HIPAA Compliant Credit Card Processing
HIPAA compliant credit card processing is rarely an issue for HIPAA covered entities because financial institutions and entities processing payments on their behalf are exempt from complying with the HIPAA Administrative Simplification Regulations. However, there are some scenarios in which HIPAA compliance can be a factor.
When Congress passed HIPAA in 1996, Title II of the Act added multiple sections to the Social Security Act. One of the new sections addressed payment processing by financial institutions and effectively removed the issue of HIPAA compliant credit card processing for most HIPAA covered entities. The section – now codified at 42 USC §1320d-8 – states:
“To the extent that an entity is engaged in activities of a financial institution […] or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part [the HIPAA Administrative Simplification Regulations] and any standard adopted under this part, shall not apply to the entity with respect to such activities.”
The section goes on to state that the exemption covers “the use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer”.
HIPAA Compliance when Accepting Credit Card Payments
For most HIPAA covered entities, this section of the Social Security Act means they do not have to be concerned about HIPAA compliance when accepting credit card payments. Provided the POS terminal, app, or online portal used to accept payments has been supplied by a financial institution or an entity acting on a financial institution’s behalf, the financial institution or entity is responsible for the security of the data from the point at which it enters the payment gateway. The exemption attaches to the financial institution’s payment activities, not to the covered entity itself, so any patient or payment data the covered entity stores or transmits before it reaches the gateway remains the covered entity’s responsibility under HIPAA.
In most cases, the payment processor will be contractually required by the card brands to comply with the Payment Card Industry Data Security Standard (PCI DSS) with regard to the security of cardholder data at rest and in transit, and, as a financial institution, with the Safeguards Rule of the Gramm-Leach-Bliley Act when exchanging customer information to authorize payments. Note that PCI DSS also applies to the covered entity in its role as a merchant for any cardholder data its own systems handle. Other financial regulations concern relationships between institutions and customers, and HIPAA compliance does not enter into these relationships.
Exceptions to the HIPAA Compliant Credit Card Processing Exemption
Although financial institutions are exempt from the HIPAA Administrative Simplification Regulations, there are some scenarios in which exceptions to the HIPAA compliant credit card processing exemption exist. These apply when a covered entity uses an intermediary in the payment flow, or when an entity providing processing services on behalf of a financial institution also provides secondary services to the covered entity in addition to payment processing.
One example of a covered entity using an intermediary in the payment flow is when an online payment portal is self-developed – rather than being a plug-in provided by the payment processor – and Protected Health Information (PHI) is transmitted from the self-developed portal to the payment processor via a service provided by a third party (e.g., Amazon Web Services). If no PHI is transmitted, HIPAA does not apply to the transaction. Bear in mind that PHI in this context is not limited to clinical data: under the HIPAA definition of health information (45 CFR §160.103), individually identifiable information about payment for the provision of health care is itself PHI, so a record that links a named patient to a charge for a specific service qualifies even if it contains no diagnosis or treatment details.
A second example of a covered entity using an intermediary in the payment flow is when a healthcare provider loses access to its POS terminal. This could happen for a number of reasons; and, if it is not possible to arrange payment by an alternative method, it may be necessary for the covered entity to use a third party’s POS terminal to accept payment. In such circumstances, any PHI disclosed to the third party is subject to HIPAA and must be protected accordingly.
When a Business Associate Agreement is Required for Card Processing
When PHI is disclosed in either of the above examples, or when an entity providing processing services on behalf of a financial institution also provides secondary services to the covered entity in addition to payment processing (e.g., invoicing or billing services), it is necessary to enter into a Business Associate Agreement with the third party. This applies even if the use of a third party’s POS terminal is a one-off event because of – for example – a power cut or Internet outage.
However, because financial institutions and entities processing payments on their behalf are exempt from complying with the HIPAA Administrative Simplification Regulations, it is not necessary to enter into a Business Associate Agreement with them under normal circumstances. Covered entities that are unsure about when the requirements for HIPAA compliant credit card processing apply are advised to seek advice from an independent compliance professional.