PCI for doctor office question
jeffs08
01-22-2008, 07:53 AM
I went to the doctor a while back and noticed that they have the full PAN on the merchant copy when I paid my co-payment.
My assumption is they physically secure the merchant copies.
Does anyone have any insight into providing PCI remediation and assessments for doctor offices who by chance may be level 1 merchants because they're members of a larger medical group?
I wonder how much over-lap of the PCI validation there is with the HIPAA requirements...
Thanks,
~ jds
hmark
01-22-2008, 10:17 AM
That's an excellent question. The definition of Personal Health Information (PHI) does include payment information that can be linked to an individual. To my knowledge there is no prohibition under the Card Brand rules on printing the full PAN on the merchant copy. However, HIPAA can be interpreted to include credit card information under its privacy rule. This rule requires protection of all patient PHI, which includes treatment history as well as payment history.
Unfortunately, HIPAA has amounted to a bit of a tempest in a teacup. There was a lot of noise about it, but very little enforcement.
As to overlap, I think as with most regulations, if an organization is following industry best practice for securing information they will find a lot of overlap in the practice, although the target of the protections may differ (Cardholder data, patient history, accounting data, etc).
jbhall56
02-25-2008, 10:05 PM
I think it's a really big stretch to use HIPAA as a rationale for cardholder data protection compliance.
First, in most of the clinics and hospitals I've been in, the credit card data has no relationship to the patient's health care records because they appear to use Verifone or similar credit card units that are separate from their clinic systems. So the cardholder data never comes in contact with anything related to a patient's health care records. Therefore, no HIPAA implication on that count.
Secondly, there is no relationship in the sense of how health care information is defined in HIPAA that even comes close to an explicit definition related to how a patient pays for health care services outside of their insurance coverage and the protection of that information. As defined, HIPAA clearly delineates what health care records are, and I don't see anything related to 'cash' payments, only to ongoing care, diagnosis, insurance coverage and other relevant medical information. From what I've read in HIPAA, if a patient is paying for their health care via cash, check or credit card, that is different from the definition provided for protection of insurance coverage information. Last I knew, the card brands were not considered health care insurers.
As an aside, the reason HIPAA has no teeth is that Congress neglected to put anyone in charge of ensuring compliance. It's been assumed that that role falls to the Department of Health and Human Services, but that was not explicitly stated in HIPAA. So, unlike the financial institution industry that has regulatory agencies coming out of every orifice with explicit mandates, the health care industry has none of that definition.
bhuebner
02-26-2008, 03:27 PM
First, most of the clinics and hospitals I've been in, the credit card data has no relationship to the patient's health care records because they appear to use Verifone or similar credit card units that are separate from their clinic systems. So the cardholder data never comes in contact with anything related to a patient's health care records. Therefore, no HIPAA implication on that count.
Jeff,
To the casual observer, it appears that most use standalone credit card machines and the process would end there. However, a good amount of hospitals use imaging systems, so those payment slips you send in (including hospitals in our neck of the woods) can get tied to patient information; they shouldn't be scanning full PANs with CVV2 info, but they do. Self-dispensing medication vending machines get tied to patient information with credit card information. There are a number of places on the back end where this information can get tied to customer information. In many of the situations it does not need to be, and we help redefine their process.
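The failure mode described above is a scanned payment slip carrying a full PAN (and CVV2) into the patient-record imaging system. As an added example, not code from anyone in this thread, here is a small Python check a defender could run over OCR text at the ingest step: it finds digit runs that pass the Luhn check, truncates them to the last four digits, and flags the document if a CVV2 value is also present so it can be held back. The slip text and the 4111 1111 1111 1111 test card number are constructed sample input, not real data.

```python
import re

# Constructed sample: OCR output from an imaging system that scanned a
# co-pay slip. The MRN and phone number are digit runs that must NOT match.
SAMPLE_SLIP = """PATIENT: J. Doe   MRN: 1234567890123
CO-PAY RECEIPT  VISA 4111 1111 1111 1111  EXP 09/10  CVV2 123
PHONE 555-123-4567  AMOUNT $25.00"""

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops MRNs and phone numbers that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pans(text: str) -> str:
    """Truncate each detected PAN to its last four digits before storage."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)


def triage(text: str) -> dict:
    """Findings used to hold a slip back from patient-record ingest."""
    pans = [d[-4:] for _, _, d in find_pans(text)]
    cvv = re.search(r"\bCVV2?\s*:?\s*\d{3,4}\b", text, re.I)
    return {"pan_count": len(pans), "last4": pans, "cvv2_present": cvv is not None}
```

Where the Luhn check catches a hit, the record is both truncated and flagged; a slip with a CVV2 present should be quarantined rather than merely masked, since CVV2 may never be stored after authorization.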
jbhall56
02-26-2008, 10:29 PM
So, you got me to contact some of my 'old' friends in the health care community in the Midwest.
Two of them confirmed that their organizations deliberately did NOT integrate credit card information with patient records for the very reasons of security and not having to have their patient record systems fall under both HIPAA and PCI.
Three admitted to integrating credit card information with patient records. They also admitted that all of their organizations regretted that decision, as it has led to control issues and too much lost time due to compliance assessments.
One of the three is actually in the process of going back and segregating cardholder information from their patient records to get better control of their cardholder data.
So, while some clinics and hospitals went down this road, not everyone bought into total integration.