Reduce HIPAA Online Payment Processing Violation Penalties


If your patient walks out the door without paying the amount they owe, your ability to collect decreases by 50%. The good news is that there are several online payment options available to you that can make paying easy for your patients and reduce your risk of violating HIPAA payment-processing rules.

Making a mistake when choosing how your practice collects electronic payments can be costly. HIPAA violation penalties can be as high as $50,000 per incident. To ensure HIPAA compliant payment processing, the regulation requires you to ensure two key elements when choosing an electronic payment method:

  1. To be reasonably confident that the technology you implement includes sufficient “administrative, technical, and physical safeguards for protecting e-PHI.”
  2. To enter into a compliant HIPAA Business Associate Agreement with the vendor (when applicable).

The most common and simple-to-use payment apps your patients may ask about include PayPal, Venmo and Zelle. Signing up to offer these payment services is relatively quick and easy. In just a few clicks you can be a provider. However, you must proceed with caution before integrating these options into your practice.

PayPal HIPAA Breakdown

If you go onto PayPal’s website, they have multiple pages that describe how they’ll protect your patient’s data. They use buzzwords like encryption, protection, and security. However, nowhere does it say that they provide HIPAA compliant payment processing, because they don’t. Although PayPal will adequately protect your patients’ information, they also collect and sell the data for advertising purposes.

Bottom line: As a healthcare provider, you cannot legally utilize PayPal as a viable payment method. Doing so would most likely result in a breach of HIPAA compliance and make you subject to disciplinary actions and penalties.

Venmo Compliance Rundown

The Venmo business web page will provide you with much of the same data security sales language as PayPal. However, don’t be fooled. Buried on the Venmo site, there is specific language in their Terms of Use that forbids their software from being used for healthcare payments.

So, is Venmo HIPAA compliant? There are two reasons why not:

  1. They do not enter into Business Associate Agreements with healthcare providers; and
  2. They share purchaser data with their parent company, PayPal, who then sells it for advertising purposes.

Is Zelle HIPAA Compliant?

Zelle was introduced through banks several years ago as a more accessible way to transfer payments directly from one account to another. The service is easy to use and, most importantly for frontline users, it’s free.

Just like PayPal and Venmo, Zelle has a robust security page. Unfortunately, once again, this service does not provide HIPAA compliant payment processing.

The authentication and monitoring utilized by Zelle to protect your patients’ data actually meets HIPAA Security Rule requirements. However, the company does not sign Business Associate Agreements, which means utilizing the service would likely put you at risk of violating HIPAA rules.

HIPAA Compliant Payment Processing

The challenge you are facing is to make it as easy as possible for your patients to pay their bill before they walk out the door, and to be certain that you’ve implemented HIPAA compliant payment processing. To start, it’s important for you to understand when a payment service is HIPAA compliant.

On the US Department of Health and Human Services (HHS) Business Associates web page, the agency spells out “Other Situations in Which a Business Associate Contract is Not Required.” One of the bullets reads as follows (bold added for emphasis):

“When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.”

Based on HHS’s description above, you might wonder why Zelle’s refusal to sign Business Associate Agreements makes them noncompliant with HIPAA. The big difference is that Zelle is not considered to be a financial institution. The service is merely a program that makes it easy for your patients to transfer money between their bank and your practice.

To resolve this issue there are several HIPAA compliant payment processing options you can employ:

1. Online Billing Software: There are several HIPAA compliant online billing software packages available. There is no one “right” answer. Each package has unique features (e.g. specialty focus, scheduling, reporting, pricing, etc.). Therefore, you should carefully review each service to determine which is right for you. Here are several HIPAA compliant online services to get you started:

a. KAREO Billing
b. RXNT Medical Billing and Scheduling
c. EZclaim Medical Billing
d. NueMD cloud-based software
e. InstaMed Online for Providers

2. Online Payment Processing: You could choose to go directly to a processing company and become a merchant. However, it is important that you limit your use of these services to only receiving payments. Anything more would put them into the category of being a Business Associate and would require that you have a signed Business Associate Agreement with them. Two examples of online payment processing companies include Stripe and Square.

3. Accept Credit Cards: You probably already are authorized to accept credit card payments. One important note, however, is that the terms of your agreements with these companies are negotiable, especially after you’ve been with them for a while. So, if you have a strong record with one or more of these companies, consider asking for a reduction in your merchant fees. The big three credit card merchant accounts include:

a. American Express
b. VISA
c. Mastercard

HIPAA regulations are confusing, which makes the risk of violating them even more likely. However, you can reduce your risk of violating HIPAA rules, being audited, and getting hit with massive penalties without ever leaving your practice. Healthcare Training Leader’s online HIPAA training provides you with access to industry experts who will walk you through exactly how to comply with these complex and confusing rules.

Disclaimer: Healthcare Training Leader (HTL), its employees, consultants, writers, or contractors did not accept any payment for including these companies in this post. HTL is not responsible for any positive or negative outcomes you may experience from working with these or any other companies. These companies were only included in this post as examples, and you should do your own due diligence before entering into any type of business relationship with these or any other companies.

Expert Contributors: Healthcare attorneys Daphne L. Kackloudis, JD and Kevin M. Cripe, JD from Brennan, Manna and Diamond law firm.
