
How to make remote payments safer

With the growth of telehealth practice, more providers are using online payment services or mobile apps to collect payments from patients. Consider these factors before choosing an electronic payment processor for your practice.

Cite This Article
Waldroff, K. (2020, November 13). How to make remote payments safer. https://www.apaservices.org/practice/business/finances/remote-payments-safer


New online payment tools and peer-to-peer payment apps make it easier than ever to transfer money from person to person. However, if you’re a health care provider looking to collect payments from patients remotely, you must consider platforms that not only minimize fraud risk to your business but also comply with relevant state and federal health-care privacy regulations.

Here are some factors to consider when selecting an electronic payment app for your practice:

Look for a payment processor with good privacy practices

Generally, if you’re using a payment processing company solely to collect credit card payments, it won’t jeopardize your compliance with the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA regulations, payment processors that provide normal banking and financial operations are not considered to be a business associate (BA)—an organization or person outside of your practice who handles your patients’ protected health information (PHI).

Nonetheless, there are steps you can take to keep your practice compliant:

  • Ask the payment processor how they meet HIPAA compliance regulations and whether they provide a business associate agreement (BAA). [We will be publishing reviews of three remote payment processors that can be used in a HIPAA-compliant manner in the next installment of Let’s Get Technical.]
  • Ask the payment processor if they’re using the latest encryption technology for payment data security. This technology includes point-to-point encryption, along with Payment Card Industry (PCI)-validated point-to-point encryption (vP2PE).
  • Be certain that transactions through a payment processor do not generate any exchange of private information through insecure channels such as an auto-generated email or text receipt for services. If auto-generated receipts are an optional feature, be sure to turn that feature off.
  • When processing a patient’s credit card, only provide the information needed for the payment; omit any PHI or details about treatment.
  • If you use a magnetic card reader, upgrade it to an EMV (Eurocard, Mastercard, Visa) chip card reader for any in-office transactions. (Credit card fraud has declined with increased usage of these machines.)
  • If you intend to keep patient card information on file, store that information securely. Ask your payment processor if they offer encrypted storage for that purpose.
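The two points above about auto-generated receipts and sending only what the payment needs come down to data minimization at the boundary between your practice records and the processor. The following is an added example, not code from the article or from any payment processor’s SDK: it projects a hypothetical internal invoice record onto the minimal payload a card processor needs and then audits that payload for anything resembling PHI or an enabled receipt. All field names (`amount_cents`, `card_token`, `send_receipt`, the PHI key list) and the sample invoice are constructed assumptions.

```python
"""Data-minimization check for an outbound payment request.

Added example (not from the article or any payment processor's SDK).
`build_charge_request` keeps only what a card charge needs; `audit_payload`
verifies that no clinical or identifying data slipped through. All field
names are assumptions, and the sample invoice is constructed.
"""
from __future__ import annotations

from typing import Any

# Fields a card processor actually needs to run a charge (assumed names).
ALLOWED_FIELDS = frozenset({"amount_cents", "currency", "card_token", "reference", "send_receipt"})

# Internal record keys that must never reach the processor (assumed names).
PHI_KEYS = frozenset({"diagnosis", "cpt_code", "session_notes", "patient_name", "dob", "mrn"})

# Word fragments that signal clinical content inside any free-text value.
PHI_HINTS = ("diagnos", "therapy", "session", "cpt", "icd")


def build_charge_request(invoice: dict[str, Any]) -> dict[str, Any]:
    """Project an internal invoice onto the minimal processor payload.

    The reference is an opaque invoice id (its meaning stays in your practice
    management system), and auto-generated receipts are explicitly disabled so
    the processor never emails or texts anything on your behalf.
    """
    return {
        "amount_cents": int(invoice["amount_cents"]),
        "currency": invoice.get("currency", "USD"),
        "card_token": invoice["card_token"],          # tokenized by the processor's SDK, not a PAN
        "reference": f"INV-{invoice['invoice_id']}",  # opaque; never the service or patient name
        "send_receipt": False,                        # receipts go out via your own secure channel
    }


def audit_payload(payload: dict[str, Any]) -> list[str]:
    """Return a list of problems found in a payload; an empty list means clean."""
    problems: list[str] = []
    for key, value in payload.items():
        if key in PHI_KEYS:
            problems.append(f"PHI field present: {key}")
        elif key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field: {key}")
        if isinstance(value, str) and any(hint in value.lower() for hint in PHI_HINTS):
            problems.append(f"clinical wording in {key}: {value!r}")
    if payload.get("send_receipt", True):
        problems.append("auto-generated receipt enabled")
    return problems


# Constructed sample invoice with fictional data.
SAMPLE_INVOICE = {
    "invoice_id": 10421,
    "patient_name": "J. Doe",
    "dob": "1980-01-01",
    "diagnosis": "F41.1",
    "session_notes": "50-minute psychotherapy session",
    "amount_cents": 15000,
    "card_token": "tok_example_123",
}

# A naive payload that forwards the whole record plus a descriptive memo, for contrast.
NAIVE_PAYLOAD = {
    **SAMPLE_INVOICE,
    "description": "Psychotherapy session, ICD-10 F41.1",
    "send_receipt": True,
}

if __name__ == "__main__":
    print("minimal payload problems:", audit_payload(build_charge_request(SAMPLE_INVOICE)))
    print("naive payload problems:", audit_payload(NAIVE_PAYLOAD))
```

Run as a pre-send check in whatever integration code builds the charge: if `audit_payload` returns anything, refuse to send. The allowlist approach matters more than the keyword hints; the hints only catch free-text memos that staff might fill in by hand.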

Find out if your payment processor does more than take payments

If you plan to use your payment processor for any additional business services such as billing, accounting, reporting, or marketing, under HIPAA this makes that company a business associate. To remain HIPAA-compliant, you’ll need a signed BAA with the processor. Under a BAA, the processor must agree to implement safeguards to ensure it properly secures the protected health information it maintains.

And if you’re already using practice management software, consider asking that provider for their recommendation on payment processing integration. It is likely that you will be able to link a payment solution that will enable you to automatically add documentation of the payment transaction to your patient records. This can save time and reduce your practice’s physical paper trail containing sensitive information.

Be careful with peer-to-peer payment apps

Peer-to-peer payment apps, such as Venmo and PayPal, are easy to use and hugely popular. However, using them to collect payments for your practice is problematic from both data- and financial-security standpoints.

Because these apps have built the sale of user data into their business model, they may jeopardize your compliance with HIPAA’s requirements by sharing patient PHI, even if unintentionally. Additionally, peer-to-peer payment apps generally don’t include the same fraud protection found with credit cards. If a payment doesn’t go through, you may have no recourse for collecting.

Finally, the user agreements for some payment apps (e.g., Venmo) state that they are not intended for business use, so you may be violating the app’s user agreement by using it for your practice.

Remember that HIPAA requirements cannot be waived by informed consent, because the compliance obligation falls on you, the provider (or other covered entity or business associate), not on the patient. So, if your patients request to pay you with these types of apps, it’s a good idea to have a simple and thoughtful response explaining why you choose to accept certain payment forms and not others.

Do your research

There are countless payment processing companies from which to choose, and many of them can fit your business needs while keeping your practice and patients’ data safe. Reach out to them and ask directly about how they handle data privacy and HIPAA compliance. The best options for your practice will be able to answer all your questions and demonstrate an understanding of your specific needs.