Datica Blog

October 14, 2015

Credit Card Processing & HIPAA

Datica Team

Editorial Staff

Credit card processing is one of the most common payment methods in healthcare, especially as the American economy becomes increasingly paperless. The information transmitted when a credit card is processed, and the potential repercussions of a privacy breach, are often given little thought, because many are unaware that this data is protected health information (PHI). The data components in this transaction include the processor’s information (primary care giver), the name of the credit card owner (patient), and the time of the transaction. Knowing just this much could allow attackers to target specific patients, which is why credit card data is classified as ePHI (electronic protected health information).

Credit Card Processors and Business Associate Agreements (BAAs)

Many wonder whether they need a business associate agreement with payment providers and services in order to comply with HIPAA. Although processing payments through a credit-card processor generates PHI, Health and Human Services (HHS) has stated that this process is specifically excluded from certain HIPAA mandates, as well as from BAA requirements; the key word here is ‘certain’.

Like many of HIPAA’s convoluted directives, the compliance answer is not black or white. Simple credit card processing may not require a BAA, but if the card processor you use also offers services such as gift cards, reporting, analysis, account balances, accounts receivable, etc., then a BAA must be in place to achieve HIPAA compliance. So when deciding how you plan to receive credit card payments for healthcare transactions, first decide which services you want. If the extra services are beneficial to your business, find a processor that is willing to sign a BAA. If not, a simple credit card processor is exempt from the HIPAA BAA requirement; as a word of caution, however, remain conscious of the PCI regulations, which are strictly enforced, since non-compliance can result in hefty fines and loss of reputation.

For further reading, check out these other posts:

  1. BAA isn’t a Checkbox for HIPAA Compliance
  2. Top 5 Things You Find In An Ideal Business Associate Agreement
  3. If a vendor won’t sign a BAA, they aren’t “HIPAA Compliant”
