The 2014 requirements of the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program, often referred to as "Meaningful Use", required participating healthcare providers to give patients online access to their health information, which in practice meant offering a patient portal. According to HIMSS, a successful patient portal is one that contains the information patients want and is easy for patients to use. Many patient portals today incorporate convenient features that make patients want to log in and use them, such as e-visits, self-check-in, immunization and medication history, test results, health and fitness data and more.
However, to have a truly useful and feature-rich portal, you need to incorporate payment functionality, too. Advances in payment technology have enabled a lot of convenient payment features, such as storing payment information on file, automating payments, creating customizable payment plans and setting up payment notifications.
As a healthcare provider, when you integrate payment functionality into your patient portal, you give patients more conveniences like easily accessing balance information, managing payment preferences and making payments. But, wait – how is that patient payment information stored?
The healthcare industry is at greater risk of security breaches than ever before. With targeted intrusions, software vulnerabilities, phishing scams and more all affecting healthcare, organizations need to do more to protect themselves and their patients' data from a breach. Payment card data adds a second regulated data class to the protected health information already in the portal, and it is governed by a different standard (PCI DSS) with its own validation and reporting obligations.
What options are available for protecting sensitive payment data in your patient portal? One option is for your IT team to segment your network so that only the systems that store, process or transmit cardholder data (the cardholder data environment) are in PCI DSS scope, keeping the rest of the portal infrastructure out of it. Segmentation only reduces scope if it actually holds, so PCI DSS requires the segmentation controls themselves to be penetration tested. A project like this can cost tens of thousands to millions of dollars, especially for large, complex organizations.
Another option is to remove payment functionality from the patient portal and redirect patients to a separate, processor-hosted payment page. This is a reliable way to ensure sensitive payment data never touches your servers, and it puts the merchant in the lightest PCI DSS self-assessment category for fully outsourced payments. However, it takes away from the convenient experience you want to deliver within your branded portal, and the off-domain redirect is exactly the pattern phishing pages imitate, so patients learn to accept it.
A third option is to accept the risk of having cardholder data on your servers. Not only does this greatly increase the impact of a breach (an attacker who gets into the portal database walks away with full card numbers), it also pulls the whole environment into full PCI DSS scope, meaning a grueling and costly compliance effort on an ongoing basis.
The reality is that with any of these options, your organization has to make some kind of tradeoff.
But, there is another option. Healthcare organizations can leverage tokenization to keep cardholder data off of their servers. Tokenization works by having the payment processor replace the card number (the primary account number, or PAN) with a surrogate value, the token, that has no exploitable relationship to the PAN. The mapping from token to PAN lives only in the processor's token vault; the portal stores the token plus display data such as the last four digits and expiry, and later charges the card by presenting the token to that same processor. If the portal database is stolen, the tokens cannot be reversed or used anywhere else, which is why the portal's servers drop out of the scope of the most demanding PCI DSS requirements.
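To make the flow concrete, here is an added example (not this vendor's or any processor's code) that simulates both sides of a tokenization integration in one process: a hypothetical `TokenVault` standing in for the processor's token service, a portal-side `StoredPaymentMethod` record that holds only the surrogate, and a `find_pans` scanner of the kind a PCI scoping review runs over portal data to confirm that no card numbers are actually stored. The class and function names are illustrative assumptions, and the card numbers are well-known test numbers, not real cards.

```python
"""Card tokenization flow, as an added illustration (not any vendor's code).

Two sides are simulated in one process:
  * TokenVault stands in for the payment processor's token service. Only it
    ever sees the PAN (primary account number).
  * StoredPaymentMethod is what the patient portal keeps: a random surrogate
    token plus display data (last four digits, expiry), never the PAN.
find_pans() is the kind of check a PCI scoping review runs over portal data
(a database dump, application logs) to confirm no card numbers are stored.
All card numbers used here are public test numbers, not real cards.
"""
import re
import secrets
from dataclasses import asdict, dataclass


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test: every real PAN passes it, most digit runs do not."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side token service (an assumption, not a real API)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}   # the only place PANs live

    def tokenize(self, pan: str, exp: str) -> dict:
        pan = re.sub(r"[ -]", "", pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random surrogate: no key and no arithmetic relates it to the PAN, so a
        # stolen token cannot be reversed; it is only usable through this vault.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def charge(self, token: str, amount_cents: int) -> bool:
        """The portal charges by token; the PAN is looked up here, never returned."""
        return amount_cents > 0 and token in self._pan_by_token


@dataclass
class StoredPaymentMethod:
    """Portal-side record for a card on file; contains no cardholder data."""
    token: str
    last4: str
    exp: str


def store_card_for_patient(vault: TokenVault, pan: str, exp: str) -> StoredPaymentMethod:
    """What the portal persists after the patient enters a card."""
    issued = vault.tokenize(pan, exp)          # PAN goes to the processor ...
    return StoredPaymentMethod(**issued)        # ... only the surrogate comes back


PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")   # 13-19 digits, optional separators


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text: a basic PCI scope check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    card = store_card_for_patient(vault, "4111 1111 1111 1111", "12/27")
    print("portal stores:", asdict(card))
    print("PANs found in portal record:", find_pans(repr(card)))
    print("charge by token ok:", vault.charge(card.token, 2500))
```

In a real integration the PAN is entered into a processor-hosted iframe or sent by the patient's browser directly to the processor, so the portal backend never even sees it in transit; the `tokenize` call here is on the same machine only to keep the example self-contained. Running `find_pans` over a database export or log sample is a cheap way to verify that the scope reduction you are claiming is true in practice.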
Tokenization is a great way to improve the security of your patient portal, but there is now a form of tokenization that improves the patient experience, too. With it, healthcare organizations can use an additional token to give patients the convenience of a digital wallet for future payments, without the portal ever holding the underlying card data. Combined with single sign-on (SSO) and two-factor authentication, patients only need to log in once to make payments securely; the authentication controls protect the account, and the tokens protect the card data, so a compromise of one does not expose the other. As a result, your patients can have a seamless payment experience within your existing patient portal, on any device, with cardholder data never touching your organization's servers. You and your team can rest easy knowing payment data is secure and that you have reduced your PCI scope by up to 90 percent.