Credit Card Processing, Medical and Dental

Credit Cards On File: Taking Credit Cards as a Doctor or Healthcare Professional

by Ben Dwyer

December 9, 2015

Even though many people have some type of health insurance, it’s likely that your patients will need to pay for some of their services out of pocket. Whether it’s a co-payment or the full cost of a visit, people like the convenience of paying by card.

Taking credit cards at your clinic may even reduce your likelihood of overdue bills, especially if you implement a credit card on file (CCOF) policy.

If you know you want to take credit cards, but it seems like a minefield, this article will tell you what you need to know about accepting credit cards at a medical practice, setting up a credit card on file solution for accounts receivable, taking FSA or HSA payments, and choosing the right HIPAA compliant credit card processing for your clinic.


Should I take credit cards?

Some practices hesitate to accept credit cards because they think it’s too expensive or aren’t sure if it will comply with HIPAA requirements. Whether you should take credit cards is a question that only you can answer for your practice, but one thing to keep in mind is that if a credit card is the difference between a client paying at the time of their visit (or setting up a payment plan via credit card on file) and mailing them a bill, you may have better payment results accepting the credit card.

No doubt your office has experienced delays and frustration as staff tries to coax payment from patients after bills have been sent and overdue notices have gone unheeded. Overdue bills can lead to lost funds and wasted staff time, and you may end up referring them to collections. If you can avoid that by taking credit cards, suddenly the costs to take those credit cards are minor in comparison.

How does credit card processing actually work?

To take credit cards, you’ll open what’s called a merchant account with a company that will handle the credit card transaction for you. That company will be your payment processor, and it’s their job to facilitate the transfer of money from your patient to your practice. That process costs money, which is where the rates and fees for processing come in.

There are three components of processing costs – interchange, assessments, and markup. Interchange and assessments are non-negotiable costs of processing. Think of them as the wholesale cost. Interchange and assessment fees are paid to the banks that issue credit cards, and the card companies themselves, like Visa and MasterCard. Your payment processor takes care of making sure everyone gets their fees. The markup is what your processor makes as their profit for handling your transaction. So when you’re looking for a processor, you’ll want to choose one that offers the lowest markup over cost.

How do you know which processor will offer you the lowest markup over cost? You can ask them directly (if they can’t or won’t tell you their markup over cost, consider another processor) or you can let CardFellow do it for you. Sign up for free to get instant quotes that clearly display the markup and the wholesale cost to process.

Is anything different for doctors and healthcare professionals?

There are a few things to know about processing credit cards in the healthcare field. Firstly, some card types (like American Express) may actually offer lower costs for healthcare businesses than they do for non-healthcare businesses. Any processor that places certified quotes through CardFellow will be able to set you up to take advantage of any lower costs available to you as a healthcare provider.

Secondly, your processor may be able to get you set up to accept health financing cards, like CareCredit.

CareCredit health financing card image

If you have patients that want to pay with health financing cards, being able to accept their payment at the time of service will be as easy as taking any other form of payment.

Additionally, doctor’s offices and clinics generally don’t need fancy equipment to process credit cards. Simple countertop terminals, or even virtual terminals (which let you take credit cards through any computer with an internet connection) are low cost ways to securely accept credit cards. In fact, taking credit cards using a computer is the primary way that you’ll process payments if you decide to implement a credit card on file policy. Your computer won’t actually store the credit card information (that’d be a violation of security practices) but you’ll be able to connect to your processor for payment using the stored card.

Lastly, businesses involved in the medical field may want to expand payment options to accept Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs) and Flexible Spending Accounts (FSAs.)

Health Savings Account and Flexible Spending Account Payments

Some patients may want to use their health savings account (HSA), health reimbursement account (HRA), or flexible spending account (FSA) to pay. If you want to accept these card types, you’ll need the correct classification with your processor. When you set up a merchant account for credit card processing, you’ll be assigned a merchant category code (MCC), which designates your business type. You’ll only be eligible to accept HSA and FSA cards if you’re assigned a healthcare-related MCC. The following list of healthcare MCCs includes specialists and general practitioners as well as dental and optometry practices:

