April 16, 2014

Legal Issues in Keeping Patient’s Credit Card Information on File

Many physicians find credit cards to be the easiest way of accepting payment, and some will even keep their patients’ credit card information on file in case a patient fails to pay a bill. What many of these physicians do not realize, however, is that electronically storing a patient’s credit card information opens them up to a litany of legal issues. While not meant to be exhaustive, this article will briefly run through three issues physicians may face when they retain their patients’ credit card information.

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Credit card information is considered protected health information, or “PHI”, under HIPAA and its implementing regulations when it is stored by a healthcare provider. Specifically, the electronic storage of credit card information by a physician practice raises several legal issues under HIPAA, including issues under both the Privacy Rule and the Security Rule. While there are no bright-line requirements that physicians must follow to guarantee compliance with HIPAA in the storage of patient credit card information, the Security Rule emphasizes the “reasonableness” of the security measures in place while also setting forth minimum security standards that a healthcare provider must follow. Every practice should already employ HIPAA-compliant security measures to protect its electronic PHI, and should make sure that it uses at least equivalent measures to protect electronically stored credit card information so that it satisfies its HIPAA obligations with respect to such information.

Payment Card Industry Data Security Standards

In addition to HIPAA, storing patients’ credit card information will likely trigger the Payment Card Industry Data Security Standard (“PCI DSS”). PCI DSS consists of a minimum set of security standards necessary to protect cardholder data. These standards are not issued by a governmental entity but instead apply to businesses pursuant to their contracts with the individual card schemes (e.g., Visa, American Express, Mastercard).

The PCI DSS divides businesses into four tiers depending on the volume and type of transactions processed and imposes different standards on each tier. In addition to the tiered approach, the PCI DSS imposes minimum standards on all businesses that store and process card data electronically, including the installation of a firewall configuration to protect data and the prohibition on the use of vendor-supplied default passwords, just to name a few. Businesses that do not comply with these standards can be fined by one of the various card schemes or have their contracts canceled.

The Federal Trade Commission Act (“FTCA”)

Physicians who store their patients’ credit card information on file could also potentially be subject to Section 5 of the FTCA and analogous state laws. While the FTCA does not explicitly prohibit physicians from storing their patients’ credit card information, Section 5(a) of the FTCA would subject them to liability if the information becomes compromised in certain circumstances. Courts have interpreted Section 5(a) to require that companies “employ reasonable and appropriate security measures to protect personal information and files.” Similar to the HIPAA standard, the question of whether a set of security measures is “reasonable and appropriate” is not always clear.

In addition to the security measures requirement, Section 5 of the FTCA has been interpreted to prohibit an entity from charging an individual’s credit card without first receiving the individual’s authorization. Section 5 of the FTCA also requires businesses to disclose, or at the very least not obscure, material changes to their billing practices. Thus, physicians who previously accepted payment by credit card but who now wish to retain a patient’s credit card information for future billing should notify the patient of the change in billing practices and be sure to obtain the patient’s authorization before billing the patient’s credit card.

© Copyright 2014 Dickinson Wright PLLC

About the Author

Scott F. Roberts, Of Counsel, Dickinson Wright Law Firm
