HIPAA usually ensures health information remains private, but different rules apply to credit card payments, because card payment processing does not deal with health-related data.
HIPAA and the credit card exemption
HIPAA imposes compliance standards on entities that handle health records. However, HIPAA contains a notable exemption for credit card processing services, which are explicitly excluded from its requirements. The exemption rests on the understanding that these services deal exclusively with card payment information and do not store, handle, or transmit health records or electronic protected health information (ePHI).
See also: What is the HIPAA treatment exception?
What does this mean for healthcare organizations?
For healthcare organizations, the HIPAA credit card exemption means they must understand where their responsibility for safeguarding health information ends and ordinary financial transaction handling begins.
- Maintain separation: Healthcare organizations should clearly separate their health information handling and financial transactions, including credit card processing. They should not use credit card processing services to store or manage health records, as it goes against the terms of those services.
- Compliance continues: Healthcare organizations must adhere to strict HIPAA regulations when it comes to protecting ePHI. HIPAA compliance remains a priority when handling health records.
- No business associate agreements: Since credit card processors, as per the exemption, are not considered business associates under HIPAA, healthcare organizations shouldn't expect to sign business associate agreements with these service providers.
Can a credit card payment service be HIPAA compliant?
A credit card payment service does not typically fall under the scope of HIPAA compliance because it deals exclusively with financial transactions, specifically card payment information.
In practice, while the credit card payment service itself might not be subject to HIPAA, healthcare organizations and professionals should be diligent in maintaining a clear separation between financial transactions (credit card payments) and the handling of health records to ensure compliance. They should not use credit card processing services to store or manage health records. This is not about making the credit card service HIPAA compliant but about how healthcare organizations and professionals handle their data responsibly.
How to remain HIPAA compliant when using credit card services
- Data segregation: Maintain a clear separation between financial transactions and health records. Do not use credit card payment services to store or handle health information, including ePHI. Ensure that staff and healthcare professionals understand this distinction.
- HIPAA training: Provide HIPAA training and awareness to your team. Make sure they are aware of the limitations of credit card payment services and understand the importance of keeping health information separate.
- Service provider terms: Adhere to the terms and conditions set by the credit card payment service provider. Typically, these terms state that their services should not be used for health record storage. Violating these terms can lead to non-compliance.
- Data security: Even though credit card payment services are not subject to HIPAA, maintain strong data security practices. Ensure that payment processes are secure and protect cardholder data according to industry standards like the Payment Card Industry Data Security Standard (PCI DSS).
- HIPAA compliant email: If you need to exchange ePHI via email, use a HIPAA compliant email service that ensures the secure transmission and storage of sensitive health information. Implement encryption and access controls for email communication as well.
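The data segregation step above is easier to enforce in software than in policy alone. The following is an added example, not code from the original article or from any payment provider: an allowlist gate that sits between a healthcare application and its credit card payment service, forwards only the fields a charge needs, drops everything else, and refuses the request outright when a known PHI field or a PHI-looking statement descriptor is present. The field names, PHI indicators, patterns and sample checkout record are all constructed assumptions for illustration, not a real processor's API.

```python
"""
Added example, not code from the original article: an allowlist gate that keeps
health information out of the payload a healthcare application sends to its
credit card payment service. Every field name, pattern and sample value below is
a constructed assumption for illustration, not a real processor's API.
"""
import logging
import re

log = logging.getLogger("payment_gate")

# Assumed: the only fields the payment processor needs to charge a card.
PAYMENT_ALLOWLIST = frozenset({
    "invoice_id", "amount_cents", "currency", "card_token",
    "billing_zip", "statement_descriptor",
})

# Assumed: keys whose presence means ePHI has crossed into the payment path.
PHI_KEYS = frozenset({
    "diagnosis", "icd10", "procedure_code", "cpt", "mrn",
    "patient_dob", "prescription", "clinical_notes",
})

# Assumed heuristics for the one free-text field that does reach the processor.
# They fail closed: a false positive blocks a charge, a miss would leak ePHI.
PHI_TEXT_PATTERNS = (
    re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),           # ICD-10-style code, e.g. E11.9
    re.compile(r"diagnos|prescri|therap|treatment|lab result", re.I),
)


class PHILeakError(ValueError):
    """Raised when a payload would carry health information to the card processor."""


def is_safe_descriptor(text: str) -> bool:
    """True if the statement descriptor contains nothing that looks like ePHI."""
    return not any(p.search(text) for p in PHI_TEXT_PATTERNS)


def build_payment_request(checkout: dict) -> tuple:
    """Split a checkout record into (processor_payload, dropped_fields).

    Known PHI keys or a PHI-looking descriptor abort the request with
    PHILeakError so the leak is stopped and logged instead of passed on.
    Unknown fields are dropped rather than forwarded, and returned so the
    caller can audit what the application tried to send.
    """
    leaked = sorted(PHI_KEYS & set(checkout))
    if leaked:
        log.error("blocked payment request: PHI fields present %s", leaked)
        raise PHILeakError(f"PHI fields must not reach the payment service: {leaked}")

    descriptor = str(checkout.get("statement_descriptor", ""))
    if not is_safe_descriptor(descriptor):
        log.error("blocked payment request: descriptor looks like PHI")
        raise PHILeakError("statement_descriptor must be a generic billing label")

    payload = {k: v for k, v in checkout.items() if k in PAYMENT_ALLOWLIST}
    dropped = sorted(k for k in checkout if k not in PAYMENT_ALLOWLIST)
    if dropped:
        log.warning("dropped non-payment fields before sending to processor: %s", dropped)
    return payload, dropped


# Constructed sample: a checkout record as an application might assemble it
# from both the billing and the clinical side of a visit.
SAMPLE_CHECKOUT = {
    "invoice_id": "INV-0001",
    "amount_cents": 12500,
    "currency": "USD",
    "card_token": "tok_placeholder",        # placeholder, not a real token
    "billing_zip": "94000",
    "statement_descriptor": "CLINIC COPAY",
    "patient_name": "Jane Doe",            # must never be forwarded
    "appointment_reason": "follow-up",     # must never be forwarded
}
LEAKY_CHECKOUT = {**SAMPLE_CHECKOUT, "diagnosis": "E11.9"}
LEAKY_DESCRIPTOR = {**SAMPLE_CHECKOUT, "statement_descriptor": "Copay for diagnosis E11.9"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    payload, dropped = build_payment_request(SAMPLE_CHECKOUT)
    print("to processor:", payload)
    print("kept back   :", dropped)
    for bad in (LEAKY_CHECKOUT, LEAKY_DESCRIPTOR):
        try:
            build_payment_request(bad)
        except PHILeakError as exc:
            print("blocked:", exc)
```

The design point is that the gate is an allowlist, not a denylist: a new clinical field added to the checkout record is dropped by default, and the PHI key and descriptor checks exist only to turn a silent drop into a logged, blocked request that someone will notice. The descriptor heuristics are deliberately conservative, since a blocked charge is recoverable and a leaked diagnosis code is not.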
See also: Guide to online payment options & HIPAA compliance