As vaccination rates rise and the U.S. begins to emerge from the COVID-19 pandemic, medical practices are assessing what their “new normal” looks like in a post-pandemic business environment.
Regardless of the specific business challenges individual practices may face, patient engagement is certain to be a critical component of providers’ playbooks as they endeavor to strengthen their financial positions. Through better patient engagement, providers can build more trust and loyalty, improve patient retention, produce better health outcomes – and ultimately improve collection rates.
In 2021, strong patient engagement is likely to become even more essential to financial success, because unpredictable fluctuations in patient volumes represent the single-biggest risk to maintaining long-term revenue cycle continuity, according to a survey of healthcare providers from the Healthcare Financial Management Association.
As a result, it is more critical than ever that providers find new methods of engaging patients in the payment process, a topic Sphere explored in the eBook “5 Reasons Engaged Patients are Better-Paying Patients.”
Following are some highlights from the eBook, including 3 reasons why better engagement leads to more reliable payment:
- Patients who understand their bills better are more likely to pay them. Many patients don’t avoid paying bills because they can’t pay; they avoid paying because they don’t understand what they owe and why they owe it. That’s why it is important to engage all patients – regardless of treatment – by communicating to them before an appointment the how and why of what they’ll be charged, what insurance will cover, and what their out-of-pocket responsibility is.
- Communicating payment details earlier in the process leads to better engagement and improved collections. Timing is a key element. It is essential that providers capture payment before the patient leaves the office, or else the chances of that patient paying promptly drop substantially. When sending appointment reminders, do not simply ask whether the patient plans to show up on time. Include a link that verifies insurance and demographic information and indicates the anticipated payment details such as charges, copay and effect on patient’s deductible.
- Offering omnichannel payment options that cater to all patient preferences helps build patient loyalty. Communicating with patients on their terms using their preferred communication methods is key to engagement and reducing the lag between billing and payment. An omnichannel approach can include communications and payment acceptance via email, call center, Interactive Voice Response, paper, kiosks, point of service, guest pay, payment plans, and text message.
With the challenges associated with COVID-19 and a recovering economy, patient collections will likely remain an obstacle to providers’ financial success for the foreseeable future. However, by improving patient engagement with clear pre-visit communication, convenient and flexible payment options, and greater price transparency, providers gain a competitive advantage that can help boost collection rates.
To read Sphere’s eBook 5 Reasons Engaged Patients are Better-Paying Patients click below:
Manufacturers worldwide are facing a challenge that doesn’t appear to be going away anytime soon. They are having difficulty obtaining semiconductors, which is delaying production timelines and delivery of goods. There are many factors at play, from the COVID-19 pandemic’s disruption of supply chains and consumer shopping habits to extreme weather and everything in between. According to CNBC, demand for chips is continuing to outstrip supply, and car makers are no longer the only companies feeling the impact.
How does this affect the payments industry?
The chip shortage is having a trickle-down effect on payment equipment manufacturers. Sphere has been notified by our equipment vendors that they are experiencing increased product lead times because of component shortages and the strain COVID-19 has placed on the supply chain. Where 6-8 week lead times were once targeted, in some cases these are shifting to 24+ weeks: a device ordered in May might not be available until closer to November.
What you can do
Stay informed and be prepared! When placing device orders, know that lead times may significantly increase throughout the industry. To reduce impact to your business, plan ahead. Start thinking about your device needs and develop an equipment forecast through 2021. Whether a multi-lane terminal, encrypting keypad, simple swipe, or even an Apple iPad—most manufacturers are experiencing delays. If your device plans cannot be forecasted through the end of the year, make sure to plan for as much lead time as possible on new orders. Ordering now may minimize disruption to your business.
We’re here to help! Please reach out with any questions.
Sphere’s full service ISV partner program provides a single source of end-to-end, scalable and rapidly deployable payment solutions that integrate seamlessly with your software. Simply put, with just one integration, you can unlock many ways for your customers to pay.
Take advantage of all Sphere has to offer! We’ve written a definitive guide to show you the benefits of partnering with Sphere, including:
- Ways to increase revenue capabilities
- How a consultative approach can deliver the best integration plan
- Frictionless onboarding so you can set up merchant accounts quickly
- Best-in-breed security and technology, reducing your PCI footprint
Sphere is also more than a payments partner. We are also a powerful marketing partner.
Our teams will work together on joint go-to-market planning. We’ll brainstorm the best channels to reach your audience and messaging that will drive engagement. From there, our marketing teams will work together to help you grow.
Everything you need to succeed
Get started today! Read the partner guide and reach out with any questions. We’d love to let you know more about how we can help you grow your business, enable your clients to accept all types of payments, and take the burden of compliance complexities off your plate.
With the acquisition of Health iPASS in December of 2020, Sphere is placing a greater focus on leveraging their payment capabilities for the benefit of healthcare providers. Health iPASS is committed to creating better patient check-ins for better provider revenue, strengthened by the end-to-end patient payment support offered by Sphere. Health iPASS gets practices paid by going after those patient dollars that sometimes slip through the cracks, such as prior and residual balances and inconsistently collected copays. The best part? Health iPASS is able to do this in a way that improves the patient experience.
Taking the hassle out of health visits
The typical patient check-in and payment experience requires patients to arrive for their appointments 15 minutes early, wait in line, perhaps pay a copay, then take a clipboard back to the waiting area where they are asked to fill out any required paperwork. The patient can then expect to receive the bill for any services rendered weeks, even months later. According to HFMA, 60% of all patients never pay their bill after leaving the provider’s office through the traditional payment channels, stressing the need for better payment options pre-arrival and at the point of service. With the huge increase in patient responsibility, up 30% since 2015, providers must invest in the right tools to maximize clarity and boost patient payments.
How it works
Health iPASS delivers clear cost communication and enables patients to view and verify their insurance benefits, make payments, complete paperwork digitally, and even leave payment information on file for automatic payment of residual balances—all through their 100% mobile express check-in. They also offer self- or assisted check-in at the provider office for less tech-savvy patients. Here are just a few ways the Health iPASS platform can support pre-arrival, point of service and post-visit workflows:
- Customized Express check-in for patients (any device, any time) including registration, insurance, payments, clinical forms and consents/policies
- Real-time integration with Practice Management (PM) systems for schedule & demographics
- Automated verification of insurance benefits
- Pre check-in including pre-collection of prior balance, co-pays, etc.
- Self-service or assisted check-in using iPad-based kiosks
- In-clinic, mobile check-in & messaging sent to patient’s phone real-time
- Streamline the check-in process to complete registration, insurance, payments and forms
- Checkout process to provide transparency into cost of care and collect against patient estimates
- Real-time posting of demographic changes, payments and images to EMR/PM*
- Convenient text-to-pay and email-to-pay options with fully automated electronic billing (eStatements & eBills)
- Electronic statements are automatically generated as soon as claim is adjudicated
- Convenient auto-pay process using card-on-file obtained at check-in
- Client-branded online payment portal for patients
- Flexible, recurring payment plan options for large balances
Integrated with Sphere end-to-end
With Health iPASS, Sphere users can now enjoy the patient engagement, check-in and payment features of the platform. Health iPASS provides a one-step shop that does not require medical providers to interact with third-party payment processors. This integration also enables Health iPASS to provide seamless customer service for clients with one support number to call for any payment-related concerns. The combined efforts of Sphere and Health iPASS will lead to increased collection capabilities for providers and ultimately better health outcomes for patients.
2020 marks the fifteenth year that the Ponemon Institute has produced its Cost of a Data Breach report. Among the findings of the report, produced jointly with IBM Security, is one that gives pause to many in the healthcare industry: while the average total cost of a data breach was $3.86 million across all sectors, in the healthcare sector it was nearly double that at $7.13 million, an increase of 10% over the 2019 study.
What does this mean for those in the healthcare sector? Strengthening information security practices to avoid and mitigate breaches is paramount, and a key component of this effort is finding ways to diminish the cost of a breach. In these times where many companies are closely watching the bottom line, there is good news: among the top cost-mitigating factors are three that rest with your people and processes.
1. Incident Response Plan and Testing
Incident response team formation and incident response testing comprise 2 of the top 3 cost mitigating factors affecting the average cost of a data breach, according to the Ponemon report. Having a team in place before an incident occurs means that you will be able to respond and contain a breach more quickly. A trained team will be able to react quickly and make good decisions during a breach. You will know what steps to take, who to contact for assistance, and how to mitigate the damage a security incident can create.
2. Business Continuity Planning
Implementation of a sound business continuity program rounds out the top 3 cost mitigating factors. Your business continuity program is essential during a data breach. You will want to answer questions like: How will your organization continue to provide services to your customers? Do you have data backups that can restore corrupt data, or data that is frozen by ransomware? Are you able to ensure your systems remain secure when operating under an emergency plan? And how do you go back to normal operations when a breach is finally over? Planning for these questions in advance puts you in a strong position to recover effectively.
3. Employee Training
Employee training continues to be a top cost mitigating factor. One of the most effective ways to prevent a breach is to ensure employees know their responsibility for information security, and how they can contribute on an individual basis. They will learn how to keep your organization secure by not falling for e-mail scams like phishing and spear phishing, how to create strong passwords, and how to be cyber-aware while working from home. A well-trained workforce with information security on the brain can not only help you avoid falling victim to a breach, but they can also be the first line of detection and help you discover an attack more quickly.
When it comes to securing your company’s systems and your customers’ personal information, every effort counts. Leveraging your workforce’s skills and knowledge in these three areas to build breach resilience is a solid step in the right direction.
The United States is now almost one year into its COVID-19 pandemic response, which shifted a large percentage of the workforce to remote work. While every organization works to maintain appropriate security and privacy safeguards in this new environment, the stakes are higher for companies that are obligated by the HIPAA Privacy and Security Rules. While the importance of awareness training for a remote workforce cannot be overstated, there are several steps companies can implement to support continued compliance, even outside the office.
- Secure Wireless – All employees should ensure that the wireless networks they connect to are secured. This seems straightforward, and people are generally aware that a password should be required to join the network, but a secure wireless network takes a little more than that. Protection of the networking equipment itself is often overlooked because attention is focused on the workstation. Users should change the default administrative credentials on their router or access point, use WPA2 or WPA3 with a strong passphrase rather than the older WEP or WPA, and keep the device firmware updated and patched. Hiding the SSID (network name) is sometimes suggested as well; it makes the network slightly less visible to casual scanning, but it is not an access control, because the name is still transmitted whenever a device connects, so it should never substitute for strong encryption and a strong passphrase. Securing network equipment and devices is critical to working securely in a remote environment.
- VPN Connections – When accessing corporate resources, employees should do so through the corporate VPN. A VPN establishes an encrypted tunnel between the workstation and the corporate network, protecting data in transit from eavesdropping on the home or public network. Because traffic exits through the VPN concentrator, the destination sees the VPN’s address rather than the home IP address of the workstation. It is also important to remind employees to disconnect from the VPN when they are done with work.
- Two Factor Authentication – An additional layer of security can be added by requiring two-factor authentication for logging in to corporate assets that hold sensitive or regulated data, such as PHI. This requires users to provide not just a username and password but also a second factor. Most often this is a short-lived one-time code generated by an authenticator app or hardware token, such as Google Authenticator or RSA SecurID, from a secret shared with the server at enrollment. This means that even if someone compromises a username and password, they cannot log in to those sensitive assets with the password alone.
- Printing Restrictions – When talking about securing the work environment at home, printing is often overlooked. Printing hard copies of reports or files that contain PHI represents a potential exposure. If employees must print documents with sensitive information, those documents should be stored in a locked drawer or filing cabinet. When a document is no longer needed it should be shredded.
- Policies and Procedures – While well-documented policies and procedures are a must for the protection of PHI, they are only successful if employees understand them and know how to apply them to their job roles. Not only is it helpful to have the policies regarding the treatment of PHI readily available, but companies may also consider conducting ongoing training about the role their employees play in ensuring the security and confidentiality of PHI. Ongoing communications through email, SharePoint or company messaging systems can act as helpful reminders and assist in creating a culture of security and privacy awareness.
While everyone is managing the seemingly continuous change necessary to maintain healthy communities amidst the pandemic, one thing that remains constant is the need to ensure the protection of sensitive patient data. For that reason, we must ensure that the policies, processes, and practices we enforce to secure patient data apply equally in the office and at home.
This is a guest post from Vincent Martino, Chief Product Officer & Co-Founder of VisitPay.
In this Q&A, Vincent Martino shares how VisitPay helps simplify and consolidate the patient experience. He also discusses the value of choosing a technology compatible with Sphere to ensure your organization continues to manage a single, integrated experience.
Why are health systems choosing a platform like VisitPay?
Vincent Martino: Health systems are choosing VisitPay primarily for the increase in patient satisfaction we drive combined with the resultant increase in cash payments. The platform provides patients a consolidated billing process that creates an unparalleled amount of transparency, which in turn creates more loyal and better-paying patients. Our clients’ Net Promoter Score (NPS) for their billing experience is in the 40s, which is three times higher than the average across healthcare. Bills are also higher than they have ever been, and providers have a need to deploy more advanced strategies and capabilities to manage this growing and difficult-to-collect asset. The VisitPay team offers a tremendous amount of consumer finance experience to help guide and advise client-specific strategies, which can be enabled and delivered through the platform.
What teams in the health system are typically driving that work?
Martino: We team up with teams across the entire health system. Of course, the CFO and rev cycle organization are key partners – VisitPay offers a lot of flexibility in terms of how it’s deployed, and many of the financial offer decisions will be driven by these teams. Oftentimes the consumer experience team will also influence or drive some of the configurations. The patient billing experience is complex and also is viewed as an increasingly important part of the overall healthcare experience. Therefore we also partner with the information and technology groups, patient access, the treasury department, and the marketing departments.
What are the implications of this from a payment processing experience?
Martino: It’s important to create cohesive, system-centric experiences for your patients and operational efficiency for your staff. Finding a patient financial experience company that can effectively partner and collaborate with the different teams within your healthcare system is very important – and it’s vital that your partner can drive alignment when you need them to do so.
Why is it good to have a single payment environment?
Martino: Having one integrated payment solution from end to end is a good thing for a health system and for your patients. It provides the most efficiency for your staff in terms of posting, reconciliation, and reporting. And it provides the best experience for patients by providing a single place to save payment method information.
Any industry trends in payments? Any that could influence change?
Martino: Prior to COVID, we were already seeing a trend around contactless payment and “login-less” payment, and the two essentially go together and can be one and the same. And COVID has only accelerated the need for contactless payments. Every consumer today essentially has a “payment device” in the mobile phone they carry with them everywhere they go. VisitPay has deployed multiple novel ways to pay from that device, which are all contactless in nature. One specific payment option we offer is “Text To Pay,” which serves as both a contactless and “password-less” way to pay. VisitPay developed and now offers Text to Pay in partnership with Sphere. This provides the patient with an automated text when a balance is due and provides them a way to pay their bill securely, without needing to log into an application to do so. In general, we are seeing more consumers willing to pay from their mobile device using a variety of payment options – some of our clients have over 60% of their consumers paying via mobile devices.
How do these changing trends impact the people running infrastructure?
Martino: I think the organization should continually be looking to deploy new technologies that provide easier and better ways to pay bills. That said, ideally, newly added technologies shouldn’t create an added process or management burden for the organization that manages the infrastructure. There are vendors in the market that seamlessly combine technologies onto one platform to ensure efficiency for your team. When assessing the market, be sure to ask if all payment technologies are centralized on a common processing, reporting, and reconciliation platform.
To learn more about VisitPay and Sphere solutions, such as Text to Pay, request a demo.
Sphere recently sat down with its own Andrew Immerman, Senior Vice President of Technology to answer questions asked regularly by software vendors when choosing a payments platform with which to integrate. Mr. Immerman leverages over 20 years of experience in the development, deployment, coordination and operation of quality-driven, mission-critical technologies.
Sphere: Why use a gateway when you can connect directly to an acquirer/processor?
Immerman: Premium gateways are optimized to dramatically reduce the costs and risks of electronic payment acceptance. In general, processors are optimized to extend as much functionality as possible to the widest possible user base. To facilitate these objectives, premium gateways offer user-friendly human interfaces and easy to integrate application programming interfaces (APIs). Processors, on the other hand, extend complex, yet highly functional, user interfaces and APIs. As a result, processor interfaces are generally far more costly and time consuming to implement.
Premium gateways offer a wide variety of value adds and flexibility processors generally cannot. For example, gateways can offer fraud prevention and analysis solutions generally beyond those of the processors themselves. Additionally, gateways can offer management and automation for scheduled payments, such as those of a recurring, installment, or deferred nature. Aside from such functional value adds, gateways almost always natively support seamless transitions from one processor and acquirer to another.
In general, only merchants processing an extreme and sustained volume of transactions, such as 100+ transactions per second (TPS), are advised to directly integrate with a processor. Such merchants essentially build and use their own gateways, though often without the benefit of proven and ever-maturing technologies.
Sphere: Should gateway uptime/availability be a concern when selecting a gateway, or has cloud computing made this a non-issue?
Immerman: Dependability, performance, security, and many other quality attributes should be considered whenever evaluating any technology for use. As part of any dependability evaluation, availability, reliability, resiliency, and controllability should all be considered. Availability describes a system’s functional readiness; reliability describes a system’s functional correctness and consistency; resiliency describes a system’s ability to endure exceptions; and, controllability describes the efficacy and efficiency of system controls for management, maintenance, and administration. These quality attributes are implemented using careful and proven design, development, and deployment lifecycles.
“Cloud”-based technologies generally enjoy greater dependability and performance through service-driven relationships that abstract single points of failure. The configuration of cloud-based technologies and, more so, the services, applications, and other software that run thereon, dictate the potential and realized dependability and performance of such technologies. Put another way, cloud-based technologies reduce some risks; however, poor designs, such as those having single points of failure, are often just as failure-prone as are non-cloud-based technologies. As an analogous example, consider that multi-engine aircraft are often considered safer than singles. In actuality, multi-engine aircraft are generally more challenging to operate and are still susceptible to fuel depletion and contamination, both essentially being single points of failure.
When considering the introduction of any new technology, such as those of a payment gateway, it is generally advisable to obtain historical dependability, performance, and security data, as well as to understand and assess its continuity, resiliency, and resumption considerations.
Sphere: Does using a gateway add time to a transaction, especially if it’s EMV? Can bandwidth/capacity affect transaction times, especially during peak periods?
Immerman: Whereas all payment processing steps do increase round-trip transaction times, premium gateways do so with increases of no more than 10 to 50 milliseconds, including EMV overhead. In many cases, a premium gateway may be able to offer reductions in transaction times through highly tuned, high-throughput integrations with upstream entities. As an example, Sphere round-trip transaction times include overheads generally well under 50 milliseconds and, in total, average less than one second, including all round-trip times with the processor, associations, and issuers.
Sphere: Every gateway is PCI validated, what makes Sphere more secure?
Immerman: Payment gateways, like all entities that handle sensitive cardholder information, are expected to maintain ongoing compliance with the PCI Data Security Standard (DSS). That said, not all do. In some cases, organizations predominantly focus on annual PCI DSS revalidation efforts, as opposed to ongoing compliance. Often, the terms “secure,” “compliant,” “validated,” and “certified” are used interchangeably when, in fact, each is distinctly different from one another. For example, being secure and/or being compliant are ongoing states, while being validated and/or being certified are based on assessments of security and compliance at specific points in time. Moreover, most security and/or compliance assessments are sample based, as opposed to being comprehensive. Additionally, no single security standard is truly comprehensive or all encompassing. All this is to say that being PCI “validated” may only be a superficial indication of an organization’s security and/or compliance maturity.
In numerous ways, Sphere distinguishes itself in the community of payment gateways and other service providers. As just a few examples of Sphere’s commitment to exceptional security and compliance:
- Sphere maintains several independent compliance and security organizations that operate in tandem with one another, as well as with mutual accountability;
- Sphere prioritizes and invests in security and compliance as separate activities to ensure that both are achieved;
- Sphere leverages several security frameworks to ensure better coverage (e.g., Sphere maintains compliance with the PCI DSS, as well as the PCI Point-to-Point-Encryption (P2PE) Standard and the HITRUST Common Security Framework (CSF));
- Sphere establishes compliance and security requirements that, in many cases, exceed those of the PCI DSS, PCI P2PE, and/or HITRUST CSF;
- Sphere invests separately in the architecture, the implementation, the administration, and the assessment of security and other sensitive solutions;
- Sphere implements security considerations through the lifecycle of all plans, processes, products, and technologies;
- Sphere offers and encourages ongoing training for all employees; and,
- Sphere maintains a culture where security, privacy, compliance, and risk mitigation in general are championed.
Sphere: What can go wrong with payments and what risk does that introduce to me and my customers?
Immerman: Payment processing involves numerous entities and many complex workflows. Any degradation with any interconnectivity, any degradation with any processing entity, and/or any workflow exception can lead to connectivity failures, processing failures, duplicated or otherwise erroneous financial authorizations, incorrect settlement or funding, etc., not to mention numerous risks relating to security, privacy, and compliance.
Premium payment gateways implement numerous checks, balances, and other controls to minimize the vulnerabilities and risks of processing exceptions. Such controls may include redundant connectivities, client- and server-side availability switching (fail-over and load-balancing), verification cross-checks, integrated and continuous system health and integrity monitoring, and autonomous exception containment, mitigation, recovery, and reporting.
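As an added illustration of one such cross-check (this is not Sphere’s code and does not describe its gateway), the following models the classic duplicate-authorization failure the answer above mentions: the request reaches the gateway and the card is authorized, but the response is lost on the way back, so a naive client retries and the card is charged twice. Keying each authorization with a client-generated idempotency key lets the gateway replay the stored result instead of authorizing again, and lets it reject a key that is reused for a different amount or card. The `Gateway` class, its in-memory key store and the dropped-response simulation are all assumptions made for this example.

```python
import uuid
from typing import Dict, List, Optional


class GatewayTimeout(Exception):
    """The client never saw a response; it cannot know whether the auth happened."""


class Gateway:
    """Toy authorization endpoint (assumed for this example). Setting
    `lose_next_response` simulates an approval whose reply is dropped."""

    def __init__(self) -> None:
        self.authorizations: List[str] = []   # every auth actually sent upstream
        self._by_key: Dict[str, dict] = {}     # idempotency key -> request + result
        self.lose_next_response = False

    def authorize(self, amount_cents: int, card_token: str,
                  idempotency_key: Optional[str] = None) -> dict:
        if idempotency_key is not None and idempotency_key in self._by_key:
            stored = self._by_key[idempotency_key]
            # Same key with a different amount or card is a client bug, not a retry.
            if (stored["amount_cents"], stored["card_token"]) != (amount_cents, card_token):
                raise ValueError("idempotency key reused for a different request")
            return stored["result"]            # replay: no second authorization

        auth_id = f"auth_{len(self.authorizations) + 1:04d}"
        self.authorizations.append(auth_id)    # the card is actually authorized here
        result = {"auth_id": auth_id, "approved": True, "amount_cents": amount_cents}
        if idempotency_key is not None:
            self._by_key[idempotency_key] = {
                "amount_cents": amount_cents, "card_token": card_token, "result": result,
            }
        if self.lose_next_response:
            self.lose_next_response = False
            raise GatewayTimeout()             # authorized upstream, reply never arrives
        return result


def authorize_naive(gw: Gateway, amount_cents: int, card_token: str, attempts: int = 3) -> dict:
    """Retry without a key: every retry after a timeout is a fresh authorization."""
    for _ in range(attempts):
        try:
            return gw.authorize(amount_cents, card_token)
        except GatewayTimeout:
            continue
    raise RuntimeError("no response after retries")


def authorize_idempotent(gw: Gateway, amount_cents: int, card_token: str, attempts: int = 3) -> dict:
    """Generate the key once per logical payment and reuse it on every retry."""
    key = str(uuid.uuid4())
    for _ in range(attempts):
        try:
            return gw.authorize(amount_cents, card_token, idempotency_key=key)
        except GatewayTimeout:
            continue
    raise RuntimeError("no response after retries")


def count_authorizations(strategy) -> int:
    """Run one payment through `strategy` against a gateway that drops the first
    reply, and return how many times the card was actually authorized."""
    gw = Gateway()
    gw.lose_next_response = True
    strategy(gw, 1250, "tok_visa_constructed")   # constructed card token
    return len(gw.authorizations)


if __name__ == "__main__":
    print("naive retry:", count_authorizations(authorize_naive), "authorization(s)")
    print("idempotent retry:", count_authorizations(authorize_idempotent), "authorization(s)")
```

In a real deployment the key store has to outlive the process and be shared across gateway nodes, and entries should expire only after any plausible retry window has closed.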
Sphere: Is integrating to Sphere more complicated than using other gateways?
Immerman: Sphere technologies were designed to be inherently easy to integrate. As an example, the TC Link API, a highly dependable and highly flexible application programming interface (API), can easily be integrated with less than a dozen lines of programming code. Additionally, Sphere products are designed and assured to be compatible with all major operating systems and operating environments. For more information, please refer to the TC Link API Developer Guide, which details and demonstrates its integrational simplicity, as well as its vast functionality.
The Sphere Technology team and I are very proud of the products and services we offer. We look forward to addressing any questions or comments our partners may have, and to assist with all integration efforts.
To learn more about the developer resources that Andrew mentioned, visit our integration page or contact us below:
While healthcare providers are properly focused on patient care, it is important not to overlook the overall patient experience. There are many opportunities to make improvements. One practical way to do this is to allow multiple, digital points of payment. Why is this important? Out-of-pocket costs for patients have increased by 230% over the previous 10 years. Coupled with the challenges presented by COVID-19, health systems need to meet patients where they are and accept non-touch payments anytime, anywhere to improve collections.
Adding new ways to pay may seem like a daunting task. With complex systems that must adhere to stringent compliance and security requirements, the time and resources this change will take may seem like a barrier.
But, with the implementation of a centralized, secure payment solution that can integrate with EHR, kiosks, IVR, and other systems, it becomes much less burdensome. In addition to improving the payment experience for patients, resulting in improved collections, it can also provide organizations with valuable insights and centralized reporting and reconciliation.
Realize Revenue Earlier
An important, bottom-line benefit to providing more points of payment is that it can positively affect an organization’s cash flow by realizing revenue earlier in the billing process. There are smart, simple and secure solutions that can help drive business forward.
69% of consumers don’t believe that healthcare is keeping pace with payments innovation.
You can improve this perception by adding payment methods, which can help increase on time payments and provide patients with the flexibility and security they require. Patients are used to paying for goods and services online, on mobile devices, in app and more. They expect the same capabilities when paying for healthcare services.
To learn more about how healthcare organizations can take payments securely, via many channels, please check out our new E-book, “Secure Payments at Every Touchpoint”.
By Dr. Heather Mark, CCEP
Privacy data leaks can cause long-term damage to an organization. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately. Here are 5 questions to get you started.
The subject of data privacy and consumer rights has been a hot topic over the last several years. Beginning with the implementation of the General Data Protection Regulation (GDPR) in the EU, continuing with the passage of privacy laws in California, Massachusetts, and Nevada, and continuing with the proposal of almost a dozen more state-level consumer privacy laws, businesses have to sit up and take notice. While these laws certainly aim to protect consumers from businesses that might intentionally misuse data, they also mean that organizations must be cognizant of the ways that such sensitive data might “leak” into, or out of, their business ecosystems and the potential damage that can be done by such “contamination.”
I use the term toxic data here to describe data that is protected by regulation (Personally Identifiable Information or PII, Financial Information, Protected Health Information, etc.). This data carries with it responsibilities and has to be handled appropriately to avoid serious negative consequences. Not to overdo the analogy, but for small businesses particularly, leaks of such data can prove fatal. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately.
Here are five straightforward questions that organizations can ask to start getting a feel for their own practices.
- What data do we collect?
Surprisingly, the answer to this question for many companies is, “I’m not sure.” If an organization has been in operation for some time (5 years or more), it may be the case that data collection began simply, with a contact or payment form or cookies and web beacons. Some organizations may have relied on third parties to help with forms and websites and may not have a complete list of the data that is collected. In other cases, data collection protocols that were purposely set up may not have evolved with the organization’s needs over time. Doing a data inventory (finding out what data you collect and where that data is stored) is a critical component in protecting that toxic data. You can’t protect it if you don’t know that you have it.
- Why do we collect that data?
Once you’ve determined what data is being collected by the organization, the next step is to answer the “why?” This is where the rubber meets the road. If there is no specific business purpose to collecting the data (i.e., it is considered a “nice to have” or no one can really identify its purpose), then the organization should really examine whether it should change its practice. The more toxic data a company stores, the higher the liability exposure if the data is compromised or, in the case of GDPR, CCPA and similar laws, if the data is used inappropriately. The general guideline for data: if the data is not needed, it should not be collected.
- How does data flow through and out of our organization?
This one might seem obvious, but data has a habit of migrating through organizations if it is not carefully constrained. Understanding how different departments interact with the data helps to develop appropriate controls in the departments that handle the toxic data. For example, if the “contact” form for your support group also provides information to your product group or your account management group, understanding where that data goes allows the organization to focus its resources on protecting those data flows and data stores. Additionally, it might bring to light data uses that were not widely known in the organization, allowing for a discussion of risk and appropriate data uses. Understanding the data flow allows the organization to maximize the positive aspects of data use without “infecting” departments that have no need to access or use it.
As important as how the data flows through the organization is how the data flows out of it. What third parties are being used to support the business operation, and how do those organizations access and use data? Do they need the data to fulfill their obligations? Sitting down and going through these relationships can be extremely helpful in identifying critical vendors and helping to manage third-party risk.
- How do we dispose of data when it is no longer needed, or a deletion request is received?
The issue of data disposal, “deletion” or “erasure” is certainly complex and worth speaking with counsel about when drafting and implementing policies and practices. For the purposes of this discussion, the question is how an organization can ensure that such toxic data is appropriately removed from the network or systems. CCPA allows for anonymization or de-identification of data. This means that identifying information is removed so that the data element cannot be tied to an individual. Organizations must also balance their regulatory obligations to maintain records against the consumer request. While the regulatory obligation will supersede the deletion request, it is possible for organizations to meet the spirit of a deletion request while maintaining their legal obligation for record keeping. Doing so requires careful planning and execution and a clear understanding of privacy requirements.
- How do we disclose our data privacy practices?
The central tenet of all privacy laws, and the fair information principles on which they are based, is providing the consumer with the ability to make a clear, informed decision about how their personal information is collected and used. To further that objective, organizations must disclose clearly and explicitly the ways in which data is collected and used. Further, consumers must have easily identifiable mechanisms to make privacy-related requests of the organization. And the notice must be provided PRIOR to the collection of data. If data is shared with third parties, that, too, must be disclosed. This gives the consumer the ability to really understand why certain data elements are being collected and how they are being used before they consent to share them.
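The first question (what data do we hold, and where) and the fourth (how do we remove it when a deletion request arrives) are two ends of the same control: a field inventory that classifies each stored field is what lets an organization honor a deletion request without losing the records it must keep. The following is an added example, not code from the original post or from Sphere. The field names, the classification of each field, and the two sample records are constructed for this illustration; which fields count as identifiers and what must be retained are exactly the questions for counsel that the post raises, so the `INVENTORY` table below is an assumption, not guidance.

```python
"""Inventory-driven handling of a deletion request.

Added example, not code from the original post. A small field inventory
records what each stored field is, and a deletion request is honored by
removing the fields that identify a person while keeping the fields the
business must retain. Field names, classifications and sample records are
constructed for this illustration.
"""
from typing import Dict, List, Tuple

# Constructed inventory: stored field -> how it is classified.
#   "retain"     : needed for record keeping, kept unchanged
#   "identifier" : ties the record to a person, removed on request
#   "free_text"  : anything a person typed, removed on request because
#                  identifiers tend to end up in such fields
INVENTORY: Dict[str, str] = {
    "record_id": "retain",
    "posted_at": "retain",
    "amount_cents": "retain",
    "currency": "retain",
    "customer_name": "identifier",
    "customer_email": "identifier",
    "customer_phone": "identifier",
    "billing_address": "identifier",
    "memo": "free_text",
}

REMOVED = None  # written in place of removed fields so the record's schema stays intact


def deidentify(record: Dict[str, object]) -> Dict[str, object]:
    """Return a copy of the record with identifier and free-text fields removed.

    A field that is not in the inventory raises KeyError on purpose: data you
    never inventoried is data you cannot show you handled.
    """
    cleaned: Dict[str, object] = {}
    for field, value in record.items():
        if INVENTORY[field] == "retain":
            cleaned[field] = value
        else:
            cleaned[field] = REMOVED
    return cleaned


def residual_identifiers(original: Dict[str, object],
                         cleaned: Dict[str, object]) -> List[Tuple[str, str]]:
    """Identifier values from the original that still appear inside a retained value.

    Catches the case where a retained field (a legacy reference number, say)
    embeds an email address or a name, which a field-level rule alone misses.
    """
    identifiers = [str(v).lower() for f, v in original.items()
                   if INVENTORY.get(f) == "identifier" and v not in (None, "")]
    leaks: List[Tuple[str, str]] = []
    for field, value in cleaned.items():
        if value is REMOVED:
            continue
        haystack = str(value).lower()
        for ident in identifiers:
            if ident in haystack:
                leaks.append((field, ident))
    return leaks


def process_deletion_request(record: Dict[str, object]):
    """De-identify a record and report anything that still points at the person."""
    cleaned = deidentify(record)
    return cleaned, residual_identifiers(record, cleaned)


# Constructed sample records (fictional person, documentation-style values).
SAMPLE: Dict[str, object] = {
    "record_id": "TXN-0001",
    "posted_at": "2021-03-04T10:15:00Z",
    "amount_cents": 12500,
    "currency": "USD",
    "customer_name": "Jane Example",
    "customer_email": "jane@example.com",
    "customer_phone": "+1-555-0100",
    "billing_address": "1 Example St, Springfield",
    "memo": "Paid by jane@example.com for visit on 3/2",
}
# A legacy record whose retained reference number embeds the email address.
LEGACY: Dict[str, object] = dict(SAMPLE, record_id="jane@example.com-0002")

if __name__ == "__main__":
    for label, rec in (("sample", SAMPLE), ("legacy", LEGACY)):
        cleaned, leaks = process_deletion_request(rec)
        print(label, cleaned, "residual identifiers:", leaks)
```

The two checks work together: `deidentify` removes what the inventory says to remove, and `residual_identifiers` verifies the result against the original values, so a record the inventory misclassified (the `LEGACY` case) is flagged for review rather than silently marked as erased.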
Designing, implementing, and maintaining a privacy program is an “all hands on deck” operation. Every department must be bought in to get a comprehensive picture of the organization’s privacy prognosis and create a “treatment plan” for the toxic data. This also assists in obtaining organization-wide buy-in on the program.
Personal information is the currency of this age. Consumers will trade privacy for convenience. The Center for Data Innovation found that 58% of Americans are willing to trade their personal data for a greater level of personal convenience. That gives organizations a great deal of power, but also a great deal of responsibility. In order to ensure that companies are mindful of that obligation, states are taking the lead in establishing consumer rights with respect to how data is collected and used. Understanding your organization’s relationship with potentially toxic data can help keep everyone, business and consumer, safer.
Health systems have been hard hit by the economic impact of COVID-19. Unfortunately, bad debt will rise for providers as patients prioritize their bills, oftentimes putting medical bills last.
Ryne Natzke, Vice President of Strategic Accounts and Healthcare at Sphere joined Vince Martino, Chief Product Officer & Co-Founder at VisitPay to discuss 3 ways to reduce cost and recover patient revenue during a recession.
Want to learn more about Sphere and VisitPay? Read Sphere’s interview with Vince Martino, Chief Product Officer of VisitPay.
By Dr. Heather Mark, CCEP
In the wake of the COVID-19 pandemic, fraudulent activity and scams have been on the rise. As a result, scammers are looking for ways to test their stolen card information. One way they do that is to find portals or e-commerce sites that have payment forms and use those forms to “test” cards. This is done by running hundreds or thousands of small transactions to see if they will be authorized. If these small transactions are authorized, the criminals assume the card is “good.” Meanwhile, the merchant may not know that this has happened until an expensive invoice is received for those “auths.”
In order to combat these types of scams, here are three ways merchants with an internet presence can mitigate their risk proactively:
- Implement CAPTCHA – CAPTCHA is an easy test that users take on web-based forms to prove that they are not a “bot.” These may include simple math questions or identifying pictures from an array. This simple step allows merchants to filter out bad actors and helps to ensure that their payment site is not being misused.
- Use TC CrediGuard – TC CrediGuard is a product offered by Sphere that allows merchants to set parameters for certain transaction patterns. Merchants can set TC CrediGuard to deny transactions based on a set of predetermined criteria. For example, a merchant may set parameters to deny transactions after five attempts from the same IP address within 7 minutes. Or, if the IP address of a bad actor is known, a merchant may block that specific IP address.
- Add a Log-in Screen – Payment forms that sit in front of a log-in page may be more convenient for your customers, patients, or donors, but they can also make it easier for criminals to use that payment screen as a tool for testing card numbers. By adding a log-in screen, you create a barrier that may protect your business from becoming a target for these types of schemes.
By implementing these recommendations, merchants can take significant steps towards mitigating the likelihood of a Primary Account Number (PAN) or Card Testing event.
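The velocity rule in the second recommendation is concrete enough to show as working detection logic. The following is an added example and is not Sphere’s TC CrediGuard code: it implements the two rules the post describes, denying a submission once the same IP address has made more than five attempts within seven minutes and denying any submission from a known bad IP address, and replays a constructed burst of small-value submissions through it. The IP addresses (RFC 5737 documentation ranges), the timestamps, the amounts and the field names are all constructed for this illustration.

```python
"""Velocity and blocklist guard against card-testing traffic.

Added example, not Sphere's TC CrediGuard code. It applies the two rules
the post describes: deny after five attempts from one IP address within
seven minutes, and deny any attempt from a known bad IP address. Sample
attempts, IP addresses and field names are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, List


@dataclass(frozen=True)
class Attempt:
    """One payment-form submission, as seen before any authorization is sent."""
    ts: datetime
    ip: str
    amount_cents: int


class CardTestingGuard:
    def __init__(self, max_attempts: int = 5,
                 window: timedelta = timedelta(minutes=7),
                 blocked_ips: FrozenSet[str] = frozenset()) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self.blocked_ips = blocked_ips
        # Per-IP timestamps of recent attempts, oldest first.
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def decide(self, attempt: Attempt) -> str:
        """Return 'allow', 'deny:blocklist' or 'deny:velocity'.

        Meant to run before the authorization request leaves the merchant, so a
        denied attempt never reaches the processor and never incurs an auth fee.
        """
        if attempt.ip in self.blocked_ips:
            return "deny:blocklist"
        recent = self._recent[attempt.ip]
        # Drop attempts that have aged out of the sliding window.
        while recent and attempt.ts - recent[0] > self.window:
            recent.popleft()
        # Denied attempts are recorded too, so an address that keeps hammering
        # the form stays denied instead of being let through periodically.
        recent.append(attempt.ts)
        if len(recent) > self.max_attempts:
            return "deny:velocity"
        return "allow"


def summarize(decisions: List[str]) -> Dict[str, int]:
    """Count decisions by outcome, for a reconciliation or alerting view."""
    return dict(Counter(decisions))


def run_sample() -> List[str]:
    """Replay a constructed burst of $1.00 submissions from one address, one
    ordinary payment, one attempt from a blocklisted address, and a later
    attempt from the bursting address after the window has passed."""
    t0 = datetime(2021, 6, 1, 12, 0, 0)
    tester, customer, known_bad = "203.0.113.7", "198.51.100.4", "192.0.2.9"
    attempts = [
        Attempt(t0 + timedelta(seconds=0), tester, 100),
        Attempt(t0 + timedelta(seconds=20), tester, 100),
        Attempt(t0 + timedelta(seconds=40), tester, 100),
        Attempt(t0 + timedelta(seconds=60), customer, 12500),
        Attempt(t0 + timedelta(seconds=60), tester, 100),
        Attempt(t0 + timedelta(seconds=80), tester, 100),    # fifth from tester
        Attempt(t0 + timedelta(seconds=100), tester, 100),   # sixth: denied
        Attempt(t0 + timedelta(seconds=120), tester, 100),
        Attempt(t0 + timedelta(seconds=130), known_bad, 100),
        Attempt(t0 + timedelta(minutes=10), tester, 100),    # window has cleared
    ]
    guard = CardTestingGuard(blocked_ips=frozenset({known_bad}))
    return [guard.decide(a) for a in attempts]


if __name__ == "__main__":
    print(summarize(run_sample()))
```

The guard keeps only timestamps per address, so its memory stays proportional to the number of distinct addresses seen within the window. A CAPTCHA or log-in screen, the post’s other two recommendations, sits in front of this check and reduces how much automated traffic ever reaches it.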
To learn more about secure online payment solutions and fraud reduction tools, please contact a Solutions Consultant at 800.915.1680, option 2 or email@example.com.