Credit Card on File: Benefit or Liability?
Think twice before asking patients for a credit card number to keep on file.
Compliant patient that I am, I see my dermatologist each summer for a skin check, and while I am used to filling out forms before the visit, I was somewhat taken aback by the latest addition to the already thick pile of papers.
Apparently, my doctor now needs/wants a credit card on file for all patients—similar to the way hotels insist upon a credit card for “incidentals” upon check-in. I filled out the form and dutifully provided my digits, as I have something akin to white coat deference, meaning if a doctor says “Jump,” I ask “How high?” Still, it seemed odd and even wrong, but apparently asking for a credit card on file is increasingly commonplace. This practice may have some benefits, but it can also be risky business, according to a cadre of practice management experts Practical Dermatology® spoke with.
“It is commonplace to leave a credit card on file for practices that have patients on packages, patients on monthly routine programs, and/or for autoship retail skincare sales,” explains Jay A. Shorr, BA, MBM-C, CAC XII, founder and managing partner of Shorr Solutions, with offices in Florida. Another reason for this practice is to ensure that after an initial credit card deposit for a procedure, the final balances can and will be paid, he says.
Credit card numbers can be used to hold an appointment. The practice can then charge the card if the patient neither cancels within the practice’s stated cancellation policy (ex. 24 hours prior to the appointment) nor attends the visit, as long as the patient is informed in advance about the cancellation policy and charge amount, says Juli Y. Geldner, JD, LLM, Legal Counsel/Chief Operating Officer of The Geldner Center in Chicago and Hinsdale, IL.
In this sense, the practice of capturing a credit card number can reduce no shows. But, she stresses, it is not common place to leave the number on file. “There is a risk of the number being used nefariously, unless you have very robust layers of security,” Ms. Geldner says. Her advice? Ask for the card number to hold an appointment but do not keep the number on file. “Providers’ time is very valuable and a practice wants the highest ROI possible; if the schedule is filled with ‘no show’ gaps it can cause a revenue issue,” she says.
If you decide to collect credit card data other than at the point of service:
• Truncate credit card information to reduce risk.
• Do not store data.
• Review cyber insurance policy to make sure stored credit card data is covered.
• Educate staff on proper data handling; Limit access to data.
More Liability Issues
“The credit card on file, if not truncated (the last 4 digits of the card), can be compromised by anyone in the practice, which may lead to security concerns and/or theft,” Mr. Shorr adds.
New York City-based practice marketing consultant Wendy Lewis says the risks of this practice far outweigh any potential benefits. “Due to frequent changes among front desk staff and the new privacy regulations and incidents of hacking and data breaches, I would advise against it,” she says. “There is also the possibility of the patient’s financial information being compromised, which is just not worth the risk to most practices,” Ms. Lewis counsels. “The onus is on the practice to protect this sensitive information, and if there is a breach, you could be held responsible, if only in the patient’s eyes.”
There are some regulatory hurdles to overcome when storing credit card information, adds Michael J. Sacopulos, JD, a lawyer in Terre Haute, IN. “Payment Card Industry (PCI) compliance is more rigorous when a practice stores credit card data,” he says. “Practices also need to be aware that this activity could change their risk profile for insurance carriers.”
Review your cyber insurance policy to make sure stored credit card information is covered. “The practice may also need fidelity bonds in the event that credit card data is manipulated inappropriately by a staff member,” Mr. Sacopulos says.