HIPAA & PCI Compliance | Checklist
5 Critical Questions You Should Be Able to Answer as a Medical Billing Collection Professional
Written by Michael Wise
Healthcare providers, medical billing offices, and the vendors providing the collection software and payment applications that take, store and send payment information for processing, all should look at this recent breach as an opportunity to reassess their data security.
Here’s five questions you should be asking (yourself or your collection software or online payment vendor) about the information and payment data you’re collecting. This includes any system where credit card and personal information gets entered, gets stored, or is used to pass that information to another end point.
The recent data breach took place on an internally developed payment application. Are you currently taking payments through collection software or a payment site you manage, and does it include P2PE certified solutions? If so, have you ever conducted a cost analysis/risk assessment to determine whether maintaining complete data liability exposure makes financial sense?
These agencies, regulations, and court rulings have the power and authority to fine, legally prosecute, or even incarcerate if data is breached or consumer protections are violated.
If using a third party service, is your collection or billing software storing or passing through credit card data? Is it a P2PE certified solution? In either case, that data must be encrypted. For example, if you’re able to see or export stored credit card data in clear text, that data is not encrypted and you (and your clients) could be held liable in the event of a data breach.
How was this information confirmed? Can your vendor provide PCI documentation (like completion of a 3rd-party PCI audits) that you can provide as assurance to your clients (or in the unfortunate case of a data breach)?
What’s the difference? For your business and the clients you serve, it’s the difference between an insurance card and an active insurance policy. Or, a promise that the check is in the mail vs. the deposit is in the bank.
Did this article raise any questions?
Whether you’re looking to reassess your level of data exposure or wish to move to a 100% PCI-Certified solution provider, we can help!
Resources & Articles For Managing Your Finances On Your Own
Letting debtors pay online, or “self-resolve” their accounts through a payment portal, are good for all parties. However, as recent litigation has revealed, payment pages and payment portals have now become major targets for FDCPA-related lawsuits.
P2PE devices are PCI-validated technology that keeps cardholder data secure and can take your business network out of scope for a PCI audit and protect your customer’s credit card data.
PCI-validated P2PE solutions encrypt cardholder data and can take a merchant’s network out of PCI scope.
Many providers are finding out too late that the traditional patient billing process is not working on higher balances and significantly more needed revenue is speeding its way towards third-party collections—the last stop before bad debt.