  • 4119 – Ambulance Services
  • 5975 – Hearing Aids-Sales, Service, Supply Stores
  • 5976 – Orthopedic Goods – Artificial Limb Stores
  • 7277 – Debt, Marriage, Personal – Counseling Service
  • 8011 – Doctors-not elsewhere classified
  • 8021 – Dentists, Orthodontists
  • 8031 – Osteopathic Physicians
  • 8041 – Chiropractors
  • 8042 – Optometrists, Ophthalmologists
  • 8043 – Opticians, Optical Goods, and Eyeglasses
  • 8049 – Chiropodists, Podiatrists
  • 8050 – Nursing and Personal Care Facilities
  • 8062 – Hospitals
  • 8071 – Dental and Medical Laboratories
  • 8099 – Health Practitioners, Medical Services-not elsewhere classified

Read more about Merchant Category Codes (MCCs)


Note that not all HSA or FSA cards will allow purchases with all healthcare businesses, even if you’re assigned the correct MCC. The cards are coded to work with particular MCCs and the cardholder should check with the plan administrator if they have questions about whether a particular practice or specialty is covered under their plan. Additionally, HSA and FSA cards can still be declined by the issuer if the patient doesn’t have enough money in their account or for other reasons, just like other cards.

Drug Stores and Pharmacies

Additional healthcare businesses like drugstores and pharmacies may be able to accept HSA and FSA cards if they have the appropriate MCC (5912, or 5122) and at least 90% of gross sales are from prescriptions and over-the-counter qualifying healthcare products. The gross sales threshold must be proven through registration with the SIGIS organization, a group involved in healthcare transactions and compliance.

Retailers that Sell Eligible Products

For businesses that don’t have medical MCCs but sell FSA or HSA-eligible products, you may still be able to accept FSA/HSA cards if you have the IIAS inventory system. The Inventory Informational Approval System (IIAS) sorts items into HSA/FSA eligible and non-eligible when the customer checks out. IIAS compliance is required if you accept FSA and HSA cards, and applies to general retailers, discounter retailers, supermarkets, and drug stores, including chains.

Not all POS systems are IIAS compliant, so if you plan to sell qualifying medical products and accept HSA or FSA cards for the purchases, be sure to check with your credit card processor and the POS provider you’re considering before you purchase a point-of-sale system.

HIPAA Compliant Credit Card Processing

Many practices are understandably concerned about using only HIPAA-compliant credit card processing companies. The good news is that basic processing generally falls outside the scope of HIPAA requirements.

When it comes to HIPAA compliance, there are two categories that a business may fall under. One is “covered entities” or the businesses directly dealing with patients’ info. The other is “business associates”, or third-party vendors that the covered entity works with, such as IT companies, and other services. A “business associate agreement” that spells out responsibilities for safeguarding information may be required between a covered entity and a business associate.

However, credit card processing companies may be exempt from the business associate agreement requirement. On the Health and Human Services website, it lists exceptions, including the following passage about credit card transactions:

When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums. When it conducts these activities, the financial institution is providing its normal banking or other financial transaction services to its customers; it is not performing a function or activity for, or on behalf of, the covered entity.
Source: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

This indicates that for healthcare purchases, the credit card processing company is providing its normal financial service to customers and is not providing a service on behalf of the covered entity/medical practice. Since the processing company is not performing a service for the covered entity (your practice) you won’t need a business associate agreement with the processor.

It’s important to note that this exemption may not apply if your processing company provides services beyond simple transaction processing, such as accounting functions, patient management, and other services.

Ryan Marshall, Manager of HIPAA Fulfillment at Securitymetrics, explains, “The primary delineation between covered and non-covered functions is whether the financial institution is performing the service for the consumer or the Covered Entity. If the financial institution is processing a payment the consumer is making for, or related to health care or health plan premiums they are not viewed as acting on behalf of the Covered Entity. Even though the payment is originating from the Covered Entity’s processing account, they are viewed as acting on behalf of the consumer and would not be a Business Associate. If the financial institution is operating an accounts payable or other back office system for a Covered Entity, they are viewed as acting on behalf of the Covered Entity and would be a Business Associate.” Be sure to clearly define what functions your processor will perform to determine if they are a business associate or not.

Another important note is that your practice should not provide protected health information (PHI) to your processing company. For example, you shouldn’t enter details about a patients’ care or treatment in comment boxes in online payment forms. Marshall reiterates that information not required to complete the transaction shouldn’t be given to a processor, saying, “It is generally accepted that the remittance advice information or an explanation of benefits are not required to conduct a funds transfer  or forward a transaction and therefore should not be disclosed.” The sample explanation of benefits form below is an example of information that should not go to a processor, as it is not information a processor needs in order to conduct a transaction for a patient.

