HIPAA & PCI Compliance | Checklist

5 Critical Questions You Should Be Able to Answer as a Medical Billing Collection Professional

Written by Michael Wise

LabCorp, Quest Diagnostics data breach a wake up call to medical collections industry

The massive data breach experienced by LabCorp and Quest Diagnostics appears to have exposed the personal and financial data of between 8 million and 12 million patients. As two Democratic state attorneys launch a formal investigation into how this could happen, the aftermath of the breach is certain to draw increased focus on the data security practices of companies that provide billing collection services to healthcare organizations.

Healthcare providers, medical billing offices, and the vendors providing the collection software and payment applications that take, store and send payment information for processing, all should look at this recent breach as an opportunity to reassess their data security.

Here’s five questions you should be asking (yourself or your collection software or online payment vendor) about the information and payment data you’re collecting. This includes any system where credit card and personal information gets entered, gets stored, or is used to pass that information to another end point.

1. Is hosting and managing payment data yourself worth the risk?

The recent data breach took place on an internally developed payment application. Are you currently taking payments through collection software or a payment site you manage, and does it include P2PE certified solutions? If so, have you ever conducted a cost analysis/risk assessment to determine whether maintaining complete data liability exposure makes financial sense?

These agencies, regulations, and court rulings have the power and authority to fine, legally prosecute, or even incarcerate if data is breached or consumer protections are violated.

As part of your internal risk assessment, make a data flow diagram that includes all technology, people, and processes where a consumer’s personal and financial data may be exposed.

2. How confident are you in your payment and software vendors?

If using a third party service, is your collection or billing software storing or passing through credit card data? Is it a P2PE certified solution? In either case, that data must be encrypted. For example, if you’re able to see or export stored credit card data in clear text, that data is not encrypted and you (and your clients) could be held liable in the event of a data breach.

Outdated encryption methods like RC2 / RC4 and MD2/ MD4 /MD5 have already been successfully hacked, and should no longer be used. Instead, choose vendors who use modern encryption methods like AES or RSA. Or, preferably, those who immediately tokenize payment information.

3. If you or a third-party vendor are storing credit card data, is it being encrypted during all three data stages?

If your collection software or payment site vendor is storing card data (for recurring payments), credit card data must be encrypted at the point of entry, whenever it’s being moved between systems, when it’s being sent to process, and while it’s being stored? Because of this increased exposure risk, it’s important to verify encryption throughout your entire data flow?

The states of data are: data at rest, data in motion, and data in use. A PCI compliant solution has a unique encryption process for each.

4. Have you actually verified your payment application or software vendor’s PCI compliance?

As a merchant, you’ve already completed some version of a PCI Attestation of Compliance form where you’ve declared that you know and have “confirmed” with your payment application vendor how credit card data is stored and sent.

How was this information confirmed? Can your vendor provide PCI documentation (like completion of a 3rd-party PCI audits) that you can provide as assurance to your clients (or in the unfortunate case of a data breach)?

The PCI Attestation of Compliance Form requires merchants to acknowledge that they have verified that third-party software and payment applications are PCI compliant.

5. How did your collection software or payment site vendor achieve PCI compliance?

Did your collection software or payment site vendor achieve PCI compliance by checking boxes on a form, or did they actually undergo a third-party PCI audit conducted by QSA professionals?

What’s the difference? For your business and the clients you serve, it’s the difference between an insurance card and an active insurance policy. Or, a promise that the check is in the mail vs. the deposit is in the bank.

Just because PCI guidelines are not “laws,” doesn’t meaning the consequences of not following them aren’t real. If a data breach occurs, a business can be shut down immediately through a cease and desist order filed by the affected parties.

Did this article raise any questions?

Whether you’re looking to reassess your level of data exposure or wish to move to a 100% PCI-Certified solution provider, we can help!

Resources

Resources & Articles For Managing Your Finances On Your Own

Why Siloed Systems Are Costing You: The Case for Platform Consolidation

Discover how siloed communication and payment platforms can lead to inefficiencies, missed revenue, and compliance issues. This article explains why modern agencies need to consolidate operations and manage the entire consumer journey within one unified platform. Intelligent Contacts’ integrated solution combines a Hosted Contact Center and a self-service payment portal to streamline operations, maintain compliance, and improve ROI. Learn how to stay ahead in 2025 by embracing an integrated, consumer-centric approach to communication and collections.”

What the ARM Industry Needs to Know as Federal Student Loan Collections Resume

After a multi-year pause initiated during the COVID-19 pandemic, the U.S. Department of Education has confirmed that collections on defaulted federal student loans will resume on May 5, 2025. This shift carries significant implications for the ARM industry — especially those engaged in debt recovery for educational and government portfolios. With nearly 10 million borrowers expected to be in default and only 38% of borrowers currently in active repayment, the market is poised for a large-scale operational resurgence.

CFPB Revokes Controversial Medical Debt Advisory Opinion in Response to Industry Pushback

In a major win for the accounts receivable and collections industry, the Consumer Financial Protection Bureau (CFPB) announced that it will revoke its controversial advisory opinion on medical debt collection, originally slated to go into effect in January 2025. The decision comes after significant legal challenges and lobbying efforts led by ACA International and other stakeholders.