Healthcare payments: Remedy these 3 compliance risks


In healthcare, compliance burdens are numerous, high and costly, and new requirements can pop up in surprising places. According to the Ponemon Institute, the average cost for non-compliant organizations is $9.6 million per year, 3.5x higher than the cost for organizations that are in compliance.

Here are three payments-processing compliance risks that you might not have been aware of. For each one, we explore the risk potential, the consequences of non-compliance, and methods to get back into compliance.

1. Nacha web debit verification

Although it was announced in 2021, a rule change by Nacha, the regulator overseeing the Automated Clearing House (ACH) network, is only now being enforced. The “Supplementing Fraud Detection Standards for WEB Debits” update requires that a commercially reasonable system be used to screen for fraud when an electronic ACH debit payment is made. That is a lot of screening, considering ACH/eCheck payments have grown nearly 18% year over year. In practice, the account number must be validated for ACH and eCheck payments made online for the first time from a consumer checking account, and again whenever a consumer changes the account number used for payments they have made before.

RISK: Moderate. According to Nacha’s own statistics, more than 426 million such transactions, totaling nearly $2 trillion, were processed in 2021.

PENALTIES: Fines shouldn’t be taken lightly, as they can range from $1,000 to $500,000 a month for non-compliance.

RESOLUTION: If screening is not included in the services provided by their payment processor, healthcare organizations should sign up for a third-party verification solution to perform the required real-time checks. At a low cost per screened transaction ($0.15 to $0.40), this ensures compliance, optimizes your revenue, and avoids the collections expenses that come with returned checks (Non-Sufficient Funds, or NSF). Enhanced capabilities, such as validation against multiple databases and additional checks on account age, current NSF reports, or stop-payment orders, will further reduce risk.

2. ADA compliance and Web Content Accessibility Guidelines (WCAG) 

As medical professionals, it is critical for you to be in tune with all your patients’ needs. However, making your online presence and digital payment processes ADA compliant may not have been a consideration when you first set up your payment portal. The Web Content Accessibility Guidelines (WCAG) are a technology-agnostic set of guidelines for creating more accessible content online. The Americans with Disabilities Act (ADA) and Section 508 also contain standards for web accessibility. Unlike WCAG, ADA and Section 508 carry legal ramifications.

RISK: With more than 2 billion disabled individuals around the world, creating an accessible experience isn’t just the right thing to do, it also means reaching a wider audience. Beyond compliance, accessible design allows consumers to do more online, including buying and using products. 

PENALTIES: Non-compliance with Section 508 web accessibility requirements can put contracts with federal agencies in jeopardy. Without WCAG certification and attention to Section 508 and ADA compliance, you are also excluding this key consumer group and are at risk of becoming party to negative, reputation-damaging lawsuits and the associated legal costs.

RESOLUTION: Choose a payments partner that has already implemented WCAG 2.1 principles in its payments experience. Providing accessible payment options requires a framework, and WCAG is a powerful starting point for better digital payments.

3. PCI compliance 

Scribbling credit card numbers on a piece of paper for manual entry, and failing to remove access to credit card data when users are terminated, are just a couple of the ways you can find yourself on the wrong side of Payment Card Industry (PCI) requirements. More burdensome still is the time and expense required for your staff or an outside consultant to compile an annual PCI audit.

RISK: Without proper precautions, credit card terminals can be compromised before they are even installed on your premises, not to mention the risk of damage to your organization’s reputation if appropriate measures are not in place.

PENALTIES: Beyond the increased risk of falling victim to the growing threat of credit card fraud, what happens if you are not in compliance? The payment card brands may, at their discretion, fine an acquiring bank anywhere from $5,000 to $100,000 per month for PCI compliance violations. Most banks will pass this fine along until it reaches the merchant. Banks are also able to terminate your relationship or increase transaction fees. Penalties are not openly discussed or widely publicized, but they can be truly catastrophic to a business.

RESOLUTION: Implementing stronger security measures, such as credit card terminals with PCI-validated point-to-point encryption (P2PE), can drastically reduce your PCI scope (going from 200+ questions to ~30) and, consequently, the time and expense invested in PCI self-assessments. P2PE solutions from a certified payments provider follow a validated process that ensures card data is encrypted at the point of capture and that devices have not been tampered with.

Without proper attention, compliance issues can undermine your reputation and your profitability. As the world becomes digitally led, it is critical for business success to stay current with the changing requirements that affect your compliance and your ability to deliver a compelling consumer experience. Choose a payments processor that can have a significant impact on mitigating your risk of non-compliance.

Click here to learn more about how CSG Forte’s solutions can help you secure patient payment data.