I was somewhat surprised – and disappointed – to see how a question on Kaiser Health News was answered.
Michelle Andrews writes:
Q. After signing up for a gold level plan on the health insurance marketplace, my physician, who is part of my plan, asked for $75 up front. My copayment is $25. His office also wants to keep a credit card on file. Is this legal?
A. In general, the contracts that physicians sign with insurers in order to be included in a plan’s provider network include “hold harmless” provisions that prohibit doctors from charging members more than a copayment or other specified cost-sharing amount for covered services. In addition, many states have laws prohibiting providers from “balance billing” health plan members for amounts over what the insurer paid on a claim.
It doesn’t matter where you buy your coverage, the same rules apply. “To the extent that there are state restrictions or contracts, they’re the same in qualified health plans on the marketplaces and other plans,” says Sabrina Corlette, project director at Georgetown University’s Center on Health Insurance Reforms.
Some policy experts note, though, that given the sometimes chaotic marketplace enrollment process to date, it may be difficult for providers to ascertain which patients are in network and when their insurance becomes effective, potentially leading to confusion over how much patients owe.
Some physicians operate “boutique” practices that promise extra services or more personal attention for an additional fee. But it doesn’t sound as if the $75 charge was related to any particular service or type of care that you received, and even if it were, you should have been informed about it in advance.
Providers frequently ask to keep credit card information on file in case there are additional uncovered charges or you owe more than anticipated because you haven’t met your deductible, for example. But “patients have to sign an authorization agreeing to that in advance, says Reid Blackwelder, president of the American Academy of Family Physicians, “or they can opt not to do so.”
My comments:
Regardless of whether it might be legal on a state level or not, retaining or storing patients’ credit card information is putting a bullseye on your database for hackers and other criminals. Don’t do it. And while we’re at it, are you collecting and storing Social Security numbers? If so, do you really need them and are you encrypting them with strong encryption?
And have you removed old/inactive patients’ information from your database to secure offline storage?
If you are the patient and are asked if the doctor or provider can store your credit card information, say no. And see if you can get your Social Security number removed from their files.
Some problems really are preventable, but it’s on savvy health care providers and patients to avoid them by not engaging in risky behaviors.
Retaining or storing patients’ credit card information not only puts a bulls-eye on a physician’s database for hackers and other criminals, it also subjects them to Payment Card Industry Data Security Standard (PCI-DSS) compliance. The levels of PCI-DSS compliance vary based on the methods used to process and store credit card information (i.e. a processing device with a modem versus Internet-based processing). If, for example, a physician’s office is using credit card readers that are attached to the side of their monitor and connect to the Internet, the compliance with PCI-DSS can be very challenging. The PCI-DSS standards, as I understand them, are much more prescriptive than HIPAA. (More information can be found at https://www.pcisecuritystandards.org/security_standards/).
I agree with the last paragraph – patients should protect themselves by saying “no” to providing their SSN and allowing their credit card information to be stored.