Square has finally heard our pleas, oh colleagues, and has started handing out HIPAA Business Associate Agreements like they’re going out of style! (Not sure what that is? See our article on What Is a HIPAA Business Associate Agreement?→)
You don’t even have to take my word for it. Click here to witness it!
This was not only unexpected on my part, but it also opens up new possibilities for using Square while remaining HIPAA compliant — and unfortunately it also has potential to enable ethical problems and even harm to clients. Read on…
Wait, Is Square HIPAA Compliant Now?
I know this is how the question will be asked by many clinicians, so let me make sure the situation is clear:
1) Products can’t be HIPAA compliant. You and I can be HIPAA compliant (or not). I know I sound pedantic, really, but this matters a lot. If we conceptualize things like Square as being either “HIPAA-compliant” or not, then we see them simply as something we can use or something we can’t, with no space in between. And that’s just not the truth.
What’s even more dangerous is the risk that if we say to ourselves, “Square is HIPAA compliant,” then we are likely to ignore the fact that compliance is our own ongoing task and we will erroneously assume Square is taking care of everything without thinking about it any further. That will put us, and possibly our clients, at real risk.
2) Square was always HIPAA-friendly in its most basic form. When collecting payment for your services, HIPAA takes a back seat (for the most part). So it was always HIPAA-compliant to do the basic task of accepting credit cards using Square. Instead of talking about the details of banking and HIPAA here, I’ll refer you to our article on the topic:
Banks and HIPAA: Checks & Credit Cards vs. Receipts & Invoices →
The main advantage of Square’s new offering of a Business Associate Agreement is that Square actually offers quite a bit more than just basic credit card processing. More later.
3) What Square is doing is now giving us a previously-missing piece of the puzzle that would allow us to make full use of Square’s features and remain HIPAA-compliant. In order to use a third-party service like Square to manage information about our clients — e.g. appointments, invoicing, and other useful stuff that Square offers — we absolutely could not be HIPAA compliant without executing a Business Associate Agreement with Square, full-stop.
Now that Square offers the BAA, that piece of the HIPAA puzzle is in place, and our decisions about how to use Square become much more about assessing risks than about getting the right paperwork in place.
Just To Be Sure: How Do I Get the BAA From Square?
You already have it!
I did a long back-and-forth with Square’s support department to be absolutely sure of this, too (boy, is it hard to get a straight answer from those folks). The Business Associate Agreement is included with the basic service agreement. At some point in January 2016, you probably got a notice from Square that your service agreement had been amended. If you’re like me, you ignored it. That amendment included the BAA.
So no action is necessary. Enjoy your new BAA.
Which Square Services Are Covered?
All Square services are covered. I also confirmed this with Square Support.
I think these are the Square services that mental health practices are most likely to use — or at least are the most impacted by the BAA:
- Register (the basic credit card processing we all use)
- Invoicing
- Appointments
Those are all services that many therapists can make good use of. Invoicing is especially useful for online therapy practices who can’t collect payment in person.
The Invoicing and Appointments services both collect personally-identifying information about clients, including contact information, and they store that information in your account. Without a Business Associate Agreement, you would be violating HIPAA to allow Square to do this. With the BAA, it is now permissible for Square to handle this information.
There are two kickers, though:
- Square makes no efforts to ensure that you can’t end up making use of their services in non-HIPAA-compliant ways. In other words, they won’t stop you from messing the HIPAA part up, even if you have no idea you’re doing it. The customer service rep I communicated with was very diligent about emphasizing this fact.
- Both Invoicing and Appointments rely on email and/or texting to function, and that’s where we get into…
Email and Texting: The Old Party-Poopers
The fly in our ointment is that the Appointment and Invoicing services from Square both lean heavily on email and text messaging. This has long been a pain point for us with Square, as you can read about in our first article on Square and HIPAA.
Both of these Square services send emails and/or texts to both clients and service providers whenever anything of interest happens. These messages contain personally-identifying information about the clients and also indicate that the client has a relationship with the therapist. There is no way to turn these messages off or to change their contents to maintain privacy.
