The importance of HIPAA-compliant credit card processing in telehealth services.

By: Jereme Sanborn


Although telemedicine has been in existence for decades, the coronavirus pandemic has caused its adoption by providers and their patients to skyrocket. If you are considering incorporating virtual visits into your practice, it is important to understand the advantages of doing so. Just as essential, you must get a grasp on how taking this step relates to the security of the sensitive patient information you store and communicate to other professionals.

Important definitions.

Before we dive in, let’s get our terminology straight. Telemedicine refers to the use of technology to practice medicine at a distance. Visits can take place online or over the phone and may or may not feature video viewing. Even though patients do not come in person to the doctor’s office, they are generally still expected to pay for part or all of the cost of the visit.

Telemedicine software is the platform that allows practitioners and patients to communicate with each other. It often also provides enhancements such as a virtual waiting room, the ability for all parties to correspond and chat with each other, and automated notifications. Perhaps most important, it offers a secure way for information, including payment and medical details, to be transmitted.

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) became law. This legislation is designed to protect the privacy and security of patients’ healthcare data. All entities covered under this statute must create policies to secure data, ensure compliance accountability, limit access to and safeguard Protected Health Information (PHI), and conduct staff training. Although the technological parameters of telemedicine have changed significantly since the law’s passing, maintaining its data protection standards is more important than ever for today’s medical practices.

How secure payment processing solutions protect patients’ data.

As the headlines show all too clearly, data breaches are a concern in numerous sectors of our society. However, nowhere can security vulnerabilities result in graver consequences than when it comes to the sharing, storing, and transferring of patient-specific medical or payment details. Failure to comply with HIPAA requirements bears significant penalties that can extend as far as financial cost, license loss, and legal ramifications. Consequently, any entity that runs a medical office, provides telemedicine services, assists a provider institution with services such as maintenance, or stores PHI for any reason must comply with HIPAA requirements.

As a direct result of the coronavirus pandemic, insurance companies markedly increased the scope of the telehealth services they would cover. The CARES Act, which was passed into law in March of 2020, suddenly required insurance providers to include an additional 85 services under the telemedicine umbrella. Interestingly, many of these categories are not pandemic-specific, suggesting that they will remain covered even after the worst of the virus’s consequences subside.

The changes brought about by the CARES Act led to a huge increase in the sheer volume of medical data being stored and exchanged. Always on the lookout for vulnerabilities to exploit, cybercriminals zeroed in on this potentially lucrative source of revenue.

Since fraudsters are relentless in their exploitation of security vulnerabilities, entities that are entrusted with sensitive private data must be equally vigilant. For example, providers must make it a priority to remain HIPAA compliant when they set up their systems to process patients’ credit cards. This is in spite of the fact that no health record information is being stored, rendering these transactions technically outside the statute. Even so, the practice should make it a point to only choose a HIPAA-compliant merchant account provider that will not receive, store or process any PHI details. This includes data such as the patient's legal name, date of birth, credit card number, CVV, and all medical and insurance information.

Furthermore, the telemedicine payment platform you choose should adhere to the Payment Card Industry Data Security Standard (PCI DSS). This system of requirements was developed by the card companies and is enforced by the Payment Card Industry Security Standards Council. It is designed to protect vital cardholder data from hackers by requiring all entities that store, manage, or transmit this sensitive information to safeguard it via specific practices, tools, and technologies.

Types of HIPAA-compliant telemedicine payments.

There are several methods that providers are using to securely accept money from their patients in exchange for remote medical services. They include the following.

  • Phone payments. The patient provides their payment information to one of your representatives over the phone. Your staff then keys it into your processing software via a remote terminal. HIPAA prevents you from recording patients’ medical information anywhere else other than in the online system. Ultimately, there is a higher potential for human data entry errors, and the temptation to jot down sensitive information on paper for later electronic entry can be difficult to resist. This is an express HIPAA violation that can compromise data, hurt your patients, and damage your practice financially.
  • Integrated telemedicine software. This method enables the patient to log in securely into an online portal that is PCI DSS compliant. Once they have verified their credentials, they enter their financial information into a form, and the payment is processed securely. Generally, a receipt is immediately emailed to the patient for their records.
  • Direct payment. This secure payment gateway allows you to customize your form and send it right to the patient. Additionally, it allows you to choose among various payment providers.

Whichever strategy you ultimately decide to adopt, it is important to maintain the privacy and security of your patients’ health information at all times. To that end, many practice administrators opt to invest in voluntary HIPAA compliance auditing that can detect vulnerabilities or flaws in protocol and recommend solutions that can be implemented proactively.

Tips for maintaining HIPAA-compliant credit card processing in your practice.

With ransomware and other forms of data breach continuing to pose very real dangers for merchants and telehealth providers alike, the importance of exercising care when initiating and maintaining your telemedicine payments portal cannot be overstated. The following tips can provide you and your patients with trust and peace of mind.

  • Don’t use conventional payment platforms such as PayPal or Stripe. Again, the system you choose must be HIPAA compliant.
  • Make sure that patients’ credit card data is stored in an encrypted vault instead of through other written or recorded means.
  • Sign a business associate agreement with the third-party entity you hire to process payments.
  • Use payment data security encryption technology to keep payment information safe during transmission.
  • If possible, avoid taking payments over the phone.
  • Never send receipts or any other health-related correspondence via text message or unsecured email, and make sure no third-party company you hire does either.

Telemedicine allows you to increase the quality and extent of the care you provide, augment your clinic hours, and serve patients who are unable to get to your physical office. However, all of these benefits will fall by the wayside if you cannot assure patients that you can keep their health-related information safe and secure. Maintaining HIPAA-compliant credit card payment processing is a small yet important component in fostering this trust. Take steps to ensure it, and your telehealth practice can flourish!