Best practices for secure payment processing

Tyler Olson/Shutterstock

Most physicians understand they have a serious obligation to safeguard their patients’ personal, medical, and financial information. Some might even call it the new HIPAA-cratic oath. But even for physicians with the best of intentions, securing patient data is not an easy task.

Under the HIPAA Privacy and Security Rules, protected health information (PHI) is defined as “individually identifiable information relating to the health status of an individual; the provision of healthcare; or individually identifiable information that is created, collected, or transmitted by a HIPAA-covered entity in relation to payment for healthcare services.”

More specifically, HIPAA specifies 18 different data elements that could be used to identify an individual. Most items on the list are self-explanatory (name, address, social security number, phone numbers, photos); some are specific to the healthcare process (medical record number, insurance info); and a few are more esoteric (fingerprints, retinal scans, web URLs, and IP addresses).

The bottom line is that you must protect any and all information within your control that a third party could use to identify one of your patients.

But even more worrisome than retinal scans is an activity that occurs every day in every medical practice: payment processing. One reason payment processing represents a far greater potential security vulnerability is a general misunderstanding of the so-called payment exception under HIPAA. The payment exception only allows physicians to disclose PHI to third parties, such as insurance companies or other providers, for the purpose of collecting a payment for provided health services. In other words, the exception does not excuse physicians from otherwise protecting PHIs.

In fact, both HIPAA and the Payment Card Industry’s Data Security Standards (PCI DSS) require health providers to maintain reasonable and appropriate safeguards to protect credit card information. Failing to do so can involve significant penalties, including large fines, potential legal liabilities, and, in extreme cases, a suspension from accepting credit card payments.

Despite the risks, credit card processing has become so ubiquitous in retail settings and online that office staff may assume security protections are automatically built in or not their responsibility. Indeed, many physicians may also be unaware that not all payment devices are alike.

There are significant differences in security and fraud protections across the spectrum of payment types, methods, and vendors. Here are four best practices for accepting payment cards in healthcare environments, regardless of payment method.

Avoid storing unencrypted sensitive payment card data in electronic form (or any form for that matter).

Card numbers in the clear, or those that are unencrypted and readable by sight, are not only visible to employees but often find their way onto internet browsers, emails, paper statements, and sticky notes. There are software platforms that allow healthcare practices to process card payments without storing the information. Do your due diligence to protect your patients-and yourself.

Upgrade to payment terminals that support EMV chip card technology for point-of-sale or point-of-care transactions.

EMV is an acronym for Europay/Mastercard/Visa, the three card companies that created a more secure method for storing data on payment cards by adding a computer chip, the little shiny square on the front of the card, in addition to the magnetic stripe on the back. You use EMV technology when you insert your card into a payment device instead of swiping it.

While using EMV is not mandatory, as of Oct. 1, 2015, the liability for payment card fraud shifted from the card comopanies to merchants, or in this case, medical practices. EMV capable card readers may be more expensive, but payment fraud is ultimately costlier both in dollars and reputational damage. There is already compelling proof of EMV’s effectiveness. Visa Inc. reported that from December 2015 to September 2017, the number of merchants accepting EMV rose to 2.7 million. During that time, in-store credit card fraud dropped 70 percent.

Know that not all encryption methods are alike.

The gold standard in payment data security is PCI validated point-to-point encryption (vP2PE). The vP2PE standard requires sensitive card data to be encrypted immediately upon swipe, dip, or tap (otherwise known as near-field communications). That way, the card number is encrypted throughout its path to the payment gateway. As the encrypted data passes through the medical practice’s workstations, servers, or networks, the card number is undecipherable even if intercepted or copied.

This method avoids the issue that Marriott’s Starwood hotel reservation system recently experienced. Hackers, or state actors, compromised the database and pilfered a treasure trove of personally identifiable data, including encrypted credit card numbers. Unfortunately, Marriott was not able to rule out that the hackers may have also stolen the de-encryption keys.

Ask your payment card merchant services provider to sign a HIPAA Business Associate (BA) agreement.

It may seem like a belt and suspenders approach, but ask anyway. Many merchants will push back, claiming the HIPAA payment exception. But that only applies specifically to actual card processing. There are often other ancillary services that your vendor provides, such as reporting, that require them to access and transmit PHI.

Dan Berger is the national director of healthcare for AxiaMed, a provider of flexible and secure healthcare payment solutions that are in use at hundreds of hospitals and thousands of ambulatory practices throughout the United States.