What is a Payment Facilitator or PayFac?

We are finding many Revenue Cycle Management (RCM) companies who have been given terrible information about how to collect and process patient payments from their existing credit card vendor.  In the Payment Card Industry (PCI) that includes Visa, Mastercard, Discover and Amex there is a credit card processing classification call Payment Facilitator or PayFac.  PayFacs are allowed to collect payments directly from a patient and then forward those payments over to the their clients.  Companies such as Square are classified as a PayFac but are required to meet very stricture rules set up by the PCI industry as well as meet money transmitters rules that are regulated by state banking commissioners.  As you will see below just to be approved to become a PayFac by a credit card processor the process is arduous and expensive.  I would expect to spend around $50,000 on the PCI audit if you can even get compliant.  With regards to the money transmitter rules each of the 49 states require a money transmitter surety bond with widely ranging amounts from as little as $25,000 to over $1 million and maintaining a minimum capital requirementSquare was fined in Florida $507,000 for not being registered as a PayFac.  

If you are an RCM company who is currently collecting payments from patients with those funds being deposited into your bank account and then forwarding these funds over to your medical groups or hospitals you are a Payment Facilitator or PayFac.  If this is the case you will be shut down immediately by Visa/Mastercard/Amex as well as risk state fines such as the one levied on Square once discovered.

Below are the requirements to become a PayFac from one of the largest credit card processor in the country:

Business Financial Background

1. PFac/PF Submission Form with PFac Questionnaire and Site Visitation Form

2. Summary of Business history and operations - Describe the business history, model, products/services and operational infra-structure to support PFac model.

3 (a) Articles of Incorporation or Partnership Documents

3 (b) DBA  - Fictitious Name Filing Required

4 Two (2) years Corporate Audited Financial Statements and Interim Financial Statements including P&L and Balance Sheet. If audited are not available, then statements prepared in accordance with GAAP.

5. Two (2) years Corporate Tax Returns

6. Principals' biographical profile and work history/resume for signer’s with 20% or more ownership

7. Two (2) years Personal Tax Returns OR Personal Financial Statements for Principals with 20% or more ownership

8. Names, addresses, telephone #, Social Security #, and % of Ownership for Principals with 20% or more ownership

9. Copy of Driver's License for Principals with 20% or more ownership

10. Current Merchant Processing Statements (previous 3 months)

11. Bank Reference(s) - Provide the Bank, Contact Person & telephone number, and ABA/DDA Numbers.

Business Operations

12. Organization chart of Risk Management staffing by function (Underwriting, Fraud, Risk, etc). Provide details the number of employees on the Risk Management staff, and background/experience profile or resumes on Senior Risk Managers.

13. Document the Process, Policies, and Procedures on the following:

13 (a) Know Your Customer (KYC) - Describe the methods/tools used to “validate” the Business Operations and the Principals (Owners) of Sub-Merchants.

13 (b) Fraud Monitoring - Describe the processes/reporting/systems to monitor Fraud among Sub-merchant transactions.

13 (c) On-going Risk Management - Describe the ongoing monitoring program to manage the Risk of Sub-merchants 

14. Sub-merchant Portfolio Information for all Sub-merchants which will participate in PFac program - see “Sub-merchant Info Spreadsheet”

15. Copy of Annual PCI Level 1 Compliance Version 3.1 PCI SSC Vallidation Document

16. How will the First Data Operating Guide be distributed to Sub Merchants?

16 (a) If on website please list website where it can be found by Sub Merchant?

17. Business Continuity Plan

18. AML Questionnaire (response to questions in file)

 PFac/PF Registration Sponsorship Documentation

19. Level 1 - AOC (Attestation of Compliance) Service Provider & Executive Summary from the ROC (Report on Compliance)

20. List of Third Party Service Providers who have access to Cardholder Data or offer any Third Party Services to your Sub-merchants  - e.g. Payment Gateways, etc.

