Getting paid is an essential part of practicing, whether you’re in private practice or employed by someone else. Astute students of HIPAA and other security and privacy regulations usually come to realize, at some point in their study, that getting paid and keeping our clients’ sensitive information safe from the larger world do not necessarily go hand-in-hand. Fortunately, I can tell you with great confidence that HIPAA does not want to prevent America’s health care professionals from getting paid for their work.
Take a look at your checks or your credit card, and you’ll see that your personally identifying information is on those documents. When you swipe a credit card, that personally identifying information is sent to the credit card processor along with the other necessary payment data. I’ve done numerous risk analysis consultations wherein my colleague-clients have asked me how to protect client confidentiality from bank tellers, other bank staff and credit card company computers. When personally identifying information is combined with information about payment for health care, such as when we process a payment from a client, the result is protected health information as defined by HIPAA.
Health care attorney Marcia Augsburger, JD has written on the subject of financial institutions as potential HIPAA Business Associates because of the fact that these institutions create, receive, maintain, and/or transmit protected health information on our behalf. (Need more? See our article What Is a HIPAA Business Associate Agreement?) According to Augsburger:
Thus, unlike other entities, whether financial institutions must comply with HIPAA does not turn on their receipt, disclosure, or use of PHI. If this were the test, all banks would be business associates according to experts who have estimated that 40% of the information contained in most bank lockbox accounts meets the definition of PHI. However, OCR instructs that the focus is [not] on the nature of the information but on what financial institutions are doing with the information.
Augsburger claims that OCR (“The Office of Civil Rights” – the HIPAA People) says that banks and other financial institutions have a special relationship with HIPAA, wherein their mandate to comply with it is entirely dependent on what they do with information rather than what information they receive, disclose, use or maintain. So what can banks and other financial institutions do with our clients’ payment information and avoid the looming shadow of HIPAA? Let’s look at the law itself:
The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in §1179 of the HIPAA statute, for example, the activity of cashing a check or conducting a funds transfer.
(US Dept. of Health and Human Services, 2013)
It sounds like the text of the HIPAA Omnibus Final Rule – the most recent update to the HIPAA law at the time of writing – states that banks and “financial institutions” are exempt from the HIPAA rules when performing basic functions of processing payment. How thorough is that exemption, however? What, exactly, is covered by it? There’s more:
Section 1179 of HIPAA exempts certain activities of financial institutions from the HIPAA Rules, to the extent that these activities constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care…
(US Dept. of Health and Human Services, 2013)
Well, that is quite thorough. It seems to me that these activities would include such common activities as authorizing, processing, and settling credit card payments, as well as transferring funds such as with a PayPal payment transfer. The still somewhat mysterious activity defined above is “billing,” since it is well defined that companies that provide professional billing services are HIPAA Business Associates.
So “Financial Institutions” Are Exempt From HIPAA?
The law, as we can see above, is quite particular about the specific scope of activities that financial institutions can engage in and still enjoy the exemption from the HIPAA rules. There are many activities that most banks, merchant service providers, and other financial institutions engage in that do not apply. In fact, the Omnibus Rule anticipated this question:
However, a banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity, such as performing accounts receivable functions on behalf of a health care provider.
(US Dept. of Health and Human Services, 2013)
Want CE credit for reading this article?
This article is part of our 1 CE hour Guided Reading course titled: “Credit/Debit Cards and Electronic Payments in Mental Health Private Practice: Regulatory and Ethical Issues.”
For health care providers, “accounts receivable functions” include payment processing activities and billing, but they may also include mailing letters to patients who are behind on payment, reviewing the terms of coverage agreements and provider contracts with health plans and other payers and applying them in dealing with patients, setting up payment schedules, and tracing changes to patient addresses. Presumably, financial institutions performing these kinds of activities on behalf of providers are business associates.
(Augsburger, 2013) emphasis mine
Augsburger points out that banks may provide a variety of services for their customers that don’t fall under those defined in subsection 1179 of HIPAA and therefore could be reasonably labeled as “non-exempt” for our purposes here. I would like to add some more examples of non-exempt services that would more typically be encountered in mental health practice:
- Using invoicing services provided by your financial services provider (e.g. PayPal or Square.) These companies can send invoices to clients on your behalf and manage and track their payments. This would be a non-exempt service. Which is too bad – this invoicing feature would be a very handy service for those who practice telehealth and need to receive payments remotely. Note that Square offers a HIPAA Business Associate Agreement to go with its invoicing service, but HIPAA compliance issues linger despite that. See our article on Square’s BAA for more→
- Be especially aware of when any service offers to send emails or text messages to clients on your behalf. Even though clients are allowed under HIPAA to consent to receive emails that contain protected health information (See our article on consent for emails for more), the issue here is not only one of email and text message security. This activity would trigger a Business Associate relationship between you and the service, and that is unaffected by client consents.
To make sure it’s clear: the main concern we are addressing here is that of a financial institution taking on a HIPAA Business Associate relationship with you. If such an institution performs any services for you besides those defined above as exempt from HIPAA, they will generally become your Business Associate. If you don’t acquire a Business Associate contract from the banking institution before they perform a non-exempt service, you will be in violation of HIPAA.
How Do I Get a Business Associate Contract From My Financial Service Provider?
Most financial services currently won’t execute Business Associate Agreements, with the notable exception of Square (although Square’s HIPAA situation still has major issues, read our article on it for more→.) This means that HIPAA compliance would require avoiding the use of any non-exempt services from those companies that don’t provide BAAs and full support for your HIPAA compliance needs.
Another strategy is to use a financial service that does provide a Business Associate contract, such as a practice management system that includes invoicing, billing and payment features. Here we see yet another example of how cloud-based practice management systems and electronic health record systems generally simplify HIPAA compliance. If you want to find one, I recommend starting with Rob Reinhardt’s reviews of such systems.
Another item to clarify: the potential for a Business Associate relationship with a financial institution does not, in any way, mean that you cannot use the institution’s services. You simply need to avoid using those non-exempt services since they trigger a BA relationship. E.g. you can collect credit card payments with Square, but do not use it to send receipts. Also, your clients can send payments to you through PayPal, but do not invoice them using PayPal’s invoicing feature.
Alternatively, you can provide clients with paper receipts, email your own receipts (by secure email), send your own invoices to clients, etc. There are a variety of ways to simulate non-exempt services in HIPAA compliant ways.
Reference for this article can be found here.