Mobile payment apps like Square and online payment services like PayPal make it surpassingly easy for therapists in private practice — or even for small agencies — to accept credit card payments without much upfront investment. Do we need client consent to use these services, however? What kind of information is needed for informed consent?
We have already published extensively about how HIPAA interacts with banks and financial institutions, and whether or not mobile credit card swiper apps like Square play well with our practices:
We’ve also covered the question of how to (or whether or not to) go about holding client credit cards on file. That topic contains a lot of informed consent issues:
What has still been left hanging is the issue of informing clients about the parts of this process that put their confidentiality at risk or could otherwise cause harm.
Over time, these popular payment providers add new features and blend payment with the worlds of social media and instant, automatic communication. This is a part of the modern world and an exciting one, but one that is difficult for us to reconcile with the need to maintain client privacy.
For example, when you use Square to run a credit card using your smartphone or tablet computer, Square may automatically send an email or text message receipt to your client. Square will do this if the client has previously requested a receipt from another merchant using Square.
To explain more concretely, Joe Client buys a coffee at Mug Shots using his credit card through their Square payment terminal. He decides to ask for a coffee receipt to be emailed to him. Then he goes to his therapy session at Roy’s (kitty corner to Mug Shots) and pays for the session with his credit card through the Square app on Roy’s iPhone. This time, Square sends Joe an email with a receipt for Roy’s counseling session without even asking first. It’s for convenience, and you can ask Square to turn that feature off. Until you do, however, clients may receive unexpected email receipts for therapy sessions.
PayPal also sends receipts for payment by email automatically, and does not give the client a chance to refuse them.
Venmo is a very popular (with the kids) service that can be used to transfer funds easily and quickly between Venmo accounts. The catch: Venmo is a social media app that also displays those payments on your Venmo “wall,” Facebook-style (to be fair: Venmo only displays whatever the payer tells it to display, so clients would have a fair amount of control over what is revealed by Venmo.)
We’ve discussed in other articles the potential HIPAA Business Associate issues that arise with these unrequested disclosures.
In this article, however, I’d like to focus on the ethical issues that arise around confidentiality.
Our duty of confidentiality means we must uphold clients’ privacy decisions and privacy rights. Clients do have the autonomy to make those privacy decisions themselves, but we must ensure that they are properly informed of all related risks before making their decisions.
As such, before using one of these electronic payment services with clients, it is likely wise to inform them about those emails or text messages that the service may send them.
Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.
Roy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.
Why is it important?
Our emails and text messages can end up in all kinds of places. For many clients, the others who can access their email accounts or read their texts are trusted people and often loved ones. For those folks, there is little risk posed by emailed receipts.
Imagine, however, a client with an abusive partner or parent who often spies on the client’s phone or even reads the client’s emails without permission. What if they see an email with a receipt from a therapist?
One more: imagine a client who uses her work email address when she buys that coffee at Mug Shots. The email that is automatically sent to her after a session with Roy goes to her work’s email servers, where her employers have the legal right to read those emails.
Given the number of scenarios where real risks can arise from the transmission of electronic receipts, it seems wise to at least bring up this issue with clients.
Is It Ethically Required That I Inform Clients About These Risks?
We think so. See these quotes from major ethics codes on professional responsibility to inform clients of the risks that arise in use of digital technology for communications and other purposes:
marriage and family therapists…inform clients or supervisees of the potential risks and benefits associated with technologically-assisted services…
AAMFT Code of Ethics, 2015, 6.1.b
Counselors… inform clients that individuals might have authorized or unauthorized access to… records or transmissions (e.g., colleagues, supervisors, employees, information technologists).
ACA Code of Ethics, 2014, H.2.b
Psychologists who offer services, products, or information via electronic transmission inform clients/patients of the risks to privacy and limits of confidentiality.
Ethical Principles of Psychologists and Code of Conduct, 2010, 4.02.c
Social workers who use technology to provide social work services should obtain informed consent from the individuals using these services during the initial screening or interview and prior to initiating services.
NASW Code of Ethics, 2017, 1.03.f
…NCCs shall advise clients about the potential risks of sending messages through digital technology and social media sources.
NBCC Code of Ethics, 2012, 20
Note: To assist in providing language for that disclosure, subscribers to our free newsletter have access to our Electronic Payment Communications Disclosure form, and the form is also included with some Person Centered Tech CE courses. Subscribe to our newsletter here to get access to this and other useful forms.
Providing such disclosures will make me HIPAA compliant?
The purpose of informing clients about these electronic receipts is to meet your ethical duties around confidentiality when you wish to accept credit cards and other electronic payments from clients. As we discuss in our article, Banks and HIPAA: Checks & Credit Cards vs Receipts & Invoices, simple money transfers and credit card charges are largely uncovered by HIPAA. So here we’re almost solely concerned with ethical confidentiality concerns.
Your articles have helped me so much to travel the information highway that often boggles this not tech mind. Thank you again.
You’re very welcome. :)
Incorrect information in this article. Square receipts do not automatically get sent to the client. The email or phone number pre-fills but the client can still select “no thanks” or change the delivery method for each transaction.
Thanks for your comment Rachael. While Square does have a “no thanks” option, it is not presented for each transaction. If you have selected to have a receipt sent to you via email or text on a previous transaction with any merchant, it will do the same thing via the same method on future transactions with any merchants without asking first. So, even if you don’t input your email address/phone number or select to have a receipt sent, one will be sent. The only time it gives the “no thanks” option is on the first transaction, or until you don’t select “no thanks” and have, therefore, essentially opted in.
Please see the “For example…” and “To explain more concretely…” paragraph in https://dev-personcenteredtech.com/2015/03/01/ethics-of-disclosure-to-clients-who-pay-with-plastic-or-online-transfers/ for further illustration.
The exception to this is if Square is connected to a printer; in that instance, Square will give the option to select “no thanks” to an emailed or texted receipt — even if an email/text receipt has previously been selected.
I literally use Square every working day. And every transaction it asks if a receipt is wanted by text, email or “no thanks.” The situation you’re describing has never happened to me or anyone in our office. As a small-business supporter I frequently encounter Square readers and have the same experience as a consumer. Perhaps there is an explanation for this and other people have other experiences. Even so, I suspect that auto-delivery of receipts is not a major ethical or legal issue right now, though occasionally it could potentially present problems for a client.
I do, as well. The situation described has come up for me on several occasions. It has also come up for several of the many colleagues I confer with. Thus it’s presence in this article and thus the recommendation to address it with clients so that they may make appropriate risk management decisions for themselves.
So if Venmo settings make the feeds private, would that be HIPAA-friendly?
Hi Gina! Good question. The devil is definitely in the details on this one and answering your question requires knowing the specifics of how Venmo handles information and what information is being handled — there are also probably legal judgement calls required in making a determination on this as well. Don’t forget, there are a number of other ways to send money without fees. If you would like to discuss other options and resources on this topic, I invite you to schedule a free 10-minute resource consultation with me. You can schedule that directly here or email [email protected] or call 503-893-9717.