Mobile payment apps like Square and online payment services like PayPal make it surpassingly easy for therapists in private practice — or even for small agencies — to accept credit card payments without much upfront investment. Do we need client consent to use these services, however? What kind of information is needed for informed consent?
We have already published extensively about how HIPAA interacts with banks and financial institutions, and whether or not mobile credit card swiper apps like Square play well with our practices:
We’ve also covered the question of how to (or whether or not to) go about holding client credit cards on file. That topic contains a lot of informed consent issues:
What has still been left hanging is the issue of informing clients about the parts of this process that put their confidentiality at risk or could otherwise cause harm.
Over time, these popular payment providers add new features and blend payment with the worlds of social media and instant, automatic communication. This is a part of the modern world and an exciting one, but one that is difficult for us to reconcile with the need to maintain client privacy.
For example, when you use Square to run a credit card using your smartphone or tablet computer, Square may automatically send an email or text message receipt to your client. Square will do this if the client has previously requested a receipt from another merchant using Square.
To explain more concretely, Joe Client buys a coffee at Mug Shots using his credit card through their Square payment terminal. He decides to ask for a coffee receipt to be emailed to him. Then he goes to his therapy session at Roy’s (kitty corner to Mug Shots) and pays for the session with his credit card through the Square app on Roy’s iPhone. This time, Square sends Joe an email with a receipt for Roy’s counseling session without even asking first. It’s for convenience, and you can ask Square to turn that feature off. Until you do, however, clients may receive unexpected email receipts for therapy sessions.
PayPal also sends receipts for payment by email automatically, and does not give the client a chance to refuse them.
Venmo is a very popular (with the kids) service that can be used to transfer funds easily and quickly between Venmo accounts. The catch: Venmo is a social media app that also displays those payments on your Venmo “wall,” Facebook-style (to be fair: Venmo only displays whatever the payer tells it to display, so clients would have a fair amount of control over what is revealed by Venmo.)
We’ve discussed in other articles the potential HIPAA Business Associate issues that arise with these unrequested disclosures.
In this article, however, I’d like to focus on the ethical issues that arise around confidentiality.
Our duty of confidentiality means we must uphold clients’ privacy decisions and privacy rights. Clients do have the autonomy to make those privacy decisions themselves, but we must ensure that they are properly informed of all related risks before making their decisions.
As such, before using one of these electronic payment services with clients, it is likely wise to inform them about those emails or text messages that the service may send them.
Why is it important?
Our emails and text messages can end up in all kinds of places. For many clients, the others who can access their email accounts or read their texts are trusted people and often loved ones. For those folks, there is little risk posed by emailed receipts.
Imagine, however, a client with an abusive partner or parent who often spies on the client’s phone or even reads the client’s emails without permission. What if they see an email with a receipt from a therapist?
One more: imagine a client who uses her work email address when she buys that coffee at Mug Shots. The email that is automatically sent to her after a session with Roy goes to her work’s email servers, where her employers have the legal right to read those emails.
Given the number of scenarios where real risks can arise from the transmission of electronic receipts, it seems wise to at least bring up this issue with clients.
Is It Ethically Required That I Inform Clients About These Risks?
We think so. See these quotes from major ethics codes on professional responsibility to inform clients of the risks that arise in use of digital technology for communications and other purposes:
marriage and family therapists…inform clients or supervisees of the potential risks and benefits associated with technologically-assisted services…
AAMFT Code of Ethics, 2015, 6.1.b
Counselors… inform clients that individuals might have authorized or unauthorized access to… records or transmissions (e.g., colleagues, supervisors, employees, information technologists).
ACA Code of Ethics, 2014, H.2.b
Psychologists who offer services, products, or information via electronic transmission inform clients/patients of the risks to privacy and limits of confidentiality.
Ethical Principles of Psychologists and Code of Conduct, 2010, 4.02.c
Social workers who use technology to provide social work services should obtain informed consent from the individuals using these services during the initial screening or interview and prior to initiating services.
NASW Code of Ethics, 2017, 1.03.f
…NCCs shall advise clients about the potential risks of sending messages through digital technology and social media sources.
NBCC Code of Ethics, 2012, 20
Note: To assist in providing language for that disclosure, subscribers to our free newsletter have access to our Electronic Payment Communications Disclosure form, and the form is also included with some Person Centered Tech CE courses. Subscribe to our newsletter here to get access to this and other useful forms.
Providing such disclosures will make me HIPAA compliant?
The purpose of informing clients about these electronic receipts is to meet your ethical duties around confidentiality when you wish to accept credit cards and other electronic payments from clients. As we discuss in our article, Banks and HIPAA: Checks & Credit Cards vs Receipts & Invoices, simple money transfers and credit card charges are largely uncovered by HIPAA. So here we’re almost solely concerned with ethical confidentiality concerns.