Getting paid is an essential part of practicing, whether you’re in private practice or employed by someone else. Astute students of HIPAA and other security and privacy regulations usually come to realize, at some point in their study, that getting paid and keeping our clients’ sensitive information safe from the larger world do not necessarily go hand-in-hand. Fortunately, I can tell you with great confidence that HIPAA does not want to prevent America’s health care professionals from getting paid for their work.
Take a look at your checks or your credit card, and you’ll see that your personally identifying information is on those documents. When you swipe a credit card, that personally identifying information is sent to the credit card processor along with the other necessary payment data. I’ve done numerous risk analysis consultations wherein my colleague-clients have asked me how to protect client confidentiality from bank tellers, other bank staff and credit card company computers. When personally identifying information is combined with information about payment for health care, such as when we process a payment from a client, the result is protected health information as defined by HIPAA.
Health care attorney Marcia Augsburger, JD, has written on the subject of financial institutions as potential HIPAA Business Associates, because these institutions create, receive, maintain, and/or transmit protected health information on our behalf. (Need more? See our article What Is a HIPAA Business Associate Agreement?) According to Augsburger:
Thus, unlike other entities, whether financial institutions must comply with HIPAA does not turn on their receipt, disclosure, or use of PHI. If this were the test, all banks would be business associates according to experts who have estimated that 40% of the information contained in most bank lockbox accounts meets the definition of PHI. However, OCR instructs that the focus is [not] on the nature of the information but on what financial institutions are doing with the information.
(Augsburger, 2013)
Augsburger claims that OCR (“The Office of Civil Rights” – the HIPAA People) says that banks and other financial institutions have a special relationship with HIPAA, wherein their mandate to comply with it is entirely dependent on what they do with information rather than what information they receive, disclose, use or maintain. So what can banks and other financial institutions do with our clients’ payment information and avoid the looming shadow of HIPAA? Let’s look at the law itself:
The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in §1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer.
(US Dept. of Health and Human Services, 2013)
It sounds like the text of the HIPAA Omnibus Final Rule – the most recent update to the HIPAA law at the time of writing – states that banks and “financial institutions” are exempt from the HIPAA rules when performing basic functions of processing payment. How thorough is that exemption, however? What, exactly, is covered by it? There’s more:
Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules, to the extent that these activities constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care…
(US Dept. of Health and Human Services, 2013)
Well, that is quite thorough. It seems to me that these activities would include such common tasks as authorizing, processing, and settling credit card payments, as well as transferring funds, such as with a PayPal payment transfer. The one activity in that list that remains somewhat mysterious is “billing,” since it is well established that companies that provide professional billing services are HIPAA Business Associates.
So “Financial Institutions” Are Exempt From HIPAA?
The law, as we can see above, is quite particular about the specific scope of activities that financial institutions can engage in and still enjoy the exemption from the HIPAA rules. There are many activities that most banks, merchant service providers, and other financial institutions engage in that fall outside that scope. In fact, the Omnibus Rule anticipated this question:
However, a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.
(US Dept. of Health and Human Services, 2013)
Augsburger sheds a little light on the question, and partially addresses how “billing” fits into the equation:
For health care providers, “accounts receivable functions” include payment processing activities and billing, but they may also include mailing letters to patients who are behind on payment, reviewing the terms of coverage agreements and provider contracts with health plans and other payers and applying them in dealing with patients, setting up payment schedules, and tracing changes to patient addresses. Presumably, financial institutions performing these kinds of activities on behalf of providers are business associates.
(Augsburger, 2013), emphasis mine
Augsburger points out that banks may provide a variety of services for their customers that don’t fall under those defined in section 1179 of HIPAA and therefore could reasonably be labeled “non-exempt” for our purposes here. I would like to add some more examples of non-exempt services that are more typically encountered in mental health practice:
- Using invoicing services provided by your financial services provider (e.g. PayPal or Square). These companies can send invoices to clients on your behalf and manage and track their payments. This is a non-exempt service. Which is too bad, because this invoicing feature would be a very handy service for those who practice telehealth and need to receive payments remotely. Note that Square offers a HIPAA Business Associate Agreement to go with its invoicing service, but HIPAA compliance issues linger despite that. See our article on Square’s BAA for more.
- Be especially aware of any service that offers to send emails or text messages to clients on your behalf. Even though clients are allowed under HIPAA to consent to receiving emails that contain protected health information (see our article on consent for emails for more), the issue here is not only one of email and text message security. This activity triggers a Business Associate relationship between you and the service, and that is unaffected by client consents.
To make sure it’s clear: the main concern we are addressing here is a financial institution taking on a HIPAA Business Associate relationship with you. If such an institution performs any services for you besides those defined above as exempt from HIPAA, it will generally become your Business Associate. If you don’t obtain a Business Associate contract from the institution before it performs a non-exempt service, you will be in violation of HIPAA.
How Do I Get a Business Associate Contract From My Financial Service Provider?
Most financial services currently won’t execute Business Associate Agreements, with the notable exception of Square (although Square’s HIPAA situation still has major issues; read our article on it for more). This means that HIPAA compliance requires avoiding the use of any non-exempt services from companies that don’t provide BAAs and full support for your HIPAA compliance needs.
