ISOs can present themselves as consultants by specializing in offering card-acceptance services to just one or two types of clients and really getting to know those businesses.

Experts who recommend that approach to acquiring often cite the example of concentrating on selling card services to health care providers. ISOs can get started in that specialty by learning about compliance-related issues for that industry, they say.

At the same time, however, ISOs that do not specialize in health care also may benefit from brushing up on medical-data regulations. Those rules apply to companies in many other industries that somehow touch health care information, anything from a clinic’s accounting firm to a health plan’s paper-shredding service.

“We believe ISOs and card processors that develop even basic consultative knowledge of HIPAA and HITECH can leverage that knowledge to open doors into card-processing relationships,” says Mark Brady, compliance director for Compliance Solutions and Resources, or CSR, a Jensen Beach, Fla.-based compliance provider.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, regulates the handling of health records in both electronic and paper form. HITECH, the Health Information Technology for Economic and Clinical Health Act of 2009, builds on HIPAA rather than replacing it, and focuses on electronic health records and the electronic exchange of health information.

HIPAA’s Title I protects health-insurance coverage for workers when they change jobs, but ISOs should focus on Title II, which deals with handling health information, Brady suggests. Title II, known as “administrative simplification,” covers rules concerning privacy, security and enforcement.

The privacy rule mandates the form patients fill out on their first visit to a health care provider, Brady notes. It instructs providers to appoint a privacy officer, but smaller entities sometimes outsource privacy functions instead, he says. It also requires privacy training for the provider’s entire workforce.

Under the security rule, the government established administrative, physical and technical safeguards and standards that resemble some of the requirements of the Payment Card Industry Data Security Standard, or PCI DSS, Brady says. It also requires providers to create policies and set procedures, he notes.

The enforcement rule sets civil and criminal penalties for violating HIPAA rules. The government has levied a few significant fines recently and is auditing providers, Brady says.

HIPAA applies to “covered entities,” including clinics, health plans, health care billing services and community health-information systems, all the health care providers that transmit medical data, Brady says. But the government expanded some of that responsibility to everyone who does business with “covered entities” by passing HITECH, he says.

HITECH stretches the scope of regulation to such entities as fundraisers, marketers, data analysts and aggregators, consultants, attorneys, accountants, actuaries, managers, administrators, photocopiers, medical records companies, document shredders, information-storage companies, billers, collections firms and website hosts, according to a list Brady provided.

It also requires reporting data breaches to the Health & Human Services Department, Brady says. If fewer than 500 individuals are affected, entities can report breaches annually, he says. If more than 500 are victimized, entities must report breaches within 72 hours.

States also are passing legislation and imposing regulations that sometimes restrict health care information more stringently than the federal rules, Brady warns.
