How to take credit card payments at your medical practice and remain HIPAA compliant


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was put into place to provide security provisions and data privacy to safeguard patients’ medical information. It sets standards for the exchange of medical data between providers, protects the privacy and security of health information and contains protocols for enforcement. For medical offices, it is also important to understand how to maintain HIPAA compliance when you accept your patients’ credit card payments.

The case for accepting credit card payments.

Although most of your patients probably have healthcare insurance coverage, the majority will still be expected to pay out-of-pocket costs such as copays. With fewer people carrying cash and checkbooks these days, credit and debit cards are becoming the standard. Accepting them can also give you a better chance of receiving the money you are owed.

Believe it or not, some credit cards such as American Express actually give healthcare businesses a break on associated fees. What’s more, having payment processing for doctor’s offices also allows you to honor patients’ health financing cards such as CareCredit, their health savings accounts or their health reimbursement accounts, all of which you can do if you have the correct classification with your payment processor. Once you have become properly set up, accepting patient credit and debit cards should be a breeze.

How to remain HIPAA compliant.

Protecting the privacy of patients’ sensitive health data is one of your top priorities; plus, it’s the law. Take the following steps to make data breaches as unlikely as possible:

  • When you process a patient’s card, do not provide any protected health information, including details about treatment or care. Only furnish what is needed for the payment to be processed.
  • Do not send receipts to your patient via text or non-secured email, and don’t allow your processing company to do so.
  • Come right out and ask. Any payment processing company worth their salt will tell you whether or not they are HIPAA compliant. Steer clear of them if they are not.
  • Secure all credit card data. If you have good reasons to store credit card authorizations or any other documents that contain patients’ credit card numbers, you are required by law to store them securely behind lock and key. You may also have the option to have this information secured by your payment processing company in an encrypted vault. If this option is available to you, it is in your best interest to invest in it.
  • Ask your processor about signing a business associate agreement with them. You will definitely need this if you are using your payment processor for anything in addition to simply taking credit cards. Examples include accounting tools, reporting, or marketing and customer loyalty features. If you fail to do this, you may be found to be noncompliant with HIPAA standards.
  • If you have practice management software in place, consider a payment integration solution that will enable you to accept credit card transactions via a payment terminal while automatically getting a record of the transaction (minus encrypted data) into your patient records. This eliminates the need for double data entry and greatly reduces the likelihood of staff leaving paper records with sensitive information unsecured around the office.
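The first and last points above (send the processor only what the payment needs, and keep the practice's own record free of card data) are data-minimization rules that are easy to get wrong when a visit record and a payment request are built from the same data. The following Python is an added illustration written for this page, not code from any payment processor or practice management product. It assumes the processor has already tokenized the card (the "encrypted vault" option described above) so the practice handles a token rather than a card number, and the field names, the PHI field list and the sample visit are all constructed for the example.

```python
# Added example: separating a PHI-free payment request from the practice's own
# payment record. Field names, the PHI list and SAMPLE_VISIT are constructed.

# Fields a card processor needs to authorize a payment (assumed set for this example).
PAYMENT_FIELDS = {"amount_cents", "currency", "card_token", "patient_account_id"}

# Fields that carry protected health information and must never appear in a
# payment request. Illustrative, not an exhaustive HIPAA list.
PHI_FIELDS = {"diagnosis", "procedure_code", "treatment_notes",
              "date_of_service", "provider_name"}

# Receipt channels the practice allows; text message and plain e-mail are not on it.
ALLOWED_RECEIPT_CHANNELS = {"printed", "patient_portal"}

# Constructed sample visit record as a practice management system might hold it.
SAMPLE_VISIT = {
    "patient_account_id": "ACCT-0001",      # constructed
    "date_of_service": "2024-01-15",        # constructed
    "provider_name": "Dr. Example",         # constructed
    "diagnosis": "J06.9",                   # constructed
    "procedure_code": "99213",              # constructed
    "treatment_notes": "follow-up in 2 weeks",
}


def payload_violations(payload: dict) -> list[str]:
    """List every way a payment payload breaks the allow-list: PHI fields present,
    or fields the processor has no business receiving."""
    problems = [f"phi:{name}" for name in sorted(PHI_FIELDS & set(payload))]
    problems += [f"unexpected:{name}"
                 for name in sorted(set(payload) - PAYMENT_FIELDS - PHI_FIELDS)]
    return problems


def build_payment_request(visit: dict, amount_cents: int, card_token: str) -> dict:
    """Build the request sent to the processor from an allow-list of payment
    fields only; the visit's clinical fields are never copied across."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    request = {
        "amount_cents": amount_cents,
        "currency": "USD",
        "card_token": card_token,
        "patient_account_id": visit["patient_account_id"],
    }
    problems = payload_violations(request)
    if problems:  # defence in depth: fails if someone later adds a field above
        raise ValueError(f"payment request rejected: {problems}")
    return request


def mask_pan(pan: str) -> str:
    """Return a card number with everything but the last four digits masked.
    Used only at the terminal before the number is discarded."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def practice_record(visit: dict, processor_response: dict, pan: str) -> dict:
    """The record that goes into the patient's file: enough to reconcile the
    payment against the visit, but no card number and no processor token."""
    return {
        "patient_account_id": visit["patient_account_id"],
        "date_of_service": visit["date_of_service"],
        "amount_cents": processor_response["amount_cents"],
        "card_last4": mask_pan(pan)[-4:],
        "processor_ref": processor_response["reference"],
    }


def receipt_channel_allowed(channel: str) -> bool:
    """Policy check for where a receipt may be delivered."""
    return channel in ALLOWED_RECEIPT_CHANNELS


if __name__ == "__main__":
    req = build_payment_request(SAMPLE_VISIT, 2500, "tok_constructed_123")
    print("to processor:", req)
    resp = {"amount_cents": 2500, "reference": "auth-constructed-1"}  # constructed
    print("to patient file:", practice_record(SAMPLE_VISIT, resp, "4111 1111 1111 1111"))
    print("sms receipt allowed:", receipt_channel_allowed("sms"))
```

The point of keeping `payload_violations` separate from `build_payment_request` is that the same check can run in a unit test against any payload the integration produces, so a later change that copies the whole visit dict into the request is caught before it reaches the processor.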

Safeguarding patient data must be one of your highest priorities. To ensure that you are doing all you can in this regard, contact your payment processing company. As is the case with you, it is also in their best interest to protect all sensitive data. Once you take all the necessary steps, you can rest easy knowing that your practice is in compliance with the law.