Can You Email Patients Credit Card Receipts?
Providers increasingly use web-based credit card processing vendors (e.g., Square) because these services offer low upfront cost, transparent pricing, flexibility, and additional services. It's the additional services that can become a HIPAA compliance problem; specifically, an email sent to a patient containing a credit card payment receipt for their office visit.
Credit card payment processing alone does not make a vendor your HIPAA business associate. However, as soon as the vendor sends a payment receipt or invoice to your patient via email or text, they immediately become a business associate. This is because the service they are now performing on your behalf goes beyond the actual processing of a payment.
If this is the case in your office, you are obligated to do two things:
- Obtain a signed Business Associate Agreement (BAA) from the credit card vendor.
- Obtain the patient’s authorization to send them email or texts to unsecured accounts (here's a sample Email/Text Authorization form).
Of your two HIPAA obligations above, getting a patient's authorization is the easy part. Credit card processors, on the other hand, are reluctant to sign a BAA because it increases their liability (as it should). If the vendor is unwilling to sign a BAA, you must disable any email and text features. And if this is not possible, you should look elsewhere for a credit card processing company that is willing to sign a BAA.
Remember, credit card payment processing alone does not make a vendor your HIPAA business associate. Therefore, if your credit card processor is only transferring money, and doing nothing else, then you don't need a BAA.
UPDATE: Square now includes a BAA as part of their Terms of Service. This is wonderful news because their product is such a great fit for many healthcare providers.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.