HIPAA and Credit Cards

July 31, 2014

coding, insurance

Note: this is a long post about untested legal issues. I may not know what I am talking about, so I welcome input!

Executive summary: if your financial services vendor does more for you than swipe your credit cards - such as storing card numbers, mailing collection letters, setting up payment schedules/budgets, confirming addresses, sending electronic invoices - then you need a BAA or are exposing yourself to millions of dollars of fines.

Earlier this year, Brandon Betancourt and I did a popular mediacast about keeping credit cards on file. The goal is to reduce personal A/R and make it easier for your patients to pay their bills by having the ability to hit your patients' credit cards easily and fairly. Some of the various payment vendors have also developed some clever patient budgeting tools, on-line bill delivery, and so forth.

All great ideas, imo. But there is an important caveat. If you are looking to implement any of these services and credit card processor is doing anything besides simply swiping the card, you need to get a Business Associates Agreement (BAA) signed right away. Using any financial service to do anything more than swipe the card falls outside the exemption created to avoid HIPAA mess.

Before I go through the details, here's why I think this is important:

most of the vendors PCC (and our clients) work with don't appear to take this issue seriously or agree with the obvious conclusion. No surprise, when you think about it: they don't want to have to do more work or be on the hook for HIPAA violations. Remember, they protect themselves first, no you.
many of PCC's clients don't think this is a big deal because they misunderstand what Protected Health Information (PHI) is or how it can be exposed. "So what if the credit card company has a patient name? It's low risk." The problem is that if your financial service has any kind of breach, your practice faces massive HIPAA fines. This isn't about the privacy of the patient in front of you but about a third-party and your HIPAA obligation.

Don't think it can happen? Play with this awesome site and see that breaches happen every day.

[Update: check out this informative site detailing the largest breaches YTD 2017!]

Don't think there's much to worry about if it does happen? "Civil monetary penalties after HITECH now range anywhere from $50,000 to $1.5 million per violation per calendar year."

What triggered this blog post? An email one of my clients shared with a very large, well known financial services company that made a couple of, well, crazy statements. First, our client asked:

We have additional privacy obligations by federal law as a medical practice. Do you have a HIPPA Business Associate contract we can sign?

Their reply:

You can remain HIPAA compliant however by not submitting to us any information that is covered by HIPAA, which is what many large and well-known medical companies who use XXXX do.

...and then went on to say:

Since XXXX only processes payments, we only receive payment information and don't have access to protected health information (PHI) as defined in HIPAA and because financial processing by a financial institution (such as our partner YYYY) is excluded from definition of business associates. Since we don't have access to PHI, our services don't need to be HIPAA-compliant.

It is, by any measure, impossible to perform a credit card transaction without sharing PHI. You've got a patient name (or patient family name) and the name of the practice. That's PHI, period. That some of these large vendors don't understand this scares me. What scares me more is that this vendor may be right about not needing a BAA here, but for the wrong reasons!

"But, wait?! I need a BAA with my credit card company?" No, you don't necessarily need a BAA at all. As long as the vendor is only processing your payments directly, you are all set. The reasoning is sensible and clear: the Feds knew that if they required BAAs between every practice and credit card company, things would grind to a halt. So they created a specific EXEMPTION for the sole purpose of processing payments referred to as "Sec. 1179." Here's the Fed's summary of their view:

When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.

So, the vendor above is right: if they are only processing payments, no BAA is needed...but because there is a specific federal exemption, NOT because the data being transferred isn't protected!

However, to make matters worse, here's how the financial institute interpreted the Fed's language:

HIPAA also provides an exemption under the business associate definition for financial services companies that are providing "normal banking or other financial transactions... for, or on behalf of, the covered entity..."

Wait, wait, wait, wait. We're on the right track - there's a reference to the exemption - but the vendor has totally misinterpreted the Fed's language. There isn't an exemption for financial services companies, there's an exemption for specific services that they might provide. That's a subtle, but enormous, difference. With millions of dollars of fines at stake, these differences matter.