21. List of Third Party Service Providers who will perform PIN Pad Encryption, if applicable (note there are additional requirements for ESOs - Encryption and Support Organization)

22. Name of Third Party Vendor conducting on-going Sub-merchant URL screening

23. Marketing materials, sales brochures, solicitation forms, websites (URL) used to solicit Sub-merchants

24. Website/Payment Page, if the PFac is accepting card payment on their website versus on the Sub-merchant's website

25. Sample of Sub-Merchant Application

26. Merchant Decline Letter - if Credit Score is a factor the letter must follow the Fair Credit Reporting Guidelines for decline of account


27. Registration Templates for MasterCard and Visa. 

28. Signed Contract with the PFac

29. Billing Instructions for initial Registration Fee and Annual Renewal Fee



Do You Know Why Patients Don’t Pay Their Healthcare Payments?

Like most people in preparation for our summer vacation, I have a number of one-time large bills and charges that have accumulated getting ready for our trip!  And like most I bite the bullet and remit payments and pay my bills once they are due. However there is a large segment of bills that aren’t getting paid by most people (I do pay these on time as well assuming they are legit), and it’s those that are owed to medical groups and hospitals.

According to a report released by the Consumer Financial Protection Bureau, almost 43 million Americans have unpaid medical bills. The main cause for this is that many Americans are confused by the statements that they receive from their medical providers and insurance companies about the cost of treatment. Lack of transparency in their statements and understanding what they owe has put a lot of people in a tough situation.

Medical groups and hospitals too are feeling the pain. In fact one of our large radiology groups has seen a 23 percent increase in year-over-year growth in patient accounts receivables representing millions of dollars.  The average overdue debt that a patient owes is growing across the all of healthcare and the most baffling thing is that most of these patients show no signs of other financial stress. So what does this mean for medical groups and hospitals? Most patients who owe money have the means to pay but don’t, because of their lack of understanding about what they really owe.

Here are three easy fixes medical groups and hospitals can make to help patients pay their bills, and pay them faster. 

1. Integrate bill payment into your process. Medical groups and hospitals today should have one place where they can go to get a full picture of a patient’s payment history and not have to switch between multiple applications.

2. Simplify your statements. Make it easy for patients to understand what your charges are, what insurance has paid by providing a statement that matches up to the patient’s Explanation of Benefits (EOB), and most importantly what they still owe. With this information they are much more likely to remit payment quickly or start a conversation with you so that you can resolve any outstanding issues.

3. Ditch paper billing. It’s 2019 and according to the USPS more than 60% of Americans across all demographics are paying their bills online. According to Cain, “Only 17% of consumers receive a medical bill electronically, despite over 70% preferring electronic statements. “ Online bills get paid faster and you can create your online statements to match the EOBs. If the majority of patients want to pay their bills online…let them! 

With deductibles growing every day, medical groups and hospitals will continue to collect a significant amount of their revenue directly from patients…on average for the first five months of the year. It’s time to help patients pay their bills and practices collect what they’re owed.


Telephone Consumer Protection Act (TCPA) White Paper for Patient Account Communications

Prepared by:

Nick Whisler and Josh Stevens

Mac Murray & Shuster LLP

6525 West Campus Oval, Suite 210

New Albany, Ohio 43054 

I.               INTRODUCTION[1]

Calls and text messages offer healthcare providers a great opportunity to communicate with patients for billing, servicing and related purposes.  These communications must, however, comply with the Telephone Consumer Protection Act (TCPA),[2] including its automatic telephone dialing system (ATDS) restrictions.[3]  Although the strictest requirements are reserved for telemarketing communications, the TCPA requires prior express consent (express consent) to send invoicing, payment reminder and account servicing messages (collectively “account communications") using an ATDS.[4] 

