A recent survey report on healthcare payment patterns reveals that, out of total patient payments, 73 percent took almost a month to collect, while 12 percent of patients’ outstanding balances took more than 3 months to get paid. The same survey report also suggested that about 35 percent of provider revenue comes from patient pay.
To improve collections, some providers opt to keep their patients’ credit card information on file so that they can collect payments more quickly. Keeping patients’ credit card information on file can ensure prompt payment; however, it comes with the burden of safeguarding confidential credit card data.
No federal or state laws prohibit businesses from storing consumers’ credit card information; however, practices are legally obligated to have safeguards in place to protect sensitive information and limit liability exposure. In this blog, we discuss the overall approach to keeping patient credit card details safe.
Steps in Keeping Patient Credit Card Details Safe
Create a CCOF policy.
Create a Credit Card On File (CCOF) policy that outlines your practice’s credit card procedures, including when and under what circumstances credit cards will be charged, how patients will be notified, and how credit card information will be stored. The card on file can be used for co-pays, deductibles, non-covered services paid out of pocket, or for portions of bills not covered after insurance has paid its portion.
You’ll still need to ensure that patients are aware of transactions, and it’s good practice to send a receipt either by mail or email for on-file credit card payments. However, having a credit card on file policy doesn’t mean you can simply write down and file your patients’ card details; the data will need to be stored securely, preferably in an encrypted format, meeting the Payment Card Industry (PCI) compliance rules.
Store patient information securely.
Most medical practices write down their patients’ credit card information and store it in the patient’s medical record, or they use an online service to store it electronically.
Online services usually provide a higher level of protection than the patient’s medical record. Ensure that electronic data that includes credit card numbers is robustly encrypted, or that paper records are locked in a secure place, such as in a safe or file drawer that requires a combination lock.
Payment Card Industry (PCI) regulations prohibit storing a credit card’s security code. This code exists so that merchants can verify that a customer authorizing a transaction over the phone or via the internet physically possesses the card; once it is on file, it no longer proves anything.
Understand all federal and state laws and regulations.
If your practice collects patient billing information, you are considered a ‘merchant’ and are subject to federal and state laws and regulations that protect consumer credit card information.
These laws and regulations include the Health Insurance Portability and Accountability Act (HIPAA); the Federal Trade Commission Act (FTCA); and the Payment Card Industry Data Security Standard (PCI DSS), which is an industry standard rather than a federal or state law.
Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws require providers to implement ‘reasonable’ security measures to protect payment information. Because HIPAA does not define ‘reasonable,’ providers have freedom in determining which security measures to implement.
Locking the information in a file cabinet and locking the room where the file cabinet is kept or using HIPAA-compliant encrypted storage programs (for electronic storage) are examples of ‘reasonable’ security measures.
The Federal Trade Commission Act (FTCA) requires businesses to use ‘appropriate’ and ‘reasonable’ security measures to protect credit card information. Federal law also requires all businesses to omit the card’s expiration date from printed sales receipts and to truncate the account number so that no more than the last 5 digits of the card number appear on any receipt.
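The two concrete rules above (PCI: never store the security code; federal receipt truncation: no expiration date and at most the last 5 digits of the card number) are easy to get wrong in a home-grown card-on-file workflow. The following added example, which is not code from the original post or from any billing vendor, shows one way to enforce both before a record is persisted or a receipt is printed; the field names and the intake record are constructed assumptions for illustration.

```python
import re

# Field names under which intake forms commonly capture the card security code.
# PCI DSS forbids storing this value after authorization, so it must never reach disk.
SECURITY_CODE_FIELDS = {"cvv", "cvv2", "cvc", "cid", "security_code"}

# Receipt truncation as described above: no more than the last 5 digits visible.
RECEIPT_VISIBLE_DIGITS = 5


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and require 13-19 digits (the valid card-number lengths)."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("card number must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; catches transcription errors before a PAN goes on file."""
    total = 0
    for i, ch in enumerate(reversed(normalize_pan(pan))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def receipt_account_line(pan: str) -> str:
    """Account line for a printed receipt: everything but the last 5 digits is masked.
    The expiration date is deliberately not a parameter, so it cannot be printed."""
    digits = normalize_pan(pan)
    hidden = len(digits) - RECEIPT_VISIBLE_DIGITS
    return "*" * hidden + digits[hidden:]


def storable_card_record(intake: dict) -> dict:
    """Reduce an intake form to the fields a CCOF record may retain.
    The security code is dropped outright and the PAN is validated. The returned
    record must still be encrypted at rest by the caller (outside this example)."""
    stored = {k: v for k, v in intake.items() if k.lower() not in SECURITY_CODE_FIELDS}
    stored["pan"] = normalize_pan(stored["pan"])
    if not luhn_valid(stored["pan"]):
        raise ValueError("card number fails Luhn check")
    return stored


# Constructed intake record; 4111 1111 1111 1111 is a standard test number, not a live account.
INTAKE = {"cardholder": "J. Doe", "pan": "4111 1111 1111 1111",
          "expiry": "12/29", "cvv": "123", "consent_signed": True}
```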
FTCA also requires businesses to get prior authorization from individuals before charging their credit cards. For example, if a patient previously used a credit card to pay for a session, the psychiatrist cannot later use the credit card to charge for a missed appointment without notifying the patient and getting their authorization.
Payment Card Industry Data Security Standard (PCI DSS) applies to entities that store, process, and/or transmit cardholder data. Examples of the PCI DSS rules include using firewalls to protect cardholder data and restricting access to cardholder data to a ‘need-to-know’ basis.
Businesses that do not comply with PCI DSS can be subjected to fines and/or have their contracts terminated by credit card companies.
Medical Billers and Coders (MBC) is a leading outsourcing medical billing company providing complete revenue cycle management services. For provider education, we share the latest billing news and useful information in the form of articles. For the latest medical billing and coding resources, visit our blogs page.
FAQs:
1. What is a Credit Card On File (CCOF) policy?
A CCOF policy outlines how a medical practice will handle patient credit card information, including charging procedures and notification methods.
2. Why is it important to store credit card information securely?
Secure storage protects sensitive patient information from unauthorized access and helps comply with regulations like HIPAA and PCI DSS.
3. What are the key laws affecting credit card information storage?
Providers must comply with HIPAA, FTC regulations, and PCI DSS, which set standards for protecting patient financial information.
4. Can I keep the security code of a credit card on file?
No, PCI regulations prohibit storing the security code, as it’s essential for verifying transactions and protecting cardholder data.
5. What happens if a practice fails to comply with credit card regulations?
Non-compliance can lead to fines, legal issues, and potential termination of contracts with credit card companies.