What services fall outside the exemption and require a BAA? As I mention up top, they include storing card numbers, mailing collection letters, setting up payment schedules/budgets, confirming addresses, sending electronic invoices, and much more. That's right - if you are using Square or PayPal or Swipe and send electronic invoices or receipts...you need a BAA. Don't take my word for it. Here's what some experts say:

http://www.personcenteredtech.com/2014/01/banks-and-hipaa-checks-credit-cards-vs-receipts-invoices/

http://www.physicianspractice.com/blog/does-financial-institution-qualify-hipaa-business-associate

http://www.healthcarelawmatters.com/compliance/the-convergence-of-health-care-and-banking/

http://www.vorys.com/publications-1114.html

Here it is directly from the experts: Square and friends are not HIPAA compliant unless you turn off a lot of their services.

Still don't see the problem? Here it is: there are data breaches of financial service vendors every day of the week. Your practice is exposed in a way that Target isn't, though: you are on the hook for HIPAA. So if your business partner has a breach, and you don't have a BAA in place, YOU are the one paying the fines and making the news. This has nothing to do with the risk of accidentally sharing data about the patient in front of you. Or any of your patients, really.

6 Comments

Chip's Next Appearance

11/10/23

Pediatric CEO Intensive

Do you own your practice or does your practice own you?
You own and run a super busy pediatric practice but you know you haven’t reached your maximum potential. You know you need to invest in yourself so you can continue to grow your practice and as a professional. You own a multimillion dollar business, after all.

Enter Pediatric CEO Intensive.

We’ve done the work for you to bring all the best business minds together at this first-of-its-kind event to help you level up your frame of mind. Instead of spending tens of thousands of dollars and countless hours chasing down the solutions, we’ve assembled exactly what you need in one perfect weekend…

Register Here
05/10/23

Children's Community Physicians Association Annual Meeting

Off to Chicago to have a blast with Heidi from PedsOne and that goofball I used to do a podcast with, Brandon Betancourt.

Register Here
05/23/23

AL AAP 2023 Spring Meeting & Fall Pediatric Update

Alabama Chapter-AAP members and other pediatric healthcare providers, join the Chapter for its signature event, the Spring Meeting & Pediatric Update! In 2023, we are delighted to host pediatricians from throughout the state and region once again at The Lodge at Gulf State Park in Gulf Shores, AL, this time on Memorial Day weekend!

Register Here
04/17/23

FCAAP Forum Series

The 2023 series will offer four focus areas over the course of the year: Practice Culture, Immunizations, Professional Development, and Advocacy. Speakers for the series include Dr. Brandon Chatani, Dr. Sandy Chung, Dr. Nola Ernest, Dr. Shannon Fox-Levine, Mr. Chip Hart, Dr. Akshata Hopkins, Dr. Joanna Perdomo, Dr. Toni Richards-Rowley, Mr. Tim Rushford, Dr. Katie Schafer, Dr. Robin Warner, Dr. Melinda Williams-Willingham, and Dr. Mariam Zeini.

Register Here
09/01/23

The Future of Pediatric Practice 2023

The Future of Pediatric Practice (FPP) is the annual conference of the Florida Chapter of American Academy of Pediatrics. Hosted over Labor Day weekend each year, the conference attracts pediatric health care professionals from around the state of Florida and across the country. This will be my 10th year presenting!

Register Here
10/20/23

AAP National Conference

Mark your calendars for the 2023 AAP National Conference & Exhibition, October 20-24, in Washington, DC. Don’t miss out on this opportunity to connect with colleagues, engage in thought-provoking education sessions, and visit the world’s largest pediatric exhibit hall.

I'll have 2 or 3 presentations, including what should be another fascinating Section H lineup about insurance negotiation.

Register Here

HIPAA and Credit Cards

Comments

Subscribe to Chip's Blog