Another strategy is to use a financial service that does provide a Business Associate contract, such as a practice management system that includes invoicing, billing and payment features. Here we see yet another example of how cloud-based practice management systems and electronic health record systems generally simplify HIPAA compliance. If you want to find one, I recommend starting with Rob Reinhardt’s reviews of such systems.
Another item to clarify: the potential for a Business Associate relationship with a financial institution does not, in any way, mean that you cannot use the institution’s services. You simply need to avoid using the non-exempt services, since those are what trigger a BA relationship. For example, you can collect credit card payments with Square, but do not use it to send receipts. Likewise, your clients can send payments to you through PayPal, but do not invoice them using PayPal’s invoicing feature.
Alternatively, you can provide clients with paper receipts, email your own receipts (by secure email), send your own invoices to clients, etc. There are a variety of ways to replicate non-exempt services in HIPAA-compliant ways.
Thank you for sending your thoughtful newsletters. I especially enjoy reading them because they are well written, which helps because I’m a beginner when it comes to the world of technology.
Regarding HIPAA/privacy and electronic payment, I didn’t notice any comment on the way that Visa or MasterCard lists payments made on the monthly invoice that they mail to the client.
I have a contract with a service called ProfessionalCharges.com which ensures charges are listed as ‘prof charge’ rather than as the name of my psychology practice. How does the credit card invoice list a payment made through Square or PayPal? Is the client’s privacy protected from whomever looks at that invoice?
Hi Julianne,
Thank you for the kind words. :)
The name of the merchant listed on the financial statement will vary by company. It’s not set by Mastercard and Visa. I don’t know off-hand what each company lists. The customer service folks with each company can tell you for sure.
Thanks for this well written article. I am seeing more payment services migrate towards Practice Management solutions with features such as invoicing, card data storage, etc. Do you see the requirement for the BAA with the Financial Service Provider become standard?
Hi Mr. Huggins,
Your one man’s mission has just reached another traveler. Thank you for this informative article, particularly for the clarity in your style and the ease with which you share practical notes on the topic.
Thank you again for sharing,
Mario
The BAA is required if any PHI handling occurs outside of the transactions described in the article above. I doubt that will change.
Hi Roy! Thank you so much for your quality information. I use Stripe for cc payments and will immediately “uncheck” the “send email receipt” box to limit my exposure. On another note, I enjoyed your webinar with Joe B. I am impressed with your chosen associations and look forward to working with Uncommon Practices. Be well,
Hi, Mary. Thanks for the compliment. I appreciate it. :)
And one quibble: “unchecking the send email receipt” box does limit your exposure, for sure. The risk analysis on that one, however, shows that it does far more to limit your clients’ exposure to harm and abuse than it does to reduce our risk of liability. Limiting both is great, of course. :)
Hi Roy,
This is all so helpful. I am trying to catch up on all the details since going out on my own. IF I get a credit card machine in my office, I can give the client the receipt that prints out of there, correct? I just can’t let a third party (i.e. Square) send a receipt. Do I have this right? I am trying to determine if it is just easier to have a device in my office. Of course, I would still need to have options for tele clients.
Thanks!
What about mobile check deposits? My bank now has an app that gives one the ability to cash a check right from the app, by taking a picture of it. Is this a safe practice?
That’s most likely fine. You’ll want to see the whole process of how the bank handles your check images to be sure they aren’t doing something cavalier with those images. That’s all part of risk analysis.
If you need more details or consultation, feel free to get in contact with us for it! https://dev-personcenteredtech.com/contact/
Roy, does section 1179 apply to vendors contracted by the bank for healthcare lockbox services? Where the PHI/HIPAA information flows between the two vendors (one vendor processing the lockbox imaged payments, the other vendor translating the EDI 835 format directly for the bank’s customer), and not flowing through to the bank. Without contracting away the bank’s obligation?
Hi Sandra,
This question would be outside of what we study about HIPAA’s applications. I recommend looking for a certified compliance specialist with knowledge of both HIPAA’s application to Business Associates and banking regulations.
Thank you for your very informative information.
Hi Roy, I have been reading your articles for hours and found them quite helpful! I’d like to tell you what I’m planning to set up and see if you find any holes in the plan.
I provide healthcare services. I am using Square(up) in a HIPAA compliant way. However, to reduce my CC fees, I’d like to use Zelle and Venmo instead, as these are free. I already encourage clients to use cash or check. If I use Zelle, I would only use it to charge the CC card (or HSA card) and nothing else. Since Zelle’s transactions are bank to bank, I believe I’d be HIPAA compliant. With Venmo, I’d set all transactions to “private” and use it only to charge the CC card. I THINK this would be HIPAA compliant, but since there is an app (Venmo) in between my bank and my customer’s bank in this transaction, I’m not 100% sure. What do you think of my plan?
Hi Kaley,
We’re glad you’ve found the articles helpful! Regarding Roy providing feedback on your plan and guidance for HIPAA considerations, that’s exactly the sort of thing our member Office Hours is designed for: it is a means of providing access to direct consultation on particular practice considerations. You can learn more about the membership and Office Hours by clicking these links. An alternative is individual consultation. I suggest membership, though, as it is a more cost-effective option than individual consultation, and includes a wealth of additional resources.