There are advantages and drawbacks to this practice, and most clinicians are primarily concerned about these issues:
- How can we keep the credit card information safe? Are there HIPAA or PCI DSS issues in keeping card info on file?
- Is it ethical to require clients to provide card information so that we can run charges in their absence?
- What do we need to do to make the practice legal and effective?
How Do We Store and Use This Information?
The classic, and now defunct, way to store credit card information would be to photocopy or scan each side of the card, get the necessary agreements from the client, and keep it all in the client’s file. This might mean keeping paper in a filing cabinet or scanned documents in an electronic system. Due to PCI-DSS requirements, and the availability of much safer methods of storing credit card info, we strongly recommend against this method.
Another way to store information is to use a merchant service that allows you to store credit cards in their system, usually online. Such a system would hold the information on your behalf and allow you to charge the card when you need without having to store or remember the credit card numbers or other info. Many online practice management systems provide this service, as well.
Ethical Issues
In general, when professional ethics codes address the issue of payment, they state that the circumstances and requirements of payment need to be defined and agreed to up front. What’s more, in my opinion, informed consent would include informing the client of how you store the card information and how you go about charging it.
The most pressing question, in my mind, is whether or not it is ethical to require a client to provide credit card information to be kept on file, as some private practitioners do. Another way to phrase this is to ask whether it is ethical to predicate the provision of counseling services on the client providing payment info up front and agreeing to its storage and later use.
Private practitioners are not necessarily required by professional ethics to work with all comers, and are allowed to define the parameters of how their practice works within certain ethical and legal limitations. However, a given client may not trust the method you use to store their sensitive payment information or they may object to the circumstances under which you charge their card in absentia. In these situations, should a clinician insist that the credit card information be turned over before therapy can begin (or continue)? Would it be ethical to do so?
Many clinicians who make a habit of getting up-front payment information from clients say that they do not push it when clients object. It seems to me that this policy is a wise one for not only ethical but also clinical and business reasons.
Security Issues – HIPAA and PCI DSS
Since the payment information we’re using qualifies as protected health information, we have an ethical responsibility and a responsibility under HIPAA to secure it regardless of HIPAA covered entity status. (Not sure what that is? See our article, Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not?)
Also vital to consider is that anyone who accepts credit cards in the United States agrees to comply with PCI DSS (aka “PCI”) — what I like to call “credit card HIPAA.” This is not a law but rather an industry standard that everyone agrees to when they contract to accept credit cards (if you accept credit cards, you agreed to comply with PCI as part of the registration process.)
Some states do have laws that support, in various ways and to various degrees, PCI as a security and privacy standard.
PCI is much more specific than HIPAA in regards to particular security measures that we must use to protect payment card information. HIPAA would act in this case through its usual requirement that you perform a risk analysis, which includes assessing the way you store clients’ payment card info, and that you come up with a reasonable risk management plan following the analysis. PCI requires the same risk management process, but also requires and/or heavily encourages specific security measures.
In the case of storing card info for charging later, PCI is much stricter than HIPAA and thus defines the rules we need to go with.
We could explore the specific requirements that PCI lays out, but they come down to this: we advise that no practice should store credit card info on paper or in their own electronic systems, at all. In other words, we advise that all clinicians and practices who wish to hold card info on file should use a merchant service provider to do it.
These days, storing card info with a merchant service provider is quite easy. They generally allow you to enter client card info once and then later you can apply charges to those cards without having to see the actual card info ever again (except, perhaps, for the last 4 digits of the card number) — this is a very good thing for your clients’ security and privacy. Many such services exist and have low costs. This may be one part of why PCI does not easily tolerate storage of payment card information in one’s office — it’s so reasonable to have professional merchant services do it for you and do a far better job of keeping it safe.
Many merchant service companies that offer credit card charging also offer this card storage service. Importantly, a lot of practice management systems do, too.
Most practice management systems don’t store your clients’ card info themselves. They generally “farm out” that part of their service to third-party financial service providers. Many clinicians (and clients!) find this integration of practice management and instant billing to be very useful.
HIPAA Issues – Business Associate Relationships
If we store the credit card information with an online provider, then they are storing protected health information on our behalf. Normally, this would cause a HIPAA Business Associate relationship between us and the service provider. If such a relationship exists, then we must get a Business Associate Agreement with that provider in order to remain HIPAA compliant. (Need more? See our article, What Is a HIPAA Business Associate Agreement?)
Financial service providers, however, have a special exemption from HIPAA insofar as they only perform certain specific financial transactions. A financial service that is providing the basic service of storing and charging credit cards is probably not a HIPAA Business Associate to the covered entities that they provide this service for.
The previous version of this article argued that financial services that store card information on a covered entity’s behalf may or may not be HIPAA Business Associates, but consultation with a number of experts has indicated that HIPAA covered entities are likely not expected to get Business Associate Agreements with these financial service providers. It is possible that this state of affairs will change, but it does not seem likely at the moment.
Do be aware, however, that financial services could potentially provide extra services that move them into HIPAA Business Associate territory. See more about that in our article on Banks and HIPAA.
Definitely consult with legal counsel if you’re unsure.
What About Practice Management Systems That Store Credit Cards?
As was stated earlier, practice management systems often use a third-party service to actually store the card info and make the charges. Systems that don’t use a third-party service are likely financial services themselves.
The fact that practice management systems act as an intermediary between you and the merchant service means that they are handling your protected health information on your behalf and are your HIPAA Business Associate.
This is nothing new, however. Practice management systems are already Business Associates for a number of reasons, and you already need to make sure you have a Business Associate Agreement with them anyway (which is also rather easy in the majority of cases).
If you wish to find a practice management system that can manage credit cards for you, I recommend starting with Rob Reinhardt’s reviews of practice management companies.
Credit Card Company Issues
Lest we forget in our discussion of professional ethics and laws, the companies that provide our merchant service accounts have their own issues we need to be aware of.
Specifically, if we don’t get it in writing that a client agrees to all the charges we make, then they have a strong case for reversing any such charges. Think about when you use a credit card at a store. After payment, you generally need to sign the receipt and give it to the cashier (these days, many stores don’t require this on charges below $25.) On that receipt is some text that basically says you agree to pay the amount charged “according to the cardholder agreement.” If you decide later to contest the charge, claiming you never made that purchase, the merchant can produce your signed receipt as proof that you did, in fact, agree to the charge.
As you’ve probably already surmised, making charges in the client’s absence could get us in trouble here. Without a signed agreement from the client, provided ahead of time and defining when charges will happen and how much they will be, we are vulnerable to the client successfully doing a “chargeback,” wherein they contest the charge and have it refunded by the credit card company. Not only do chargebacks mean we don’t get paid, but they also are a black mark on one’s merchant record.
If the client genuinely didn’t expect the charge, there is likely an ethical issue at hand, as well.
Advantages of Holding Credit Card Information
This article has discussed a lot of pitfalls and problems, so let’s make sure to talk about the benefits.
Making sure you can collect all your no-show fees, deductibles, and other money owed to you can be invaluable in private practice. Holding on to payment information is a kind of safety net that all but ensures that you can do this. If your policies and procedures are reasonable, well thought out, and well presented to clients, the majority of clients will not object to the practice and many may find it quite convenient.
You don’t have to limit the practice only to no-shows and unpaid bills. With this scheme, you can bill clients on your own time and skip the rigmarole of running a card or handing over checks or cash at session time. Companies that provide this service usually charge higher fees than are typical, so you may not wish to use it all the time, however.
Hi,
I am interested in accepting credit cards in my practice strictly for no-pays and no-show fees. I am wondering if anyone has an example of paperwork that the client signs giving the therapist permission to do this? What is the legal wording that the client would receive that enables a clinician to bill a credit card for a no-show, etc?
Hi Tammy,
I am not specifically aware of an answer, myself. It is possible you may need to get such a document from a lawyer.
-Roy
Tammy,
This article was of significant interest for me, as I am the founder of a payment solution with a specific focus on the medical community. We have the required forms, HIPAA compliant “Vault” for the storage of card data, and a solution you may be interested in. Contact me at 480-704-1620 or [email protected] for more information.
Thanks for a good write up Roy. I was looking for something to point our users to for educational purposes on this topic. I found this to be really good.
Thanks, Shegun. Appreciate it!
If storing credit card information, please remember that doing so goes beyond HIPAA. You must meet PCI requirements. One big thing with PCI is that you should NEVER store the security code in any format (the security code is the code on the back of the card). Therefore, if you do photocopy the back of the card, make sure you completely black out the security code.
If you have any type of breach and it is found that you were storing the security codes, your liability skyrockets.
Very useful info, Joe. Thank you!
We keep card details on file in the company that I work for. Once the father of the client called up and confirmed that we could use the client’s card details to make the payment. The client was not angry that we allowed his father to use his details but more so the fact that we did not ask permission off the client first. If we had their details on file anyway would this matter? Very scared here as the client advised that he would be seeking legal action. I work in a small-ish company and I fear that if they do get legal action then I would most definitely get fired and also may bankrupt the company… do reply!
Hi Steven,
I’m sorry to hear you’re in a tight situation. Sounds rough!
This isn’t the best place to ask for this advice, however. You would do best to consult with a lawyer or a security and compliance professional who specializes in PCI DSS.
Best of luck,
-Roy
Often times credit card companies ask for company type and/or business name (which often designates us as counselors) when signing up. Putting something generic like “consultation” will often result in denial of charges by clients with HSAs. But does designating yourself as a licensed professional counselor or selecting that you are in the mental health field violate patient confidentiality since this may be seen by their credit card company and on statements, etc.?
I don’t imagine that changes the circumstance all that much. And you do need that designation in order for clients to be able to pay with HSA cards.
There are much larger issues and concerns that should be considered with this type of program and policy. You shouldn’t and can’t just take photocopies and keep them on file of the patient/client credit card. This leaves you and your practice with a large amount of risk, let alone not following the required policies and procedures for credit cards.
I suggest that if you are interested in doing this, you do your homework to ensure that you have the proper procedures in place and that no credit card information is kept on site at the practice. This should be done through the merchant services equipment and websites.
Thanks for this article Roy – it makes me glad that Theranest allows us to enter credit card details right in their system so we can easily charge them again for future sessions. A huge time saver!
Thanks Dave!
I completely agree with Dave that it is a bad idea to store credit card numbers on site. If you do, and you have a breach, and you do not have proper policies, procedures, safeguards in place that meet PCI requirements, then you are under big liability. It is always easiest to pass the storage of credit card information off to the merchant provider. From my earlier reply to this. If you do store a copy of the back of the card, which has the CVV, then you are *not* being PCI compliant.
As Steve points out, there is practice management software that will allow you to store it. When you do so, make sure the practice management software is storing it securely and following PCI. The best situation is when your software is tokenizing it. Most major practice management software will use this technology. I cannot speak for other PM software, however, I know Therabill does tokenization when saving your patients’ cards for you.
Thanks for chiming in, guys. I agree that this article needs updating to heavily discourage on-site storage of payment card information. It’s on my todo list.
Roy,
The article was helpful. I currently don’t store credit card information but have become concerned that I use Paypal Here to process credit cards and have become concerned that they store information. Initially I believed that this was acceptable as long as I didn’t request a receipt be sent to the client, which I make sure that I don’t. However, I receive a receipt from them through email that has the client name and sometimes their email. In this same article it indicated that if a client has previously processed their credit card with PayPal they would be in the system and readily identifiable and it suggested the solution was to be identified as a medical entity and no client information would be collected. I spoke with a customer service rep yesterday and was told this isn’t an option with PayPal. At the moment I am trying to decide how to ensure that I don’t lose money while not violating patient confidentiality. I try to read as much as I can and make sure that I am compliant but there is so much contradicting information available.
Belinda
Roy,
Very informative site and I’ve referred my mental health clients to you.
It is crucial that providers do not store credit card information on paper in their office if there are employees or others who have access to the files. Besides HIPAA, there are PCI compliance issues and identity theft issues (I have had experience with clinicians whose employees have stolen identities and used credit cards of patients).
If they are storing the data online in their software, their software should be masking the numbers except the last four digits so that the information cannot be stolen. Masking is a requirement of PCI compliance. I have seen many offices type the info in their clinical systems in an open notes field; this is not secure. If all the info can be viewed in its entirety after the initial transaction is complete, it is not secure.
The article has finally been updated!
Hi Julie. Thanks for commenting. The article has been in need of update for a while, and I just updated it.
Thanks Roy! Great update. One more detail is how cards are stored electronically. Let’s not forget that Target, Neiman Marcus and Home Depot were all PCI compliant, yet millions of card numbers were still obtained. The only secure way to truly store card data is to use a processor with all three of the following: Point to Point encryption, tokenization and a secure Vault. If you’re unsure, or your processor does not advertise this level of security, they are likely not doing it.
Good tips. Thanks, Tom!
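The pattern described in the article’s section on storing card info with a merchant service provider (enter the card once, charge it later, see only the last four digits), together with Joe’s point that the security code is never stored, Julie’s point that numbers must be masked and never typed into a notes field, and Tom’s point about tokenization and a vault, can be shown in working code. The following Python is an added illustration, not code from this article or from any payment processor or practice management product. `HostedVault` is a constructed stand-in for a provider’s vault (not a real API), `4111 1111 1111 1111` is a well-known test number rather than a real account, and the notes line the scanner is run over is constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form: everything but the last four digits hidden (PCI DSS masking)."""
    return "*" * (len(digits) - 4) + digits[-4:]


class HostedVault:
    """Stand-in for a merchant service provider's card vault (constructed for this
    example; not any real provider's API). The full card number lives only here."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}   # token -> (PAN, expiry)

    def tokenize(self, pan: str, expiry: str) -> dict:
        """Store the card once and hand back an opaque token. The security code
        (CVV) is deliberately not a parameter: it may be used for the first
        authorization but must never be written anywhere (PCI DSS)."""
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
        self._cards[token] = (digits, expiry)
        return {"token": token, "last4": digits[-4:], "masked": mask_pan(digits)}

    def charge(self, token: str, amount_cents: int) -> dict:
        """The provider charges the real card; only the outcome returns to the practice."""
        digits, _expiry = self._cards[token]       # KeyError if the token is unknown
        return {"ok": True, "amount_cents": amount_cents, "last4": digits[-4:]}


@dataclass
class CardOnFile:
    """What the practice's own system keeps: token and last four, never PAN or CVV."""
    client_id: str
    token: str
    last4: str
    authorization_signed: bool   # written agreement covering charges made in the client's absence


def charge_no_show(vault: HostedVault, card: CardOnFile, amount_cents: int) -> dict:
    """Bill a no-show fee only when the client signed the charge agreement up front,
    which is what lets the practice answer a chargeback."""
    if not card.authorization_signed:
        raise PermissionError("no signed authorization on file for " + card.client_id)
    return vault.charge(card.token, amount_cents)


PAN_PATTERN = re.compile(r"(?:\d[ -]?){12,18}\d")


def scan_for_pans(text: str) -> list[str]:
    """Self-audit: find full card numbers typed into free-text fields such as
    clinical notes. Flags digit runs of 13-19 (spaces/dashes allowed) that pass Luhn;
    shorter runs such as phone numbers are ignored."""
    found: list[str] = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


if __name__ == "__main__":
    vault = HostedVault()
    enrolled = vault.tokenize("4111 1111 1111 1111", "12/26")   # test number, not a real card
    card = CardOnFile("client-001", enrolled["token"], enrolled["last4"], True)
    print("practice stores:", card)                           # token and last four only
    print("no-show charge:", charge_no_show(vault, card, 7500))
    # constructed notes field of the kind Julie describes; the scanner flags it
    notes = "Session 3 notes. Card 4111-1111-1111-1111 exp 12/26, phone 480-704-1620."
    print("card numbers found in notes:", [mask_pan(p) for p in scan_for_pans(notes)])
```

The practice-side record (`CardOnFile`) is the point of the design: if the practice’s files or database are exposed, an attacker obtains a token that is useless outside the provider’s vault plus four digits, not a card number. `scan_for_pans` is the kind of check an office can run over its own exported notes to find card numbers that were pasted into free-text fields and should be removed.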
Thank you, Roy, for the wealth of information and good advice that you provide. Please pardon my naivete, but as a clinician who is just beginning their practice (and with far too few clients), it would be too expensive, I believe, for me to use a secure merchant card processor. I can see that everyone agrees that keeping credit card info in your office is not safe. But I am still unsure as to why it would be considered unsafe to keep cc info with client files. I do not use electronic files, I keep my paper case notes in a locked drawer in a locked office. No one else has access. After all, it seems like if this method of storage, as I have been taught, is secure enough for highly personal client notes, it would also be secure enough for cc numbers. Am I wrong? Life is getting so complicated…
Hi Susan,
Speaking generically, credit card info is at much higher risk than clients’ records. There are many more threats actively interested in credit card info than threats who are interested in paper clinical files. And that’s saying a lot — even paper clinical files are at enough risk to merit significant concern.
Credit card fraud is an enormous black market industry, and a bad guy can easily sell the info from payment cards for set amounts of money.
This is a case where the need for risk analysis thinking becomes apparent. I genuinely believe that clinicians need to learn the risk management lens in order to operate these days. Trust me: it’ll make things a lot less complicated!
-Roy
Thank you, Roy. Makes sense now.
Susan,
I’ve been following this thread, and have offered input. I hope this message does not sound “salesly” but I wanted to give you an idea of the typical costs for accepting credit cards, and securely storing them for future payments.
We provide the secure mag-swipe reader at no cost, so there is nothing up front to get set-up. Through our CardConnect gateway, you have the option to securely (encrypted and tokenized) store card data for future use. The monthly fixed cost for the platform is $12.95, but the fees are significantly lower than you would pay with Square, PayPal, etc.
I have been in the payments industry for 20+ years and bring a level of professionalism that is rare for this product. I am more than happy to discuss your needs and even provide a demonstration of the platform.
email me directly [email protected] for further details.
Thank you, Tom, but I really can’t use that right now. I will keep your contact info though. Susan
This was very helpful. Much appreciated.
So a colleague and I are debating whether or not it is legal to “require” a cc to be kept on file. I ask for it but don’t push it if my clients don’t want to do it (it is a cc form that I send to my billing company and they are PCI compliant and then my paper copy is destroyed upon their receipt). My colleague says that we have the legal right to do that and if the client does not want to receive care from us for that reason, they have other choices. I am not sure if that is ethical or even legal?
I don’t know if “legal” is the question to ask. All our major ethics codes certainly address the manner in which we manage and expect payment, however.
I am in need of a credit card company that allows us to store electronically a card to hold on file until the client comes in for their appointment – somewhat like what hotels do where no payment is given at the time of making the appointment. So far, most I’ve talked to will only hold the card after it has been scanned or billed for an amount. I’m sure this service is available somewhere. Any ideas?
You’re very welcome!
I can’t say as I know much about this one, sorry. It’s not a common practice outside of specific areas (such as hotels, of course.)
I would like to get connected and updated on these posts.
Sure thing. The best way is to subscribe to our newsletter here: https://dev-personcenteredtech.com/get-our-articles-and-updates-by-email/
Thanks for asking!
We’ve confirmed our credit card processor and vendor is PCI compliant and wish to implement card on file policies. Through networking with other practice managers I’ve heard from some that storing card information for future vs. past services is an important distinction. Are you aware of any laws – state (Florida specifically) or federal – that require written notification to patients prior to implementation of storing cards on file in any circumstance? We, of course, would require cardholder signature of the applicable agreement at time of swiping their card.
I’m not familiar with the state laws. I can tell you, though, that PCI compliance would make it irretrievably hard on you to store card information and be compliant. Further than that, I recommend consulting with a PCI compliance consulting firm.
To clarify, our vendor who is PCI compliant will store the patient’s credit card information on our behalf. My concern is relative only to any laws that may be in place to require written notification to patients that a card on file is required.
Your article is fantastic! You bring up valid points in an interesting way
Thank you, Timothy! Please feel free to share with your colleagues :)
Thanks for taking the time to discuss this, It is very useful for me.
I’m a billing company and medical billing educator. I have had many clients tell me that patients just tell them they don’t “HAVE” a credit card. I don’t think it is legal or ethical at all for a client to NOT treat a patient due to not having a credit card, and I’m pretty sure we can’t ask for proof of something a patient says they do NOT have. I myself will NEVER give a physician or hospital my credit card number so I also use the “I don’t have one” response. I’ve never been refused care but if I were I might seek legal counsel based on principle alone.
We certainly agree. :)
Is there any requirement, like for mental health records, that we keep signed credit card authorization consent forms with the payment policy on file for a certain amount of time after the client’s chart closes?
If you ever need to prove a charge was authorized, you’ll need that document.
Is it okay to store credit card information on customers in Quickbooks? These customers do not have recurring payments with this company nor did they authorize their information to be stored. The card information was given by customer for a one-time service charge.
Hi Kristen, thanks for checking out our article! Here is a link to more information about membership with Person Centered Tech. This is a perfect example of a question to ask in our “Office Hours” membership benefit.