The Path to Paperless
Know the PCI Data Security Standards
By Peter J. Polack, MD, FACS
Just as medical practices are wrapping their brains around HIPAA (Health Insurance Portability and Accountability Act) standards, now they have to be worried about new PCI-DSS (Payment Card Industry Data Security Standards). Or do they?
First, a little background on PCI-DSS. What exactly is PCI and who started it? The PCI Security Standards Council was founded by major credit vendors, including American Express, MasterCard Worldwide and Visa, to create consistent data security measures. With recent legislation regarding individuals’ financial privacy rights, this has spilled over into the domain of healthcare, as PCI breaches will now be considered HIPAA breaches.
This matters because, as Cindy Schwerdtfeger of Allina Health System puts it, “PCI's bite is actually far worse than its bark,” with potentially high financial penalties. So what does this have to do with doctors?
If You Accept Credit Cards
If yours is like most practices, you accept credit cards for patient charges—and this classifies your practice as a merchant. In the typical scenario, a patient checking out will have his or her card swiped using a credit card terminal. Your receptionist will then enter the information into the computer billing system manually, which will result in money being deposited into your practice's checking account. The patient receives a receipt of the transaction. All of these transactions are then reconciled within the practice billing and management system.
Meeting the Standards
The PCI standards consist of 12 key requirements for merchants (and numerous sub-requirements under each of those) related to security of personal credit card information. Most of these are quite technical in nature and would be especially onerous for medical practices if all of them were applicable. The real issue then is whether they all apply to the typical practice, since most of these concern large retailers that handle millions of transactions.
Some of the standards include installing and maintaining a firewall configuration to protect cardholder data, using and regularly updating anti-virus software, and restricting access to cardholder data by business need-to-know.
Other PCI standards recommend assigning a unique ID to each person with computer access, restricting physical access to cardholder data, tracking and monitoring all access to network resources and cardholder data, regularly testing security systems and processes, and maintaining a policy that addresses information security.
Getting in PCI Compliance
Much of this would be covered by having a good information security policy in place. As in coding compliance, much of your defense is having the proper documentation and processes in place. But since it is prudent not to leave this to chance, PCI has some tools to help ensure that you are in compliance.
There are four merchant levels of PCI compliance, depending on the manner in which the credit card information is handled and stored. Since most medical practices use a card vendor-supplied point-of-service or card-swipe terminal, and not an open public network, they will fall into the “imprint-only” level (SAQ B). If you use a Web-based virtual terminal instead of a card-swipe terminal, things can get a bit more complicated.
So, what exactly does a small-to-medium-sized merchant need to do to be in compliance? The PCI Security Standards Council has resources on its Web site that can be accessed at www.pcisecuritystandards.org, including a flowchart to determine which SAQ (self-assessment questionnaire) level corresponds to your situation.
Once you have determined your SAQ level, then you can download the SAQ and AOC (attestation of compliance). It will walk you through the process as you fill out the checklist, much like an EZ-tax return form.
Be Cautious With PCI Consultants
Since this is new territory for medical practices, numerous companies and consultants are jumping into the PCI advisory business. Just beware about signing up for monthly services that promise to take care of everything. It's okay to get their recommendations, but ultimately you are responsible for ensuring that your practice is in compliance.
Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multisubspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice management resource for physicians and administrators.