2010 Volume 2 Issue 7

September 21, 2010
Issue No. 1
In This Issue
Credit Card Processing Security Risks
How the PCI Standards Affect Your Office
Returned Refunds
Healthpac Scheduler Update
A new scheduler software update is available and will be completed the evening of 9/21/10. The update will help improve performance and fix minor bugs. Please report any scheduler malfunctions to IPC immediately so we can track and follow up on current issues as well as reduce future problems.

This issue is full of helpful information regarding credit card security and returned refunds. Please let us know if you have any questions.

Credit Card Processing Security Risks
Most providers pay little attention to how patient credit card information is handled and stored in their offices. Our eyes were opened last week when IPC Partner Mary Ellen Duffy attended a security conference for billing companies that strongly warned of the risks to both us and our clients if we fail to implement PCI (Payment Card Industry) standards. Failure to comply could result in large fines and lawsuits if credit card information is breached. As a result, we believe we have no choice but to implement a new process to handle patient credit card information.

Currently, our staff takes patient credit card payment information over the phone. We write the cardholder's name, credit card number and security code on a form that we send to your office for processing (via fax or courier). That information is also on patient statement stubs sent to your offices for processing. However, the PCI standards say:
  • Storage and retention of card data must be kept to the absolute minimum required for the business, as documented in a data retention policy you maintain (requirement 3.1).
  • Never, ever write down the card verification code (the 3 or 4 digit code) (requirement 3.2.2).
  • Never send card holder data by an insecure mechanism (courier can be considered secure if a secure, sealed package is delivered and detailed audit log is maintained) (requirement 4.2).
  • The paper must be stored and processed in a locked, restricted area with many strict access control mechanisms, including visitor log and camera (requirements 9.1, 9.7, 9.8, and 9.9). Most likely your fax machine is not a secure location.
  • The paper must immediately be destroyed by being shredded (requirement 9.10).
To fully comply with PCI standards, IPC has decided to implement the use of a secure portal to process credit card payment information. Your office will be receiving a fax this week with more information regarding the secure solution. Please respond to the fax as soon as possible!

How the PCI Standards Affect Your Office
The PCI standards described in our feature article also affect your office. Now is the time to do a risk audit regarding how your office handles credit card information. Be sure that patients' complete credit card numbers and security codes are not kept in any format (paper or digital). Your office's credit card machine should print a receipt with only the last four digits of a credit card number. If your machine is still printing all digits of a patient's credit card number, contact your vendor to have this updated immediately! Be sure to shred all credit card payment forms sent to you by IPC. If in the past you have kept payment documentation in patient files, purge this information from the files and shred it. Take time to analyze your process for other potential risks.

Returned Refunds
Please remember that Michigan refund checks that are refused by the payer or patient refunds that are undeliverable fall under the domain of the Unclaimed Property statute. You must send that money to the Unclaimed Property Division of the Michigan Department of Treasury. If you are still holding monies of $50.00 or more that haven't been turned over to the State yet, you are required to file a verified annual report. Your accountant will have the details.
About Us
If you have any questions regarding this newsletter, you can contact us at:

         Mary Ellen Duffy
         Patricia Nevala pat@ipcbilling.com

or call us at 616-459-6867 or 800-606-1455

Please feel free to forward this newsletter to your staff and peers.

Innovative Practice Concepts, LLC -- A full service medical billing company
Your Bottom Line is our Top Priority!