The Green Sheet Online Edition

July 25, 2011  •  Issue 11:07:02


HIPAA compliance fundamentals for ISOs

By Mark Brady and Ross Federgreen

It seems every week brings us more headline-grabbing news of the latest data breach. Not only have Payment Card Industry Data Security Standard-related breach incidents escalated, but compromises to public health information have raised concerns among health care professionals. By understanding the complex issues surrounding health care compliance, ISOs can build better relationships in this thriving sector.

In 1996 the Department of Health and Human Services (HHS) published the Health Insurance Portability and Accountability Act (HIPAA). HIPAA presents significant challenges to the more than 1 million merchants involved in health care who are known as "covered entities." By definition, these entities provide care, services or supplies related to the health of an individual and transmit health information in electronic form. HIPAA makes no distinction as to the size of the health care merchant. Smaller organizations must comply with all HIPAA requirements, just as larger health care providers, health insurance companies and health plans do. However, the HHS does give providers the flexibility to design their own privacy procedures.

This article will concentrate on the health care provider segment, which includes doctors, psychologists, dentists, chiropractors, clinics, nursing homes and pharmacies. In some cases, HIPAA can even include fitness centers, spas and masseuse offices that meet the very broad HIPAA definition of a business associate of a covered entity.

HIPAA core requirements

The following describes some of the HIPAA compliance components that smaller health care providers must implement.

Health care compliance procedures

If a compromise or breach of health care data should occur, HHS requires specific actions to be taken by the covered entity. HIPAA defines a data breach as follows:

"A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual." Following a breach of unsecured, protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media.

Penalties for compliance violations

HIPAA compliance violations can incur stiff penalties, as follows:

Civil penalties for HIPAA violations

Here's what you can do to make HIPAA work for you:

Educate your merchants

Be a resource for your merchants

Provide merchants with additional resources

Consider selling HIPAA compliant Electronic Medical Record Systems

Given the complexities of HIPAA and the significant and growing level of criminal and civil penalties, it is strongly recommended that HIPAA covered entities align with a company whose principals have the appropriate credentials, including the designation of Certified Information Privacy Professional.

Mark Brady, Consultant at CSRSI and Ross Federgreen, CIPP and founder of CSRSI, can be reached at or, respectively.
