HIPAA and Credit Card Processing
    • 20 Feb 2024


    HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a United States law that sets standards for the protection of protected health information (PHI). Healthcare providers, health plans, and healthcare clearinghouses that store or transmit PHI (collectively, "Covered Entities") fall within the scope of HIPAA and must therefore meet its compliance requirements.

    As a credit card processor, Helcim frequently receives inquiries from healthcare providers about HIPAA compliance. The US Department of Health and Human Services (hhs.gov) has stated that credit card processing itself does not fall within the scope of HIPAA. Rather, Helcim is considered a “Business Associate” under HIPAA guidance.[1] A Business Associate is a third party that does not itself conduct the business of a Covered Entity but that may assist Covered Entities with various business activities, provided that it gives “satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the [HIPAA] Privacy Rule”.

    Helcim’s Privacy and Security Standards

    Helcim, like other credit card processors, must adhere to the Payment Card Industry Data Security Standard (PCI DSS) for protecting cardholder data. Helcim meets and exceeds those requirements and is listed as a PCI DSS Level 1 service provider. Note that PCI DSS governs cardholder data, while HIPAA governs PHI; a PCI DSS attestation is not a substitute for the assurances HIPAA requires of a Business Associate. For more information about how Helcim safeguards your information, see our security resources here. For more information about Helcim’s Privacy Management Program, please see our Privacy Policy and associated resources here.

    Business Associate Agreement (“BAA”)

    Health and Human Services has published sample BAA provisions that Covered Entities may use to obtain additional assurance that their service providers will help the Covered Entity comply with its duties under HIPAA.[2] If your organization requires a BAA, please send an email request to our Compliance team at complianceteam@helcim.com with the subject line “Business Associate Agreement”.

    If you have additional questions about Helcim’s compliance program, please contact our Support team.


    References

    1. “Business Associates”. OCR HIPAA Privacy, US Department of Health and Human Services (HHS). Revised April 2003.

    2. “Business Associate Contracts”. US Department of Health and Human Services (HHS). January 2013.
