July 09, 2020

Please Disrupt Me: Regulatory Concerns in Fixing Healthcare Payments


America's fragmented systems for billing and making healthcare payments are ripe for the sort of "disruption" that has revolutionized the delivery of other financial services. Consumers seeking routine medical care often have no idea what they will be required to pay and, once the care has been provided, often receive a flurry of (largely) paper-based bills from different sources, including hospitals, multiple physician practices, clinical labs, and medical imaging providers, as well as explanations of benefits from the patient's own insurance company. Moreover, many healthcare providers do not have simple, direct methods for accepting electronic payments by ACH or debit or credit cards. Thus, the sheer difficulty of determining what is owed and making a payment likely contributes to patient confusion, which may, in turn, make patients less likely to pay their medical bills on time or at all.

There is a real opportunity in the market for companies that combine experience in payments and technology to improve the healthcare experience for both patients and providers by offering an improved software-based user experience and electronic payment processing expertise. That said, if you are a fintech, insurtech, healthtech, techtech (#AllTheTechs), or other service provider looking to make healthcare payments seamless, frictionless, and painless, keep in mind that healthcare payments sit on the crossroads between two significant regulatory regimes. This article discusses some of the basic issues applicable to potential disruptors under both payments and healthcare laws.


Regulation in the payments industry comes from a variety of sources, including network rules imposed by the credit and debit card brands (Card Networks) and the National Automated Clearinghouse Association (NACHA) and legal requirements directly applicable to payments companies. In addition, because non-banks cannot directly access the ACH or Card Networks, they must form a relationship with a sponsor bank to process payments, which involves additional contractual requirements.

Network Rules

Before jumping into the legal requirements described below, payments companies should be aware of the rules imposed by the Card Networks and NACHA for use of their networks. These rules establish threshold issues for the structure of a payments company's operations, its relationships with its healthcare provider customers, and the application of federal and state laws.

  • Card Processing Role: There are numerous designations for the manner in which a payments company may participate in processing card transactions for healthcare clients. Among others, these include the following:
      • As a processor, the company would contract directly with an acquiring bank and interact directly with the Card Networks in processing transactions. When its acquiring bank receives transaction settlement funds, a processor would instruct the acquiring bank on the correct amount to be settled to each healthcare provider without itself ever receiving those funds.
      • As a payment facilitator, the company would contract with an acquiring bank or a processor, but would not interact directly with the Card Networks. Rather, a payment facilitator would submit the transactions of its provider customers through its own merchant account to be processed by its processor and/or acquiring bank. A payment facilitator may receive settlement funds itself for distribution to its customers or have the funds settled directly to the customers.
      • As an independent sales organization (ISO), the company would enter into an agreement with an acquiring bank and/or processor to sell their processing services to its customers. An ISO is not involved in transaction processing and would arrange for its provider customers to receive processing services under a direct contract with the acquirer and/or processor.
  • Merchant of Record: The Card Network rules generally prohibit a company from processing third-party card transactions through its own processing account unless it is registered and compliant as a payment facilitator. A company that is not a payment facilitator must therefore be the merchant of record for each transaction it submits for processing.
  • ACH: Similar to card processing, there are multiple ways for a company to offer ACH payments to customers. For example, a "third-party sender" may submit ACH transactions for processing on behalf of its customers under an agreement with a sponsor bank. The NACHA rules impose numerous requirements on this activity.

Direct Legal Requirements

Depending on its activities, including the payments model it chooses, a company may be subject to various different requirements under federal and state law. Highlights include the following:

  • Money Transmission: To the extent a company uses a payments model where it takes custody of funds prior to remitting them to a healthcare provider client or patient, it should consider the application of money transmission requirements under federal and state law. This may be the case for certain payment facilitators, ACH third-party senders, and prepaid and digital wallet providers.
  • Federal Bank Secrecy Act (BSA): The BSA imposes various anti-money laundering (AML) requirements on certain types of financial institutions, including "money services businesses" (MSBs). MSBs include money transmitters, generally defined as companies engaged in receiving funds for the purpose of transmitting them to another place or person, as well as providers of certain types of prepaid products. Under the BSA, MSBs are required to register with the Financial Crimes Enforcement Network (FinCEN), a division of the Treasury Department, and develop a comprehensive AML program, including customer and beneficial owner identification and suspicious-activity-monitoring procedures.
  • State Money Transmission Laws: Forty-nine states and the District of Columbia require money transmitters to apply for and obtain a license, comply with state statutes, and submit to examination and reporting requirements.
  • Surcharges: A "surcharge" is generally defined as any increase in the price of goods or services that is imposed on a customer paying by credit card that is not imposed on a customer paying by other methods. Although state law prohibitions on surcharges have been successfully challenged in recent years, several states continue to prohibit surcharging, including New York and Massachusetts. Payments companies should carefully review these laws in determining whether they or their clients may impose fees in connection with accepting payments by credit cards.
  • Credit Laws: Payments companies should also be aware that laws applicable to loans and other extensions of credit may apply where their services include advancing funds, whether to a consumer or to a healthcare provider. For example, if your model includes advancing funds to a healthcare provider to be repaid out of an expected insurance payment, this may be a regulated extension of commercial credit, especially if you charge a fee or interest. In some states, including California, engaging in the business of consumer or commercial lending may subject the credit provider to licensing, disclosure, examination, and reporting requirements.