II.              DISCUSSION

A.    What is an ATDS?

            The TCPA defines ATDS as "equipment which has the capacity— (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers."[5]  This definition has caused significant disagreement and confusion regarding the types of devices that qualify as an ATDS.  In a 2015 Order, the Federal Communications Commission (“FCC”) adopted a very broad interpretation of ATDS; however, the D.C. Circuit struck down that interpretation in 2018.[6]  Courts continue to disagree about the functionality needed to be an ATDS[7] and how human intervention—particularly with regard to text platforms—factors into the ATDS analysis.[8]  Although PatientPay has an argument that its platform is not an ATDS because it cannot randomly or sequentially generate phone numbers, the safest course of action is to limit calls and texts to patients who consented to receive such communications.[9]

B.    What Constitutes Express Consent?

The TCPA does not define express consent.  In 1992, the FCC held that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.”[10]  The FCC reiterated this holding in a 2008 Declaratory Ruling related to debt collection calls (“the provision of a cell phone number to a creditor, e.g. as part of a credit application, reasonably evidences prior express consent by the cell phone subscriber to be contacted at that number regarding the debt.”)[11] and again in its 2015 Order.[12]  Calls must be within the scope of consent, which means they should relate to the general purpose(s) for which the person provided his/her phone number.[13]  The FCC has also held that callers may obtain express consent through an intermediary[14] and consent extends to third parties calling (or texting) on behalf of the entity that has consent.[15]

            Courts have similarly held that express consent extends to third parties calling on behalf of healthcare providers.  For example, in Mais v. Gulf Coast Collection Bureau, Inc., the Eleventh Circuit held that a collector can rely on the express consent a patient’s wife provided to a healthcare provider.[16]  The court noted that Mais’ wife received the hospital’s Notice of Privacy Practices, which disclosed that it may use and disclose health information to bill and collect payment.[17]  Although Mais argued that “health information” did not include his cell phone number, the court disagreed pointing out that the admission form containing the number was part of the record of his visit and, therefore, part of his “health information.”[18]

Similarly, in Fober v. Mgmt. & Tech. Consultants, LLC, the Ninth Circuit held that a third party calling to conduct customer satisfaction surveys (a non-marketing communication) for the benefit of a doctors’ group could rely on express consent conveyed to the doctors’ group.[19]  The court emphasized that the very act of turning over one’s phone number demonstrates a willingness to be called for purposes that relate to the reason the person provided their phone number in the first place.[20]  The patient enrollment form indicated that the doctors’ group could disclose her information for “quality improvement” and customer service surveys to assist with improving quality.[21]  Relating specifically to the fact the calls were made by a third party, the court opined “when Plaintiff authorized Health Net to disclose her phone number for certain purposes, she necessarily authorized someone other than Health Net to make calls for those purposes.”[22]  In short, by providing her phone number on an enrollment form, the patient gave express consent for communications permitted under the healthcare provider’s privacy notice, including communications from a third party on the provider’s behalf.[23]

These cases demonstrate that a healthcare provider has express consent to call and text patients for any purpose expressly or implicitly contemplated by its Notice of Privacy Practices or other enrollment forms.  Even if a patient did not receive a Notice of Privacy Practices, or the Notice does not cover account communications, FCC guidance demonstrates that the provider has express consent for such communications (which are necessarily related to the purpose(s) for which the patient provides his/her number) unless the patient provides “instructions to the contrary”.    

C.     Revocation of Consent

            Patients may revoke their consent by any reasonable means.[24]  Additionally, businesses may not take steps to abridge a patient’s right to revoke consent, such as requiring the patient to send a fax or use some other specific method to revoke consent.[25]  Limits do exist as to what is reasonable and, as articulated by the D.C. Circuit in ACA Int’l, “[i]f recipients are afforded [clearly-defined and easy-to-use] options, any effort to sidestep the available methods in favor of idiosyncratic or imaginative revocation requests might well be seen as unreasonable.”[26]  Healthcare providers must honor and keep records of consent revocations, whether provided by the patient directly to the provider or to one of its service providers.  If a healthcare provider uses one or more service providers to send communications on its behalf, it must implement a process to facilitate the two-way communication of patient’s consent revocations.  This allows the healthcare provider to consolidate revocations into a single “opt-out” list and gives proper notice to the service provider(s) to suppress calls and/or texts to applicable numbers.

