Legal News

Keeping Patient Credit Card and Payment Information on File

Published Online: https://doi.org/10.1176/appi.pn.2019.5b23

Abstract

Accepting credit card payments from patients comes with legal obligations you need to follow to protect you and your practice.

Office workers in physician outpatient practices often ask patients to provide their payment information upfront, which is typically in the form of a credit card. Although this procedure may simplify payments for services provided, missed appointments, copays, and so on, requesting and storing a patient’s credit card information entails risk. Thus, practices need to have safeguards in place to protect the confidential information entrusted to them and reduce liability exposures. Additionally, practices that collect patient billing information are considered “merchants” and, therefore, are subject to state and federal laws protecting consumer credit card information.


Moira Wertheimer, J.D., R.N., C.P.H.R.M., is assistant vice president of the Healthcare and Psychiatry Group of AWAC Services Company, a member company of Allied World.

To manage risk, practices need a payment policy, which must outline the practice’s credit card procedures, including when credit cards will be charged (for example, 30 days after billing), under what circumstances (for example, missed appointments, services rendered), and how patients will be notified. Psychiatrists should distribute a copy of the practice’s payment policy and review it with patients at their first appointment and anytime the policy is modified thereafter. It also is important to obtain patient consent to store and use credit card information.

Medical practices generally store patient payment information in one of two ways: (1) photocopying or writing down the credit card information and keeping it in the patient’s medical record (paper or electronic), or (2) having a dedicated online payment service hold the information electronically, so that the card data never resides on the practice’s own systems. Data-security experts agree that the second approach provides a greater level of protection than keeping card data on the practice’s server, in general-purpose cloud storage, or in the patient record (paper or electronic).

As merchants, psychiatrists also need to comply with state and federal laws and regulations governing credit card use and storage of patient payment information. These include the following:

  • The Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws

  • Payment Card Industry Data Security Standard (PCI DSS)

  • Federal Trade Commission Act (FTCA)

With respect to HIPAA and state privacy laws, psychiatrists are obligated to adopt “reasonable” security measures to protect payment information, regardless of how the information is stored (in hard copy or electronically). HIPAA does not define “reasonable.” However, an example of a “reasonable” security measure could be to lock the information in a file cabinet and lock the room where the cabinet is kept for extra security. For electronically stored information, “reasonable” measures could include using a HIPAA-compliant storage program and having a business associate agreement in place with the electronic storage provider.

In addition to HIPAA, PCI DSS also may apply. PCI DSS is not issued by the government; it is an industry standard designed to protect cardholder data, and it applies to businesses through their contracts with the various credit card companies and payment processors. Businesses that do not comply with PCI DSS can be fined or have their contract with the credit card company canceled. One example of a PCI DSS requirement is the prohibition against storing a cardholder’s three- or four-digit security code (printed on the back of most cards, and on the front of American Express cards) after a transaction has been authorized, even for the purpose of running recurring transactions later.

Practices that store patient payment information also may have to comply with the FTCA and similar state laws. The FTCA’s purpose is to prevent unfair methods of competition and unfair or deceptive acts or practices affecting commerce. While the FTCA does not prohibit storing patient payment information, it does require businesses to use “reasonable” and “appropriate” security measures to protect that information, much as HIPAA does. As with HIPAA, the FTCA does not define “reasonable” or “appropriate.” Importantly, the FTCA does prohibit businesses from charging an individual’s credit card without first receiving authorization. For example, if a patient previously used a credit card to pay a copay, the psychiatrist cannot later charge that card for a missed appointment without first notifying the patient and obtaining authorization for the new charge.

Securing a patient’s payment information is subject to numerous standards and regulations. It is important that psychiatrists review proposed payment policies with their attorneys prior to implementing them to ensure compliance with all relevant state and federal laws. ■

This information is provided as a risk management resource and should not be construed as legal, technical, or clinical advice. This information may refer to specific local regulatory or legal issues that may not be relevant to you. Consult your professional advisors or legal counsel for guidance on issues specific to you. This material may not be reproduced or distributed without the express, written permission of Allied World Assurance Company Holdings, GmbH, a Fairfax company (“Allied World”). Risk management services are provided by or arranged through AWAC Services Company, a member company of Allied World.