A laboratory client asked us today — “Is Stripe HIPAA compliant?”
Many laboratories accept payments for laboratory testing by credit card. Credit Cards may be used for up-front payments, paying a co-pay, or a patient paying the balance after insurance pays for a laboratory test.
There are several electronic providers that make credit card processing easy and reliable.
Each vendor provides APIs and clearing house services that aggregate and connect the payment requests to the backend merchant bank processing services.
A laboratory can readily embed the services into their website or take patient credit card information over the phone. Typically a laboratory pays a flat fee for each transaction plus a percentage of the amount charged.
So… Does a laboratory need a Business Associate Agreement (BAA) with these providers? What about the payment service’s HIPAA compliance? What about the patient names and credit card numbers I’m sending?
The Patient Name and Credit Card Number are Protected Health Information (PHI) that the laboratory needs to protect. However, as clarified by Health and Human Services (HHS):
Processing payments through a credit-card processor or service that facilitates credit-card processing is specifically excluded from certain HIPAA and BAA requirements. In the HIPAA law, Title II, Part C, Section 1179 addresses the processing of payment transactions by financial institutions. Following the addition of HITECH and Omnibus Final Rule requirements, this section still applies, and HHS provided additional comments.
- Companies that facilitate transfer of funds by debit, credit, payment card, checks, or ETF for compensation for health care are not business associates and are NOT acting on behalf of laboratories as their Business Associate.
- When a financial company faciliates a consumer-conducted payment transaction, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
- A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid.
- Covered entities that initiate such payment activities must still meet the minimum necessary disclosure requirements described in the preamble to 45 CFR § 164.514.
When a BAA is Required
However, banks and payment companies often provide additional services to laboratories. Laboratories must therefore be be aware of the following:
1) If a service (like Stripe, Square, or your Bank) is providing any “Back Office”, “Account Balance,” “Data Aggregation” or “Accounts Receivable” functions — they then in most cases become a Business Associate, must have a BAA in place, and must comply with HIPAA.
2) If the payment institution provides any other additional services “above and beyond” payment services — such as automatically sending electronic receipts via e-mail — that may also make them a Business Associate so you may want to consider NOT enabling such additional services. Based on the guidance, only services that are “solely” processing payments for covered entities operate outside the BAA requirement.
Laboratories must meet additional requirements beyond HIPAA if they are keeping any credit card information on file, and/or receiving credit card numbers on paper or online.
All credit card information that laboratories transmit and store is subject both to HIPAA and PCI compliance rules; specifically PCI-DSS 2.0 – Payment Security Industry data security standards requirements.
Anyone that takes (or processes) a credit card for payment – both the laboratory and the credit card payment service company must be PCI compliant and meet the following:
1) Laboratories must NEVER store “Sensitive Card Holder Data” online or on paper:
Sensitive Card Holder Data is formally defined as the CAV2/CVC/CVV2 (3-digit) or CID (4-digit) codes.
While some payment processors will give a discount for asking for a CVV, and it can prevent fraud, the risk of fraud for payment of lab tests is often lower than other commerce activities and you may be well advised to avoid CVV altogether.
2) A Primary Account Number (PAN) also known as the “Credit Card Number” can be stored — but it MUST be encrypted. Better and easier to not keep this either and send it right off to Stripe or Cybersource directly through a web-service call.
3) Significant network and security protections come into play and are required by PCI-DSS such as transmission encryption, encryption of data at rest, and security monitoring depending on the volume of credit transactions processed.
Additional Compliance Considerations
In addition, credit card information should be considered in the laboratory’s security risk analysis.
If there is a security breach or loss of the information is reported to the laboratory, it is a disclosure and the laboratory’s disclosure tracking, breach risk analysis and breach notification procedures may apply.
Double-Helix is available to answer additional questions about integrations with payment services, security best practices, and the regulatory requirements surrounding PII and PHI information.
By leveraging providers of payment services and not storing any credit card data, laboratories can transfer the PCI burden to the credit card processing services and take one more security and compliance risk off their plate.