Sponsor Bank Relationships

Because only banks contract directly with the Card Networks and the ACH network, a non-bank entity must have a relationship with a sponsor bank to process payments on behalf of its customers. A bank will not sponsor just anyone though, and whichever form the relationship takes, the sponsorship agreement will require the payments company to comply with certain legal and regulatory requirements, including the following:

  • AML Program: Although non-bank payments companies may meet an exemption from MSB status under the BSA, all banks are subject to its AML requirements. Moreover, the BSA applies to bank activities carried out by third-party service providers. Therefore, because a non-bank performs card processing and certain ACH activities as an extension of its sponsor, the bank will contractually require AML compliance. Payments companies should be prepared to develop an AML program consistent with the BSA even if they are not legally subject to it.
  • Network Rules: As discussed above, Card Network and NACHA rules apply to all participants in their networks. Because only banks contract with the Networks, a non-bank's contract with its sponsor is the mechanism through which it is bound to the Network rules. Any violation of these rules will result in liability to the sponsor bank, as well as indirectly to the Networks.
  • Chargeback Liability: When a card or ACH transaction is returned or charged back by a patient, the sponsor bank is required to return those funds through the applicable payment network. Banks typically will not accept the risk of loss in connection with such activities, and the sponsor agreement will make the payments company liable to the bank for reversed transactions. Because the healthcare provider should ultimately bear the loss on its own patients' reversed transactions, payment companies should be careful to flow down this liability to the provider by contract.


Like the financial industry, the healthcare industry is highly regulated. While healthcare providers and insurance companies bear the brunt of the regulatory responsibilities, payment companies that provide services to those in this industry may have obligations that flow down from some healthcare regulatory regimes, particularly with respect to information privacy and security. Furthermore, payment companies should be mindful to structure their arrangements with clients in the healthcare industry in a manner that complies with anti-kickback laws.


Healthcare providers and insurance companies (Covered Entities) are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to take measures to protect the privacy and provide for the security of identifiable patient information known as Protected Health Information or PHI. Further, service providers that support the operations of Covered Entities, known as Business Associates, have certain flow-down responsibilities to similarly safeguard PHI.

As an initial matter, HIPAA does not apply to banking or financial institutions with respect to certain payment processing activities. Namely, financial institutions and those that engage in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution are exempt from HIPAA. A typical exempt payment transaction is when a Covered Entity processes a payment made by a patient for healthcare using a check or credit card.

However, if a payment company provides other value-added services to a Covered Entity in addition to simply processing a payment, such as operating a healthcare provider's accounts payable system or other "back office" functions, that activity is not exempt from HIPAA, and the company would be subject to HIPAA as a Business Associate. In other words, performing the same payment processing activities that it provides to any commercial customer does not cause a company to be a Business Associate, but involving itself in the business of healthcare in a more material way would subject it to HIPAA requirements.

As a Business Associate, the payment company would be required to implement a HIPAA privacy and security program that includes elements such as:

  • Appointing administrative leadership to oversee the company's HIPAA compliance efforts;
  • Developing and implementing policies and procedures;
  • Training workforce members on the policies and procedures;
  • Agreeing to undertake certain obligations with respect to information privacy and security by entering into Business Associate Agreements with clients; and
  • Performing (and subsequently updating) an enterprise-wide security risk analysis and implementing a risk management plan to address the threats and vulnerabilities identified in the analysis.

Payment companies that are accustomed to complying with information privacy and security regimes within the financial industry may be able to leverage some of their existing controls to demonstrate compliance with HIPAA, though they will likely need to modify certain documentation, training, and/or security controls to specifically account for HIPAA compliance.

Anti-Kickback Laws

Healthcare providers and others in the healthcare industry are acutely aware of the various federal and state anti-kickback laws that apply within the healthcare industry.

At the federal level, the Anti-Kickback Statute provides criminal penalties for individuals and entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce business for which payment may be made under a federal healthcare program, such as Medicare, Medicaid, CHIP, TRICARE, and the Veterans Administration healthcare benefits. "Remuneration" includes, but is not limited to, kickbacks, bribes, and rebates, and applies to any such remuneration, whether made directly or indirectly, overtly or covertly, in cash or in kind. Prohibited conduct includes not only remuneration intended to induce referrals, but also remuneration intended to induce the purchasing, leasing, ordering, or arranging for or recommending any good, facility, service, or item paid for by a federal healthcare program. There are 24 regulatory exceptions to the Anti-Kickback Statute permitting certain arrangements, such as services and management contracts.

Because the Anti-Kickback Statute ascribes liability to both sides of an impermissible "kickback" transaction, payment companies should be attuned to structuring their arrangements with healthcare clients in a manner that complies with the Anti-Kickback Statute whenever the Statute is implicated by such arrangements.

Payment companies should also be mindful of any programs or campaigns that would incentivize individual patients to receive services from a particular healthcare provider. Not only would the Anti-Kickback Statute be implicated, but another fraud and abuse regime under the Civil Monetary Penalties Law that prohibits offering or transferring remuneration to a Medicare or Medicaid beneficiary that is likely to influence the beneficiary's selection of a particular healthcare provider would also be implicated.

* * * * *

For more information on these issues, please contact any of the authors.