EOB example hipaa cc processing

Additionally, your processor cannot send a receipt to patients via non-secured methods, such as by text or unencrypted email. Some companies, like Square, often have email receipts enabled by default so be sure to disable such functions.

Note that HIPAA compliance is a complex subject, and credit card processing is only one small piece. Using a credit card processor that’s exempt from HIPAA requirements doesn’t mean your practice can skip other compliance steps. If you’re unsure about whether a provider you’re considering is HIPAA compliant, be sure to ask directly.

Insurer Payouts to Your Practice

Medical practices that accept insurance need a way to receive payouts from the insurance providers. Some providers require you to accept payment by credit card (or virtual credit card) though others will pay by check or electronic funds transfer (EFT).

The American Medical Association released a statement about virtual credit cards for provider payments. The group explained that the Centers for Medicare and Medicaid Services (CMS) state that healthcare practices should not be required to accept virtual credit payments.

However, if you do accept insurance payments by credit card, keep in mind that the transaction will incur processing fees, just as you’d incur fees if the payment was from a patient.

The AMA statement linked above implies that virtual credit card payments are more expensive, but it’s important to note that there are no additional fees for virtual card payments. Rather, the expense comes in when cards are “keyed” – that is, when card data is entered manually instead of swiping a card. If your practice receives credit card details by phone, fax, or email and manually inputs the data, that’s a keyed transaction.

It’s also possible for credit card processors to add excessive markups, which can raise the total cost of processing. If you’re accepting credit cards – whether from patients or providers – be sure that you have the most competitive solution to keep your processing fees down. If you need help, get baseline pricing through the CardFellow quote tool and then give us a call.

Credit Card On File (CCOF) Policies

One thing many doctors and healthcare practices are interested in is “credit card on file” or CCOF services. With CCOF, your patient provides their credit card information for you to use at a later date, to pay their bill. The card on file can be used for copays, deductibles, non-covered services paid out of pocket, or for portions of bills not covered after insurance has paid out its portion.

You’ll still need to ensure that patients are aware of transactions, and it’s good practice to send a receipt either by mail or email for on-file credit card payments. But having cards on file makes it a little easier on on your accounts receivable staff since payment information is handy.

According to Rochelle Glassman (President and CEO of United Physician Services) in an article for Kareo, storing patients’ credit card details is not a HIPAA violation. Marshall concurs, stating, “If it is for the payment processor to promote customer convenience during future funds transfers and is not used for any other reason by the Covered Entity, I think that is defensible as a normal function of a financial transaction on the consumer’s behalf.”

However, having a credit card on file policy doesn’t mean you can just write down and file your patients’ card details; it will need to be stored securely, and preferably in an encrypted format, meeting rules of credit card compliance known as PCI. This is where credit card processing companies can help.

See Also: Kareo Practice Management Software Review.


Credit card processing companies that are accustomed to recurring payments and other situations where customers routinely use their card with a particular business offer options like card vaults. A card vault is a secure method of storing credit card information with your credit card processor, not internally, that still allows you to use the information for authorized billing. You’ll be able to choose the patient to bill without needing to enter their card details each time.

Advantages of CCOF

The biggest advantage of a credit card on file policy is that you’ll save time on collecting payments. Practice management website ManageMyPractice claims that using CCOF can bring accounts receivable times down to 32 days on average.

It can also be convenient for your patients, as they won’t need to provide details or have their card ready every time they need to make a payment.

Disadvantages of CCOF

A disadvantage to CCOF is that some patients don’t like the policy. You may get resistance from those patients, and some may even choose another provider. However, you can get around this resistance by educating patients on the security of the card storage vault or simply encouraging but not requiring a card on file.

While it’s not exactly a disadvantage, another thing to keep in mind is that storing credit cards isn’t a matter of making a photocopy and putting the information in a filing cabinet. You’ll need to comply with card storage security procedures, which can add time to your initial set up. However, as long as you work with a PCI-compliant credit card processor that offers a card storage vault/recurring payment options, it shouldn’t be an issue.

Setting Up Credit Card On File Through a Gateway

Processors that offer gateways with card storage vaults can help you set up credit cards on file while still maintaining compliance with PCI and HIPAA requirements. To find a gateway that includes a card storage vault, I suggest using CardFellow’s gateway directory, located here. Once you click that link, you’ll need to narrow down gateways by filtering for card storage vault. To do that, click the button that says more search filters.

