The massive fines and multimillion-dollar settlements associated with data breaches have made hospitals and health systems fully aware of their obligations to protect patients’ personal health information (PHI). But those same organizations often overlook similar obligations related to their legal status as merchants—entities that are able to process credit cards. With higher deductibles and higher copayments forcing patients to use credit to pay for their health care, hospitals and health systems must take steps to protect that data. In particular, it’s critical that decision makers learn how the payment solution they select can change their organizations’ internal security and compliance obligations.

One way to meet these security challenges is to follow the data security standards set by the Payment Card Industry (PCI) Security Standards Council, the body dedicated to protecting credit card data internationally. The council assigns organizations to different classifications, each of which carries a requirement for the completion of a specific audit. These audits are of various lengths, ranging from about 20 questions to well over 300. Most hospitals today are simply not complying or protecting the data. If they are complying, it is typically at an unnecessarily high level of PCI audit scope (the 300+-question audit) due to the transmission of card data to their network

Learning Objectives

1. Gather information on the interest/commitment level of hospital decision makers to protect patient card data

2. Determine the role of PCI compliance in their overall security strategy, and what steps (hire consultants, self-assess, other?) do they take on a annual basis to ensure compliance?

3. Identify who in the organization is responsible for making decisions regarding payment security and compliance

David King, CTO, OnPlan Health