by Mario Fucinari, DC, CPCO, CPPM, CIC
In recent years, we have increasingly embraced the convenience and efficiency of credit card payments. With the widespread adoption of portable credit card terminals, such as Square, and a societal shift toward cashless payments, it seems inevitable that healthcare providers will offer credit card payment plans to ease the financial burden on patients. While this shift improves patient access and satisfaction, it also introduces significant regulatory responsibilities that many providers may not fully understand—particularly regarding the security of credit card information and HIPAA compliance.
The Push Toward Cashless Payments
Consumers today expect fast, seamless, and flexible payment options in nearly every sector, including healthcare. From paying for gas to ordering fast food at the drive-thru, credit card payments are commonplace. Because of high-deductible insurance plans and plans with inadequate coverage, a legal medical discount plan makes chiropractic care affordable and convenient. Many families live paycheck to paycheck. They appreciate the value of competent chiropractic care with the convenience of budgeted payments. Most practices offer payment plans, automated billing, and even online portals for recurring credit card payments to accommodate this demand.
This evolution makes sense from both a customer service and a revenue cycle perspective. However, with convenience comes risk and responsibility.
Credit Card Data and HIPAA: A Common Misconception
Every provider must have Corporate and HIPAA compliance plans in place. Your policies and procedures must be documented to protect you and your corporation. We know that it is ethically and legally incumbent upon all of us to protect patient health information. However, many providers are unaware that credit card information is considered protected health information (PHI) and, therefore, falls under the scope of HIPAA (Health Insurance Portability and Accountability Act). The processes safeguarding credit card information depend on how and where the payment is processed.
If a healthcare provider is processing credit card payments through a third-party vendor not directly involved in providing healthcare services, and that vendor processes payments independently (such as a bank or payment processor), then HIPAA may not apply to the credit card transaction itself.
However, this does not mean that providers are exempt from responsibility. If any part of the payment process involves Protected Health Information (PHI), such as the reason for the charge, treatment codes, or identifiable health information, then HIPAA regulations apply. How credit card information is stored is a crucial factor in protecting it. Credit card information, including the full card number, security code, and expiration date, should not be visible to any outside entity or to anyone in the office. Proper safeguards, such as encryption, must be used when storing the information. A breach of this information could result in serious violations and fines.
Common Risk Areas
Here are a few key areas where providers may inadvertently expose themselves to HIPAA violations:
- Storing Card Information Improperly: Some practices store credit card data on local systems or paper to facilitate recurring payments. If these systems are not encrypted, access-controlled, and HIPAA-compliant, they represent a serious security risk.
- Unsecured Communication Channels: Emailing invoices or payment links without encryption or secure messaging can expose PHI and financial data.
- Inadequate Business Associate Agreements (BAAs): If your payment processor has access to PHI (e.g., through a practice management system), they are considered a business associate and must sign a BAA. Many providers overlook this step.
- Poor Staff Training: Front desk staff may not be aware that how they collect and handle payment information, especially when it is tied to patient health data, is regulated under HIPAA.
Best Practices for Compliance
To stay on the right side of both HIPAA and PCI-DSS (Payment Card Industry Data Security Standard) regulations, healthcare providers should adopt the following best practices:
- Use HIPAA-Compliant Payment Solutions: Contact your credit card terminal company and ask how to encrypt the patient’s card information.
- Select vendors who understand the unique requirements of healthcare and are willing to sign a Business Associate Agreement (BAA) if they have access to Protected Health Information (PHI).
- Separate Financial and Clinical Systems: Avoid including treatment details in payment systems unless necessary. Control access to patient financial information and clinical data even where encryption is not in use. One way to control access is to ensure that every employee and provider has their own unique, strong password with access controls.
- Encrypt and Secure All Stored Data: Never store card information in unsecured formats or systems.
- Training and Education: Ensure everyone handling patient payments understands the importance of protecting financial and health information. Contact your state association, discount medical plan organization, or a certified compliance consultant when in doubt.
- Review Policies Regularly: As your payment systems evolve, revisit your privacy and security policies to ensure they meet current standards.
Conclusion
Electronic storage of health and financial records is efficient and the best practice for security. The future of healthcare payments is undeniably digital, and offering credit card payment plans and legal medical discount plans can significantly enhance the patient experience. But with this convenience comes the obligation to protect sensitive data. Healthcare providers can offer modern payment options without compromising patient privacy or incurring costly penalties by understanding how HIPAA applies to credit card security and implementing robust compliance measures.
Now more than ever, it pays to know the rules.
About the author: Dr. Mario Fucinari is a Certified Professional Compliance Officer, Certified Physician Practice Manager, Certified Insurance Consultant, and a Medicare Carrier Advisory Committee member. As a ChiroHealthUSA Speaker’s Bureau member, Dr. Fucinari travels throughout the year, speaking to audiences nationwide and sharing his chiropractic expertise and insights into using best practices for documentation, compliance, billing, and coding. To have Dr. Fucinari speak at conventions or webinars, contact him at doc@askmario.com or call ChiroHealthUSA for availability.