Payment modernization, patient experience, and revenue protection in health care

As physician practices continue to modernize their operations, payments have quietly become one of the most complex—and risky—parts of running a business. Online portals, digital invoices, contactless payments, and telehealth-friendly billing options have made it easier for patients to pay, but they’ve also introduced new vulnerabilities that many practices were never designed to manage. Confusion over what patients are paying for, when payments are due, and how insurance fits into the equation can quickly turn into chargebacks, revenue loss, or allegations of fraud.

At the same time, physician owners face a difficult balancing act. They want to protect their practices from increasingly sophisticated fraud schemes without creating friction that frustrates patients or burdens front-office staff. Smaller and mid-sized practices, in particular, may lack the resources or visibility to recognize fraud risks early, leaving them exposed to costly card testing attacks, refund scams, or “friendly fraud” tied to misunderstood services.

Medical Economics spoke with Stephanie O’Connor, director of merchant experience at Wind River Payments, to break down how payment modernization intersects with patient experience, fraud prevention, and revenue protection.

Medical Economics: Many medical practices are relying on technology more than ever for things like scheduling and payments. But sometimes that technology can lead to confusion for patients, which can result in chargebacks or even fraud. How do situations like that happen?

O’Connor: That’s a great question, because it happens far too easily, and it’s something that’s really important for businesses to focus on. I’ll get into the details, but I want to start by saying that every business should have a clear payment strategy.

That strategy should answer questions like: What do you want your patient experience to be when they make a payment? How does that experience help avoid confusion around when they’re paying and how they’re paying?

On the flip side, many businesses focus heavily on how much they’re paying to accept payments. That matters, of course, but they should also be asking what they’re doing to ensure those costs stay as low as possible by preventing fraud and by meeting patients where they are in terms of payment preferences. As patient expectations around payment acceptance evolve, practices need to think holistically about both experience and protection.

Medical Economics: Are there common mistakes practices make that allow fraud to happen? And what can they do to prevent it?

O’Connor: In the payment world, there are many options for how a business can accept payments from patients. One of the biggest mistakes I see—and something we help merchants with every day—is that practices see something trending in the industry and want to implement it immediately.

They’ll add a new payment option to their website or make it available in person because it’s popular or new, but they don’t take the time to think through what else needs to be considered to make that experience seamless for patients and safe for the business.

A good example comes from the healthcare space during COVID. Before that, online payments and multiple payment options available 24/7 weren’t as common in healthcare as they were in retail. Patients weren’t necessarily asking for them. They waited for their bill and paid through the channels that were available.

When COVID hit, many healthcare practices quickly turned on alternative payment channels because patients needed them. But in doing so, many practices left themselves susceptible to fraud because they didn’t have the protections in place to support those new channels.

Two major issues emerged. One is card testing. That happens when a fraudster uses an online payment channel to hit a website hundreds or even thousands of times to validate stolen card information. They’re not trying to steal services from the practice; they’re using the practice’s website as a testing ground to see which cards are valid so they can use them elsewhere.

That matters because it’s expensive. If your website is hit thousands of times in minutes—which happens all the time—the transaction costs add up quickly, and the business is left absorbing that expense. Not protecting an online payment portal, invoice link, or website is one way businesses become vulnerable.

The other issue is what we call friendly fraud. That can happen when a patient says they didn’t receive the service that was rendered, or they were confused about what they were paying for, or they paid a copay too far in advance. They may file a chargeback or claim fraud because they didn’t fully understand the payment experience.

Both of these scenarios are common in the industry and can cost a business far more money than people realize if the right mitigation practices aren’t in place.

Medical Economics: So who should a physician owner talk to about this? Their IT team? Their payment processor? How do they actually stop this from happening?

O’Connor: It really needs to be a joint effort, and it depends on how the practice is set up. At Wind River, we partner closely with software providers, including practice management software companies. In those cases, we work with the software provider upfront to put safeguards in place, and then we work with the merchant to make sure they’re choosing the best options for their specific environment.

If you’re a healthcare provider accepting payments through a software platform, I would start there. Then I would make sure you’re working with payment experts who understand healthcare and can help you evaluate the tools available to protect your business.

Medical Economics: Payments are often integrated into the patient portal or linked from it. Are there vulnerabilities specific to portals? And how do practices address those without ruining the patient experience that people rely on?

O’Connor: It’s absolutely a delicate balance. You want to provide the best possible experience for patients while still managing fraud effectively.

This is where AI has played a very important role. Many fraud mitigation tools now work behind the scenes, so patients aren’t met with a series of hurdles just to prove they’re human or validate their identity. AI can automatically analyze multiple data points in real time—something no individual could realistically do—to determine what kind of activity is happening on the portal.

