At a high level, Herold says, a basic strategy hospitals should take to reduce their risks includes the following:
- Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
- Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
- Implement technological, operational and administrative controls to protect digital credit card data, as well as hard-copy data and even the physical credit cards themselves when personnel take possession of them
- Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
- Consistently enforce the policies and sanction non-compliance, backed by strong executive support for the policies and related actions.
Further, Herold says, take these specific actions to reduce risks:
- Make sure only those who have responsibilities for credit card payments can access credit card information
- Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times
- Do not throw away hard-copy credit card slips without finely shredding them or placing them in secured trash receptacles
- Do not allow non-personnel and others without responsibilities for credit card payments to access the payment systems. This includes keeping stations that access such payment systems well-secured and locked when no one authorized is around.
- Do not keep credit card payment information within patient files, or with patient papers posted in or outside of patient rooms
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.