Can You Email Patients Credit Card Receipts?
By: Dr. Jeff Brown | updated on
Providers increasingly utilize web-based credit card processing vendors (e.g. Square) because these services offer low up front cost, transparent pricing, flexibility, and additional services. It's the additional services that can become a HIPAA compliance problem; specifically, an email being sent to a patient containing a credit card payment receipt for your office visit.
Credit card payment processing alone does not make a vendor your HIPAA business associate. However, as soon as the vendor sends a payment receipt or invoice to your patient via email or text, they immediately become a business associate. This is because the service they are now performing on your behalf goes beyond the actual processing of a payment.
If this is the case in your office, you are obligated to do two things:
- Obtain a signed Business Associate Agreement (BAA) from the credit card vendor.
- Obtain the patient’s authorization to send them email or texts to unsecured accounts (here's a sample Email/Text Authorization form).
Of your two HIPAA obligations above, getting a patient's authorization is the easy part. Credit card processors, on the other hand, are reluctant to sign a BAA because it increases their liability (as it should). If the vendor is unwilling to sign a BAA, you must disable any email and text features. And if this is not possible, you should look elsewhere for a credit card processing company that is willing to sign a BAA.
Remember, credit card payment processing alone does not make a vendor your HIPAA business associate. Therefore, if your credit card processor is only transferring money, and doing nothing else, then you don't need a BAA.
UPDATE: Square now includes a BAA as part of their Terms of Service. This is wonderful news because their product is such a great fit for many healthcare providers.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice.