Providers are increasingly utilizing web-based credit card processing vendors (e.g. Square) because these services offer low up-front cost, transparent pricing, flexibility, and additional services. It's the additional services that can become a HIPAA compliance problem.
Credit card processing alone does not make a vendor your HIPAA business associate. However, as soon as the vendor sends a payment receipt or invoice to your patient via email or text, they immediately become a business associate. This is because the service they are performing on your behalf goes beyond the processing of a payment.
If this is the case in your office, you are obligated to do two things:
- Obtain a signed Business Associate Agreement (BAA) from your credit card vendor.
- Obtain your patient's authorization to send them emails or texts to unsecured accounts.
Of your two HIPAA obligations, getting a patient's authorization is the easy part. Credit card processors, on the other hand, are reluctant to sign a Business Associate Agreement because it increases their liability (as it should). If the vendor is unwilling to sign a BAA, you must disable any email and text features. And if this is not possible, you must look elsewhere for a credit card processing company.