HME Patient Credit Card Payments

• By Jay Williams
• Oct 01, 2008

Big changes in the way payments are accepted are coming January 1, 2009 — are you ready?

While the HME industry focuses on competitive bidding and accreditation, two of the biggest changes in accepting patient credit card payments could hit the HME industry like a freight train on January 1, 2009. These two issues are the Payment Card Industry Data Security Standard (PCI DSS) and the Inventory Information Approval System (IIAS).

Payment Card Industry Data Security Standards
How many times in the last year have you heard on the news where some hacker has gained access to a large business’ servers where patient credit card information is stored and then sold that information? In response, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International formed the PCI Security Standards Council (PCI SSC) back in 2006.

The PCI SSC developed and implemented the Payment Card Industry Data Security Standard (PCI DSS). The 12 PCI DSS standards are:
1.    Install and maintain a firewall configuration to protect cardholder data.
2.    Do not use vendor-supplied defaults for system passwords and other security parameters.
3.    Protect stored cardholder data.
4.    Encrypt transmission of cardholder data across open, public networks.
5.    Use and regularly update anti-virus software.
6.    Develop and maintain secure systems and applications.
7.    Restrict access to cardholder data by business need-to-know.
8.    Assign a unique ID to each person with computer access.
9.    Restrict physical access to cardholder data.
10.    Track and monitor all access to network resources and cardholder data.
11.    Regularly test security systems and processes.
12.    Maintain a policy that addresses information.

These standards apply to all credit card network members, merchants and service providers (this includes HME dealers and retail pharmacies that accept credit or debit cards as payment) that store, process or transmit credit or debit card data. These apply to manual or computerized credit card transactions. The most comprehensive and demanding standards apply to e-commerce websites and computerized retail Point-Of-Sale (POS) systems.
You will find additional information about PCI DSS at either of the following websites:
• www.pcisecuritystandards.org
• www.pcicomplianceguide.org

Inventory Information Approval System
Through payment transactions, you probably have encountered FSA Flexible Spending Account (FSA) or Health Savings Account (HSA) credit/debit cards. These look like any other credit/debit cards but they operate very differently.

A growing number of employers are offering their employees these FSA or HSA options for their insurance. When employees participate in one of these programs, the money is subtracted from their check PRE tax. Depending on an employee’s tax bracket, the employee gets 11 percent to 43 percent more money to spend on healthcare. Because of this added spending power, more and more businesses are offering FSA or HSA as an option in their total insurance packages.

The IRS requires that these pre-tax dollars be spent only on health care items — HME equipment or supplies, prescription drugs, over the counter drugs, doctor office visits, etc. The problem, however, is when someone goes into a department store with a pharmacy and purchases a non-covered item using their FSA or HSA credit/debit card. This appears to their insurer as an expensive, covered item. To address this the IRS has mandated that to accept a FSA or HSA credit/debit card, the item must be approved by an IRS-approved agency.
The IIAS guidelines are being implemented by the Special Interest Group for IIAS Standards (SIGIS). SIGIS comprises retailers (HME businesses and pharmacies), card issuers, third-party plan administrators, merchant acquirers, processors, financial institutions, trade association groups, software vendors and payment card networks. HME manufacturers, drug manufacturers, manufacturers of over the counter health items, etc. must submit to SIGIS their list of items with their UPC/GTIN that are approved by the IRS for use with FSA or HSA accounts.

For an HME business or pharmacy to be fully certified to accept FSA or HSA credit/debit cards they must comply with three items:
1.    The business must use a computerized POS system and retail credit card processor that is approved by SIGIS. You will not be able to process FSA or HSA credit/debit cards with standard credit card machine.
2.    The business must complete and have a self-assessment approved by SIGIS.
3.    The business must have executed its membership agreement with SIGIS and have received notification by SIGIS that their membership has been approved.
The above certification includes the completion of a Merchant Self-Assessment Questionnaire, a technical processing certification, the completion of the User Registration Form, Membership Registration Agreement and arrangements to support transaction data retention and retrieval.

Be Prepared
The bottom line is that if you want to continue to take a growing number FSA or HSA credit/debit cards you need to invest in a SIGIS-approved computerized POS software program and go through the SIGIS-certification process before January 1, 2009 (www.sig-is.org.)

This article originally appeared in the October 2008 issue of HME Business.