Square, sometimes called “Squareup,” is the upstart on the credit card payment scene that uses a little square-shaped doohickey that you stick in the headphone port of your smart phone or tablet computer. You can swipe credit cards through the doohickey and, in combination with an app on your mobile device, make charges to the card. You don’t have to set up any merchant banking account, you don’t have to buy anything (the doohickey is free), and you pay no setup fees. It’s like a dream come true.
This is too good to be true. Is it HIPAA compliant?
Yes! The dream remains alive!
The Office of Civil Rights — the federal agency that does most of the enforcing for HIPAA — stated in January of 2013 that HIPAA does not come into play when we charge clients’ credit cards for health care services. According to Marcia Augsburger of DLA Piper:
The OCR clarified that financial institutions are not required to comply with HIPAA when they conduct certain payment processing activities. These activities include cashing a check, conducting a funds transfer, and authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care or health plan premiums.
[Updated 4/29/2013]: To be specific about what this means: When you run a card with Square, you are sending electronic protected health information over a network where that information is visible to Square employees and computers. Normally, you would need a Business Associate Agreement with Square for this to be HIPAA compliant (see “What Is a HIPAA Business Associate Agreement?”). However, the special exception for financial transactions makes the Business Associate Agreement unnecessary.
That’s great! So I don’t have to worry about HIPAA at all when I charge credit cards?
Well, hold on a second. OCR also specified that when banks perform services for us that go above and beyond those financial transactions, that exception no longer applies.
In Square’s case, we’re interested in the electronic receipts that it generates. When you charge someone’s card using Square, you have an option to send them a receipt by email or SMS (text message). Square will even fill in the client’s email address or phone number automatically if that client has made payments by Square before.
As we know, email and SMS (texting) aren’t secure technologies (see “Is Email HIPAA Compliant?”). The receipts sent by Square contain “protected health information,” to use the HIPAA jargon.
[Updated 4/29/2013]: Since Square turns your smart phone or tablet computer into a payment device for clients, you may also want to consider securing your phone or tablet to HIPAA standards. I have some information for doing that on the Resources page of my Security and Privacy CE course at the Zur Institute: Security for Mobile Devices.
So does HIPAA not allow me to use Square?
HIPAA never allows or disallows anything. HIPAA asks you to balance risks and costs, reduce risks to reasonable levels, and comply with certain security standards. In this case, the electronic receipts pose a minimal-yet-existing confidentiality risk. The actual level of risk depends on the client’s context. Does the client have an abusive and snoopy partner who might harm the client if the receipt is discovered? Does the client live with a supportive family who all know that the client is in therapy? These situations create completely different levels of risk.
It is simple to reduce the risk by not sending the electronic receipts and supplying a paper receipt instead.
[Updated 8/1/2013]: OCR’s public statements this year regarding the Business Associate rules have expanded the Business Associate net quite a bit. After the September 23rd, 2013 compliance date, when Square sends an email or text message receipt on your behalf, doing so will cause them to become your HIPAA Business Associate. That means that even if your client decides to accept the confidentiality risks of email and text message receipts, you would still end up needing a Business Associate agreement with Square to avoid non-compliance with HIPAA — and Square won’t do those agreements. So the autonomy of the client in this situation has been superseded by new interpretations. This could change in the future, and we’ll keep an eye out.
[Updated 2/25/2015]: We also offer our sample Electronic Payment Communications Disclosure form to our newsletter subscribers, in order to help discuss with clients the confidentiality risks of automatic email receipts. Subscribe to our newsletter here to get access to this and other useful forms.
So that’s it, then? Sounds nice and simple!
You knew it wouldn’t be that easy, didn’t you?
When we talk about credit cards, we have to talk about a lovely thing called “PCI DSS.” PCI DSS is like HIPAA, but for credit cards. There’s one big difference, however. While HIPAA is a law created by the feds, PCI DSS is a standard created by the credit card companies. You don’t have to comply with PCI DSS because it’s the law — you have to comply with PCI DSS because you promised you would when you signed the contract that allows you to take credit cards.
What does this mean to you? Here’s the short version: Square’s software and their computer networks are PCI DSS-compliant, so long as you don’t have an outdated card-slider doohickey. The doohickey, which is more formally called a “dongle,” was updated in 2012 to comply with new PCI standards. The newer dongle is thicker than the old dongle, and has a visible seam along the back side. If you’ve had your dongle for a long time, you may wish to order a new one. Square will give them to you for free — you need only ask. If you’re starting fresh with Square now, you’ll be starting off right.
The longer version of the story is a little more complicated. You, as a merchant, are required to be PCI DSS-compliant yourself. In theory, you can be audited and asked to prove your compliance. In practice, small merchants are not really expected to actively prove PCI compliance. What’s more, I asked Square to tell me what to do if a Square merchant finds themselves facing a PCI audit. This was their reply:
Unlike traditional merchant companies, we don’t require account holders to go through a complicated and expensive PCI compliance application. There are no additional PCI compliance or hidden fees for using Square. Square itself is PCI compliant, so we take care of it for you. You can consider it one less thing to worry about.
The Square representative is definitely blowing marketing smoke at me, but one thing seems clear from this response: Square will not require its customers to prove PCI compliance, even though other credit card processing companies probably will. This is part of Square’s business model, and one reason why Square is so attractive to therapists in private practice.
But does Square provide good service? Is it a good company?
The biggest complaint about Square that I’ve seen is poor customer service. If your account shows suspicious activity or a client disputes a charge, Square (like any other credit card company) may put a freeze on your account, including holding all the funds that were in there at the time they froze it. When this happens, Square is known for being unresponsive and unhelpful.
However, therapists are an ideal group for Square’s business model. Square’s way of operating is ideal for businesses that don’t process a lot of card transactions (“a lot” in this case would be tens of thousands of card transactions per year), and where the average transaction is greater than $25. Square is usually happy with businesses that fit this mold.
What’s more, therapist offices provide a good security situation for Square. The biggest security criticism for Square is that a bad guy could make his own hacked version of the dongle, go to a store, and secretly switch the merchant’s dongle with the hacker’s own modified version. The modified dongle would then start recording credit card data for the hacker. In a therapist office, this is highly unlikely to happen, unlike in a retail store where the clerks’ attention is split amongst many tasks and it’s easy for an anonymous person to pull the switcharoo.
Are there alternatives to Square?
PayPal and ProPay both offer a Square-like service that works with smart phones and tablet computers. The caveats about those services are largely the same as for Square.
Whatever service you use, accepting credit cards is clearly becoming an important part of 21st-century practice. With a little forethought, you can accept this tech innovation into your practice and, hopefully, make your work life a little easier.
Special thanks to Seattle counselor Clinton Campbell for helping me sort out the mess that is PCI.