HIPAA & PCI Compliance | Checklist

5 Critical Questions You Should Be Able to Answer as a Medical Billing Collection Professional

Written by Michael Wise

Written by Michael Wise
LabCorp, Quest Diagnostics data breach a wake up call to medical collections industry
The massive data breach experienced by LabCorp and Quest Diagnostics appears to have exposed the personal and financial data of between 8 million and 12 million patients. As two Democratic state attorneys launch a formal investigation into how this could happen, the aftermath of the breach is certain to draw increased focus on the data security practices of companies that provide billing collection services to healthcare organizations.

Healthcare providers, medical billing offices, and the vendors providing the collection software and payment applications that take, store and send payment information for processing, all should look at this recent breach as an opportunity to reassess their data security.

Here’s five questions you should be asking (yourself or your collection software or online payment vendor) about the information and payment data you’re collecting. This includes any system where credit card and personal information gets entered, gets stored, or is used to pass that information to another end point.

1.  Is hosting and managing payment data yourself worth the risk?

The recent data breach took place on an internally developed payment application. Are you currently taking payments through collection software or a payment site you manage, and does it include P2PE certified solutions? If so, have you ever conducted a cost analysis/risk assessment to determine whether maintaining complete data liability exposure makes financial sense?  

These agencies, regulations, and court rulings have the power and authority to fine, legally prosecute, or even incarcerate if data is breached or consumer protections are violated.


As part of your internal risk assessment, make a data flow diagram that includes all technology, people, and processes where a consumer’s personal and financial data may be exposed.
2. How confident are you in your payment and software vendors?

If using a third party service, is your collection or billing software storing or passing through credit card data? Is it a P2PE certified solution? In either case, that data must be encrypted. For example, if you’re able to see or export stored credit card data in clear text, that data is not encrypted and you (and your clients) could be held liable in the event of a data breach.

Outdated encryption methods like RC2 / RC4 and MD2/ MD4 /MD5 have already been successfully hacked, and should no longer be used. Instead, choose vendors who use modern encryption methods like AES or RSA. Or, preferably, those who immediately tokenize payment information.
3. If you or a third-party vendor are storing credit card data, is it being encrypted during all three data stages?
If your collection software or payment site vendor is storing card data (for recurring payments), credit card data must be encrypted at the point of entry, whenever it’s being moved between systems, when it’s being sent to process, and while it’s being stored? Because of this increased exposure risk, it’s important to verify encryption throughout your entire data flow?
The states of data are: data at rest, data in motion, and data in use. A PCI compliant solution has a unique encryption process for each.
4. Have you actually verified your payment application or software vendor’s PCI compliance?
As a merchant, you’ve already completed some version of a PCI Attestation of Compliance form where you’ve declared that you know and have “confirmed” with your payment application vendor how credit card data is stored and sent.

How was this information confirmed? Can your vendor provide PCI documentation (like completion of a 3rd-party PCI audits) that you can provide as assurance to your clients (or in the unfortunate case of a data breach)?

The PCI Attestation of Compliance Form requires merchants to acknowledge that they have verified that third-party software and payment applications are PCI compliant.
5. How did your collection software or payment site vendor achieve PCI compliance?
Did your collection software or payment site vendor achieve PCI compliance by checking boxes on a form, or did they actually undergo a third-party PCI audit conducted by QSA professionals?

What’s the difference? For your business and the clients you serve, it’s the difference between an insurance card and an active insurance policy. Or, a promise that the check is in the mail vs.  the deposit is in the bank.

Just because PCI guidelines are not “laws,” doesn’t meaning the consequences of not following them aren’t real. If a data breach occurs, a business can be shut down immediately through a cease and desist order filed by the affected parties.

Did this article raise any questions?

Whether you’re looking to reassess your level of data exposure or wish to move to a 100% PCI-Certified solution provider, we can help!


Resources & Articles For Managing Your  Finances On Your Own

Understanding Regulation F’s Model Validation Notice

Understanding Regulation F’s Model Validation Notice

With tax refund season about to be in full swing, we want to make sure your agency isn’t leaving any money on the table! Check to see if the system you’re using to manage Reg F has the ability to track contacts and communications by account or creditor. If not, we can help!