So why are these messages pooping the party? Aren’t they helpful to the clients?
Email and texting are not private means of communication, and therefore our default practice policies must be to not use them at all for any communications with clients. This is both to keep up HIPAA compliance and for ethical practice.
It is possible to legally and ethically use email and texting with clients who wish for you to use it. For clients who have jumped the email and texting hurdle with you, you could potentially use Square’s Appointments and Invoicing services. However, this is unlikely to be useful for most clinicians.
→ We strongly urge all readers to take seriously the processes and nuances behind using email and texting with clients. We have a free article on the subject: Clients Have the Right to Receive Unencrypted Emails Under HIPAA. However, the nuances are enough that we urge you to spend more time considering them than reading a single article. The subject is covered in-depth in the Level I session of our Digital Confidentiality course series →
It is also touched on in the Level 101 session of that series, which is a free CEU offering for subscribers to our (also free) newsletter. Click here for information about subscribing and getting the free CEUs, as well as forms you can use with clients for the email and texting process. →
Invoicing and appointment scheduling are, for most of us, a basic part of practice management. In other words, most of the time it isn’t useful to have an invoicing or appointment service that you can only use with select clients and only after you’ve gone through a kind of due diligence process with each one of them.
Generally, basic practice management services are ones we want to use with all clients or with no clients. And if you are looking for ways to get around legal-ethical issues in order to use these services with all your clients, there is a real risk that you could end up violating law, practicing unethically, or even putting a client in harm’s way.
What’s more, some licensing boards and state legislatures ban email and texting altogether. For therapists in those jurisdictions, Square’s Invoicing and Appointments services are rendered totally useless by the information disclosed in those emails and texts.
Concerns Besides HIPAA
By offering a BAA, Square has allayed any lingering concerns about our HIPAA compliance when we use their basic credit card charging service. Technically, this was probably unnecessary. It is good when a company meets us halfway to address our needs, however, even if they don’t technically have to.
In our opinion, though, HIPAA compliance has always been less of a concern than the simple risk of clients suffering harm when they use a credit card to pay for our services.
Imagine this:
A client runs her card with us for services, but we advise her not to allow Square to send her an email receipt. So she skips the receipt step and no email is sent. This client has an abuser in the house who reads her credit card statements without her knowledge (perhaps he logs in to her online banking, perhaps he intercepts mail, or perhaps he has another method). After seeing that she charged counseling services to her card, the abuser enacts revenge.
There is very likely no HIPAA violation in the above example, but there certainly is client harm due to an important disclosure of her sensitive information.
How about a less obvious example:
A client runs her card with us for services, and we advise her not to allow Square to send her an email receipt. Without thinking, however, she taps the button to send a receipt anyway. She states that it’s “not a big deal because everyone knows she’s in therapy.” She doesn’t notice, however, that Square’s on-file email address for her is her work address. Her employer monitors her emails and sees the therapy receipt. This knowledge is used against her at work.
We cite these example risks to encourage all therapists who wish to run credit cards at all — with or without Square — to talk about the confidentiality risks with clients before they run a card for the first time.
We offer our free sample Electronic Payment Communications Disclosure form to our (also free) newsletter subscribers, in order to help discuss with clients the confidentiality risks of credit card payments. Subscribe to our newsletter here to get access to this and other useful forms, as well as free CE.
Since Square’s Invoicing and Appointments services rely on email or texting to function, the above example risks are even more likely to come up if we use those services with clients.
What About PayPal, Intuit, and All Those?
At the time of writing, Square looks to be the only BAA-providing vendor of free “mobile payment solutions” (i.e. apps and card readers for your smart phone or tablet) or free online payment services that don’t require you to first acquire a merchant services account. PayPal and Intuit also provide those services, but won’t do a BAA with us.
So even if you can jump the legal-ethical hurdles around using email and texting with clients, PayPal’s invoicing service or any other similar service would be a no-go for HIPAA compliance. This is because the BAA is an indispensable piece of the HIPAA compliance puzzle when we use a third-party service to handle client information.
