HIPAA and Credit Card Processing

  • Updated on Apr 8, 2024
  • Published on Aug 30, 2022
  • 1 minute(s) read
Prev Next

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a United States law that sets standards for the protection of personal health information. Healthcare providers, health plans, and health care clearinghouses that store or transmit personal health information fall within the scope of HIPAA and must therefore meet its compliance standards.

As a credit card processor, Helcim frequently receives inquiries from healthcare providers about HIPAA compliance. The US Department of Health and Human Services (hss.gov) has stated that credit card processing does not fall within the scope of HIPAA. Rather, Helcim is considered a “Business Associate” under HIPAA guidance. A Business Associate is a third party not directly conducting the business of Covered Entities, but that may assist Covered Entities with various business activities, providing they provide “satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the [HIPAA] Privacy Rule”.

Helcim’s Privacy and Security Standards

Helcim, like other credit card processors, must adhere to the Payment Card Industry Data Security Standards (PCI-DSS) for protecting cardholder data. Helcim meets and goes above those standards, and is listed as a PCI Level-1 compliant service provider. For more information about how Helcim safeguards your information, see our security resources here. For more information about Helcim’s Privacy Management Program, please see our Privacy Policy and associated resources here.

Business Associate Agreement (“BAA”)

Health and Human Services has provided a template BAA that Covered Entities may use to obtain additional comfort and assurances that their service providers will help the Covered Entity comply with its duties under HIPAA.2 If your organization requires a BAA, please send an email request to our Compliance team at privacy@helcim.com with the subject line “Business Associate Agreement”.

If you have additional questions about Helcim’s compliance program, please contact our Support team.


References

1. “Business Associates”. OCR HIPAA Privacy. Revised April 2003.

2. “Business Associate Contracts”. US HSS. January 2013.