Credit Card Processors and Business Associate Agreements (BAAs)
Many wonder whether they need a business associate agreement with payment providers and services to comply with HIPAA. Although a payment run through a credit card processor can carry PHI (a patient's name, card or account number, and the fact that they paid a healthcare provider), Health and Human Services (HHS) has stated that payment processing by a financial institution is excluded from certain HIPAA mandates, including the BAA requirement, under the banking exemption in Section 1179 of HIPAA. The key word here is "certain".
Just like many of HIPAA's convoluted directives, the compliance answer is not black or white. Simple credit card processing (authorizing, clearing and settling a payment) does not by itself require a BAA. But if the card processor you use also provides services that go beyond processing the payment, such as gift cards, reporting, analytics, account balances or accounts receivable management, then it is creating, receiving, maintaining or transmitting PHI on your behalf, and a BAA must be put in place to achieve HIPAA compliance. So when deciding how you plan to accept credit card payments for healthcare transactions, first decide which services you actually want. If the extra services are beneficial to your business, find a processor that is willing to sign a BAA. If not, a plain credit card processor is exempt from the HIPAA BAA requirement. As a word of caution, that exemption is limited to HIPAA: the PCI DSS requirements still apply to every card transaction you accept, are enforced contractually by the card brands and your acquiring bank, and non-compliance can result in hefty fines and loss of reputation.
For further reading, check out these other posts:
- BAA isn’t a Checkbox for HIPAA Compliance
- Top 5 Things You Find In An Ideal Business Associate Agreement
- If a vendor won’t sign a BAA, they aren’t “HIPAA Compliant”
If you want to read what healthcare industry thought leaders have to say about healthcare innovation, check out our annual report, which looks at the most sweeping insights in this ever-evolving industry.