Pros and cons of keeping patient credit cards on file

Today’s health insurance policies have patients paying more of their medical costs. That, in turn, creates financial challenges for many physicians.

Consider this statistic: 73% of physicians say it typically takes at least one month to collect payments from patients, with 12% of patients waiting more than three months to pay, according to the most recent Trends in Healthcare Payments from healthcare payments network InstaMed. 

In response, some physicians opt to keep their patients’ credit card information on file so that they can more quickly collect the money they’re owed, says Pam Jodock, senior director of health business solutions for the Healthcare Information and Management Systems Society (HIMSS), a nonprofit organization promoting the use of information technology in healthcare. 

“About 35% of provider revenue now comes from patient pay, so it becomes more and more critical to improve collections,” Jodock says.

Keeping credit card information on file can ensure patients pay their bills and that those payments come through promptly, according to consultants and health IT experts. However, they stress that keeping credit card data on file comes with risks. And some say the drawbacks aren’t worth the benefits.

Industry changes fuel demand

Changes in insurance policies are among the biggest drivers behind physician interest in keeping patients’ credit cards on file.

For starters, more patients are covered by high-deductible health insurance plans, which puts more of the payment responsibility on individuals. America’s Health Insurance Plans, a trade organization for commercial payers, says in its February 2017 report that enrollment in high-deductible health plans was 20.2 million in 2016, up from 19.7 million in 2015 and a dramatic spike from about 1 million in 2005.

At the same time, insurance plans have become increasingly complex in their coverage criteria, which again leaves patients with more cost-sharing responsibilities. For example, plans that don’t require copayments for annual preventative visits do require copayments if additional services are provided during those visits. 

Many physicians need to repeatedly bill patients to collect those kinds of payments  because patients often don’t pay after the first reminders. This is administrative work that can be both costly and inefficient by draining staff time and creating lags in cash flow.

“The doctor shouldn’t be the one extending credit all the time. But that’s the situation we have today,” says Susanne Madden, MBA, president and chief executive officer of the Verden Group, a practice management consulting firm in Nyack, New York. “We have practices that are stretched really thin because they’re extending all this credit.” 

Vault technology 

Proponents of keeping card information on file acknowledge that security is a major concern among physicians. They also point out that some practices don’t even realize the level of safeguards required when handling credit card information.

Madden says she’s helping a medical practice revamp its credit card procedures. The office has a computer file containing patients’ names and credit card information stored in its own IT systems-a practice that leaves the data vulnerable to theft by cyber criminals and staffers alike who, if skilled and motivated, could bypass or hack the security measures typically used by practices.

As risky as that setup is, Madden says it’s not the worst she’s seen: “The worst is to have someone fill out paper forms and store it in a drawer. That’s just an embezzlement waiting to happen,” she says.

Experts agree that physicians who want to keep credit cards on file should not keep the data in their computer systems, whether onsite or in the cloud. Instead, they should contract with credit card processing vendors who have vault technology specifically designed to store the data for such purposes.

Establishing procedures

Implementing the right credit card storage and processing technology is just one step in what should be a comprehensive approach to a credit card-on-file policy.

Some credit card technologies are integrated with electronic health records (EHRs), billing systems and other practice technologies. This allows practices to automate much of their credit card billing, thereby minimizing the amount of work required by practice staff members. “The best way is that the patient swipes the credit card once, and it’s in the system and you’re done,” Madden says.

Experts say physicians who keep credit cards on file should also address how and when the patients’ credit cards will be charged, how much of the process can be automated and how best to communicate those policies with patients.

Be aware, Madden adds, that physicians can’t require patients to share their credit card information to receive medical care. And even if patients share credit card information at one point, physicians can’t keep or charge credit cards without a patient’s consent to do so for subsequent use.

Jodock advises physicians to be sure they obtain written consent from patients. “If you’re going to have this kind of arrangement, it’s critical to have documentation that says the patient agrees to have their credit card on file,” she says.

Madden agrees, noting that she tells her physician clients to be upfront and clear about their reasons for keeping credit cards on file and how billing will work.

She suggests practices implement policies as to when credit cards will be charged-for example, 30 days after billing. This allows time for patients to make other payment arrangements if they want. She advises physicians to establish how patients will be notified about both their bills and the charges made to stored credit cards. Then she tells physicians to draft a letter to patients that states in plain English how this new process will work. 

