Best HIPAA Compliant Credit Card Processing Practices
What Parties are Involved in a Credit Card Transaction?
To understand the concept of best HIPAA compliant healthcare credit card processing practices, it is first necessary to have background knowledge about credit card processing in general. The key players in a credit card transaction are:
- The cardholder/patient: The patient possesses the credit card, after card issuance is approved.
- Credit card issuer: The credit card issuer is a financial institution, such as a bank or credit union, that issues cards to cardholders. Examples of credit card issuers include banks such as Citibank, Chase, and Wells Fargo.
- The merchant/healthcare provider: The merchant, which for HIPAA purposes is the healthcare provider, is the entity that accepts credit card payments from the patient. Merchants accept credit card payments under an agreement that the merchant has with a credit card brand.
- Credit card brands: Credit card brands include Visa, MasterCard, Discover, and American Express. Each of these brands is part of a credit card network.
- Credit card network: The credit card network is the entity that enables transactions between merchants and card issuers.
A payment processor selected by the provider then processes the provider’s credit card transactions.
How are Payments Actually Processed?
The credit card payment process starts when the patient begins a transaction (which in PCI parlance, is called a “request”), by swiping or dipping their card for payment at the healthcare provider’s location. “Dipping” is inserting a credit card into a reader in an ATM or EMV point of sale terminal. An EMV transaction is a transaction using a card that contains a computer chip. “Swiping” is an older form of technology, in which the cardholder slides a magnetic stripe on the back of the card through a magnetic stripe reader (EMV card usage in the U.S. began in the last decade. U.S. law does not require the use of EMV chips cards. However, EMV chips store and process significantly more data than do card magnetic stripes, and as a result, EMV cards are harder to counterfeit).
As soon as the card is swiped or dipped, the provider’s point-of-sale (POS) system forwards the details of the transaction to the provider’s payment processor. The processor, in turn, sends the transaction request to the appropriate credit card network. Once the card network receives the request, the network sends the request to the card issuer. It is the card issuer that ultimately approves or declines the transaction. If the cardholder has insufficient funds for the transaction, the issuer will deny the transaction.
Other reasons why a transaction may be declined include:
- The card has been reported lost or stolen; or
- The cardholder’s account is not in good standing.
Once the transaction has been approved by the issuer, the issuer sends that approval to the card network. The network then relays the approval to the processor. Finally, the processor sends approval to the provider.
Best HIPAA Compliant Credit Card Processing Practices: Selecting the Right Processor
Credit card information can be intercepted or hacked during these back-and-forth exchanges, so safe credit card processing for healthcare organizations is crucial.
To ensure patient payment information is protected during the credit card transaction process, the healthcare provider must select an appropriate processor. An appropriate processor is one that offers security features necessary to keep confidential information, including credit card numbers and time of transaction, safe from unauthorized access.
Healthcare providers should select a processor that adheres to Payment Card Industry Data Security Standards (PCI DSS).
Broadly speaking, the phrase “Payment Card Industry,” abbreviated as “PCI,” refers to debit, credit, prepaid, ATM, and point-of service cards, as well as the businesses that use, issue, or accept these cards for payment. A number of the prominent credit companies, including American Express, Discover, MasterCard, and Visa, formed an entity known as the Payment Card Security Standards Council in the mid-2000s. The council then developed a series of security standards referred to as the Payment Card Industry Data Security Standards, referred to as PCI DSS.
What are the Payment Card Industry Data Security Standards?
PCI compliance consists of following the data security standards. The data security standards consist of security directives against which merchants can measure their own payment card security compliance. The security standards address:
- The removal of authentication data from network storage devices and limiting the amount of retained data.
- The protection of access points for systems and networks and responding to system breaches.
- The securing of payment card applications in application controls, servers, and processes.
- The monitoring and controlling of authorized access.
- The protection of stored data with key protection mechanisms.
Selecting a processor that adheres to PCI DSS helps to secure patient payment information confidentiality. This confidentiality, along with compliance with HIPAA, work together to deter cybercriminal activity.
Cyberthieves are hungry for credit card information and healthcare data. Credit card information has been sought after by cybercriminals for decades. In more recent years, cybercriminals have launched targeted attacks against healthcare providers, as providers have converted to electronic health records (EHR) systems. EHRs contain the proverbial “best of all worlds” for a cyber criminal – these records contain both healthcare data – including a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results – as well as billing data and patient information such as address, and mother’s maiden name. PCI compliance and HIPAA compliance act to keep all of this sensitive information out of the hands of cyberthieves.
What is the Link Between Credit Card Processing and HIPAA?
When a financial institution processes consumer-conducted financial transactions by credit card, is it acting as a business associate? Under the HIPAA regulations, the answer is “no.” When a processor conducts these activities, the processor is deemed to be providing its normal banking or other financial transaction services to a provider; the processor is not performing a HIPAA covered function or activity for, or on behalf of, the provider. Therefore, the processor is not a business associate of the healthcare provider.
Business associate functions and activities include, among other activities, practice management and medical billing services. Therefore, a processor that provides these services in addition to payment processing services, is likely to be a business associate under HIPAA, because it is performing a business associate function. Providers should enter into business associate agreements with processors who provide these extra services. Under a business associate agreement, the processor must agree to implement safeguards to ensure it properly secures the PHI it maintains.
Additional measures providers should take to ensure payment information is kept secure include:
- Ensuring unencrypted sensitive payment card data is not stored in electronic or any other form.
- Upgrading from magnetic card readers to EMV chip card readers for point-of-sale transactions. As more businesses have adopted EMV chip card technology, the incidence of credit card fraud has declined.
- Using the latest encryption technology for payment data security. This technology includes point-to-point encryption, and PCI-validated point-to-point encryption (vP2PE).