HIPAA-aware, BAA available & PCI DSS Level 1

HIPAA & PCI-compliant healthcare payment processing

Patients pay co-pays, prescriptions, deductibles, and treatment balances over the phone without staff hearing or seeing card data. Architected for HIPAA and PCI DSS together — Business Associate Agreement available, card data outside your environment, NHS DSP Toolkit supported.

TL;DR

HIPAA payment processing means keeping card data and PHI out of the same system. The standard architecture in 2026 is DTMF masking on the call (the patient keys the card on their own phone — the agent never hears it), a Business Associate Agreement with your payment vendor, and a payment gateway that sits outside your EHR or practice management system. Paytia ships all three. PCI scope drops from SAQ D to SAQ A, and HHS OCR audits see a clean separation between payment data and clinical records. Same architecture supports the NHS DSP Toolkit on the UK side.

Last updated: 29 May 2026

How HIPAA payment processing actually works

We've been building phone payment systems for healthcare since 2016, and the question that starts a project is almost always the same: “how do we take a card over the phone without it landing in our EHR, our call recording, or our HIPAA scope?”

The answer is architectural, not procedural. You can't train your way out of this — telling a front-desk staffer to “just be careful with the card number” doesn't hold up when an HHS OCR auditor or a PCI QSA walks in. The card number, the CVV, and the expiry have to physically leave the audio path before they reach your agent's headset, your desktop, or your recording system. That's what DTMF masking does — it intercepts the keypad tones before the audio crosses to the agent and substitutes a flat replacement tone the agent hears instead. The payment processor still gets the real digits; everyone and everything in your environment gets silence.
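To make the audio-path argument concrete, here is a small simulation of a DTMF masking proxy. It is an added example, not Paytia's code: the Frame/Legs structures, the MaskingProxy class, the capture window triggered by the agent, and the flat replacement tone are all constructed for illustration, and a real product works on the media stream rather than on labelled events. The point it shows is that, during the capture window, a keyed digit reaches only the processor leg while the agent and the recorder receive a substitute tone, so nothing inside the merchant environment ever holds the PAN.

```python
"""Simulation of DTMF masking in a phone payment path (added example, not vendor code)."""
from dataclasses import dataclass, field

FLAT_TONE = "flat-tone"  # constructed stand-in for the replacement tone agent and recorder hear


@dataclass
class Frame:
    kind: str   # "speech" or "dtmf"
    value: str  # a spoken word, or a single keypad character


@dataclass
class Legs:
    """The three places patient audio can go once the masking proxy is in the path."""
    agent: list = field(default_factory=list)      # the agent's headset
    recorder: list = field(default_factory=list)   # the call recording
    processor: list = field(default_factory=list)  # digits forwarded to the payment processor only


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used on primary account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class MaskingProxy:
    """Sits between the patient leg and everything in the merchant environment."""

    def __init__(self):
        self.capturing = False
        self.legs = Legs()
        self.pan_buffer = []

    def start_capture(self):
        # Triggered from the agent portal when the patient is ready to key the card.
        self.capturing = True
        self.pan_buffer = []

    def handle(self, frame: Frame):
        if frame.kind == "dtmf" and self.capturing:
            # Keypad tone intercepted: the digit goes to the processor leg only;
            # the agent and the recording get a flat tone in its place.
            self.pan_buffer.append(frame.value)
            self.legs.processor.append(frame.value)
            self.legs.agent.append(FLAT_TONE)
            self.legs.recorder.append(FLAT_TONE)
        else:
            # Speech (and keypad tones outside a capture window) pass through unchanged.
            self.legs.agent.append(frame.value)
            self.legs.recorder.append(frame.value)

    def finish_capture(self) -> dict:
        """Close the window; the agent may see only whether it worked and the last four digits."""
        self.capturing = False
        pan = "".join(self.pan_buffer)
        self.pan_buffer = []
        if not pan.isdigit() or not luhn_valid(pan):
            return {"ok": False, "display": None}
        return {"ok": True, "display": "*" * (len(pan) - 4) + pan[-4:]}


def run_demo():
    """Constructed call: some conversation, then a card keyed during the capture window."""
    proxy = MaskingProxy()
    for word in ["Hi,", "calling", "about", "Tuesday's", "imaging", "balance"]:
        proxy.handle(Frame("speech", word))
    proxy.start_capture()
    for digit in "4111111111111111":  # industry test PAN, not a real card
        proxy.handle(Frame("dtmf", digit))
    result = proxy.finish_capture()
    proxy.handle(Frame("speech", "thanks"))
    return proxy.legs, result


if __name__ == "__main__":
    legs, result = run_demo()
    print("agent heard:   ", legs.agent)
    print("recorder got:  ", legs.recorder)
    print("processor got: ", "".join(legs.processor))
    print("agent display: ", result)
```

Running it shows the split the text describes: the processor leg carries the full sixteen digits, the agent and recorder legs contain the conversation plus sixteen flat tones and no digit at all, and the agent's screen shows only a masked PAN with the last four digits.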

On the HIPAA side, the same principle applies in reverse. PHI lives in your EHR and clinical systems. Card data lives at the payment processor. The two never end up in the same database or the same recording file. The Business Associate Agreement covers the edge case where a payment call mentions a patient name alongside the payment — we treat that incidental PHI with the same protections as any other Business Associate handling PHI for a covered entity.

Where HIPAA, PCI DSS, and your payment vendor actually meet

HIPAA doesn't regulate card numbers. PCI DSS doesn't regulate clinical data. The grey zone is where they overlap on a single phone call, and that's where most healthcare payment incidents happen — a call recording that captured the patient's diagnosis and their card number on the same audio file, sitting on a server that wasn't scoped for either regime.

The financial institution exemption in HIPAA (45 CFR 164.501) carves out pure payment processing — taking a card and settling a transaction isn't a HIPAA matter on its own. But that exemption assumes the payment activity stays bounded. The moment the conversation includes “Mrs Jones, your visit on Tuesday for the imaging study is $340” on a recording that also captures the card number, you've got identifiable health information sitting next to a primary account number. That's the worst-case PCI-meets-HIPAA artefact, and it's what auditors look for.
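A practitioner inheriting an archive of unmasked recordings will want to know which files are that worst-case artefact. The scanner below is an added example, not Paytia's tooling: it runs over a call transcript (a constructed one is embedded), flags lines holding a Luhn-valid card-number-shaped digit run, flags lines holding constructed PHI keyword hints, and reports whether both land in the same file. The PAN pattern and the keyword list are illustrative assumptions, and a keyword heuristic only finds obvious PHI; it is the "both in one recording" condition that an auditor cares about.

```python
"""Transcript scanner for recordings that mix card numbers with PHI (added example, not vendor code)."""
import re

# Digit runs of 13-19 digits allowing spaces or dashes between them, not embedded in longer numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed list of words that suggest clinical content; a real deployment would use a far richer set.
PHI_HINTS = ("diagnosis", "imaging", "procedure", "visit on", "prescription", "patient", "mri")

# Constructed transcript of a single recorded call: (speaker, text) per line.
TRANSCRIPT = [
    ("agent", "Thanks for calling, how can I help?"),
    ("patient", "It's Mrs Jones, about my visit on Tuesday for the imaging study."),
    ("agent", "I see a balance of $340 for that. Shall we take a card now?"),
    ("patient", "Yes, the number is 4111 1111 1111 1111, expiry 12 29."),
    ("agent", "Thank you, that's gone through, reference 7Q2."),
]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used on primary account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (start, end, digits) for every Luhn-valid PAN-shaped run in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def has_phi_hint(text: str) -> bool:
    low = text.lower()
    return any(h in low for h in PHI_HINTS)


def audit_recording(transcript: list) -> dict:
    """Classify each line and say whether card data and PHI share the file."""
    pan_lines = [i for i, (_, text) in enumerate(transcript) if find_pans(text)]
    phi_lines = [i for i, (_, text) in enumerate(transcript) if has_phi_hint(text)]
    return {
        "pan_lines": pan_lines,            # PCI scope: a spoken card number is on the recording
        "phi_lines": phi_lines,            # HIPAA scope: identifiable clinical content
        "mixed_file": bool(pan_lines) and bool(phi_lines),  # the worst-case artefact
    }


def redact(transcript: list) -> list:
    """Replace each detected PAN with a marker keeping only the last four digits."""
    out = []
    for speaker, text in transcript:
        for start, end, digits in reversed(find_pans(text)):
            text = text[:start] + "[PAN ends " + digits[-4:] + "]" + text[end:]
        out.append((speaker, text))
    return out


if __name__ == "__main__":
    print(audit_recording(TRANSCRIPT))
    for speaker, line in redact(TRANSCRIPT):
        print(f"{speaker}: {line}")
```

On the constructed transcript the report lists line 3 as carrying a PAN and line 1 as carrying PHI, and marks the file as mixed, which is exactly the recording that needs both the privacy officer and the QSA involved. Redaction after the fact only reduces the exposure going forward; the masking architecture above avoids creating the artefact in the first place.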

The clean architecture is straightforward. Card data goes to a PCI DSS Level 1 certified processor via DTMF masking — the digits never touch your audio path, your desktop, or your recording. PHI stays in your EHR. The Business Associate Agreement covers the payment vendor for any incidental PHI on the call (a patient name, a service description) — same way you have BAAs with your clearinghouse and your EHR vendor. That's the picture both HHS OCR and your PCI QSA want to see.

On the UK side the regulatory picture is different but the architecture is identical. NHS Digital's Data Security and Protection Toolkit (DSPT) requires every NHS organisation to assess every system that handles sensitive data. Removing card data from your environment via DTMF masking means the payment flow doesn't enter DSPT scope at all — your submission only has to attest to the systems you actually run. PCI DSS Level 1 attestation from the payment vendor covers the rest.

Healthcare payment processing challenges

Healthcare carries a double compliance burden — HIPAA or NHS Digital data security requirements on top of PCI DSS. Most payment tools weren't designed with either in mind.

Card numbers in call recordings

If your call centre records calls, every patient who reads a card number aloud puts that data into a recording — which is now a PCI-scope asset and, depending on what was said before and after, possibly mixed with PHI. That's a problem for your QSA and your privacy officer at the same time.

HIPAA and PCI compliance together

Card data and PHI are both regulated, with different rules and different penalties. HHS OCR audits and PCI QSAs sit alongside each other — and a breach involving both is the worst-case scenario. NHS DSP Toolkit submissions face the same dual-scope problem.

BAA scoping for payment vendors

Strictly, payment processing falls under the HIPAA financial institution exemption — but almost every privacy officer wants a BAA on file anyway, because incidental PHI on a payment call is hard to rule out. Some vendors won't sign one; some will only sign a watered-down version. Worth checking before you commit.

Patient payment friction

Patients expect quick payments but front-desk staff lack secure tools. Asking patients to read card numbers aloud in waiting areas compromises security, dignity, and HIPAA's minimum-necessary principle all at once.

How Paytia solves healthcare payment challenges

DTMF masking on every call

Replaces keypad tones in real time as the patient enters their card number. Front-desk and billing staff stay on the call and see payment progress on screen — they never hear or see any card data, and nothing identifying lands in your call recording.

BAA-ready for PHI exposure

Where any PHI may pass through the call alongside payment, we sign a Business Associate Agreement aligned with HHS Office for Civil Rights expectations. We treat that data with the same protections as your EHR vendor or clearinghouse.

NHS DSP Toolkit support

Because Paytia removes card data from your network entirely, the payment flow doesn't enter DSP Toolkit scope. Your annual submission only has to attest to the systems you actually run — not the payment infrastructure.

Zero card data in your environment

Card data never enters your practice — not through your phones, your computers, your EHR, or your network. There's nothing stored, nothing to steal, and nothing that affects your PCI scope. Most healthcare clients drop from SAQ D to SAQ A.

Simple for front-desk and billing staff

Browser-based portal that works on any computer. Staff enter the amount, the patient keys in their card details on their own phone keypad, and the payment completes. No specialist training and nothing new to install.

Works with your existing gateway and EHR

Process through whatever gateway you already use — Stripe, Worldpay, Barclaycard, Adyen, Authorize.Net, Chase Paymentech and others. Paytia sits next to your EHR or practice management system rather than replacing it.

Healthcare payment use cases

From medical practices and GP surgeries to hospital revenue cycle teams, Paytia covers the phone payment scenarios that come up every day in healthcare.

Medical practices and GP surgeries

Collect co-pays, deductibles, prescription fees, and private GP letter charges over the phone without staff handling card data — even between patients during a busy clinic.

Dental and specialty clinics

Take payment for NHS banding fees, treatment plans, orthodontic care, and elective work in a single call. Set up payment plans for larger balances without paperwork.

Hospital revenue cycle and billing

Centralised billing teams take inbound calls all day. DTMF masking means agents never hear card numbers — and your call recordings stay clean for HIPAA and PCI both.

NHS trusts and private clinics

Trusts use Paytia for overseas patient charges, medical record fees, and non-NHS chargeable services. Private clinics inside NHS settings get the same architecture.

HIPAA & HHS OCR

Where Paytia sits in your HIPAA picture

Pure payment processing isn't usually a HIPAA matter — the financial institution exemption covers most card transactions. But the moment a payment call references a patient name, a procedure, or a diagnosis, you've potentially got PHI in scope. We sign a Business Associate Agreement so you're covered either way, and we architect the platform so payment data and any incidental PHI never end up co-mingled in a way that creates breach exposure.

HHS Office for Civil Rights audits look closely at how Business Associates handle PHI and how covered entities oversee them. Removing card data from your environment, keeping recordings clean of card numbers, and having a current BAA on file are all things that hold up well under that kind of scrutiny. For the deeper architecture write-up, see HIPAA-compliant credit card processing or our guide to building a PCI-compliant call centre.

Customer story — optical retail

Eyecare and prescription payments — lessons from Warby Parker

Optical is health retail. Patients call to reorder prescription lenses, check eye exam records, and pay for frames without reading card numbers into a call recording that's sitting in a CRM. It's the same challenge private clinics, opticians, and audiology practices face every day. Take a look at how Warby Parker handles phone payments for prescription eyewear — the same flow works for any healthcare provider taking card-not-present payments over the phone.

Benefits for healthcare providers

Removes card data from your network — drops PCI scope from SAQ D to SAQ A
Front-desk and billing staff never hear or see card numbers
Works alongside EHR, practice management, and NHS systems
24/7 IVR so patients can pay outside surgery or office hours
PCI DSS Level 1 certified — audited annually by a QSA
BAA available where any PHI may be present on the call
Supports payment plans for high-deductible balances and treatment costs
Full payment reporting for revenue cycle and accounting teams

Compliance and certifications

PCI DSS Level 1

The highest level of PCI certification. Paytia is audited annually by a Qualified Security Assessor — so you don't need to be.

HIPAA Business Associate

BAA available for healthcare clients. We treat any PHI that may pass through a payment call with the same protections as a covered entity would.

NHS Digital compatible

Meets NHS Digital data handling standards. Removing card data from your environment directly supports your annual DSP Toolkit submission.

Cyber Essentials Plus

UK government-backed certification for cyber security, mapping closely to SOC 2 trust services criteria. Assessed and certified annually.

Frequently asked questions

What is HIPAA-compliant payment processing?

HIPAA-compliant payment processing means handling card payments in a way that protects any protected health information (PHI) that may travel alongside the transaction. Pure card processing usually falls under the HIPAA financial institution exemption — taking a credit card on its own isn't PHI. But the moment a patient name, procedure code, or diagnosis is mentioned on the same call, you potentially have PHI in scope. The cleanest answer is to remove card data from your environment entirely and sign a Business Associate Agreement with your payment vendor. See our deeper write-up on HIPAA-compliant credit card processing.

Do payment processors need to sign a BAA?

Strictly under HIPAA, a payment processor doing only payment processing falls under the financial institution exemption and doesn't legally need a BAA. In practice, almost every US healthcare provider asks for one — and we think they're right. As soon as a payment call mentions a patient name or procedure, you've potentially got PHI in scope. Paytia signs a Business Associate Agreement aligned with HHS Office for Civil Rights expectations so you're covered either way. Full detail in our guide to Business Associate Agreements.

Is Paytia HIPAA compliant for US healthcare practices?

There's no federal HIPAA certification body, so nobody can technically say "HIPAA certified". What we offer is a HIPAA-aware architecture: card data never enters your environment, payment processing happens outside any PHI system, and we sign a BAA where any incidental PHI may pass through a payment call. Our QSAs and our customers' privacy officers have both signed off on this posture. See PCI-compliant call centre for the technical detail on how the card data stays out.

Is Paytia compliant with NHS Digital standards?

Paytia operates as a PCI DSS Level 1 service provider — the highest tier of card security accepted by NHS Digital's Data Security and Protection Toolkit. Card data never enters your network; it goes straight to Paytia's certified infrastructure, so your DSP Toolkit submission only has to attest to your existing systems, not the payment flow. See our PCI DSS attestation if your information governance team needs the AoC.

Can patients pay for prescriptions, co-pays, and appointments by phone?

Yes. The patient reads no card details to a receptionist or front-desk staff member — they key the number into their own phone keypad while still on the call. DTMF masking intercepts the tones before they reach the agent's headset or your call recording, so card data never enters your environment. The patient stays on the line throughout, and your staff confirm the payment landed before ending the call. Works for NHS prescription fees and for US co-pays the same way.

Will Paytia work with our existing phone system and EHR?

Yes. Paytia integrates with whatever phone system you're already running — IP, traditional PBX, hosted VoIP, or browser-based softphones. On the records side it sits next to your EHR or practice management system (Epic, Cerner, athenahealth, NextGen, eClinicalWorks, NHS practice management tools) rather than inside it, so there's no integration project, no vendor approval, and no IT change request. Most surgeries, clinics, and practices are live within days. See telephone payments for the integration options.

Can private clinics take recurring payments for treatment plans?

Yes. After the initial card capture, Paytia returns a tokenised reference your billing system can charge against on a schedule — useful for ongoing treatments, dentistry plans, fertility programmes, surgical balances, or any care where the patient responsibility runs into thousands. The token is meaningless to anyone who intercepts it; only your gateway can charge against it. See recurring payments for the setup detail.

Does HIPAA apply to call recordings of payment calls?

It depends what's on the recording. If the recording captures only the payment portion — amount, authorisation reference, agent confirmation — there's no PHI and HIPAA doesn't apply to that segment. If the recording captures the patient discussing a procedure, a diagnosis, or anything identifying, that section is PHI and falls under HIPAA's technical safeguards. PCI DSS still applies to any recording that captured a spoken card number. The simplest answer is to keep card data out of the recording with DTMF masking, and treat any PHI in the recording the same way you treat clinical notes.

Does this work for NHS trusts and not just GP surgeries?

Yes. NHS trusts use Paytia for non-NHS chargeable services — overseas patient charges, lost-property fees, copying medical records — anywhere a phone payment is involved. The deployment pattern is identical to a GP surgery: card data never touches the trust's network, the DSP Toolkit submission is unaffected, and the call agent never hears the digits. Talk to us about NHS-specific procurement frameworks.

Does it work with our existing payment gateway?

Paytia works with most payment gateways used by healthcare — Stripe, Worldpay, Barclaycard, Adyen, Authorize.Net, Chase Paymentech, Elavon, and others. You keep your existing merchant account and banking relationships; we sit in front as the secure collection layer that strips card data out of your environment.

Ready to take card data out of your healthcare environment?

Medical practices, GP surgeries, NHS trusts, dental practices, and hospital revenue cycle teams use Paytia to collect phone payments without touching card data — and without a complex IT project.