HIPAA and Credit Card Processing

HIPAA (Health Insurance Portability and Accountability Act of 1996) is US legislation that sets standards for protection of medical information. Its primary purpose is to protect the privacy of an individual's health records. Healthcare providers, medical offices, and service providers that store or transmit health information fall within the scope of HIPAA and must therefore meet its compliance standards.

As a credit card processor, Helcim frequently receives inquiries from healthcare providers about HIPAA compliance. The US Department of Health and Human Services (HSS.gov) has stated that credit card processing does not fall within the scope of HIPAA as no health record information is being stored - only card payment information.

Card Processing Security Standards

Helcim, like other credit card processors, must adhere to the Payment Card Industry Data Security Standards (PCI-DSS) for protecting cardholder data. Helcim meets and goes above those standards, and is listed as a PCI Level-1 compliant service provider: https://www.helcim.com/security/

Exemption - Please Note

The exemption for HIPAA and credit card processing only applies to the actual credit card processing services. Therefore, Helcim's merchant services should not be used by healthcare professionals to store health records, such as entering medical procedure information in invoice line items or in the comment sections of transactions. This would be a violation of Helcim's Terms of Service. Since Helcim's credit card processing services are exempt from HIPAA, Helcim does not provide signed Business Associate Agreements as it does not store or transmit electronic protected health information (ePHI) accounts.

For further questions, please contact our support team.

References

https://questions.cms.gov/faq.php?id=5005&faqId=1821 

https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html 

http://electronichealthreporter.com/4-rules-when-accepting-credit-card-payments-to-ensure-hipaa-compliance/