Using PayPal, Intuit, and others for the basic purpose of charging a credit card or transferring funds, however, would likely not threaten your HIPAA compliance. Once again, see our article on HIPAA and banking for details →
If I Can’t Use Square Appointments and Invoicing, What Do I Use?
There are a plethora of services out there that provide these functions for health care providers in ways that work much better for client confidentiality.
Many practice management systems will give you both services, and credit card payments to boot. To get an idea of which ones can do this for you, we recommend Rob Reinhardt’s reviews of online practice management systems.
Roy,
As always: timely, helpful, concise and precise. You are such an asset to the psychotherapy community!
Thanks, Rajani. Such kind words! :)
I agree with Rajani! The timing is perfect for me to delve more thoroughly into these details. Thank you, Roy! :)
Glad I caught you at a good time. :)
Don’t forget to share the article so your colleagues can see it, too! (There are share buttons at the bottom of the article)
Yep. And presented in a “user friendly” (easily understandable) form. Thanks!
Gosh, everyone. Thanks! :)
Thrilled I found you! You brought up issues (especially with Square) I had not even thought of. Thank you.
You’re very welcome. Don’t forget to share with your colleagues!
I work in one of those states where email and texting are considered not protected… Texas. I have been told that a client must deliberately request or allow email for every single communication. Do you have a form for clients that addresses this? Suggestions for therapists?
Thanks!
Well, I should say that email and texting aren’t seen as secure communication anywhere. They just aren’t. The issue isn’t one of whether or not they’re secure but rather one of whether or not clients see the security risks as acceptable for them.
I’d be careful about acting on what someone has told you until you confirm it. I’ve been told a lot of whoppers over the past several years and have learned to ignore it all until I get info from the source or a level-headed, trustworthy authority. So make sure you know authoritatively what you must do before making new practice management procedures around it.
That said, we just have what we offer our newsletter subscribers: https://dev-personcenteredtech.com/get-our-articles-and-updates-by-email/
Also, you may want to check out Level I of our Digital Confidentiality courses. It covers Internet communication and how email and texting fit into our practices around confidentiality: https://dev-personcenteredtech.com/client-centered-hipaa-and-technology-live-online-learning-groups/
Your articles are awesome. Thank you! What happens if a client contacts their credit card company to dispute charges for therapy sessions that they attended, (basically not wanting to pay for services)? How can the clinician respond to the dispute without breaking confidentiality?
Thank you for your positive feedback; it’s always great to hear that the info and resources PCT provides are of value! Please check out Roy’s article: https://dev-personcenteredtech.com/2014/01/12/banks-and-hipaa-checks-credit-cards-vs-receipts-invoices/ — it should prove useful, as HIPAA relates to banking and payments in interesting ways. HIPAA may not be the only consideration to bear in mind regarding this issue. In terms of a more specific answer: we receive too many questions to be able to respond to each individually in detail right away. We have logged your question to be addressed in a future article, but the backlog is long and it will take some time before your question makes it to the top of the list.
I considered and abandoned using Square approximately one year ago because I had concerns about privacy (for me and my clients) given that I needed to give them permission to access multiple parts of my phone (e.g., speaker). I saw in another article that the new “dongle” helps with this but I wonder still about tracking locations. I believe that they want to access my location to determine if the charge occurred in my place of business but it seems intrusive and just gives me the heebie jeebies. I’m not sure if other people can use this data to stalk my clients.
Thanks for your thoughts and the consideration you’re showing for your clients’ security. Unfortunately I don’t really have much guidance or information to give you, other than that many apps ask for that kind of access. The Square swiper/dongle does rely on the microphone to work, so currently there isn’t a way around it if you do utilize Square.
So can you simply not use the invoicing and appointments feature on Square and remain HIPAA compliant?
Yes, of course. :)
With Square, is there an option to print the receipt in the office to give the patient a paper copy as they are leaving the appointment?
I don’t believe so. Email or text are the only options.