The Blueprint for a Successful Patient Payment Strategy
1. The Blueprint for a Successful Patient
Payment Strategy:
How to Simplify Compliance, Increase Payment Collections
and Improve Patient Satisfaction
PRESENTED BY:
JEFF FOUNTAINE, KEN BRIGGS & ASHER KAPLAN-DAILEY
2. Agenda
• Introduction
• Market Drivers Impacting Patient Payment Collections
o Discuss industry trends and changes
• Deep Dive into the Compliance Landscape
o PCI requirements
o Costs and risks of non-compliance
o Best practices for PCI compliance
• Strategies to Prevent Data Breaches
• Guide to Increase Patient Payment Collections
o Omni-channel payments
o Patient Payments in Action / Case Study Discussions
3. 3
Introduction / Speakers
Jeff Fountaine
Director of
Healthcare Strategy
Ingenico Group
North America
Ken Briggs
Vice President
of Legal Affairs
Asher Kaplan-Dailey
Director of
Product Management
Salucro Healthcare Solutions,
LLC
Salucro Healthcare Solutions,
LLC
4. 4
Market Drivers Impacting Patient Payments
J.P. Morgan’s Key Trends in Healthcare Patient
Payments Report pointed out that the rate of bad debt for
insured patients is increasing by over 30% per year at some
hospitals.
BAD DEBT
INSURANCE
DEDUCTABLES
84% of employers have increased or say they plan to
increase insurance deductibles and/or copays for their
plan participants
5. 5
Financial Landscape
Major shift in patient responsibility
Consumer payments to healthcare providers nearly doubled
from 2012 to 2015, and insurance deductibles
have increased a startling 255 percent since 2006
5
6. 6
Poll Question
Where are you, with respect to your patient payment strategy?
A. Not started
B. Under review
C. Implementation planned
D. Completed project
6
7. 7
Compliance Environment
Vulnerabilities and threats come from many internal and external sources
• Malicious (hackers, theft of computer)
• Incidental (loss of phone, misdirected email)
Laws and contractual requirements are backed with severe penalties
Compliance programs at hospitals are difficult to manage and keep current
For patient payments: Security standards are much different than traditional requirements
7
8. 8
Web Of Compliance Obligations
Regulatory
HIPAA and state law
Industry
PCI
Contractual
Customer, vendor, partner requirements
8
9. 9
Risk Of Non-Compliance
Fines
• PCI: $5,000 - $500,000 for each incident
• HIPAA: Much more (millions)
Lawsuits
• Class actions
• Government enforcement actions
Reputational Damage
9
10. 10
Case Study / Southwestern Hospital System
• 3.7 million individuals notified
• “Sophisticated cyberattack"
• Hack of card processing systems that transmitted cardholder information
• Attackers gained access through infiltrating the point-of-sale systems at the system's food and
beverage outlets
• Potential access to other clinical systems
10
11. 11
PCI DSS Primer
PCI DSS is the Data Security Standard established by the Payment Card Industry
Applies to all entities that store, process, and/or transmit cardholder data
Administered by contract with banks, payment card brands, and other entities in the PCI chain
Scope can include:
• Physical possession of cards
• Point-of-sale devices (not just for clinical payments, but for food and merchandise)
• Network components that store or transmit information
11
14. 14
Poll Question
What is your level of familiarity with your organizations PCI compliance
program?
A. Very familiar
B. Somewhat familiar
C. Not familiar
16. 16
Compliance Path Of A Patient Payment
Example
• A patient presents to urgent care (community network of Hospital ABC) with a leg injury.
Provider sends patient to Hospital ABC’s ER.
• Patient returns the next week to affiliated physician for follow-up.
