The Blueprint for a Successful Patient Payment Strategy: How to Simplify Compliance, Increase Payment Collections and Improve Patient Satisfaction

1. The Blueprint for a Successful Patient
Payment Strategy:
How to Simplify Compliance, Increase Payment Collections
and Improve Patient Satisfaction
PRESENTED BY:
JEFF FOUNTAINE, KEN BRIGGS & ASHER KAPLAN-DAILEY

2. Agenda
• Introduction
• Market Drivers Impacting Patient Payment Collections
o Discuss industry trends and changes
• Deep Dive into the Compliance Landscape
o PCI requirements
o Costs and risks of non-compliance
o Best practices for PCI compliance
• Strategies to Prevent Data Breaches
• Guide to Increase Patient Payment Collections
o Omni-channel payments
o Patient Payments in Action / Case Study Discussions

3. 3
Introduction / Speakers
Jeff Fountaine
Director of
Healthcare Strategy
Ingenico Group
North America
Ken Briggs
Vice President
of Legal Affairs
Asher Kaplan-Dailey
Director of
Product Management
Salucro Healthcare Solutions,
LLC
Salucro Healthcare Solutions,
LLC

4. 4
Market Drivers Impacting Patient Payments
J.P. Morgan’s Key Trends in Healthcare Patient
Payments Report pointed out that the rate of bad debt for
insured patients is increasing by over 30% per year at some
hospitals.
BAD DEBT
INSURANCE
DEDUCTABLES
84% of employers have increased or say they plan to
increase insurance deductibles and/or copays for their
plan participants

5. 5
Financial Landscape
Major shift in patient responsibility
Consumer payments to healthcare providers nearly doubled
from 2012 to 2015, and insurance deductibles
have increased a startling 255 percent since 2006
5

6. 6
Poll Question
Where are you, with respect to your patient payment strategy?
A. Not started
B. Under review
C. Implementation planned
D. Completed project
6

7. 7
Compliance Environment
Vulnerabilities and threats come from many internal and external sources
• Malicious (hackers, theft of computer)
• Incidental (loss of phone, misdirected email)
Laws and contractual requirements are backed with severe penalties
Compliance programs at hospitals are difficult to manage and keep current
For patient payments: Security standards are much different than traditional requirements
7

8. 8
Web Of Compliance Obligations
Regulatory
 HIPAA and state law
Industry
 PCI
Contractual
 Customer, vendor, partner requirements
8

9. 9
Risk Of Non-Compliance
Fines
• PCI: $5,000 - $500,000 for each incident
• HIPAA: Much more (millions)
Lawsuits
• Class actions
• Government enforcement actions
Reputational Damage
9

10. 10
Case Study / Southwestern Hospital System
• 3.7 million individuals notified
• “Sophisticated cyberattack"
• Hack of card processing systems that transmitted cardholder information
• Attackers gained access through infiltrating the point-of-sale systems at the system's food and
beverage outlets
• Potential access to other clinical systems
10

11. 11
PCI DSS Primer
PCI DSS is the Data Security Standard established by the Payment Card Industry
Applies to all entities that store, process, and/or transmit cardholder data
Administered by contract with banks, payment card brands, and other entities in the PCI chain
Scope can include:
• Physical possession of cards
• Point-of-sale devices (not just for clinical payments, but for food and merchandise)
• Network components that store or transmit information
11

12. 12
PCI DSS Scope Detail

13. 13
PCI DSS Scope Detail (continued)

14. 14
Poll Question
What is your level of familiarity with your organizations PCI compliance
program?
A. Very familiar
B. Somewhat familiar
C. Not familiar

15. 15
The Compliance Shift

16. 16
Compliance Path Of A Patient Payment
Example
• A patient presents to urgent care (community network of Hospital ABC) with a leg injury.
Provider sends patient to Hospital ABC’s ER.
• Patient returns the next week to affiliated physician for follow-up.
16

17. 17
Compliance Path Of A Patient Payment
Payments
• Three points of clinical interaction lead to multiple collection points:
• Co-pays, pay in advance, payment after receiving a statement, third-party collections
Vendors
• There are many vendors in payments:
• A/R companies, device companies, payment platforms, collections, PFS vendors (business associate
relationships, liability allocation, contractual obligations)
Compliance
• HIPAA touches the patient far outside of the clinical interaction. PCI starts at the point of payment interaction
with a credit/debit card (other analogous laws, requirements apply for other payment methods)
17

18. 18
Patient Payment Compliance Considerations
Administrative | Technical | Physical
Specific policies and awareness (administrative)
Accurate, updated diagrams that show the flow of patient payment information (administrative and
physical)
• Clearly defined cardholder data environment
• Specific analysis of where HIPAA and PCI compliance starts and stops
• NOTE: Many health systems focus on the clinical environment to the detriment of patient payments
(but remember—payments are one-to-one transactions with clinical interactions)
• TIP: Make a review of those diagrams part of your normal operational discussions
Aggressive scope reduction
• Technical solutions (P2PE, EMV, Revenue/Payment Platforms)
• Outsourcing expertise
• Allocating liability through contract
18

