Many healthcare practices underestimate the need for HIPAA compliance in their payment systems. The main reason for that is that payment processing is exempt from HIPAA. However, your payment workflow may still include protected health information (PHI), and misusing this information can lead to a variety of so-called silent HIPAA violations.
Want to ensure that your healthcare practice will remain HIPAA-compliant? Here’s what this process involves and what you can do to maintain compliance!
What Is HIPAA Compliance?
Established in 1996, the Healthcare Insurance and Portability and Accountability Act (HIPAA) provides regulations for a variety of healthcare-related activities. It’s particularly noteworthy for its stringent privacy rules, which prevent healthcare providers from disclosing patients’ healthcare information to a third party without their permission.
This rule creates major compliance requirements for both healthcare practices and anyone who qualifies as their business associate, such as software providers or accountants. Any business associates exposed to PHI must sign business associate agreements (BAA).
The Influence of HIPAA on Credit Card Processing
Most of the time, a healthcare practice using a third-party payment processor doesn’t trigger HIPAA protection. However, if that payment processor is using an intermediary, their exemption from HIPAA regulations may be negated. A payment processor that offers additional services to a healthcare practice, such as billing, may also need to comply with HIPAA.
Keep in mind that most payment processors constantly evolve their services, adding a variety of ancillary features to their products. This is why healthcare practices need to remain vigilant about the possibility of inadvertently receiving non-HIPAA-compliant services.
Best Practices for HIPAA-Compliant Payment Processing
Fortunately, there are plenty of things you can do to ensure your payment processing is HIPAA-compliant. Some key examples include:
1. Reduce PHI in the Payment Process
You should only collect the information you need to bill appropriately. For example, your credit card forms don’t need to include diagnosis codes. If necessary, use encounter IDs or payment account numbers instead of names. The more PHI runs through your payment process, the larger your HIPAA footprint becomes.
2. Clarify Business Associate Agreements
If you’re working with a vendor that can see, store, and access PHI, make sure they sign a BAA. This agreement should clarify breach notification protocols, safeguards, and subcontractor obligations. Your goal is to leave no room for guesswork on HIPAA compliance.
3. Train Your Employees and Keep Proof
Your customer-facing staff should have clear guidelines on how to keep data HIPAA-secure. This includes things like sending superbills through encrypted channels and not discussing a balance before confirming identity. You should also run security training on an annual basis and retain training records for at least six years.