We’ve all seen early fraud mitigation tools like reCAPTCHA, where you’re asked to identify images or type distorted letters. Those tools still exist and serve a purpose, but there are more advanced options now that accomplish the same goals with far less friction for the patient.

We typically start with the most basic protections and work our way up depending on the type of portal and the experience the practice wants to deliver.

Medical Economics: I’ll admit, about 25% of the time reCAPTCHAs don’t believe I’m human because I can’t pick out the bicycle in the right image. So avoiding those is appealing.

O’Connor: Absolutely. reCAPTCHA was one of the first tools designed specifically to address card testing, and it’s still useful. But today, there are tools that are much more targeted.

Card testing involves a website being hit hundreds or thousands of times in minutes, often by automated scripts. The goal of these tools is to slow that activity just enough so that those scripts can’t run effectively, while legitimate users barely notice anything happening.

Medical Economics: What about chargebacks? Are there certain types you see more often in medical practices, and can they be minimized?

O’Connor: Healthcare is different from industries like retail because patients aren’t receiving a physical item. They’re paying for a service, often in advance.

The most common chargeback we see in healthcare is for services not rendered. That can happen for several reasons and is often tied to friendly fraud. The patient is asserting that what they paid for wasn’t delivered.

This can be especially impactful in telemedicine or counseling services, where expectations may differ compared to an in-person visit. Someone may feel differently about a phone or video encounter than an office visit, which can increase chargeback risk.

Another common category is card-not-present fraud, especially when patients pay over the phone or through a portal. There can be confusion about what they paid for versus what insurance covers or what will be due later.

Clear communication is critical. Practices need to make it very clear what portion of the service the patient is paying for at that moment and what they may still owe later.

Medical Economics: Are there red flags front office or billing staff should be trained to recognize that could indicate fraud or chargeback risk?

O’Connor: Yes, absolutely. If someone is rushing through a payment or unwilling to provide basic information, that should raise concerns.

Multiple declines across several cards is a big red flag. It happens occasionally, but more than once should prompt additional questions.

Refund requests are another major area to watch, especially in healthcare. We’ve seen refund scams where someone calls in, validates a payment, and then asks for a refund to a different card. Best practice across the industry is to refund to the original card whenever possible, and healthcare has been targeted by these scams.

Medical Economics: Do these fraud risks come from large criminal organizations overseas, or could it be the innocent-looking patient in the office?

O’Connor: We rarely know the exact source. What we do see is that card testing often involves cards with foreign bank identification numbers, meaning the issuing banks are outside the U.S. That doesn’t necessarily tell us who is running the fraud.

Friendly fraud tends to be more localized, but even then, the individual is often hiding behind a computer. It’s rare that we can identify the actual source.

Medical Economics: Are certain practice sizes or specialties more vulnerable, or is everyone a target?

O’Connor: Everyone is vulnerable, but size does matter in terms of the type of fraud. Small to mid-sized practices are often more susceptible because they may not have advanced fraud protections in place or may not recognize what’s happening as quickly as larger organizations.

Fraudsters will often test smaller businesses to see what protections exist before scaling up their efforts.

Medical Economics: Does protecting against fraud mean sacrificing the patient experience? Are practices forced to choose between security and convenience?

O’Connor: They shouldn’t have to. In 2025—and certainly going into 2026—businesses should not have to compromise patient experience to protect against fraud.

There are always trade-offs depending on how aggressively you deploy fraud tools, which is why it’s so important to work with experts who can help weigh the pros and cons. There are tools available today that don’t impact the patient experience at all while still protecting the business.

Medical Economics: What questions should practices ask their current payment processor—or a new one—to make sure they’re getting the best technology?

O’Connor: They should start by asking what types of fraud the technology protects against. It’s not a one-size-fits-all solution.

If you ask that question and get an answer that clearly aligns with your business, that’s a good sign. You want to avoid situations where a processor says they have fraud tools, but can’t explain whether those tools protect against chargebacks, card testing, or both.

Another key question is how the technology will impact the patient experience and payment workflow. A provider should be able to walk through every step of the process and explain how it interacts with the patient.

Medical Economics: Looking at 2026, what trends should practices be paying attention to?

O’Connor: Fraud isn’t going away. The top fraud types haven’t changed much over the years, but fraud itself continues to increase. That tells us this is an ongoing issue that needs consistent attention.

The other major trend is AI. Healthcare has focused heavily on AI for claims and data security, but AI in payments shouldn’t be ignored. Payment and fraud protection tools are incredibly advanced now and can do a lot to protect businesses without affecting patient experience.

If you haven’t looked at AI-driven fraud protection yet, 2026 is the year to do it.