Send HIPAA Compliant Payment Receipts

by Dr. Jeff Brown

Providers are increasingly utilizing web-based credit card processing vendors (e.g. Square) because these services offer low upfront cost, transparent pricing, flexibility, and additional services. It's the additional services that can become a HIPAA compliance problem.

Credit card processing alone does not make a vendor your HIPAA business associate. However, as soon as the vendor sends a payment receipt or invoice to your patient via e-mail or text, they immediately become a business associate. This is because the service they are performing on your behalf goes beyond the processing of a payment.

If this is the case in your office, you are obligated to do two things:

  1. Obtain a signed Business Associate Agreement (BAA) from the credit card vendor.
  2. Obtain the patient’s authorization to send e-mail or texts to their unsecured accounts (here's a sample E-mail/Text Authorization form).

Of your two HIPAA obligations above, getting a patient's authorization is the easy part. Credit card processors, on the other hand, are reluctant to sign a Business Associate Agreement because it increases their liability (as it should). If the vendor is unwilling to sign a BAA, you must disable any e-mail and text features. And if this is not possible, you should look elsewhere for a credit card processing company.

DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.