Credit Card On File Gateways

You’ll see a grey box with more search options appear. Click the arrow next to “Category” and then choose “Gateways.” Click the green button that says “Apply filters.”

Credit Card On File Search

Once you click that button, you’ll see the results. The results that appear are the gateways that include a card storage vault, meaning you’d be able to set up secure credit card on file procedures for your practice.

Credit Card On File Gateway results

You can browse through the list, clicking on the names of the gateways for full details and explanations of the features and services.

What about EMV chip cards? Can I put a chip card on file?

The EMV chip cards are simply an advanced-security credit card. Instead of “swiping” a traditional card, you “dip” a chip card into the special chip reader slot. EMV chip cards don’t affect credit card on file procedures. Your patients can put a chip card on file with your practice the same as a traditional magnetic strip card.

To take EMV chip cards in person instead of putting them on file, you need a chip card-capable reader, either a countertop model or one that connects to your computer. Equipment manufacturer MagTek offers an EMV reader for computers.

If you don’t have a chip card reader but a customer wants to pay with a chip card, you can still accept the card by swiping it using the traditional magnetic stripe on the back, but the transaction will not benefit from the advanced security, and you may be liable if that transaction is fraudulent. For security at your practice and for your cardholders, it’s best to use a chip-capable machine if you’re running cards in person.

Can I charge more to cover the costs of accepting credit cards?

Some practices wonder if doctors can charge a fee to customers who want to use credit cards. The answer is: Maybe.

Charging clients a fee to use their credit card is referred to as “surcharging.” As of 2023, there are only 2 states that prohibit surcharging credit cards: Connecticut and Massachusetts. If your practice operates in one of those states, you may not add a fee for customers who pay using a credit card.

state surcharge ban map

 

Outside of those states, you may be able to surcharge credit cards. Note that debit cards can never be surcharged, even if “run as credit.” If surcharging is permitted in your state and you’d like to do it, there are a number of rules you’ll need to follow, including informing the card companies, informing customers prior to charging, and more. There are also caps on fee that you can charge.

Related article: Charging Customers a Credit Card Fee at Checkout.


Charging a Fee for HSA or FSA Cards

HSA and FSA cards can not be surcharged in any state.

The cards are considered debit cards, and adding a fee for customers paying by debit card is never permitted, even if the card is “run as credit” or the customer authorizes with a signature instead of a PIN. However, debit cards are often lower cost to process, so the fees you pay to accept them may not be as large as the fees you pay to accept credit cards.

How do I figure out which HIPAA compliant processor I should use?

We’ve made it easy. Take 3 minutes to sign up for a free, private account with CardFellow to get instant quotes from processors that can help your practice. In fact, one of the processors who places certified quotes through CardFellow is endorsed by the American Medical Association as an MVP service.

Quotes you get through the CardFellow marketplace are among the most competitive you’ll ever receive thanks to our strict requirements that benefit offices just like yours. We require a lifetime rate lock so your rate will never increase, and there’s no cancellation fee if you decide you don’t want to take cards anymore.

The average business saves 40% on their credit card processing costs when they choose a processor through CardFellow. You can also work with processors to set up CCOF policies with card storage vaults. Sign up today to see how much you could save and how to start putting cards on file.

Integrating with Practice Management Software

If you’re already using practice management software like Kareo or CureMD, you may be able to integrate credit card processing. In some cases, software companies have exclusive contracts with particular payment processors, but some companies allow your choice of processor.

If your preferred practice management software only offers integration with one processing company, you’ll have the choice of working with that company (possibly at a higher cost) or utilizing another processing company but manually importing your data for reconciliation. If you need help assessing your options, contact us today.

I already take credit cards, but it seems expensive. Can I lower my costs?

It’s very likely!

Many healthcare providers are overpaying for credit card processing due to complicated pricing models and deceptive tactics. You can get free no-obligation quotes through CardFellow even if you’re already processing. To find out if you can save, sign up to see what pricing you’re eligible for and, once you’ve received your quotes, send us your statement and we’ll walk you through your options.

If it doesn’t make sense for you to switch, we’ll tell you that, too! You want to focus on helping your patients, not on figuring out your credit card processing, and we can help you do just that. Try it now..

See also:
Credit Card Processing for Dentists

About The Author

FOUND THIS USEFUL? SHARE THIS!
TwitterFacebookLinkedIn

Credit Card Processing exposed

Use the secrets that credit card processors don't want
you to know to drastically lower your credit card
processing fees.

Read Now!
 

You might also like…

View all articles..