D.    Using PatientPay for Account Servicing Communications

            PatientPay provides an automated patient communication platform that facilitates account communications.  As a full-service payment platform, PatientPay also facilitates remittance of payments by patients.  Like in Mais, PatientPay’s communications are intended to address billing and payment matters associated with the patient’s account and only require express consent.  Further, as in Mais and Fober, PatientPay may communicate on the healthcare provider’s behalf and rely upon the provider’s express consent with the patient.  If the provider’s Notice of Privacy Practices informs the patient that his/her health information or personal information may be disclosed for billing, payment or similar purposes, the provider has express consent for account communications (unless the patient revoked the consent).  Even without clear disclosure in the Notice of Privacy Practices, a healthcare provider and PatientPay likely have express consent for account communications, which are necessarily related to the purposes for which the patient provided his/her phone number to the provider. 

            Each healthcare provider must keep a consolidated list of patients that revoke consent for autodialed calls and texts.  The provider should not give a phone number to PatientPay if it is on the “opt-out” list.  Additionally, the provider should notify PatientPay whenever it receives a consent revocation directly from the patient of through another vendor.  This will allow PatientPay to suppress calls and texts to that number.  PatientPay accepts and honors consent revocations (e.g. patients that reply “STOP” to a text message or request not to be called again) and has procedures in place to communicate these revocations back to the healthcare provider.

III.            CONCLUSION

Although the TCPA requires express consent to use an ATDS for informational calls/texts to patients’ cell phones, healthcare providers likely have consent to send account communications to patients unless those patients revoked consent to be contacted.  Third party service providers, like PatientPay, may rely upon the healthcare provider’s express consent to communicate with the patient.  As with any compliance issue, each healthcare provider should consult with its legal counsel to evaluate the policies and procedures it has in place to collect/document express consent and to process/honor revocations of consent.

[1] This white paper provides general information regarding a topic area and does not constitute legal advice.  Please consult your own attorney for legal advice.

[2] 47 U.S.C. § 227, implementing regulations at 47 C.F.R. § 64.1200.

[3] 47 U.S.C. § 227(b)(1)(iii). See also, Satterfield v. Simon & Schuster, Inc., 569 F.3d 946, 951-952 (9th Cir. Cal. 2009) (citing In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Report and Order, 18 FCC Rcd. 14014, 14115 (July 3, 2003) (articulating that text messages are calls under the TCPA).

[4] Compare 47 C.F.R. § 64.1200(a)(2) (requiring “prior express written consent” for telemarketing communications) with 47 C.F.R. § 64.1200(a)(1) (requiring “prior express consent” for informational and other non-marketing communications).

[5] 47 U.S.C. § 227(a)(1).

[6] In re Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Declaratory Ruling and Order, CG Docket No. 02-278, WC Docket No. 07-135, FCC 15-72 (July 10, 2015) (“2015 Order”); ACA Int’l v. FCC, 885 F.3d 687, 697 (D.C. Cir. March 16, 2018) (“If a device’s capacity includes functions that could be added through app downloads and software additions, and if smartphone apps can introduce ATDS functionality into the device, it follows that all smartphones, under the Commission’s approach, meet the statutory definition of an autodialer. [. . .] If every smartphone qualifies as an ATDS, the statute’s restrictions on autodialer calls assume an eye-popping sweep.”).  

