Hello! I’m Roy of Person Centered Tech. We know that you want to focus on your clients, so we provide articles, tools, and continuing education on how to best serve clients in the digital world.
There are advantages and drawbacks to keeping clients’ credit card information on file, and most clinicians are primarily concerned about these issues:
- How can we keep the credit card information safe? Are there HIPAA or PCI DSS issues in keeping card info on file?
- Is it ethical to require clients to provide card information so that we can run charges in their absence?
- What do we need to do to make the practice legal and effective?
How Do We Store and Use This Information?
The classic, and now defunct, way to store credit card information would be to photocopy or scan each side of the card, get the necessary agreements from the client, and keep it all in the client’s file. This might mean keeping paper in a filing cabinet or scanned documents in an electronic system. Due to PCI-DSS requirements, and the availability of much safer methods of storing credit card info, we strongly recommend against this method.
Another way to store information is to use a merchant service that allows you to store credit cards in their system, usually online. Such a system would hold the information on your behalf and allow you to charge the card when you need without having to store or remember the credit card numbers or other info. Many online practice management systems provide this service, as well.
In general, when professional ethics codes address the issue of payment, they state that the circumstances and requirements of payment need to be defined and agreed to up front. What’s more, in my opinion, informed consent would include informing the client of how you store the card information and how you go about charging it.
The most pressing question, in my mind, is whether or not it is ethical to require a client to provide credit card information to be kept on file, as some private practitioners do. Another way to phrase this is to ask whether it is ethical to predicate the provision of counseling services on the client providing payment info up front and agreeing to its storage and later use.
Private practitioners are not necessarily required by professional ethics to work with all comers, and are allowed to define the parameters of how their practice works within certain ethical and legal limitations. However, a given client may not trust the method you use to store their sensitive payment information or they may object to the circumstances under which you charge their card in absentia. In these situations, should a clinician insist that the credit card information be turned over before therapy can begin (or continue)? Would it be ethical to do so?
Many clinicians who make a habit of getting up-front payment information from clients say that they do not push it when clients object. It seems to me that this policy is a wise one for not only ethical but also clinical and business reasons.
Security Issues – HIPAA and PCI DSS
Since the payment information we’re using qualifies as protected health information, we have an ethical responsibility and a responsibility under HIPAA to secure it regardless of HIPAA covered entity status. (Not sure what that is? See our article, Am I a HIPAA Covered Entity? How Much Does It Matter If I Am Or Not?)
Also vital to consider is that anyone who accepts credit cards in the United States agrees to comply with PCI DSS (aka “PCI”) — what I like to call “credit card HIPAA.” This is not a law but rather an industry standard that everyone agrees to when they contract to accept credit cards (if you accept credit cards, you agreed to comply with PCI as part of the registration process).
Some states do have laws that support, in various ways and to various degrees, PCI as a security and privacy standard.
PCI is much more specific than HIPAA in regards to particular security measures that we must use to protect payment card information. HIPAA would act in this case through its usual requirement that you perform a risk analysis, which includes assessing the way you store clients’ payment card info, and that you come up with a reasonable risk management plan following the analysis. PCI requires the same risk management process, but also requires and/or heavily encourages specific security measures.
In the case of storing card info for charging later, PCI is much stricter than HIPAA and thus defines the rules we need to follow.
We could explore the specific requirements that PCI lays out, but they come down to this: we advise that no practice should store credit card info on paper or in their own electronic systems, at all. In other words, we advise that all clinicians and practices who wish to hold card info on file should use a merchant service provider to do it.
These days, storing card info with a merchant service provider is quite easy. They generally allow you to enter client card info once and then later you can apply charges to those cards without having to see the actual card info ever again (except, perhaps, for the last 4 digits of the card number) — this is a very good thing for your clients’ security and privacy. Many such services exist and have low costs. This may be one part of why PCI does not easily tolerate storage of payment card information in one’s office — it’s so reasonable to have professional merchant services do it for you and do a far better job of keeping it safe.
Many merchant service companies that offer credit card charging also offer this card storage service. Importantly, a lot of practice management systems do, too.
Most practice management systems don’t store your clients’ card info themselves. They generally “farm out” that part of their service to third-party financial service providers. Many clinicians (and clients!) find this integration of practice management and instant billing to be very useful.
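As an added illustration (not part of the original article), here is a small Python check a practice could run over its own records to confirm that nothing resembling a full card number is stored locally, only the merchant provider’s token and the last four digits. The record layout, field names and token string are constructed assumptions.

```python
import re

# Constructed sample records. SAFE_RECORD is the shape a practice keeps when the
# merchant provider vaults the card: an opaque token plus the last four digits.
# UNSAFE_RECORD is a constructed example of a free-text note that leaked a PAN.
SAFE_RECORD = {"client_id": "c-1001", "card_token": "tok_EXAMPLE_abc123", "last4": "4242"}
UNSAFE_RECORD = {"client_id": "c-1002", "note": "card on file 4111 1111 1111 1111 exp 12/29"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit strings in text that look like primary account numbers."""
    pans = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_last4(pan: str) -> str:
    """Keep only the last four digits, the most PCI lets you show or retain."""
    return "*" * (len(pan) - 4) + pan[-4:]


def record_violations(record: dict) -> list:
    """List (field, masked number) for every string field holding a PAN.
    The full number is never returned, so the finding itself is safe to log."""
    found = []
    for field, value in record.items():
        if isinstance(value, str):
            for pan in find_pans(value):
                found.append((field, mask_last4(pan)))
    return found
```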
HIPAA Issues – Business Associate Relationships
If we store the credit card information with an online provider, then they are storing protected health information on our behalf. Normally, this would cause a HIPAA Business Associate relationship between us and the service provider. If such a relationship exists, then we must get a Business Associate Agreement with that provider in order to remain HIPAA compliant. (Need more? See our article, What Is a HIPAA Business Associate Agreement?)
Financial service providers, however, have a special exemption from HIPAA insofar as they only perform certain specific financial transactions. A financial service that is providing the basic service of storing and charging credit cards is probably not a HIPAA Business Associate to the covered entities that they provide this service for.
The previous version of this article argued that financial services that store card information on a covered entity’s behalf may or may not be HIPAA Business Associates, but consultation with a number of experts has indicated that HIPAA covered entities are likely not expected to get Business Associate Agreements with these financial service providers. It is possible that this state of affairs will change, but it does not seem likely at the moment.
Do be aware, however, that financial services could potentially provide extra services that move them into HIPAA Business Associate territory. See more about that in our article on Banks and HIPAA.
Definitely consult with legal counsel if you’re unsure.
What About Practice Management Systems That Store Credit Cards?
As was stated earlier, practice management systems often use a third-party service to actually store the card info and make the charges. Systems that don’t use a third-party service are likely financial services themselves.
The fact that practice management systems act as an intermediary between you and the merchant service means that they are handling your protected health information on your behalf and are your HIPAA Business Associate.
This is nothing new, however. Practice management systems are already Business Associates for a number of reasons, and you already need to make sure you have a Business Associate Agreement with them anyway (which is also rather easy in the majority of cases).
If you wish to find a practice management system that can manage credit cards for you, I recommend starting with Rob Reinhardt’s reviews of practice management companies.
Credit Card Company Issues
Lest we forget in our discussion of professional ethics and laws, the companies that provide our merchant service accounts have their own issues we need to be aware of.
Specifically, if we don’t get it in writing that a client agrees to all the charges we make, then they have a strong case for reversing any such charges. Think about when you use a credit card at a store. After payment, you generally need to sign the receipt and give it to the cashier (these days, many stores don’t require this on charges below $25). On that receipt is some text that basically says you agree to pay the amount charged “according to the cardholder agreement.” If you decide later to contest the charge, claiming you never made that purchase, the merchant can produce your signed receipt as proof that you did, in fact, agree to the charge.
As you’ve probably already surmised, making charges in the client’s absence could get us in trouble here. Without a signed agreement from the client, provided ahead of time and defining when charges will happen and how much they will be, we are vulnerable to the client successfully doing a “chargeback,” wherein they contest the charge and have it refunded by the credit card company. Not only do chargebacks mean we don’t get paid, but they also are a black mark on one’s merchant record.
If the client genuinely didn’t expect the charge, there is likely an ethical issue at hand, as well.
Advantages of Holding Credit Card Information
This article has discussed a lot of pitfalls and problems, so let’s make sure to talk about the benefits.
Making sure you can collect all your no-show fees, deductibles, and other money owed to you can be invaluable in private practice. Holding on to payment information is a kind of safety net that all but ensures that you can do this. If your policies and procedures are reasonable, well thought out, and well presented to clients, the majority of clients will not object to the practice and many may find it quite convenient.
You don’t have to limit the practice only to no-shows and unpaid bills. With this scheme, you can bill clients on your own time and skip the rigmarole of running a card or handling checks or cash at session time. However, companies that provide this service usually charge higher fees than is typical, so you may not wish to use it all the time.