
Keeping Patient Credit Card Details Safe

A recent survey report on healthcare payment patterns reveals that, of total patient payments, 73 percent took almost a month to collect, while 12 percent of patients’ outstanding balances took more than 3 months to get paid. The same report also suggested that about 35 percent of provider revenue comes from patient pay. To improve collections, some providers opt to keep their patients’ credit card information on file so that they can collect payments more quickly. Keeping patients’ credit card information on file can ensure prompt payments; however, it comes with the burden of safeguarding confidential credit card data. No federal or state laws prohibit businesses from storing consumers’ credit card information; however, practices are legally obligated to have safeguards in place to protect sensitive information and limit liability exposure. In this blog, we discuss the overall approach to keeping patient credit card details safe.

Steps in Keeping Patient Credit Card Details Safe

Create a CCOF policy.

Create a Credit Card On File (CCOF) policy that outlines your practice’s credit card procedures, including when and under what circumstances cards will be charged, how patients will be notified, and how credit card information will be stored. The card on file can be used for co-pays, deductibles, non-covered services paid out of pocket, or for the portion of a bill left over after insurance has paid its share. You will still need to ensure that patients are aware of transactions, and it’s good practice to send a receipt by mail or email for every on-file credit card payment. However, having a credit card on file policy doesn’t mean you can simply write down and file your patients’ card details; the data must be stored securely, preferably in encrypted form, and in a way that meets the Payment Card Industry (PCI) compliance rules for credit card data.

Store patient information securely.

Most medical practices write down their patients’ credit card information and store it in the patient’s medical record, or they use an online service to store it electronically. Online services usually provide a higher level of protection than the patient’s medical record. Ensure that electronic data containing credit card numbers is robustly encrypted, or that paper records are locked in a secure place, such as a safe or a file drawer with a combination lock. Payment Card Industry (PCI) regulations prohibit storing a credit card’s security code. This code lets merchants verify that a customer authorizing a transaction over the phone or via the internet physically possesses the card.

Understand all federal and state laws and regulations.

If your practice collects patient billing information, you are considered a ‘merchant’ and are subject to federal and state laws and regulations that protect consumer credit card information. These include the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act (FTCA), and the Payment Card Industry Data Security Standard (PCI DSS); the last is an industry standard, not one devised by the federal or state government.

The Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws require providers to implement ‘reasonable’ security measures to protect payment information. Because HIPAA does not define ‘reasonable,’ providers have latitude in deciding which security measures to implement. Locking the information in a file cabinet and locking the room where the cabinet is kept, or using HIPAA-compliant encrypted storage programs for electronic storage, are examples of ‘reasonable’ security measures.

The Federal Trade Commission Act (FTCA) requires businesses to use ‘appropriate’ and ‘reasonable’ security measures to protect credit card information. Federal law also requires all businesses to omit the card’s expiration date from printed sales receipts and to truncate the account number to no more than the last 5 digits. The FTCA further requires businesses to obtain prior authorization from individuals before charging their credit cards. For example, if a patient previously used a credit card to pay for a session, the psychiatrist cannot later charge that card for a missed appointment without notifying the patient and getting their authorization.
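As an added illustration (not part of the original post or of any MBC system), the following Go sketch puts the storage rules from the two passages above into code: the at-rest record has no field for the security code, the card number is encrypted with AES-GCM, and the receipt shows no more than the last 5 digits and no expiration date. The Vault type, its key handling and all names are assumptions made for this example; the card number used in testing is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CardInput is the front-desk input; SecurityCode is used for the live authorization only, never stored.
type CardInput struct{ PAN, Expiry, SecurityCode string }
// StoredCard is the at-rest record: no security-code field, PAN encrypted, last 5 digits in clear.
type StoredCard struct {
	EncryptedPAN  []byte // nonce || ciphertext || GCM tag
	Last5, Expiry string
}

type Vault struct{ aead cipher.AEAD } // assumed wrapper for the practice's card-encryption key
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}

// Store checks the PAN shape, encrypts it and discards the security code.
func (v *Vault) Store(in CardInput) (StoredCard, error) {
	if len(in.PAN) < 13 || len(in.PAN) > 19 {
		return StoredCard{}, errors.New("card number must be 13-19 digits")
	}
	nonce := make([]byte, v.aead.NonceSize())
	rand.Read(nonce) // fresh nonce per record; crypto/rand.Read never returns an error (Go 1.24+)
	ct := v.aead.Seal(nonce, nonce, []byte(in.PAN), nil) // nonce is prepended to the output
	return StoredCard{EncryptedPAN: ct, Last5: in.PAN[len(in.PAN)-5:], Expiry: in.Expiry}, nil
}

// Recover decrypts the full number for the charge itself; nothing else needs it.
func (v *Vault) Recover(c StoredCard) (string, error) {
	n := v.aead.NonceSize()
	if len(c.EncryptedPAN) < n {
		return "", errors.New("record too short")
	}
	pt, err := v.aead.Open(nil, c.EncryptedPAN[:n], c.EncryptedPAN[n:], nil)
	return string(pt), err
}

// ReceiptLine follows the post's receipt rule: at most the last 5 digits and no expiration date.
func (c StoredCard) ReceiptLine() string { return "Card ending in " + c.Last5 }
```

Any modification of the stored bytes makes Recover fail, because GCM authenticates the ciphertext as well as encrypting it.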

The Payment Card Industry Data Security Standard (PCI DSS) applies to entities that store, process, or transmit cardholder data. Examples of PCI DSS requirements include using firewalls to protect cardholder data and restricting access to cardholder data to a ‘need-to-know’ basis. Businesses that do not comply with PCI DSS can be subject to fines and/or have their contracts terminated by credit card companies.

MedicalBillersandCoders (MBC) is a leading outsourced medical billing company providing complete revenue cycle management services. For provider education, we share the latest billing news and useful information in the form of articles. For the latest medical billing and coding resources, visit our blogs page.
