HIT Think

Why it’s important to boost security in the payment process

Register now

The Dept. of Health and Human Services has a website devoted to health information privacy. It is a repository of information for individuals and providers alike. Just about anything you want to know about patient health information (PHI) privacy is there, including how to file a complaint if your rights have been violated.

One aspect of the website that impressed me was the training information offered. Material can be found to educate healthcare providers and state attorney generals on privacy, policies and procedures. Administrators can read up on rules. Physicians can learn how to get continuing medical education credits. And patients can understand about those forms they must sign before seeing a doctor.

As terrific as the site is, it underscores the fact that the healthcare industry won’t do anything for the healthcare consumer unless somebody, usually the government, forces them into it.

The Council on Affordable Quality Healthcare (CAQH), an alliance of healthcare insurers, conducts an annual assessment of the growth of electronic transactions between payers and providers. CAQH noted in its 2014 Index, the latest available, that the shift from manual to electronic transactions was improving “modestly.” If these institutions appear satisfied with merely a modest move to electronic transactions, it would appear the industry, overall, is not under pressure to change, so why bother?

Here’s why you should bother and it’s the best reason possible—the patient, your customer. We are in an age of consumer-driven healthcare in which customer-patients have a voice, and it’s getting louder now that about half the cost of their medical treatment comes out of their pockets.

Even though it’s their money, the healthcare industry is unbelievably cavalier when it comes to protecting it. I accept that health matters involving my daughter cannot be shared with me when she turns 18, but I cannot tolerate the blind eye providers turn toward protecting the information associated with the credit card I’ll use to pay her bill.

CEOs, CFOs and the heads of operations and patient engagement need to find out what PCI level is held by the vendors handling their institutions’ credit and debit card transactions; and do so before the government requires it.

Not sure what PCI is? That’s completely understandable since nearly all your bills are sent in paper form, which usually results in a check being remitted by the patient. Paper begets paper. But realize that the demand for electronic bills from your customer-patients is already high. Most consumer surveys note the preference is 70 percent or more for electronic bill presentment and payment.

Looking at how things are today, more providers are beginning to ask for payment at the point of service (POS). There isn’t a hospital or group practice executive who doesn’t want more payments when patients arrive or finish their appointments. A payment, even a partial one, helps to keep cash flow going in the right direction. Is the transaction PCI compliant? If so, is the compliance of the highest level?

PCI is an acronym for Payment Card Industry. It is an alliance of Mastercard, VISA, American Express, Discover and JCB. The group’s Security Standards Council established and updates criteria for security of cardholder data. The premise is if standards are in place and enforced, the potential for data breaches and other issues will be reduced.

The council does not have any legal authority, and each card company applies the Data Security Standard (DSS) in its own way. However, businesses that do process credit or debit card transactions must adhere to the standards, or their ability to accept credit cards will be revoked. In addition, there are state and, in some cases, federal fines that can be substantial.

The PCI group has tiered the level of compliance into four levels. To an extent, it reflects the volume of transactions that are processed each year. More importantly, though, it requires each level to employ progressively more stringent security practices, with Level 4 being the most basic and Level 1 the strictest.

Even if your healthcare organization sends paper bills, you still must be PCI compliant. For example, if you imprint or take card numbers on paper, you or your revenue cycle management service provider needs to keep the accounting data secure and locked away.

In fairness, it makes no sense to take the easiest path when it involves your customer-patients’ money. A Level 1 PCI compliance endorsement says security is important to the company and that it will go the extra mile to achieve and maintain it. It must cover all steps from Level 4 to 2, plus have a Qualified Security Assessor do an annual on-site evaluation as well as an Attestation of Compliance verified by an authorized third party. It’s the equivalent of having the IRS conduct a deep and wide audit of your electronic transaction activity and the security around it.

The probability is high that you’re involved in outsourcing card transaction management. When it comes to the electronic transference of your customer-patients’ money, out-of-sight does not obviate your responsibility to protect their financial health, too.

Next time you hear a pitch for from a merchant services outfit, an RCM firm or a patient payments company, do your organization’s reputational and operational well-being a big favor and ask if they’re PCI Level 1 compliant. If not, cut the meeting short.

For reprint and licensing requests for this article, click here.