HAP has long advised our clients and blog readers to utilize technology to enhance the revenue cycle process. Our article "The Importance of Accepting Electronic Payments at Your Radiology Practice" is the most recent, but electronic transactions have also been highlighted in our "Best Practices in Radiology Patient Billing" article. Most practices today accept credit or debit cards in one way or another, but they might not be aware of the need for security protocols surrounding them.
The overriding rule when dealing with patients’ card information is to be sure it is not retained in your system or office where it could be compromised. For many years billing statements included the option for patients to write their charge card number on the stub and mail it to the practice or its RCM vendor. Office staff members might ask for card information on the phone and jot it on a note pad to be entered later by the billing department. Both of these situations create a paper record of the information that then has to be secured or destroyed. This opens up the possibility of loss, misplacement or even fraud within the practice and should be avoided.
The use of in-house registration and billing systems creates another problem for practices that are trying to use electronic payments to be as efficient as possible. Those systems have the ability to store a patient’s charge card information for later use, providing an additional piece of information available to potential hackers or, again, possible fraud from within the practice.
The best advice for medical practices, then, is to utilize a system that completely separates the practice from the charge card information. Ideally, the practice’s registration system will incorporate the use of a Patient Portal. This will allow patients to review their accounts with the practice, showing charges, insurance payments, and their own balance and payments. The portal will also offer a secure method for the patient to make payment online. The best systems also offer the ability for the patient to set up a periodic payment plan that will automatically charge their card monthly until the balance is settled. If your own system does not offer a built-in portal, there are third-party vendors, such as InstaMed, that can integrate with many practice registration and billing systems.
For those practices interested in learning more about the security of patient charge card processing, the Payment Card Industry (PCI) Security Standards Council is the best source of information. The PCI Council was formed by the major payment card vendors, such as Visa, MasterCard, and American Express, to establish standards to protect payment cardholders’ information. One of its documents details the requirements and protocols that should be followed if your practice decides to continue to accept charge card information by phone, which is not prohibited under the PCI standards. Generally, as long as the operator directly keys the information into the computer system, there is no compliance issue (assuming the system being used meets security criteria). However, if the call is recorded or if the operator takes written notes, then additional safeguards have to be in place.
The first step toward charge card data security is to understand whether or not your practice is retaining any such sensitive data, either on paper or in a computer system. If you are, then steps should be taken to evaluate your practice’s exposure and mitigate the situation. The use of a patient portal or a third-party payment processing vendor is recommended.
Make the availability of online payments for your patients a high priority, which will go a long way toward ensuring their satisfaction with your practice, and be sure to take steps to offer this option safely and securely.
Sandy Coffta is the Vice President of Client Services at Healthcare Administrative Partners.