19. 19
Strategies To Prevent Data Breaches
19

20. 20
Strategies To Prevent Data Breaches
Healthcare Data Breach Stats:
• According to the HIPAA journal, 329 data breaches were reported in 2016, in which over 16 million records
were exposed
• Based on IBM’s Cost of Data Breach Study, healthcare organizations have an average cost of $355 per stolen
record
• The total cost of 2016’s data breaches at a staggering $5.6 billion
20

21. 21
Strategies To Prevent Data Breaches
What would help:
21
A more flexible approach to
streamline payment process
Enhanced payment security
and better managed PCI
Limit the amount of sensitive
payment data that goes
through the healthcare
revenue cycle (point of sale
or POS)

22. 22
Strategies To Prevent Data Breaches
How the Semi-Integrated
Architecture Works:
• Maintains a connection between the terminal and
revenue cycle system
• Provides an independent connection for
transactions to go “around” the ECR, directly to
the host
• Sensitive payment data does not enter the POS
Semi-Integrated Benefits:
• Simplifies EMV migration
• Reduces PCI scope
• Improves security
• Avoids EMV certification bottlenecks
22

23. 23
P2PE Solution
A P2PE solution protects the card holder data from the point of interaction to the
payment processor/gateway.
Benefits:
• Greatly reduces the PCI burden on the provider
• Removes the need for network segmentation
• Helps avoid potential liabilities such as audits, legal costs, fines and penalties

24. 24
P2PE Solution

25. 25
Poll Question
What aspect of an Omni-channel payment strategy is most needed next for
your organization?
A. Utilize a patient payment portal
B. Ability to accept mobile patient payments
C. Implement contactless payments
D. All of the above

26. 26
Guide To Increase
Patient Payment Collections

27. 27
Guide To Increase Patient Payments
Omni-Channel Payments
Seamless
• Healthcare Providers must transition their thinking from mailing bills to implementing technologies, just like retail,
enabling multiple points of payment across the ecosystem.
• That includes e-mail and web-based portals alerting to
financial transactions
• Includes mobile offerings like text reminders and links to
pay your bill through your phone
• Includes in-person payment technologies that accept all
forms of payment

28. 28
Guide To Increase Patient Payments
Implement Omni-Channel Payments
Mobile Experiences
28
• Can lead to increased patient collections
reducing bad debt and cost of collecting
• Differentiate your practice or health
system by meeting the patient where they
want to be met, on their phone
• Create a behavior change within
employees understanding the importance
of patient collections

29. 29
Guide To Increase Patient Payments
Omni-Channel Payments
 Personalized & Immersive
29
 How much will that treatment/visit cost?
 Do other providers nearby offer the same treatment for
less?
 What is the satisfaction or experience with that provider?
 Can I make my appointment online?
 Will the provider be delayed in seeing me?
 Tell me my financial responsibility before I make visit
 Offer me ways to pay that responsibility before, during and
after the visit.
 Be prepared to offer financial tools to help me pay larger
responsibilities.

30. 30
Midwest Healthcare Provider / Success Story
BACKGROUND / CHALLENGES / OPPORTUNITIES
 320 Merchant IDs (MIDs)
 Hundreds of applicable PCI control requirements
 Multiple lead gateways, processors & credit card devices
 < 10% end-to-end encrypted (E2EE) and tokenized card payment data in transit and storage
 Payment devices were not EMV-enabled
 11 separate data sources & unknown total cost of ownership

31. 31
Midwest Healthcare Provider / Success Story
AFTER DEPLOYING A SECURE, SIMPLIFIED &
STANDARDIZED PAYMENT SOLUTION
 160 MIDS
 Reduced applicable PCI controls
 1 lead gateway, 1 lead processor, 1 payment device provider
 100% E2EE and tokenized card payment data in transit and storage
 EMV-ready devices installed firm-wide
 2 data sources, new data analytics capabilities and KPIs

32. 32
Midwest Healthcare Provider / Success Story
RESULTS / IMPACT
 50% reduction in merchant account management
 Mitigated 100% of financial risk
 80% simplification of payment processing
 Secured 100% of in-transit patient cardholder information
 100% support for industry mandated solution
 100% standardization to support informed decision making

33. 33
Provider Impact
Overview
This study is based on results from a 130-bed health system with a total annual patient revenue of
$475M.
33

34. 34
Provider Impact
Challenges
• Inefficient online bill pay capability
• Manual patient accounting system
• Stagnant revenue growth for patient responsibility payments
• Manual payment plan management
• Heavy staff interaction to complete patient payments
• Limited payment options available
34

35. 35
Provider Impact
Solutions
• Ability to make payments on multiple accounts during one transaction
• ANSI 835 auto-posting
• Automated recurring payment plans
• Reduce staff interaction by using technology to improve your workflows
• Increase payment options
35

36. 36
Provider Impact
Results
36

37. 37
QUESTIONS?
37

38. 38
Thank You
38
Further Reading
• Compliance Today Magazine: Patient payment transactions: A confluence of
security and compliance considerations
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• Checklist – Your Guide to Choosing the Right Healthcare Payment Partner