Legal Issues in Keeping Patients’ Credit Card Information on File

Many physicians find credit cards to be the easiest way of accepting payment, and some will even keep their patient’s credit card information on file in case a patient fails to pay their bill. What many of these physicians do not realize, however, is that electronically storing a patient’s credit card information opens them up to a litany of legal issues. While not meant to be exhaustive, this article will briefly run through three issues physicians may face when they retain their patient’s credit card information.
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Credit card information is considered protected health information, or “PHI”, under HIPAA and its implementing regulations when it is stored by a healthcare provider. Specifically, the electronic storage of credit card information by a physician practice raises several legal issues under HIPAA, including issues under both the Privacy Rule and Security Rule. While there are no bright line requirements that physicians must follow to guarantee compliance with HIPAA in the storage of patient credit card information, the Security Rule emphasizes the “reasonableness” of the security measures in place while also setting forth minimum security standards that a healthcare provider must follow. Every practice should already employ HIPAA compliant security measures to protect their electronic PHI, and should make sure that it uses at least equivalent measures to protect electronically stored credit card information so that it satisfies its HIPAA obligations with respect to such information.
Payment Card Industry Data Security Standards
In addition to HIPAA, storing patient’s credit card information will likely trigger Payment Card Industry Data Security Standards (“PCI DSS”). PCI DSS consists of a minimum set of security standards necessary to protect cardholder data. These standards are not issued by a governmental entity but instead apply to businesses pursuant to their contracts with the individual card schemes (e.g. Visa, American Express, Mastercard).
The PCI DSS divides businesses into four tiers depending on the volume and type of transaction processed and imposes different standards on each tier. In addition to the tiered approach, the PCI DSS imposes minimum standards on all businesses that store and process card data electronically, including the installation of a firewall configuration to protect data and the prohibition on the use of vendor supplied default passwords, just to name a few. Businesses that do not comply with these standards can be fined by one of the various card schemes or have their contract canceled.
The Federal Trade Commission Act (“FTCA”)
Physicians who store their patients’ credit card information on file could also potentially be subject to Section 5 of FTCA and analogous state laws. While the FTCA does not explicitly prohibit physicians from storing their patients’ credit card information, Section 5(a) of the FTCA would subject them to liability if the information becomes compromised in certain circumstances. Courts have interpreted Section 5(a) to require companies “employ reasonable and appropriate security measures to protect personal information and files.” Similar to the HIPAA standard, the question of whether a set of security measures is “reasonable and appropriate” is not always clear.
In addition to the security measures requirement, Section 5 of the FTCA has been interpreted to prohibit an entity from charging an individual’s credit card without first receiving their authorization. Section 5 of the FTCA also requires businesses to disclose, or at the very least not obscure, material changes to their billing practices. Thus, physicians who previously accepted payment by credit cards but who now wish to retain a patient’s credit card information for future billings should notify the patient of the change in billing practices and be sure to obtain the patient’s authorization before billing their credit card.