Madden notes that physicians generally have patients sign documents stating that they are ultimately responsible for bill payments, so physicians could amend that standard form to include details on the credit-card-on-file policy.

Credit card concerns 

J. Stefan Walker, MD, a primary care physician with Corpus Christi Medical Associates PA, in Corpus Christi, Texas, says he and his four colleagues discussed whether to keep patient credit card information on file. They decided against it.

“We came to the overwhelming conclusion that it would be a terrible idea,” he says.

The risk of a data breach was one strike against the policy, Walker says, adding that they questioned whether existing IT systems are secure enough to support a credit card-on-file policy to balance the increased consequences should a data breach occur.

Walker says he and his colleagues also felt that such a policy could negatively impact their patients.

“There are reasons people don’t pay,” he says. “I was going through my aged accounts and there are some people I chose to write off. I know their personal situations, or they weathered the hurricane, and I’m not going to send those people to collections when they don’t have a roof over their heads.” 

He adds: “You have to have those considerations when you’re dealing with patients; that’s part of being a physician. I would never want to be completely removed from the ability to treat people on a humanitarian level. Sometimes if you have these systems that are locked in, there’s no room for individualization or for them [patients] to come in and make payment arrangements.”

Although many experts say physicians could maintain flexibility on how and when to bill those stored credit cards, others share Walker’s concerns. Nick Fabrizio, PhD, a principal consultant with the Medical Group Management Association Health Care Consulting Group, says some physicians believe that keeping credit cards on file could improve cash flow and practice efficiency. But Fabrizio doubts they would see enough benefits to make it worthwhile.

Most physicians collect copays when patients check in, so there’s no need to keep credit cards on file to guarantee those payments, Fabrizio says. Furthermore, if physicians are going to use stored credit card data to bill patients for additional costs, physicians should alert them to the impending charge.

Selecting a vendor

Madden suggests physicians start their selection process by talking with their EHR vendor as well as the vendor they use to process point-of-sale credit card transactions. Physicians should ask if they offer vault technology as part of the credit card processing system that the physician already is using. Many offer technology as part of the existing contract or for additional fees.

DJ McArthur, a board member with the Information Systems Security Association, says physicians should next ask whether the vendor complies with the Payment Card Industry Data Security Standard, a set of policies and procedures designed to promote security. It’s even better if they’re registered with the PCI Security Standards Council. 

Registration shows that the vendor has had independent experts evaluate their systems to determine that they’re meeting established security policies and procedures. 

Physicians should check to make sure a vendor offers auditing capabilities that record who requests access to and charges the stored credit card data, says Barry S. Herrin, JD, with Herrin Health Law P.C. in Atlanta.

Don’t forget to ask about fees. “You want to understand what are the monthly fees, per-transaction fees and percentages that you’re being charged. Do some comparison shopping so you can choose the vendor that’s best for you,” Madden says. 

Laws and regulations 

Laws govern the responsibilities and liability of merchants when they hold personal information and in case of security breaches. Physicians are considered merchants under such laws, experts say, so they need to understand and adhere to the relevant legal requirements. In short, these laws mean physicians who hold patient credit card data in their own systems could be liable for unauthorized charges, breach notifications and other costs should a breach occur.

“If the data record is stolen from your practice and the merchant bank has to make good on a bunch of charges because the data is stolen, most of the merchant banks will reach down into your pockets to pay out claims,” Herrin says, adding that he advocates using vault technology because it shifts the risk to the vendor. 

Herrin notes that a breach of credit card data is also considered a violation under the federal Health Insurance Portability and Accountability Act (HIPAA).

Although using vault technology puts the risks and responsibilities on the vault technology vendor, Madden advises physicians to sign a HIPAA business associate agreement with their vendor. She and others say that this agreement establishes a contract for the vendor to protect data in accordance with HIPAA guidelines and should be drawn up with the physician’s lawyer to ensure it addresses the legal requirements.

Physicians who opt to keep credit cards on file should put the responsibility for processing and securing the data on vendors. 

As Jodock says, “We would never encourage the provider to take this risk on directly.”