If your therapy practice is going to accept electronic payments from clients, you need to do so with a HIPAA-compliant payment system.
Here’s what you need to know to accept payments from clients quickly and easily, while ensuring you’re doing everything required by HIPAA to protect their information.
HIPAA compliance: a quick refresher
The Health Insurance Portability and Accountability Act (HIPAA) was enacted into law by Congress in 1996. Its purpose is to protect patients’ privacy by setting standards for how their information is shared and stored.
Since it was enacted, HIPAA has proven essential for:
- Reducing healthcare fraud
- Allowing workers to transfer and continue their health insurance when they lose their jobs
- Mandating standards that ensure electronic systems for billing and other healthcare related tasks function without putting patients at risk
At the core of HIPAA is the protection of patient health information (PHI). When it comes to determining whether your transactions with clients are HIPAA-compliant, it’s important to understand the difference between PHI and payment information.
What is PHI?
PHI is information that can be used to identify a patient. According to Yale’s Clinician’s Guide to HIPAA Privacy and Security 8-2019:
Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:
- The individual’s past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
The Clinician’s Guide includes 18 pieces of data that may be used to identify a patient:
- Their name
- Their address, or “all geographic subdivisions smaller than state, including street address, city, county, ZIP code”
- Elements of dates (other than the year) directly related to the individual, “including birth date, admission date, discharge date, date of death and exact age if over 89”
- Phone numbers
- Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Serial numbers for vehicles or other devices
- Other numbers used to identify devices
- Internet Protocol (IP) address numbers
- Fingerprints or voice recordings
- “Any other characteristic that could uniquely identify the individual”
If you’re trying to determine whether the information you’re receiving from a client is PHI, ask yourself: Could a bad guy use this information to hurt them?
“Bad guy,” in this case, refers to a scammer, identity thief, or even someone in your client’s personal life who intends to cause them harm.
A single piece of PHI, such as your client’s name, may not seem important at first glance. But in some cases, simply the fact that an individual is seeing a therapist counts as critical personal information that could be used to hurt them—for instance, in the workplace, or within a family dispute.
Even an emailed receipt from an online payment provider including your client’s name and the name of your practice may qualify as PHI.
Are Venmo, Paypal, Zelle, or Apple Pay HIPAA-compliant?
In a word: No.
Popular apps for sending funds such as Venmo, Paypal, Zelle, and Apple Pay are not HIPAA-compliant. Using them to receive payments from clients opens you up to HIPAA penalties and puts the client’s personal information at risk. On top of that, many of these payment providers sell user data to third parties.
Any third-party application you use to send and receive information about a client—including online banking or credit card payments—must be certified as HIPAA-compliant. That means they’re willing to enter into a business associate agreement (BAA) with you.
Business associate agreements (BAAs) and payment for therapy
A BAA is an agreement between a healthcare provider (you) and a third party (a payment provider) for the transfer of your client’s PHI.
Any payment provider you use to receive money from clients must be able and willing to sign a BAA with you in order to be HIPAA-compliant.
Broadly speaking, online payment providers are not in the practice of signing BAAs with therapists.
How to receive HIPAA-compliant payments
In order to be paid by clients while complying with HIPAA regulations, you should either use an online payment method that is explicitly HIPAA-compliant, or a traditional method of getting paid (e.g. credit card, ACH, cash).
Whatever method you use, be sure to stick to HIPAA guidelines for sending and storing information. More on that in the next section.
Electronic health record (EHR) systems
If your EHR system (e.g. SimplePractice) allows you to bill clients and receive payments from them, you can safely assume it’s HIPAA-compliant.
Stripe
So long as you use Stripe exclusively to collect payments from clients (and not for invoicing or other activities involving client information), it’s HIPAA-compliant.
Ivy Pay
Ivy Pay is a 100% HIPAA-compliant payment method designed for licensed therapists. It allows you to collect no-swipe credit card payments at a flat rate of 2.75% per charge.
Credit card terminals
Credit card payments using a traditional POS terminal are typically HIPAA-compliant. Be sure to consult with the POS provider about a BAA.
ACH
ACH payments are managed by the National Automated Clearing House Association (Nacha). Nacha’s Healthcare Electronic Funds Transfer (EFT) is HIPAA-compliant, sending client information and the information for transferring funds together in one secure package.
Cash
While cash is probably the most anonymous (and thus secure) means of receiving payment from a client, you still need to follow HIPAA best practices when it comes to recording the transaction. If you store the client’s name on file, you must use a HIPAA-compliant system to do so.
Checks
In most cases, a check is a HIPAA-compliant means of receiving payment.
HIPAA best practices for therapy payments
The HIPAA Journal has an article listing some best overall practices for HIPAA compliance.
When it comes to payments in particular, follow these guidelines.
Don’t:
- Include any information about a client’s treatment or care when processing payment information
- Send receipts or invoices using unencrypted email (or use a provider that sends them this way)
- Store unencrypted payment card information in any way
Do:
- Make sure any healthcare payment provider is Payment Card Industry (PCI) compliant and follows the PCI Data Security Standard (PCI DSS)
- Use a POS with up-to-date encryption technology
- Ensure any card reader you use is EMV chip card compatible
It may cost you slightly more to use a HIPAA-compliant payment method, rather than an everyday service like Venmo. But it’s worth it—both for the security of your clients’ information, and so you don’t get penalized for breaking HIPAA rules.
As you plan to put a HIPAA-compliant payment system in place, be sure to include any related fees in your therapy practice’s budget.
This post is to be used for informational purposes only and does not constitute legal, business, or tax advice. Each person should consult his or her own attorney, business advisor, or tax advisor with respect to matters referenced in this post.
Bryce Warnes is a West Coast writer specializing in small business finances.