Most practices today accept credit or debit cards in one way or another, but they might not be aware of the need for security protocols surrounding them.
The overriding rule when dealing with card information from patients is to be sure it is not retained in your system or office where it could be compromised. For many years, billing statements included the option for patients to write their charge card number on the stub and mail it to the practice or its revenue cycle management vendor. Office team members might ask for card information on the phone and jot it down on a notepad to be entered later by the billing department.
Both of these situations create a paper record of the information that then has to be secured or destroyed. This opens up the possibility of loss, misplacement, or even fraud within the practice and should be avoided.
The use of in-house registration and billing systems creates another problem for practices that are trying to use electronic payments to be as efficient as possible. Those systems have the ability to store a patient's charge card information for later use, providing an additional piece of information susceptible to potential hackers or, again, possible fraud from within the practice.
The best advice for practices is to use a system that completely separates the practice from the charge card information. Ideally, the practice's registration system will incorporate the use of a patient portal. This will allow patients to review their accounts with the practice, showing charges, insurance payments, and their own balance and payments.
The portal will also offer a secure method for patients to make payments online. The best systems also offer the ability for patients to set up a payment plan that will automatically charge their card monthly until the balance is settled.
For those practices interested in learning more about the security of patient charge card processing, the Payment Card Industry (PCI) Security Standards Council is the best source of information. The PCI Council was formed by the major payment card vendors, such as Visa, Mastercard, and American Express, to establish standards to protect cardholders' information.
Protocols
One document details the requirements and protocols that should be followed if your practice decides to continue accepting charge card information by phone, which is allowed under the PCI standards.
Generally, as long as the operator directly keys the information into the computer system, there is no compliance issue (assuming the system being used meets security criteria). However, if the call is recorded or the operator takes written notes, then additional safeguards have to be in place.
The first step toward charge card data security is to understand whether your practice is retaining any such sensitive data, either on paper or in a computer system. If you are, then steps should be taken to evaluate your practice's exposure and mitigate the situation. The use of a patient portal or a third-party payment processing vendor is recommended.
Make the availability of online payments for your patients a high priority, which will go a long way toward ensuring their satisfaction with your practice, and be sure to take steps to offer this option safely and securely.
Sandy Coffta is vice president of client services at Healthcare Administrative Partners.
This column first ran on AuntMinnie.com.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.