16
17. 17
Compliance Path Of A Patient Payment
Payments
• Three points of clinical interaction lead to multiple collection points:
• Co-pays, pay in advance, payment after receiving a statement, third-party collections
Vendors
• There are many vendors in payments:
• A/R companies, device companies, payment platforms, collections, PFS vendors (business associate
relationships, liability allocation, contractual obligations)
Compliance
• HIPAA touches the patient far outside of the clinical interaction. PCI starts at the point of payment interaction
with a credit/debit card (other analogous laws, requirements apply for other payment methods)
17
18. 18
Patient Payment Compliance Considerations
Administrative | Technical | Physical
Specific policies and awareness (administrative)
Accurate, updated diagrams that show the flow of patient payment information (administrative and
physical)
• Clearly defined cardholder data environment
• Specific analysis of where HIPAA and PCI compliance starts and stops
• NOTE: Many health systems focus on the clinical environment to the detriment of patient payments
(but remember—payments are one-to-one transactions with clinical interactions)
• TIP: Make a review of those diagrams part of your normal operational discussions
Aggressive scope reduction
• Technical solutions (P2PE, EMV, Revenue/Payment Platforms)
• Outsourcing expertise
• Allocating liability through contract
18
20. 20
Strategies To Prevent Data Breaches
Healthcare Data Breach Stats:
• According to the HIPAA journal, 329 data breaches were reported in 2016, in which over 16 million records
were exposed
• Based on IBM’s Cost of Data Breach Study, healthcare organizations have an average cost of $355 per stolen
record
• The total cost of 2016’s data breaches at a staggering $5.6 billion
20
21. 21
Strategies To Prevent Data Breaches
What would help:
21
A more flexible approach to
streamline payment process
Enhanced payment security
and better managed PCI
Limit the amount of sensitive
payment data that goes
through the healthcare
revenue cycle (point of sale
or POS)
22. 22
Strategies To Prevent Data Breaches
How the Semi-Integrated
Architecture Works:
• Maintains a connection between the terminal and
revenue cycle system
• Provides an independent connection for
transactions to go “around” the ECR, directly to
the host
• Sensitive payment data does not enter the POS
Semi-Integrated Benefits:
• Simplifies EMV migration
• Reduces PCI scope
• Improves security
• Avoids EMV certification bottlenecks
22
23. 23
P2PE Solution
A P2PE solution protects the card holder data from the point of interaction to the
payment processor/gateway.
Benefits:
• Greatly reduces the PCI burden on the provider
• Removes the need for network segmentation
• Helps avoid potential liabilities such as audits, legal costs, fines and penalties
25. 25
Poll Question
What aspect of an Omni-channel payment strategy is most needed next for
your organization?
A. Utilize a patient payment portal
B. Ability to accept mobile patient payments
C. Implement contactless payments
D. All of the above
27. 27
Guide To Increase Patient Payments
Omni-Channel Payments
Seamless
• Healthcare Providers must transition their thinking from mailing bills to implementing technologies, just like retail,
enabling multiple points of payment across the ecosystem.
• That includes e-mail and web-based portals alerting to
financial transactions
• Includes mobile offerings like text reminders and links to
pay your bill through your phone
• Includes in-person payment technologies that accept all
forms of payment
28. 28
Guide To Increase Patient Payments
Implement Omni-Channel Payments
Mobile Experiences
28
• Can lead to increased patient collections
reducing bad debt and cost of collecting
• Differentiate your practice or health
system by meeting the patient where they
want to be met, on their phone
• Create a behavior change within
employees understanding the importance
of patient collections
29. 29
Guide To Increase Patient Payments
Omni-Channel Payments
Personalized & Immersive
29
How much will that treatment/visit cost?
Do other providers nearby offer the same treatment for
less?
What is the satisfaction or experience with that provider?
Can I make my appointment online?
Will the provider be delayed in seeing me?
Tell me my financial responsibility before I make visit
Offer me ways to pay that responsibility before, during and
after the visit.
Be prepared to offer financial tools to help me pay larger
responsibilities.
30. 30
Midwest Healthcare Provider / Success Story
BACKGROUND / CHALLENGES / OPPORTUNITIES
320 Merchant IDs (MIDs)
Hundreds of applicable PCI control requirements
Multiple lead gateways, processors & credit card devices
< 10% end-to-end encrypted (E2EE) and tokenized card payment data in transit and storage
Payment devices were not EMV-enabled
11 separate data sources & unknown total cost of ownership
31. 31
Midwest Healthcare Provider / Success Story
AFTER DEPLOYING A SECURE, SIMPLIFIED &
STANDARDIZED PAYMENT SOLUTION
160 MIDS
Reduced applicable PCI controls
1 lead gateway, 1 lead processor, 1 payment device provider
100% E2EE and tokenized card payment data in transit and storage
EMV-ready devices installed firm-wide
2 data sources, new data analytics capabilities and KPIs
32. 32
Midwest Healthcare Provider / Success Story
RESULTS / IMPACT
50% reduction in merchant account management
Mitigated 100% of financial risk
80% simplification of payment processing
Secured 100% of in-transit patient cardholder information
100% support for industry mandated solution
100% standardization to support informed decision making
34. 34
Provider Impact
Challenges
• Inefficient online bill pay capability
• Manual patient accounting system
• Stagnant revenue growth for patient responsibility payments
• Manual payment plan management
• Heavy staff interaction to complete patient payments
• Limited payment options available
34
35. 35
Provider Impact
Solutions
• Ability to make payments on multiple accounts during one transaction
• ANSI 835 auto-posting
• Automated recurring payment plans
• Reduce staff interaction by using technology to improve your workflows
• Increase payment options
35
38. 38
Thank You
38
Further Reading
• Compliance Today Magazine: Patient payment transactions: A confluence of
security and compliance considerations
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• Checklist – Your Guide to Choosing the Right Healthcare Payment Partner