health information (PHI) to meet certain standards.
- run a medical office,
- provide healthcare services, or
- operate a business that supports those who do,
there’s a good chance you are (or should be) HIPAA compliant.
To avoid being penalized for failure to comply, it’s important that you become familiar with and follow the regulations and security measures surrounding patient transactions.
Compliance in Credit Card Processing
Health, medical, and wellness businesses that process credit card payments have an added level of responsibility in terms of ensuring security: the protection of their clients’ financial information.
Fortunately, credit card processors like First Data (the largest processor in the world) must adhere to Payment Card Industry Data Security Standards (PCI-DSS) for protecting cardholder data. In fact, First Data not only meets the requirements for these Standards, they go above and beyond them to ensure your payment data is safe.
Data breaches geared toward identity theft are on the rise among healthcare providers. So if you use credit card processing for small medical business-related transactions, it’s more important than ever that you work with a reputable payment partner like Beacon.
Not only does Beacon specialize in payment gateways and solutions for the health and wellness community, they only work with PCI Level-1 compliant service providers like First Data.
Do Credit Cards and HIPAA Share Common Ground?
Some 70% of healthcare organizations aren’t currently HIPAA compliant. But given the potential security threat this poses, there’s clearly good reason to ensure you’re not one of them.
When it comes to HIPAA compliant credit card processing, for example, PCI-DSS Standards and HIPAA regulations require that those providing health services take suitable and reasonable precautions to protect client credit card payments.
What that means in terms of actionable steps, however, is a little less clear. Which may explain why, as a credit card processor, First Data claims they frequently hear from healthcare providers with questions about HIPAA compliance.
Here’s what you should know about credit card processing and HIPAA compliance.
According to the US Department of Health and Human Services (HHS.gov), credit card processing does not fall within the scope of HIPAA.
Because no health record information is being stored – only credit card payment information.
There is, however, an important point to take note of. This exemption regarding the relationship between HIPAA and credit card processing applies only to the actual card processing services. So it’s vital that your business never use its merchant account to:
- store health records,
- enter data related to medical procedures, or
- insert invoice line items or transaction comments that reflect protected health information
Healthcare payment processing companies like Beacon don’t handle patient information – and processors like First Data do not store or transmit ePHI (electronic protected health information) accounts. So, if your business engages with them to perform such activities, you risk violating their Terms of Service.
HIPAA regulations can be complex and confusing for the small business owner. In the end, if you’re experiencing payment challenges – or have questions regarding PCI-DSS Standards, or your payment partner’s role in terms of HIPAA compliance – you should contact your service provider.