Double Trouble: PCI Compliance, the HIPAA Overlap and How to Mitigate Your Practice’s Risk

By Zena Tsarfin for Merchant Advocate

Any business that accepts credit cards needs to protect its customers' personal data, and that is even more important for medical and dental practices, which also store protected health information. Healthcare is among the sectors most heavily targeted by cybercriminals and has the highest breach costs of any industry: according to IBM's Cost of a Data Breach Report, the average total cost of a healthcare breach was $10.1 million in 2022.

To keep healthcare security standards current as technology evolves, two distinct regimes apply, and they come from different sources. The Health Insurance Portability and Accountability Act (better known as HIPAA) is federal law, enacted in 1996 and enforced by the U.S. Department of Health and Human Services. The Payment Card Industry Data Security Standard (PCI DSS) is not legislation at all; it is an industry standard maintained by the PCI Security Standards Council and enforced contractually through the card brands and your payment processor.

HIPAA covers medical records and other protected health information, but it does not cover credit card payment data; that is where PCI DSS comes in. Both frameworks require a practice to secure specific types of patient information. While the data each pertains to differs, their implementation overlaps considerably: both require written policies and procedures, staff training, access controls, and periodic assessments (an annual self-assessment questionnaire or on-site audit for PCI DSS, a documented risk analysis for HIPAA) to uncover issues that need remediation. Patient health information and payment card data are among the data most sought after by cybercriminals.

Given the risk, medical and dental practices must remain vigilant, and PCI compliance should never be ignored. Non-compliance fees eat into your bottom line every month, and a breach at a non-compliant practice can bankrupt it and ruin its reputation.

If a practice suffers a breach while non-compliant with PCI DSS, the costs fall on the practice. It can be held responsible for the cost of reissuing every affected card and for the fraudulent charges made on those cards, and it will typically also have to pay for six to twelve months of credit monitoring for every affected patient. The card brands may further require it to hire a PCI Forensic Investigator (PFI) to conduct the breach investigation. All of that is on top of the non-compliance assessments themselves, which range from $50 to $90 per affected customer.

That is why it is so important to be proactive and find out whether your practice is compliant. Our best advice for medical professionals and office managers: review your three most recent consecutive processing statements. Most processors charge a non-compliance fee monthly, but some charge quarterly, which is why you need to check three consecutive statements rather than one. If you are compliant, you will probably still see a single PCI line item, because processors charge a fee for access to their PCI compliance portals; a recurring "PCI non-compliance" or "non-validation" fee, by contrast, is the sign that your processor has no completed self-assessment questionnaire on file for your account. If, given the financial liability, you would prefer an outside expert to verify your compliance, consider an independent third party like Merchant Advocate.

Finally, PCI non-compliance fees and other hidden and junk fees can siphon as much as 5% of your total net revenue directly from your bottom line. We recommend that you engage an independent third party to audit your statements and determine whether you are overpaying or non-compliant. Statements are complicated by design. Merchant Advocate can help you save money without switching processors and has saved clients more than $300 million in credit card processing fees. Contact us to receive a free analysis of your merchant account with a single, no-commitment phone call. Visit MerchantAdvocate.com/contact for more information.