HIPAA and the EMV Card Transition

Posted on 05.20.2016 by Eugene O'Rourke under Compliance, Security

America’s financial sector is in the middle of an upgrade as the country switches to EMV chip cards. The EMV chip is the newest layer of card security and is intended to supersede the magnetic stripe on the back of every credit and debit card. Every merchant that accepts cards as payment for goods or services, including medical goods and services, is expected to be processing EMV chip transactions in the near future.

Like much new technology, however, this transition disrupts existing payment-handling processes. Adding the chip as a payment option may require changes to existing procedures, including those that maintain HIPAA security compliance. That concern has led many medical offices to delay installing chip-reading terminals until the full HIPAA impact of the transition is understood. For a physician practice, being found out of compliance with HIPAA is a far more serious problem than any difficulty with payment processing.

EMV Technology

“EMV” stands for Europay, Mastercard and Visa, the three companies that originally developed the standard; the specification is now maintained by EMVCo. Chips built to it are embedded in over 3.4 billion payment cards around the world. The chip is designed to reduce card-present fraud from counterfeit, stolen or lost credit and debit cards, and because the standard is global, a chip card works on any chip-enabled payment terminal in the world.

EMV Enhanced Security

The chip supports three security functions:

  • Card Authentication – The terminal (offline) or the issuer (online) verifies that the chip is genuine. Offline authentication checks a digital signature on the card’s data; online authentication checks a cryptogram that the chip computes over the transaction details with a key known only to the card and the issuer. Because each cryptogram covers a transaction counter and a terminal-chosen random number, the data captured from one transaction cannot be replayed to complete another.
  • Cardholder Verification – The chip also supports checking that the person presenting the card is its authorized holder. The card carries an issuer-defined list of verification methods (online PIN, offline PIN, signature, or no verification) ranked by the risk of the transaction, and the terminal applies the first one that both it and the card support; the cardholder does not choose the method.
  • Transaction Authorization – Authorization is either online or offline, depending on the terminal’s and issuer’s risk settings, not on whether the card is physically present. Online authorization follows the same path as a magnetic-stripe transaction: the merchant’s terminal sends the transaction data, plus the cryptogram, to the issuer for approval or decline. In an offline authorization, the card and the terminal decide between themselves within limits the issuer has set, and the transaction is reported to the issuer afterwards.
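The online-authentication step above, as an added example that is not part of the original post: the card derives a per-transaction key from its master key and transaction counter (ATC), MACs the amount, currency, terminal random number and ATC, and the issuer recomputes the MAC and requires the ATC to move forward. Real EMV uses an 8-byte 3DES/AES CBC-MAC and a different key-derivation scheme; HMAC-SHA256 truncated to 8 bytes stands in for it here, and the master key and PAN are constructed test values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// TxData is the subset of transaction fields the cryptogram covers.
// The ATC (Application Transaction Counter) is incremented by the chip on
// every transaction; the unpredictable number is chosen by the terminal.
type TxData struct {
	Amount        uint64 // in cents
	CurrencyCode  uint16 // ISO 4217 numeric, 840 = USD
	Unpredictable uint32 // terminal-generated random number
	ATC           uint16 // card's transaction counter
}

func (t TxData) encode() []byte {
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf[0:8], t.Amount)
	binary.BigEndian.PutUint16(buf[8:10], t.CurrencyCode)
	binary.BigEndian.PutUint32(buf[10:14], t.Unpredictable)
	binary.BigEndian.PutUint16(buf[14:16], t.ATC)
	return buf
}

// sessionKey derives a per-transaction key from the card's master key and
// the ATC (a simplified stand-in for EMV's session key derivation).
func sessionKey(masterKey []byte, atc uint16) []byte {
	var b [2]byte
	binary.BigEndian.PutUint16(b[:], atc)
	m := hmac.New(sha256.New, masterKey)
	m.Write(b[:])
	return m.Sum(nil)
}

// Cryptogram is the ARQC-like MAC over the transaction data, truncated to
// the 8 bytes an EMV cryptogram occupies.
func Cryptogram(masterKey []byte, tx TxData) []byte {
	m := hmac.New(sha256.New, sessionKey(masterKey, tx.ATC))
	m.Write(tx.encode())
	return m.Sum(nil)[:8]
}

// Card is the chip: it holds the master key and its transaction counter.
type Card struct {
	masterKey []byte
	atc       uint16
}

// Authorize increments the ATC and produces the cryptogram for one transaction.
func (c *Card) Authorize(amount uint64, currency uint16, unpredictable uint32) (TxData, []byte) {
	c.atc++
	tx := TxData{Amount: amount, CurrencyCode: currency, Unpredictable: unpredictable, ATC: c.atc}
	return tx, Cryptogram(c.masterKey, tx)
}

var (
	ErrUnknownCard   = errors.New("unknown card")
	ErrBadCryptogram = errors.New("cryptogram does not verify: data altered or card not genuine")
	ErrReplay        = errors.New("ATC not above last accepted value: replayed transaction")
)

// Issuer holds each card's master key and the highest ATC it has accepted.
type Issuer struct {
	keys    map[string][]byte // PAN -> master key
	lastATC map[string]uint16 // PAN -> last accepted ATC
}

// Verify is the issuer's online check: the cryptogram must match and the
// ATC must move forward, so neither a replay nor an altered amount passes.
func (i *Issuer) Verify(pan string, tx TxData, arqc []byte) error {
	key, ok := i.keys[pan]
	if !ok {
		return ErrUnknownCard
	}
	if !hmac.Equal(arqc, Cryptogram(key, tx)) {
		return ErrBadCryptogram
	}
	if tx.ATC <= i.lastATC[pan] {
		return ErrReplay
	}
	i.lastATC[pan] = tx.ATC
	return nil
}

func main() {
	mk := []byte("constructed-card-master-key") // constructed secret shared by card and issuer
	pan := "4111111111111111"                   // standard test PAN
	card := &Card{masterKey: mk}
	issuer := &Issuer{keys: map[string][]byte{pan: mk}, lastATC: map[string]uint16{}}

	tx, arqc := card.Authorize(12500, 840, 0xA1B2C3D4)
	fmt.Println("genuine: ", issuer.Verify(pan, tx, arqc))
	fmt.Println("replayed:", issuer.Verify(pan, tx, arqc))

	tx2, arqc2 := card.Authorize(4999, 840, 0x01020304)
	tx2.Amount = 499900 // altered in transit
	fmt.Println("tampered:", issuer.Verify(pan, tx2, arqc2))
}
```

The two rejections are the point of the bullet: a captured transaction replayed verbatim fails on the counter, and a transaction whose amount was changed after the chip signed it fails on the MAC, while the chip's master key never leaves the card or the issuer.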

EMV Technology Should be Installed But Not For the Obvious Reasons

Simply put, a chip card does not, on its own, provide the level of protection HIPAA requires for a patient’s financial information. The card does, however, offer other benefits for both the cardholder and the vendor, and these outweigh the cost of the transition:

For the User:

In most situations, the EMV chip protects its holder by preventing other people from using the card’s protected data. Because each transaction carries a unique cryptogram, capturing the data from a single transaction does not allow an attacker to complete any other transaction, and the chip itself is far harder to clone than a magnetic stripe. In countries that have adopted the technology, card fraud has fallen by as much as 73 percent.

For the Vendor/Medical Office:

There is no legal mandate to adopt the new technology, so failing to do so will not bring fines or other sanctions. However, since the liability shift of October 1, 2015, a merchant that does not offer a chip-reading terminal bears the loss when a chip card is swiped through a magnetic-stripe reader and the transaction turns out to be counterfeit fraud; before the shift, that loss fell on the card issuer. Because of this increased liability exposure, it is prudent to add chip readers in every medical office as quickly as possible.

EMV Cards Do Not Replace HIPAA-Compliant Financial Data Security Measures

HIPAA requires every medical services provider to protect its patients’ confidential health data (“protected health information,” or PHI), including financial records that contain health data, such as billing statements that list diagnoses or procedures. Medical records are most often kept in a dedicated location (digital or otherwise), behind layers of encryption and firewalls, with access limited to a few authorized users.

Financial records, on the other hand, are frequently transmitted throughout the clinic, among the providers on the wider medical services team, and through the processing systems of Business Associates. Accordingly, patient financial data needs different, and more comprehensive, security measures to remain confidential and protected for as long as the provider holds it.

Two Primary Financial Data Security Systems

Each of these systems offers a different type of protection and accomplishes it in a different way.

Tokenization

This system replaces the sensitive data with a “token,” a non-sensitive substitute that has no value except as a placeholder for the card number. The token is random, or at least cannot be reversed mathematically, and the mapping back to the original card number lives only in a token vault, usually operated by the payment processor, that very few systems can reach. The merchant stores and uses the token for later activity such as refunds or recurring charges and never needs the card number itself, so a breach of the merchant’s records yields only tokens. The token system runs alongside the card-reading system.

Point-to-Point Encryption

This system encrypts card data in the reader at the moment of swipe, dip or tap and keeps it encrypted until it reaches the processor, where the decryption key converts it back into usable card information. The key is held only by the processor (or the P2PE solution provider), so the merchant’s own network and point-of-sale systems handle nothing but ciphertext; without the key, the encrypted data is useless.
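The two mechanisms described under Tokenization and Point-to-Point Encryption, as one added end-to-end example that is not part of the original post: the reader seals the card number under a key only the processor holds (P2PE), the processor decrypts it, files it in a token vault and returns a random token, and the merchant later issues a refund with nothing but that token. AES-256-GCM is used for the reader-to-processor leg; the key, the PAN and the token format are constructed for the example and are not any real processor’s scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM instance around the key the processor
// provisions into the reader and otherwise keeps to itself.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Terminal is the chip/swipe reader: it seals the PAN immediately, so
// everything downstream in the merchant's network sees only ciphertext.
type Terminal struct{ processorKey []byte }

// Encrypt returns nonce || ciphertext || tag for one card read.
func (t Terminal) Encrypt(pan string) ([]byte, error) {
	gcm, err := newGCM(t.processorKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Processor holds the decryption key and the token vault; it is the only
// party that sees the PAN in the clear after the card is read.
type Processor struct {
	key   []byte
	vault map[string]string // token -> PAN, never exposed to merchants
}

func (p *Processor) decrypt(blob []byte) (string, error) {
	gcm, err := newGCM(p.key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil) // fails on any tampering or wrong key
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Tokenize decrypts the reader's blob, files the PAN in the vault and
// returns a random token that keeps only the last four digits visible.
func (p *Processor) Tokenize(blob []byte) (string, error) {
	pan, err := p.decrypt(blob)
	if err != nil {
		return "", err
	}
	if len(pan) < 4 {
		return "", errors.New("PAN too short")
	}
	r := make([]byte, 8)
	if _, err := rand.Read(r); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(r) + "_" + pan[len(pan)-4:]
	p.vault[token] = pan
	return token, nil
}

// Refund is a later merchant-initiated operation that carries only the
// token; it returns the last four digits routed to, never the PAN.
func (p *Processor) Refund(token string) (string, error) {
	pan, ok := p.vault[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan[len(pan)-4:], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key
	reader := Terminal{processorKey: key}
	proc := &Processor{key: key, vault: map[string]string{}}

	blob, _ := reader.Encrypt("4111111111111111") // standard test PAN
	fmt.Printf("merchant network sees: %x\n", blob)
	token, err := proc.Tokenize(blob)
	fmt.Println("merchant stores:", token, err)
	last4, err := proc.Refund(token)
	fmt.Println("refund routed to card ending", last4, err)

	blob[len(blob)-1] ^= 1 // corrupt one byte of the authentication tag
	_, err = proc.Tokenize(blob)
	fmt.Println("tampered blob:", err)
}
```

The split of duties is the security point: the merchant's terminal, network and records handle ciphertext on the way in and a token afterwards, and neither can be turned back into a card number without the processor's key or vault.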

Together, encryption and tokenization protect card data from the point of swipe, dip or PIN entry to its final destination, making it extremely difficult to steal: encryption covers the data in transit to the processor, and tokenization covers what the merchant keeps afterwards. The EMV chip, by contrast, protects the transaction only at its beginning, by proving the card is genuine and keeping it from being used by the wrong people. It does not encrypt the card number; after an EMV transaction is authorized, the account data travels onward through the merchant’s systems and network like any other data, with whatever protection those systems do or do not provide.

Adding chip readers to a medical office is advised to avoid unnecessary liability exposure, as is maintaining existing, up-to-date, HIPAA-compliant protections for patient financial information.