Datica Blog

Credit Card Processing & HIPAA

Mohan Balachandran, Co-Founder

October 14, 2015   API

Credit card processing is one of the most common payment methods in healthcare, especially as the American economy becomes increasingly paperless. The information transmitted when a card is processed, and the repercussions of a breach of that information, are rarely considered, because many people do not realize that this data is protected health information (PHI). A payment transaction carries the merchant's identity (the healthcare provider), the name of the cardholder (the patient), and the date and time of the transaction. That alone ties an identifiable individual to a specific provider on a specific date, which is enough for an attacker to target particular patients, and it is why credit card transaction data in a healthcare setting is classified as ePHI (electronic protected health information).

Credit Card Processors and Business Associate Agreements (BAAs)

Many organizations wonder whether they need a business associate agreement with their payment providers and services in order to comply with HIPAA. Although processing a payment through a credit card processor does generate PHI, the Department of Health and Human Services (HHS) has stated that payment processing is specifically excluded from certain HIPAA mandates, including the BAA requirement. The key word here is "certain".

Like many of HIPAA's convoluted directives, the answer is not black and white. Simple credit card processing by itself may not require a BAA, but if the card processor you use also provides services such as gift cards, reporting, analytics, account balances, or accounts receivable, then those services go beyond payment processing and a BAA must be in place to achieve HIPAA compliance. So when deciding how you will accept credit card payments for healthcare transactions, first decide which services you actually need. If the extra services are beneficial to your business, find a processor that is willing to sign a BAA. If not, a processor that only handles payments is exempt from the HIPAA BAA requirement. As a word of caution, remain mindful that the PCI DSS requirements still apply to any card data you handle and are strictly enforced; the consequences of non-compliance can include hefty fines and loss of reputation.

For further reading, check out these other posts:

  1. BAA isn’t a Checkbox for HIPAA Compliance
  2. Top 5 Things You Find In An Ideal Business Associate Agreement
  3. If a vendor won’t sign a BAA, they aren’t “HIPAA Compliant”

