By: Bill Marvin
The rise of consumer-directed healthcare and health plan deductibles has led to a dramatic increase in patient payments and the use of payment cards such as credit/debit and cards attached to health savings accounts (HSAs) and flexible spending accounts (FSAs). Historically, the healthcare industry had processed relatively small quantities of payment cards. As recently as 2007, healthcare payment card transactions accounted for less than $150 billion of the $4.5 trillion in total payment card spending. However, as a result of rising payment card processing in healthcare, the industry is now receiving greater scrutiny for payment card compliance.
While other industries are prepared and acknowledge the importance of securing payment card data, the healthcare industry is just beginning to realize the importance of payment card security. Understanding and complying with payment security standards can help protect your billing service, your clients and their patients from data breaches. Compliance excellence begins with a functional knowledge of the Payment Card Industry (PCI) Security Standards Council and an understanding of how to mitigate the risks of a data breach.
PCI Security Standards Council Overview
Within the healthcare industry, we know that HIPAA sets the standards for securing PHI. Similarly, the PCI Security Standards Council was founded in 2006 to develop industry-wide technical data security standards for payment cards. Governed by the payment card networks, VISA, MasterCard, AMEX, Discover and JCB, the PCI Data Security Standard (PCI-DSS)* defines the requirements and best practices in order to reduce fraud and security breaches. PCI compliance is required in order to process payment cards, primarily because the consequences of data breaches are significant.
A Look at Data Breaches
With the increase in patient payments and a lack of card security, payment card data in the healthcare industry has become a target for theft. This situation may cause a significant financial risk for you and your clients. Consider the latest figures on data breaches:
- The average cost of a data breach is $202 per record
- In 2008, more than 280 million payment card records were breached
- In 2009, payment data breaches represented 98% of all data breaches
Payment card data breaches not only have financial impacts on your clients, but may impact your billing service directly. Potential outcomes of data breaches include:
- Financial impact up to $2.5 million per month for your billing service
- Loss of your clients
- Bad publicity for your billing service
- Fines from the payment card networks
- Legal fees for lawsuits and settlements
- Increased merchant processing fees
- Cancellation of Merchant Account
How Should Billing Services Implement and Adhere to PCI Compliance?
PCI compliance, in a practical sense, starts with a merchant agreement. A merchant agreement occurs between your client – also known as a merchant – and the merchant acquirer (e.g. a bank that is a member of Visa and/or MasterCard). The contractual requirements in the agreement enable your clients to accept payment cards in compliance with PCI-DSS. The following are some important aspects of these security standards for your billing service:
- Do not collect payments into your bank account and then disburse them to your client
Your clients that process payment cards are also considered merchants. Every unique client must have its own merchant agreement, which allows funds to move directly from a patient’s bank account to your client’s bank account. Taking patient payments, depositing them into your bank account and then disbursing them to your clients is not permitted under PCI. Your clients are becoming aware of the risks and will eventually require quicker disbursement of the funds. Do not risk losing clients due to non-compliant activities.
- Never copy or store payment card data
You cannot copy card numbers onto a form and then fax or scan that form. The risks of storing payment card data are serious, including fraud by insiders and, ultimately, a data breach.
- Maintain IT security measures within your network
Safeguard your billing service from malicious spyware by maintaining a secure network with vulnerability detection programs to protect cardholder data. It is also necessary to implement strong access control measures, regularly monitor and test networks, and ensure the maintenance of information security policies.
- Monitor Third-Party compliance status
If you use any third-party service providers or applications through which payment card data is transmitted or stored, it is your responsibility as the merchant to monitor their compliance status. Most importantly, remember that the use of a validated third party does not exempt billing services from PCI compliance requirements.
- Increase data security for cardholders
If you offer Point of Sale (POS) collection capabilities to your clients, end-to-end encryption devices, such as MagTek’s Centurion Secure Card Reader Authenticator, are available to protect a patient’s card data from the moment it is swiped at a doctor’s office, giving greater defense against a data breach.
- Continue to educate your employees
Seventy percent of all breaches are a result of theft, which is generally due to employee carelessness. Be sure to enforce proper security policies for data storage and revisit employee training to prevent unintentional breaches from lost or stolen storage devices (such as laptops or PDAs).
Opportunities as a PCI compliant billing service
Payment card breaches are real and there are serious costs associated with them. It is vital to your business, your clients and their patients to ensure that your billing service is compliant. Adhering to PCI requirements will allow you and your clients to see considerable revenue gains through increased patient collections as patient payments continue to rise.
By staying up-to-date with the latest PCI compliance information and maintaining a high level of security for payment card data, you can build lasting trust with your clients while enhancing and safeguarding your business, your clients and your reputation.
*The PCI-DSS can be found at: https://www.pcisecuritystandards.org/security_standards/index.php
Federal Reserve Payments Study 2007
Ponemon Institute, 2008 Annual Study: Cost of a Data Breach
Verizon 2009 Data Breach Investigations Report
Trustwave Global Security Report 2010
This article was published in HBMA’s Billing Journal, January – February, Volume 16, Issue 1.