
Hospitals That Take Plastic Must Comply with PCI

Dom Nicastro, for HealthLeaders Media, April 19, 2011

At a high level, a basic strategy hospitals should take to reduce their risks, Herold says, includes the following:

  • Assign a position or person to be responsible for ensuring the security of credit card information, and appropriate controls for using credit cards
  • Implement policies and procedures covering how credit cards can, and cannot, be used, in addition to how the related information may be used, shared, stored, destroyed, and generally safeguarded
  • Implement technological, operational and administrative controls to protect digital credit card data, as well as hard copy data, and even credit cards themselves that may be obtained
  • Provide regular training and ongoing awareness communications to personnel who collect, process, store, and otherwise have access to credit card information
  • Consistently enforce and sanction non-compliance, along with having strong executive support for the policies and related actions.

Further, Herold says, take these specific actions to reduce risks:

  • Make sure only those who have responsibilities for credit card payments can access credit card information
  • Make sure personnel who have possession of credit cards keep those cards from others, and maintain control and security for them at all times
  • Do not throw away hard copy credit card slips without finely shredding them, or putting them into secured trash receptacles
  • Do not allow non-personnel and others without responsibilities for credit card payments to be able to access the payment systems. This includes keeping stations that access such payment systems well-secured and locked when no one authorized is around.
  • Do not keep credit card payment information within patient files, or with patient papers posted in or outside of patient rooms


Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.