Providers are increasingly utilizing web-based credit card processing vendors (e.g. Square) because these services offer low up-front cost, transparent pricing, flexibility, and additional services. It's the additional services that can become a HIPAA compliance problem.

Credit card processing alone does not make a vendor your HIPAA business associate. However, as soon as the vendor sends a payment receipt or invoice to your patient via email or text, they immediately become a business associate. This is because the service they are performing on your behalf goes beyond the processing of a payment.

If this is the case in your office, you are obligated to do two things:

  1. Obtain a signed Business Associate Agreement (BAA) from your credit card vendor.
  2. Obtain your patient's authorization to send them emails or texts to unsecured accounts.

Of your two HIPAA obligations, getting a patient's authorization is the easy part. Credit card processors, on the other hand, are reluctant to sign a Business Associate Agreement because it increases their liability (as it should). If the vendor is unwilling to sign a BAA, you must disable any email and text features. And if this is not possible, you must look elsewhere for a credit card processing company.