Square, sometimes called “Squareup,” is the upstart on the credit card payment scene that uses a little square-shaped doohickey that you stick in the headphone port of your smart phone or tablet computer. You can swipe credit cards through the doohickey and, in combination with an app on your mobile device, make charges to the card. You don’t have to set up any merchant banking account, you don’t have to buy anything (the doohickey is free), and you pay no setup fees. It’s like a dream come true.
This is too good to be true. Is it HIPAA compliant?
Yes! The dream remains alive!
The Office of Civil Rights — the federal agency that does most of the enforcing for HIPAA — stated in January of 2013 that HIPAA does not come into play when we charge clients’ credit cards for health care services. According to Marcia Augsburger of DLA Piper:
The OCR clarified that financial institutions are not required to comply with HIPAA when they conduct certain payment processing activities. These activities include cashing a check, conducting a funds transfer, and authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.
[Updated 4/29/2013]: To be specific about what this means: When you run a card with Square, you are sending electronic protected health information over a network where that information is visible to Square employees and computers. Normally, you would need a Business Associate Agreement with Square for this to be HIPAA compliant (see “What Is a HIPAA Business Associate Agreement?”). However, the special exception for financial transactions makes the Business Associate Agreement unnecessary.
That’s great! So I don’t have to worry about HIPAA at all when I charge credit cards?
Well, hold on a second. OCR also specified that when banks perform services for us that go above and beyond those financial transactions, the protection is gone.
In Square’s case, we’re interested in the electronic receipts that it generates. When you charge someone’s card using Square, you have an option to send them a receipt by email or SMS (text message). Square will even fill in the client’s email address or phone number automatically if that client has made payments by Square before.
As we know, email and SMS (texting) aren’t secure technologies (see “Is Email HIPAA Compliant?”). The receipts sent by Square contain “protected health information,” to use the HIPAA jargon.
[Updated 4/29/2013]: Since Square turns your smart phone or tablet computer into a payment device for clients, you may also want to consider securing your phone or tablet to HIPAA standards. I have some information for doing that in the Resources page of my Security and Privacy CE course at the Zur Institute: Security for Mobile Devices.
[Updated 11/18/21]
So does HIPAA not allow me to use Square?
HIPAA never allows or disallows anything. HIPAA asks you to balance risks and costs, reduce risks to reasonable levels, and comply with certain security standards. In this case, the electronic receipts pose a minimal-yet-existing confidentiality risk. The actual level of risk depends on the client’s context. Does the client have an abusive and snoopy partner who might harm the client if the receipt is discovered? Does the client live with a supportive family who all know that the client is in therapy? These situations create completely different levels of risk.
It is simple to reduce the risk by not sending the electronic receipts and supplying a paper receipt instead.
[Updated 8/1/2013]: OCR’s public statements this year regarding the Business Associate rules have expanded the Business Associate net quite a bit. After the September 23rd, 2013 compliance date, when Square sends an email or text message receipt on your behalf, doing so will cause them to become your HIPAA Business Associate. That means that even if your client decides to accept the confidentiality risks of email and text message receipts, you would still end up needing a Business Associate agreement with Square to avoid non-compliance with HIPAA — and Square won’t do those agreements. So the autonomy of the client in this situation has been superseded by new interpretations. This could change in the future, and we’ll keep an eye out.
Updated 2/25/2015: We also offer our sample Electronic Payment Communications Disclosure form to our newsletter subscribers, in order to help discuss with clients the confidentiality risks of automatic email receipts. Subscribe to our newsletter here to get access to this and other useful forms.
So that’s it, then? Sounds nice and simple!
You knew it wouldn’t be that easy, didn’t you?
When we talk about credit cards, we have to talk about a lovely thing called “PCI DSS.” PCI DSS is like HIPAA, but for credit cards. There’s one big difference, however. While HIPAA is a law created by the feds, PCI DSS is a standard created by the credit card companies. You don’t have to comply with PCI DSS because it’s the law — you have to comply with PCI DSS because you promised you would when you signed the contract that allows you to take credit cards.
What does this mean to you? Here’s the short version: Square’s software and their computer networks are PCI DSS-compliant, so long as you don’t have an outdated card-slider doohickey. The doohickey, which is more formally called a “dongle,” was updated in 2012 to comply with new PCI standards. The newer dongle is thicker than the old dongle, and has a visible seam along the back side. If you’ve had your dongle for a long time, you may wish to order a new one. Square will give them to you for free — you need only ask. If you’re starting fresh with Square now, you’ll be starting off right.
The longer version of the story is a little more complicated. You, as a merchant, are required to be PCI DSS-compliant yourself. In theory, you can be audited and asked to prove your compliance. In practice, small merchants are not really expected to actively prove PCI compliance. What’s more, I asked Square to tell me what to do if a Square merchant finds themselves facing a PCI audit. This was their reply:
Unlike traditional merchant companies, we don’t require account holders to go through a complicated and expensive PCI compliance application. There are no additional PCI compliance or hidden fees for using Square. Square itself is PCI compliant, so we take care of it for you. You can consider it one less thing to worry about.
The Square representative is definitely blowing marketing smoke at me, but one thing seems clear from this response: Square will not require its customers to prove PCI compliance, even though other credit card processing companies probably will. This is part of Square’s business model, and one reason why Square is so attractive to therapists in private practice.
But does Square provide good service? Is it a good company?
The biggest complaint about Square that I’ve seen is poor customer service. If your account shows suspicious activity or a client disputes a charge, Square (like any other credit card company) may put a freeze on your account, including holding all the funds that were in there at the time they froze it. When this happens, Square is known for being unresponsive and unhelpful.
However, therapists are an ideal group for Square’s business model. Square’s way of operating is ideal for businesses that don’t process a lot of card transactions (“a lot” in this case would be tens of thousands of card transactions per year), and where the average transaction is greater than $25. Square is usually happy with businesses that fit this mold.
What’s more, therapist offices provide a good security situation for Square. The biggest security criticism for Square is that a bad guy could make his own hacked version of the dongle, go to a store, and secretly switch the merchant’s dongle with the hacker’s own modified version. The modified dongle would then start recording credit card data for the hacker. In a therapist office, this is highly unlikely to happen, unlike in a retail store where the clerks’ attention is split amongst many tasks and it’s easy for an anonymous person to pull the switcharoo.
Are there alternatives to Square?
PayPal and ProPay both offer a Square-like service that works with smart phones and tablet computers. The caveats about those services are largely the same as for Square.
Whatever service you use, accepting credit cards is clearly becoming an important part of 21st-century practice. With a little forethought, you can accept this tech innovation into your practice and, hopefully, make your work life a little easier.
Acknowledgements
Special thanks to Seattle counselor Clinton Campbell in helping me sort out the mess that is PCI.
If you are using the same smart phone to talk to patients or have it in your office with Square (or most of the other apps) you are probably breaking HIPAA laws. LOOK AT THE PERMISSIONS for the app: record audio, access your contacts, make phone calls to your contacts, and many of them say: take pictures and record video without your knowledge. Pretty sure that type of power cannot be given to a third party.
Hi Jennie,
This is actually the reason why in my article I talk about the need for the updated card reader dongle. Square’s existence triggered the PCI DSS rules to be updated to deal with the fact that smart phones are not good devices to store card info on. The newer card readers encrypt the credit card data before putting it into the phone, so the phone itself never sees the card data. This was an important change and it’s why I urge anyone using Square to avoid using the old card readers.
Health IT security specialists generally recommend that clinicians avoid putting medium-high risk protected data directly on a mobile device. This is why, for example, I like mHealthText (http://www.mobilehealthrx.com/) as a secure texting app. It doesn’t store the text messages on your actual phone.
Any comments on intuit? It’s what I have been using.
I haven’t used or looked at Intuit yet. Sorry, Emily.
Someone in my LinkedIn group may know more about it. You could post there: http://www.linkedin.com/groups?home=&gid=4203297&trk=anet_ug_hm&goback=%2Egmr_4203297
I’m likely confused, but are we maintaining HIPAA compliance (with use of PayPal/Square) as long as we do NOT text/email receipts from the phone/pad?
Hi Emily: By not sending email receipts from the Square app, we help avoid a Business Associate relationship with Square. Since Square won’t sign a Business Associate contract with us, that means that by extension we are avoiding HIPAA violations by not sending those emails.
Thanks Roy! LOVE your site…
Hi Roy,
I have been thinking of switching to Square because my CC fees are so high. As a chiropractor I don’t have a huge volume but I am a bit concerned about account freezes. What are your thoughts? Thanks,
Charles
Low volume means things like Square are a good idea. I’ve never known anyone who got their account frozen, but Square can be vicious about it. Good luck!
Hello Roy, Thank you for this great article. In thinking about this, the amount of information sent via an email or text receipt is very minimal, from what I can tell. It only shows my name, credentials, and business address. This doesn’t even describe what was purchased or for whom. In other words, there is no indication that the person using the credit card is the same person who received services. They could be paying for services for a child, spouse, or partner. They could even be purchasing a book from me (or really a pedicure for all you can tell from the statement if someone is unfamiliar with my particular credentials). So, how can this be a HIPAA violation? A snoopy partner (as you mention in your article) can get much more information from a statement that arrives in the mail. What are your thoughts?
Hi Ursula,
I think your analysis of the real risks involved is about right, although I would be a little more cautious about assuming that there are no threats out there that could take advantage of the information in the receipt emails or text messages.
The problem here is that the issue is not one of managing security threats, as you are proposing in your comment, but one of complying with the HIPAA Business Associate rule. That rule is much more rigid, and in many ways somewhat removed from the process of managing security risks.
I have just signed up for a new, simpler, free Square service called Square Cash. No dongle required, just a smart phone. I haven’t used it yet, but it seems worth considering. Did I mention no fees (for now). I learned about it from an article in the New York Times (http://www.nytimes.com/2014/02/22/your-money/square-cash-free-for-now-has-several-payment-perks.html?_r=0). Does anyone have any experience with this?
I’m planning on switching away from Square for a few reasons. The main one being that it seems as though they have recently changed how their email/text message receipts work. It seems that if a client has used their credit card with another merchant and has asked to receive an email receipt from that merchant, that Square now automatically sends email receipts from me too. That means, I have no way to NOT send an email receipt if a client has asked for email receipts from other merchants.
In my research with regards to using mobile card readers (like Square, SparkPay, etc.), I’ve been told (by at least one credit card merchant service) that Visa and Master Card mandate that receipts for all mobile transactions must be emailed to the merchant and that these receipts will contain my business info (identifying me as a health care provider) and at the least the customer’s signature. This, in theory, could be hacked, and client PHI could be at risk. Am I understanding correctly? Is my only other option to use a handheld wireless terminal that reads cards and prints receipts? A desktop, wired terminal is not an option for me right now.
What are the best options for small sole proprietors who do a combination of office and home visits?
I have heard about the auto-send of receipts for some customers, although I haven’t seen it myself, yet. I recommend putting an informed consent process in place to inform customers this can happen. If it is automatic, then we have very little control over it.
I have been using Square frequently for a long time, including this last week. I don’t receive emails from Square that contain client signatures. Those signatures are viewable in my Square account online. The emails I receive simply state the amount collected and the last 4 digits of the card used.
The rule says a BA relationship is triggered when a company has access to PHI and does anything above and beyond standard banking. I use something like Square (First Data Mobile Pay). As far as I can tell it doesn’t access any PHI, so it would not trigger that relationship.
The app has no idea whose charges are being put on that card, or what CPTs generated the charges. The receipts print my business name, the date, the total charge, and the last 4 digits of the card, nothing else. They do list an “invoice number” but this is basically a “receipt number” randomly generated by the app and has no correlation to anything. (If I ran the same card again later that number would change.) The app doesn’t even print the cardholder’s name or signature. The signature can be included in an emailed receipt if I push some buttons, but is not generated with the standard printed receipt or the texted receipt.
I have little interest in texting these minimal 3-line receipts to every client, but sometimes people want them. Also it would be really convenient for me to move the “printed” receipts through Google Cloud Print. Given that the patient and the services are not identified, and the payer is identified only by the last 4 digits of a credit card (which are probably shared with several other people), does this really trigger a special relationship?
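The reply earlier in this thread about the newer card readers encrypting card data before it reaches the phone, and the receipt descriptions just above (business name, date, total, last four digits), describe two separate protections: the phone never holds the account number, and the receipt never carries more than the last four. The following Go program is an added illustration of that design, not Square’s code or the actual protocol of any card reader: the reader and the processor are modelled as two parties sharing an AES-GCM key, the phone app is modelled as a function that only forwards an opaque blob, and the card number is a constructed test value. Key handling, key injection into the reader, and the real P2PE formats are all assumed away.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardData is what a stripe or chip hands to the reader. The PAN used below is a
// constructed test number, not a real card.
type CardData struct {
	PAN    string // primary account number
	Expiry string // MMYY
}

// newAEAD builds an AES-GCM instance for the shared reader/processor key (assumed
// to be injected into the reader at manufacture; that process is not modelled here).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptingReader models the newer reader design: the key lives in the reader and
// only ciphertext is handed to the phone.
type EncryptingReader struct{ aead cipher.AEAD }

func NewEncryptingReader(key []byte) (*EncryptingReader, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &EncryptingReader{aead: a}, nil
}

// Swipe encrypts inside the reader and returns nonce || ciphertext || tag.
func (r *EncryptingReader) Swipe(card CardData) ([]byte, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plaintext := []byte(card.PAN + "=" + card.Expiry)
	return r.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// LegacySwipe models the old reader design: card data reaches the phone in the clear.
func LegacySwipe(card CardData) []byte {
	return []byte(card.PAN + "=" + card.Expiry)
}

// PhoneSeesPAN is the check to run on whatever payload the phone app receives:
// does the mobile device ever hold the account number?
func PhoneSeesPAN(payload []byte, pan string) bool {
	return strings.Contains(string(payload), pan)
}

// Processor models the acquirer side that holds the matching key.
type Processor struct{ aead cipher.AEAD }

func NewProcessor(key []byte) (*Processor, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Processor{aead: a}, nil
}

// Decrypt recovers the card data; a modified blob fails GCM authentication.
func (p *Processor) Decrypt(blob []byte) (CardData, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return CardData{}, errors.New("blob too short")
	}
	pt, err := p.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return CardData{}, err
	}
	parts := strings.SplitN(string(pt), "=", 2)
	if len(parts) != 2 {
		return CardData{}, errors.New("malformed card data")
	}
	return CardData{PAN: parts[0], Expiry: parts[1]}, nil
}

// MaskPAN keeps only the last four digits, which is all a receipt should carry.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Receipt builds the minimal receipt the comments describe: merchant, date, total, last four.
func Receipt(merchant, date string, amountCents int, pan string) string {
	return fmt.Sprintf("%s\n%s\nTotal: $%d.%02d\nCard: %s",
		merchant, date, amountCents/100, amountCents%100, MaskPAN(pan))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	card := CardData{PAN: "4111111111111111", Expiry: "1230"}
	reader, _ := NewEncryptingReader(key)
	proc, _ := NewProcessor(key)
	blob, _ := reader.Swipe(card)
	fmt.Println("legacy reader leaks PAN to phone:", PhoneSeesPAN(LegacySwipe(card), card.PAN))
	fmt.Println("encrypting reader leaks PAN to phone:", PhoneSeesPAN(blob, card.PAN))
	got, err := proc.Decrypt(blob)
	fmt.Println("processor decrypted:", err == nil)
	fmt.Println(Receipt("Example Counseling Office", "2015-03-01", 12000, got.PAN))
}
```

The two checks worth keeping from this model are the `PhoneSeesPAN` test on whatever the app receives, and the fact that `Decrypt` rejects a blob that was altered in transit, which is the property that makes a swapped or tampered payload detectable at the processor rather than on the phone.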
Hi Could I get some advice on language I can use to add to my informed consent about Square?
Jennifer, I am developing something like that. Look for it in the future.
Hi Ariel,
PHI = Personally Identifying Info + Info About Health Care or Payment for Health Care
HIPAA mentions email addresses and phone numbers in its list of information that is personally identifying. Receipts for therapy sessions are definitely info about payment for health care. So the receipts contain PHI regardless of how we try to minimize information. They are not especially high risk info, but they are still PHI.
All of Square’s claims aside, the PCI Security Council says that they now list approved mobile payment solutions on their website. They would be under “Validated P2PE Solutions” list. I don’t see Square listed there. (Neither do I see PayPal Here.) That makes me concerned that they are actually not approved by the council as PCI-DSS compliant.
Hi Roy, any update on the informed consent form?
Hi Brad,
I’ve been doing some deeper investigation on how to handle services like Square from a HIPAA perspective. The situation created by Square, PayPal, etc. is not clearly handled by the law, so I’m working on getting more legal analysis and perspective.
As for language: the main point is to inform clients that the service may send them a receipt by email or text message, even if they don’t explicitly ask for it. If that would be harmful or problematic for them, they should ask for a different payment method. (remind them to think of all their email accounts and which ones may have received Square receipts in that past — e.g. work email accounts, school accounts, etc.)
Hi Mark,
The Validated Solutions list is a kind of “pre-approved” list. Lack of presence on the list does not imply that a solution is *not* PCI compliant. It simply means it hasn’t been officially validated as PCI compliant.
I’ve recently heard that Square will no longer be PCI compliant as of October 2015 and that if we continue to use Square after that time, we (psychotherapists) will be at risk of law suits?! Do you know anything about this?
Hi Diana,
October 2015 will be when accepting chip cards will start to be “required,” so to speak. Merchants (us) will be in a position where not accepting chip cards when a client presents one will make us 100% liable for any fraud that occurs as a result.
The truth, however, is that Square is already developing the ability to take chip cards. So we’ll be fine by the time that deadline rolls around.
Cheers,
-Roy
Roy I just wondered if you had any more info on square and the email receipts? I contacted square and the vendor cannot turn off auto-receipts for their transactions. So currently the only way I can see is to have them sign a consent form. Did you manage to craft language for one? Thanks for the work you have done!
Hi Andrew,
No, I haven’t had time to work on that one. Check my above comment about how you might take care of it yourself. :)
Why won’t they sign a Business Associate Agreement??
Hi Cliff,
Signing such an agreement can bring a lot of potential legal liability to the company. Square probably sees themselves as exempt from the need, as well, because they are a financial services company.
-Roy
How do patients stop receiving square receipts via email/text if they already do so that we can bring our patient accounts into HIPAA compliance using Square?
Roy,
My questions are around email receipts. We are planning on moving to a new online and point of service processor. We will be entering into a contract with a BAA. When sending the customer an email receipt we were planning to include Acct#, date of service, and amount paid; this would also have our logo and address information, plus a confirmation code. This email receipt would not be sent encrypted. Does this meet HIPAA since I would have a BAA?
If you offer credit card payments on your website (through Square or PayPal), that clients solely are responsible for initiating, would that still be a HIPAA violation?
Hi Andrew,
I just added a new form to the free forms section of this website that provides some language you can use to help inform clients about the confidentiality risks from the auto-generated emails.
You need only subscribe to our free newsletter to access it: https://dev-personcenteredtech.com/get-our-articles-and-updates-by-email/
Jennifer and Brad,
I just added a new form to the free forms section of this website that provides some language you can use to help inform clients about the confidentiality risks from the auto-generated emails.
You need only subscribe to our free newsletter to access it: https://dev-personcenteredtech.com/get-our-articles-and-updates-by-email/
Hi Cami,
Generally speaking, I don’t see an issue with putting buttons on your website that lead to places where clients can send you payment. If you take payments directly through your website, that would likely be a different situation.
BTW, I just announced a free seminar to happen on Mar 20 that will cover topics of taking credit cards in mental health. If you’re interested, check it out here: https://dev-personcenteredtech.com/training-descriptions/put-it-on-the-card-legal-ethical-issues-in-electronic-payments-for-mental-health-pros/
Franco,
The answer to this one is pretty complicated and is an issue for risk analysis. I’m not comfy with the idea of sending those pieces of info by email, myself.
Square does state that there is a way for customers to do that, but I’m not sure how it works. You can visit the Square website and see what info they have about it there.
Thank you for this informative article, and this site as a valuable resource for clinicians! In case you weren’t aware, Square now has the capability to disable the automatic emails that are sent to clients. It still produces the option of having an email sent to the client, but clients can be asked not to push the “send email” button after signing. You have to ask them to do this, and you may need to ask to talk to more than one person at Square to get it to happen.
Yes, indeed. One challenge is that most clients don’t even know they have auto-receipts turned on until they try it out. And getting it turned off is probably more of a pain than the client wants to deal with.
Luckily the clients don’t have to deal with it – the clinician can call Square and ask to have the automatic emails disabled for their business (so, presumably, clients still receive the auto-emails when they use cards at other businesses). I had to spend quite a bit of time on the phone with Square to get them to make this change to my account. Square doesn’t have any way, at this time, to allow the clinicians to disable the auto-emails in the app settings.
That is very helpful. Thanks. I’m gonna look into this and update the article!
Really helpful article. Do you know if the new Square chip reader (dongle), that is $29.00 is HIPAA compliant?
It’s not really a question of HIPAA compliance so much as PCI compliance. I haven’t read up on the dongle but I can’t imagine why Square would make their new dongles stop supporting PCI compliance.
I used intuit for a few years. They are reliable, and if memory serves me, they offer a BAA despite not technically needing to.
Hi Bailey,
The above mentioned issue that you address, clients receiving automatic receipts from me because they have accepted receipts from other merchants, just happened to me last week, and the receipt went to her boss’s email! Thank goodness I have talked to all of my clients about the risks involved by using credit/debit cards, have a consent in place, and have given handwritten receipts. However, it was only until I read about this issue in your post. Also, as others have mentioned, Square has obviously changed their options regarding not receiving a receipt, as I have had that problem, as well. I have only been accepting credit cards for less than a year. I am looking for another option. My preference would be to accept cash or checks, only. However, there are risks involved with that, too!
Roy, thanks so much for all of your free handouts, free information, this blog, etc. I did attend one of your seminars and this is how I found out about issuing a hand written receipt. Also, the seminar was awesome!
Also, thank you for your ongoing commitment to us psychotherapy providers regarding all of this HIPAA stuff! I can’t imagine how much time you must spend staying abreast on all of this.
Did anyone else notice that Square snuck a HIPAA BAA online? I first noticed it around the new year. Any thoughts?
https://squareup.com/legal/hipaa
Thank you, thank you! I had not seen this, and am quite happy to see it now.
I’ve sent them a message asking for more details, and you can bet I’ll be writing all about it as soon as I get more info.
Hi Roy – thanks so much for all of your help. I just looked at Square and they have this link https://squareup.com/legal/hipaa and https://squareup.com/help/us/en/article/5091-hipaa-compliance
When I read that it sounded like you have “agreed” to a BA with them if you are invoicing for PHI. But I can’t find a document to “sign”. Have they moved to a model of BA since your last post on this? And if so, am I understanding correctly that the BA is automatic? Or is there something I need to DO to make sure this is in place?
Hi Amber,
Thanks for your message! You’re correct that Square has indeed adopted a BA since Roy’s last update to this article. The BA is now automatic and contained in the TOS, nothing needs to be signed or done in order for it to be in effect and it can be obtained from Square if and when it is needed.
Please do check out one of Roy’s other articles on Square: https://dev-personcenteredtech.com/2015/03/01/ethics-of-disclosure-to-clients-who-pay-with-plastic-or-online-transfers/ to be informed regarding additional protected health information disclosure and HIPAA compliance considerations when utilizing Square services.