[7] Compare Pinkus v. Sirius XM Radio, Inc., 2018 U.S. Dist. LEXIS 125043 (device must be capable of generating and dialing random or sequential numbers) with Marks v. Crunch San Diego, LLC, 904 F.3d 1042, 1052 (9th Cir. Sept. 20, 2018) (device is an ATDS if it can automatically dial numbers from a list).

[8] Compare Jenkins v. mGage, LLC, 2016 U.S. Dist. LEXIS 106769 and Duran v. La Boom Disco, Inc., 2019 U.S. Dist. LEXIS 30012 (holding that text platforms do not meet the definition of ATDS because a human must select the phone numbers, type or select the message and schedule the batches of texts for delivery) with Blow v. Bijora, Inc., 855 F.3d 793 (7th Cir. May 4, 2017) (district court prematurely granted summary judgment in case involving text platform that requires human intervention to load and schedule texts but lacks human intervention when the scheduled texts are actually sent).

[9] The FCC, under new leadership, solicited comments on the ATDS definition in the wake of ACA Int’l.  We anticipate the FCC will issue a new ATDS interpretation in 2019; however, interested parties will likely seek judicial review of the FCC’s new interpretation on grounds that it is too narrow or too broad, as applicable.

[10] In re Rules Implementing the Telephone Consumer Protection Act of 1991, Report and Order, 7 FCC Rcd. 8752, 8769 at ¶ 31 (“1992 Order”).

[11] In re Rules Implementing the Telephone Consumer Protection Act of 1991, Declaratory Ruling, 23 FCC Rcd. 559, 564 (adopted Dec. 28, 2007; released Jan. 4, 2008) (citing a House of Representatives report stating that “the restriction on calls to emergency lines, pagers, and the like does not apply when the called party has provided the telephone number of such a line to the caller for use in normal business communications.”).

[12] 2015 Order at ¶ 141.

[13] Id.

[14] In the Matter of GroupMe, Inc./Skype Commc’ns S.A.R.L. Petition for Expedited Declaratory Ruling, Rules & Regulations Implementing the Tel. Consumer Protection Act of 1991, Declaratory Ruling, 29 FCC Rcd. 3442, 3444 (Mar. 27, 2014) (“[T]he TCPA does not prohibit a caller . . . from obtaining the consumer’s prior express consent through an intermediary[.]”).

[15] 2015 Order at ¶ 141.

[16] Mais v. Gulf Coast Collection Bureau, Inc., 768 F.3d 1110, 1125 (11th Cir. Sept. 29, 2014).

[17] Id. at 1124. (“We have little doubt that by signing the admission forms Mais’ wife agreed to allow the Hospital to transmit his health information to Florida United so it could bill him for services rendered.”).

[18] Id. at 1125.

[19] Fober v. Mgmt. & Tech. Consultants, LLC, 886 F.3d 789 (9th Cir. Mar. 29, 2018)

[20] Id. at 792-793.

[21] Id. at 793.

[22] Id. at 794 (emphasis in original).

[23] See also, Baisden v. Credit Adjustments, Inc., 813 F.3d 338, 346 (6th Cir. Feb. 12, 2016) (“The FCC’s rulings in this area make no distinction between directly providing one’s cell phone number to a creditor and taking steps to make that number available through other methods, like consenting to disclose that number to other entities for certain purposes.”) (emphasis in original).

[24] 2015 Order ¶ 55.

[25] 2015 Order ¶ 64.

[26] ACA Int’l v. FCC, 885 F.3d at 710.

The True Cost of Processing a Patient Bill

With the growth of patient out-of-pocket bills, it is becoming more important for Revenue Cycle Management (RCM) companies and medical groups to evaluate the true cost of processing a patient bill and how reducing these costs can impact profitability and efficiency. Often times while evaluating cost, RCM and medical groups will only look at the cost to send a traditional paper statement, overlooking all of the other cost drivers that hamper profitability.

