Health care providers are certainly no strangers to data privacy and security standards related to protected health information (PHI). Although these providers and their organizations are well versed in the rules, policies and requirements of HIPAA, few are aware that the PCI-DSS rules apply to their businesses, and even fewer are compliant. When HIPAA compliance mandates were looming, health care providers performed serious "gap analyses" to understand their risks and then developed policies, instituted practices and acquired technologies.
However, since Medicare reimbursement is not at risk with PCI-DSS compliance, it has been virtually ignored. It doesn't help that major health care publications are openly misinterpreting the PCI-DSS standards for health care providers, with statements such as: "[Providers] do not have to worry about compliance with PCI standards… they aren't storing any card numbers."
Health care businesses across the country must be aware that the PCI standards are concerned with three primary aspects of card security: storing, processing, and transmitting cardholder data. Simply put, if you accept a credit card (regardless of how, when, why or where), you must be PCI compliant. Although highly publicized cardholder information breaches primarily involve large merchants and organizations, the vast majority of security breaches occur at much smaller organizations. Almost 70 percent of all security breaches involve small merchants, and 32 percent of all security breaches occur at companies with fewer than 100 employees.
We live in a plastic world. From pay-at-the-pump gas stations to soda machines with card swipes, credit cards are recognized as a convenient form of payment and are virtually everywhere. The proliferation of credit cards throughout the country has led to many business efficiencies over the past decade, but these efficiencies have not come without a price. Over this time period, the massive databases which store personal information have become targets of a new breed of thieves.
In 2009, virtually all health care providers take credit cards, and virtually none of them are PCI compliant. Obviously, providers care about each of their patients' security and are certainly no strangers to data privacy and security standards in general. So why is it that the majority of health care providers in this country are not PCI compliant? As CFO of a health care IT company, I get the chance to interact with the nation's best providers on a daily basis. The top five reasons I have encountered for non-compliance with PCI are (in no particular order):
Reason #1: “I have no incentive”
Since Medicare reimbursement is not at risk with PCI-DSS compliance, it has all but been ignored.
My input: The world's largest processors are now strictly enforcing PCI compliance and will continue to do so. In many markets, if you are not compliant with the standards by the end of 2009, you cannot process credit card transactions. Period.
Reason #2: “It’s too expensive”
With declining reimbursements and increasing numbers of under-insured or uninsured patients, physicians are fighting for money harder than ever.
My input: I applaud health care providers for being cost conscious and encourage them to shop around for PCI compliance services. Health care providers can use many web-based PCI compliance services from qualified security assessors for around $150 a year or less.
Reason #3: “This doesn’t apply to me… I only process a few credit cards”
A common misconception is that small merchants who do not process a large volume of credit card transactions are not required to comply with PCI-DSS. The PCI-DSS requirements must still be met even if a company processes only a single credit card transaction.
My input: Providers should treat PCI-DSS just like HIPAA. Take it seriously and do not underestimate the cost of a data breach. The fines levied by VISA alone can be as much as $500,000 per incident, and for some merchants there can be additional fines of $25,000 per month of non-compliance even if there have been no data breaches. Also, refuse to conduct business with any company that helps you store, process, or transmit credit card data and is not PCI compliant.
Reason #4: “We are secure; after all we are HIPAA compliant”
Health care is likely one of the most secure and confidential sectors in the U.S., both physically and technologically, due primarily to HIPAA, which mandates the protection and security of protected health information. Health care providers understand the need for privacy and security and readily adopt new workflow practices, but they routinely mistake HIPAA compliance for security in unrelated realms.
My input: My experiences suggest that lackadaisical billing processes and the uncomfortable (sometimes legally difficult) nature of asking for payment prior to giving care represent a significant risk of a data breach for health care providers in the near future. PCI-DSS and the accompanying self-assessment questionnaire identify these risks and clearly identify the process gaps. The increasing adoption of health savings accounts and flexible spending accounts tied to debit cards only adds fuel to the firestorm of risk.
Reason #5: “What is PCI?!”
Within the health care industry, the implications of PCI-DSS have not received sufficient commentary. Frankly, few experts exist, and the implications this regulation will have for the provider community are overshadowed by the attention given to HIPAA.
My input: A simple awareness survey within the health care industry would likely demonstrate a stunning lack of awareness. Before we caution health care providers not to just check the boxes, we need to inform this growing class of merchants of proper processes.
Jim Lacy is the chief financial officer of ZirMed, which delivers revenue cycle management solutions to health care providers. He can be reached at email@example.com.