With rising premiums and the popularity of employer-sponsored health savings accounts (HSAs), patients are facing higher out-of-pocket costs that could threaten their access to care. Increasingly, medical practices and hospitals are searching for methods to make it easier for patients to pay their out-of-pocket healthcare obligations. As a result, many healthcare entities are implementing credit card on file (CCOF) processes to increase revenue and cash flow by making it easier for patients to pay their out-of-pocket costs (e.g., copayments, co-insurance, deductibles, recurring payments).
A CCOF program provides a secure format in which to maintain the patient's credit card information and gives the provider permission (from the patient) to charge the card on file after an insurance payer has processed and paid the claim. The remaining balance can then be processed for payment via secure format with the patient's credit
This article reviews the compliance steps a medical practice needs to take to ensure that credit card processing is secure and patients' credit card information
Healthcare providers and practices must comply with the industry standards that apply to every company that processes payments with credit, debit, or cash cards.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every business that accepts, processes, stores, or transmits cardholder data maintains a secure environment. CCOF processing should be set up with a PCI DSS-validated vendor, and the practice should adhere to the policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders'
Credit card on file program
by Debbie Kiehl, FACMPE, CRCR
» Due to increasing out-of-pocket expenses for patients, healthcare entities are exploring a "credit card on file" option to make patient payments more timely and efficient.
» Credit card on file programs should use a PCI DSS-validated vendor to ensure the healthcare entity meets the payment card data security standard.
» Develop policies and procedures for practice staff to follow, including a financial policy for patients to review, and require patients to provide signed authorization for payments.
» Penalties for non-compliance and/or a breach are set by the payment card brands (the PCI Security Standards Council maintains the standard itself, not the fines) and can range from $2,000 to $100,000 per month.
» Penalties are levied on the acquiring banks and card institutions and can be passed down to the healthcare practice if credit card data is compromised.
Debbie Kiehl is a Senior Manager with Coker Group in Alpharetta, GA.