Hospitals That Take Plastic Must Comply with PCI

At a high level, a basic strategy hospitals should take to reduce their risks, Herold says, include the following:

• Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
• Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
• Implement technological, operational and administrative controls to protect digital credit card data, as well as hard copy data, and even credit cards themselves that may be obtained
• Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
• Consistently enforce and sanction non-compliance, along with having strong executive support for the policies and related actions.

Further, Herold says, take these specific actions to reduce risks:

• Make sure only those who have responsibilities for credit card payments can access credit card information
• Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times
• Do not throw away hard copy credit card slips without finely shredding them, or putting into secured trash receptacles
• Do not allow non-personnel and others without responsibilities for credit card payments to be able to access the payments systems. This includes keeping stations that access such payment systems well-secured and locked when no-one authorized is around.
• Do not keep credit card payment information within patient files, or with patient papers posted in or outside of patient rooms