With traditional paper-based medical billing, the same patient statement usually gets “stuffed and stamped” anywhere from three to seven times before it gets paid.  However, the real cost is not just sending out paper statements but instead the processing required once mailed back to the business office, a lock box or called in by the patient.  Most RCM and medical groups have a team of people in the back office that open envelopes or files, process payments via check or credit card, and post the payment data in their system.  Recent third party data shows that collecting an out-of-pocket bill from patients can cost anywhere from $7.00 to $15.00 per bill if a call center is used to collect payment.  By examining both the direct and indirect costs, the inefficiency starts to become clear.

Electronic billing for patients streamlines the entire collections process by reducing old-fashioned, costly paper-based traditional methods that demand an increasing amount of time and resources.. Sending patient bills electronically allows patients to receive bills quickly and conveniently pay online, which accelerates the payment collection time. In addition,  by integrating electronic payments into your back-end billing system, the payment information can automatically upload and reconcile, eliminating the need for manual entry.  Electronic posting not only saves time and money, it also reduces manual error.

While there is value in reducing paper statements, postage, and back-end processing costs, there is also an opportunity to address the need for patient engagement demands.  If you are interested in true patient engagement, I would encourage you to send a bill via electronic text message or email to your patients and see how they respond.  What we find is patients normally engage within the first twelve hours after sending a text message and twenty-four hours after sending an email.. In the end, empowering a patient to pay their bill electronically reduces costs and leads to more efficient operations, which results in more true patient engagement.

Don’t Let Patient Accounts Receivable Impact Your Cash Flow

Accounts receivable (A/R) has a direct correlation to a medical group’s cash flow. Without prompt, positive cash flow, a medical group will go into the business equivalent of cardiac arrest.  For those who know the outstanding A/R to the penny, who know within a couple of days the average age of their accounts, get ready: Your world is changing. 

More and more of your patients have High Deductible Health Plans or HDHPs, and the number is growing.  According to William Blair ‘s recent report titled, Patient Engagement – The New “IT” in HCIT, “HDHP plans likely accounted for about 30% of the commercially insured population in 2018—up from only 5% as recently as a decade ago.  In 2010, about 25.3 million persons were covered under some form of HDHP; however, this number rose by about 70% through the beginning of 2017, to a record 42.9 million.”  

Most medical groups look to insurance companies for the bulk of their revenue; generally speaking, as much as 85 to 90 percent historically.  It comes in with mostly reliable and consistent cycles.  The time between submission of a claim to an insurance company and your receipt of the payment for that claim is typically a couple of weeks.

However, with HDHPs much more of your A/R will sit in patient balances.  You can expect to see, if not already, insurance payments shift to between 70 and 80 percent from prior levels.  The remaining payments for a typical medical group will need to be secured from your patients. 

Granted, the insurance company will continue to pay in a consistent time but no such speed or certainty can be expected from your patients, especially at the start of a plan year when just about everything will “contribute to the deductible;” a nice way of saying everything is owed by the patient.  More troubling, you don’t even know if or how much a patient owes your medical group until the insurance company has adjudicated the claim, which can take a couple of weeks after the procedure or office visit.  Add in the increased delay (not to mention the cost per my last blog) to send paper statements via the USPS, and suddenly A/R aging goes from an average of 30 days to two or three times as long … and cash flow has slowed to a trickle. 

A solution for medical groups to help with the shifting landscape is to work with a payment company that issues electronic bills to patients as a first touch point for patient engagement, sends an easy-to-understand bill that lets them understand what’s due assuming it aligns with their explanation of benefits (EOB), provides flexible payment options and allows for it to be paid online to settle their obligations easily and quickly.  Among the advantages:

  • An electronic billing and payment solution allows for higher collection rates and cuts in half the time and cost to collect patient payments;

  • It automates the arduous reconciliation process eliminating errors once patient payments have been received;

  • It provides the capability to produce patient payment A/R reports by office location, by specialty area, by provider in whatever manner you wish gives you meaningful insight into your patient balances.