October 14, 2015

Credit Card Processing & HIPAA

Mohan Balachandran
Mohan Balachandran

Datica Alumni — Former Co-Founder

Credit card processing is one of the most common payment methods in healthcare, especially as the American economy becomes growingly paperless. The information transmitted when processing a credit card is often unconsidered, as well as the potential repercussions of a privacy breach, because many are unaware that this data is protected health information (PHI). The data components in this transaction include the processor’s information (primary care giver), name of credit card owner (patient), and specified time of transaction. Knowing just this much could allow data hackers to target specific patients, therefore classifying credit card data as ePHI (electronic protected health information).

Credit Card Processors and Business Associate Agreements (BAAs)

Many wonder if they need a business associate agreement with payment providers and services to comply with HIPAA. Although processing payments through a credit-card processor generates PHI, Health and Human Services (HHS) has stated that this process is specifically excluded from certain HIPAA mandates, as well as BAA requirements - the key word here being ‘certain’.

Just like many of the convoluted directives of HIPAA, the compliance solution is not black or white. So although simple credit card processing may not mandate an enacted BAA, if the card processor being utilized also offers services like gift cards, reporting, analysis, account balance, accounts receivable, etc. then a BAA must be put in place to achieve HIPAA compliance. So when deciding on how you plan to receive credit card payments when pertaining to healthcare transactions, you must first decide what services you want. If the extra services are beneficial to your business, find a processor that is willing to sign a BAA. If not, a simple credit card processor is exempt from the HIPAA BAA requirements but, as a word of caution, remain conscious of the PCI regulations that are strictly enforced and consequences of non compliance could result in some hefty fines and loss in reputation.

For further reading, check out these other posts:

  1. BAA isn’t a Checkbox for HIPAA Compliance
  2. Top 5 Things You Find In An Ideal Business Associate Agreement
  3. If a vendor won’t sign a BAA, they aren’t “HIPAA Compliant”

If you want to read what the healthcare industry thought leaders have to say about healthcare innovation, you can check out our annual report that looks at the most sweeping insights going in this ever evolving industry.



The Importance of Business Associate Agreements (BAAs)

Mohan Balachandran


Simply put, a Business Associate Agreement (BAA) defines responsibility, and thus liability, with respect to the handling of PHI data.

event-note December 11, 2014

3 Common Misconceptions About Business Associate Agreements

Laleh Hassibi

Vice President of Marketing

HIPAA outlines the types of entities that are covered but the further down the line a subcontractor gets from a covered entity, the more confusion there is.

event-note June 2, 2017

What is the cost of a HIPAA audit?

Travis Good, MD

Co-founder & Chief Technology Officer

The cost of a HIPAA audit depends on audit type – HIPAA gap assessment, full HIPAA audit, or validated HITRUST assessment – and indirect costs like time.

event-note January 23, 2019

How long to keep medical records under HIPAA?

Travis Good, MD

Co-founder & Chief Technology Officer

Guess what? HIPAA doesn't say how long you have to keep medical records. This is a common misconception of HIPAA data retention policy.

event-note April 17, 2014