If your therapy practice is going to accept electronic payments from clients, you need to do so with a HIPAA-compliant payment system.
Here’s what you need to know to accept payments from clients quickly and easily, while ensuring you’re doing everything required by HIPAA to protect their information.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted into law by Congress in 1996. Its purpose is to protect patients’ privacy by setting standards for how their information is shared and stored.
Since it was enacted, HIPAA has proven essential for:
At the core of HIPAA is the protection of patient health information (PHI). When it comes to determining whether your transactions with clients are HIPAA-compliant, it’s important to understand the difference between PHI and payment information.
PHI is information that can be used to identify a patient. According to Yale’s Clinician’s Guide to HIPAA Privacy and Security 8-2019:
“Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:”
The Clinician’s Guide includes 18 pieces of data that may be used to identify a patient:
If you’re trying to determine whether the information you’re receiving from a client is PHI, ask yourself: Could a bad guy use this information to hurt them?
“Bad guy,” in this case, refers to a scammer, identity thief, or even someone in your client’s personal life who intends to cause them harm.
A single piece of PHI, such as your client’s name, may not seem important at first glance. But in some cases, simply the fact an individual is seeing a therapist counts as critical personal information that could be used to hurt them—for instance, in the workplace, or within a family dispute.
Even an emailed receipt from an online payment provider including your client’s name and the name of your practice may qualify as PHI.
Popular apps for sending funds, such as Venmo, PayPal, Zelle, and Apple Pay, are not HIPAA-compliant. Using them to receive payments from clients opens you up to HIPAA penalties and puts the client’s personal information at risk. On top of that, many of these payment providers sell user data to third parties.
Any third-party application you use to send and receive information about a client—including online banking or credit card payments—must be certified as HIPAA-compliant. That means they’re willing to enter into a business associate agreement (BAA) with you.
A BAA is an agreement between a healthcare provider (you) and a third party (a payment provider) for the transfer of your client’s PHI.
Any payment provider you use to receive money from clients must be able and willing to sign a BAA with you in order to be HIPAA-compliant.
Broadly speaking, online payment providers are not in the practice of signing BAAs with therapists.
In order to be paid by clients while complying with HIPAA regulations, you should either use an online payment method that is explicitly HIPAA-compliant, or a traditional method of getting paid (e.g. credit card, ACH, cash).
Whatever method you use, be sure to stick to HIPAA guidelines for sending and storing information. More on that in the next section.
If your EHR system (e.g. SimplePractice) allows you to bill clients and receive payments from them, you can safely assume it’s HIPAA-compliant.
Stripe is HIPAA-compliant so long as you use it exclusively to collect payments from clients (and not for invoicing or other activities involving client information).
Ivy Pay is a 100% HIPAA-compliant payment method designed for licensed therapists. It allows you to collect no-swipe credit card payments at a flat rate of 2.75% per charge.
Credit card payments using a traditional POS terminal are typically HIPAA-compliant. Be sure to consult with the POS provider about a BAA.
ACH payments are managed by the National Automated Clearing House Association (Nacha). Their Healthcare Electronic Funds Transfer (EFT) is HIPAA-compliant, sending client information and the information for transferring funds together in one secure package.
While cash is probably the most anonymous (and thus secure) means of receiving payment from a client, you still need to follow HIPAA best practices when it comes to recording the transaction. If you store the client’s name on file, you must use a HIPAA-compliant system to do so.
In most cases, a check is a HIPAA-compliant means of receiving payment.
The HIPAA Journal has an article listing some best overall practices for HIPAA compliance.
When it comes to payments in particular, follow these guidelines.
Do not:
Do:
It may cost you slightly more to use a HIPAA-compliant payment method, rather than an everyday service like Venmo. But it’s worth it—both for the security of your clients’ information, and so you don’t get penalized for breaking HIPAA rules.
As you plan to put a HIPAA-compliant payment system in place, be sure to include any related fees in your therapy practice’s budget.
This post is to be used for informational purposes only and does not constitute legal, business, or tax advice. Each person should consult their own attorney, business advisor, or tax advisor with respect to matters referenced in this post.
Bryce Warnes is a West Coast writer specializing in small business finances.