In medical practices, HIPAA compliance is a common term. While there may be many misconceptions about what actually is covered by HIPAA, nearly everyone in the healthcare industry has heard of it. With so many breaches of patient data being reported on a daily basis, protecting patient data has become extremely important. But what about patient payment information such as credit card data? This is why the Payment Card Industry Data Security Standard (PCI-DSS) was created. The Payment Card Industry (PCI) is composed of credit card processing and issuing companies. The industry created the Data Security Standard (DSS) to protect the payment information of credit and debit card users. The standard is for merchants and those who take credit cards as payment. PCI compliance was created to help merchants to protect this data. The DSS provides a framework to help merchants to do that. PCI compliance isn’t something most small practices have ever heard of but the penalties for non-compliance can be severe. Read on to see how you can create a compliance system for your practice.
In the United States, the Federal Trade Commission has oversight for credit card processing. PCI compliance isn’t a government regulation but rather an industry standard. The PCI Council created and administers the DSS. However, a court case in 2015 established that the FTC could require merchants to adhere to the PCI-DSS for the protection of consumers. Stolen credit card information is a booming business. And with medical practices, hackers get a 2 for 1 special by also getting patient medical data.
What are the penalties for not being PCI compliant?
For smaller merchants, the fines start at $30-50 per month. But once a merchant suffers a breach and is determined to be non-compliant, the fines can increase to $5,000 to $10,000 per month, depending on the size of the non-compliant merchant. The fine amount increases every 3 months until the merchant produces proof of PCI compliance. It takes time, sometimes as long as several months, to become compliant. Because of that, fines can become crippling to small practices. If a practice were to remain out of compliance, its ability to take and process credit card payments could be revoked.
The only way to avoid these penalties is to ensure your practice is PCI compliant.
How can a small practice achieve PCI compliance?
The good news for small practices is that most of the items for HIPAA compliance are applicable to PCI as well. In general, both want you to protect the data that is in your care. Both standards overlap a great deal. Here are some examples:
- Using firewalls for network security
- Keeping systems patched and up to date
- Having anti-malware protection installed on all computers
- Using encryption to protect sensitive data (in HIPAA, this is addressable)
- Limiting employee access to only the data that is required for their tasks
- Ongoing checks to ensure you are remaining in compliance
This means that if you have set up a HIPAA compliance program for your practice, you are most of the way to being PCI compliant as well. From there, you need to run a network vulnerability scan. This will check all of the computers and devices on your network for any potential issues. If anything is found, address it. If you process credit card payments on your website, make sure you also run a vulnerability scan on your website. Scans must be performed by an Approved Scanning Vendor (ASV).
From there, download and complete the PCI-DSS Self-Assessment Questionnaire. This must be updated yearly, and failing to do so is the most common reason that businesses and practices are fined. Filling these out is straightforward. This means that your practice has no reason not to do them and protect yourself.
Specific ways to protect your data
Don’t store sensitive cardholder information on your network – ever. There really isn’t a good reason for any practice to have ongoing access to their patients’ credit card information. If you use an in-office point of sale device to process payments, don’t also keep a copy of the card on file. Don’t write down this information either. If it is truly necessary, destroy it afterward.
Make sure your practice has a firewall. This will also fulfill one of your obligations under HIPAA. Firewalls work by shielding your entire network from the Internet. They will absorb a great many of the attacks that your practice could suffer. Most, but not all.
Make sure you check your credit card processing devices (PIN pads, computers, etc.) to ensure that someone hasn’t installed a skimmer. A skimmer is a device that will allow your terminal to work normally but also collects the patient’s credit card information. These have become very common at self-pay gas pumps and ATMs.
Practice good password hygiene. This means using strong passwords for each website or account. It also means never using the same password on more than one site. Humans aren’t meant to remember many strong passwords and because of this, we create one password and use it for everything. This is a big mistake. Instead, use a password manager like LastPass. LastPass will create strong and unique passwords for all of your accounts. Then you won’t need to remember them. You can learn how to use LastPass for your practice here.
How can you get more information about PCI compliance?
Unlike HIPAA regulations, the PCI Council has created a wealth of information for merchants to help them become compliant. Your first stop should be to download the PCI-DSS Quick Reference Guide. This outlines the 12 compliance requirements and sub-requirements. The guide will provide you all the information you need to understand what needs to be done to protect cardholder information.
Achieving PCI compliance is not only required, it’s the right thing to do for your practice. Protecting your patients’ personal information is critical. And with possible fines for not doing so, there really isn’t a good reason not to do it. Most practices aren’t aware of PCI at all. But unfortunately, that won’t protect them if there is a breach and patient payment data is stolen. This article outlines a path for any practice to get into compliance.