Medical professionals should be aware of a scam currently being perpetrated by unethical merchant account providers. Callers are contacting medical practices that accept credit cards and claiming that the practice must reprogram its credit card terminal to be HIPAA compliant.
Vantage has received numerous calls over the last few days from our healthcare clients inquiring about these calls and asking, “Are credit card transactions covered under HIPAA?”
According to the U.S. Department of Health and Human Services website, transactions conducted between subscribers or patients and health plans or health care providers are not transactions for which the Secretary of Health and Human Services has adopted standards.
If an individual (i.e., a subscriber or a patient) uses his or her credit or debit card to pay for premiums, deductibles and/or co-payments, is that “transaction” considered a HIPAA standard, and must it be in a HIPAA compliant format with HIPAA compliant content?
The HIPAA standards do not apply to individuals, unless they are acting in some capacity on behalf of a covered entity, and not on behalf of themselves as, for example, subscribers or patients. An individual, acting on behalf of himself or herself, is not a covered entity, and is therefore not subject to the HIPAA standards. Therefore, if an individual uses a personal credit card or debit card to pay either a premium, co-payment and/or deductible to a health plan or a health care provider, the individuals are not covered entities, they are not conducting covered transactions, and the transactions being conducted need not be in the standard format.
It is very important that all medical offices warn their office staff about these calls and give them best practices so that payment card terminals or other POS systems are not reprogrammed in response to such calls.
If you are unsure about calls you receive regarding your merchant account, please call Vantage first at 800-397-2380 before taking action.